Sub-processors outside the EU
As you can also see from our data processing agreement, we use a sub-processor in the USA to send email notifications from Smartplan. Below you can read our risk assessment of using this sub-processor, in the form of a Transfer Impact Assessment (TIA), and learn why it is safe to use this service.
We decided to write the analysis in English because we have customers in Scandinavia as well as in the United Kingdom and Germany. For legal and resource reasons, the TIA therefore had to be written in English.
Transfer Mechanism:
ActiveCampaign, LLC has implemented the EU's Standard Contractual Clauses in their DPA.
Our Transfer Impact Assessment (TIA):
We have decided to use ActiveCampaign, LLC for our transactional emails because we couldn't find an EU provider that lived up to the same trustworthy approach to handling emails.
None of the EU providers we talked to could clarify well enough where our data was located.
We know ActiveCampaign, LLC is a US company, and in this assessment we want to clarify that we find it necessary and safe to use ActiveCampaign, LLC as a transactional email provider.
ActiveCampaign, LLC handles our transactional emails: email notifications from Smartplan.
The emails contain the following data:
- Notifications from Smartplan.
- Messages the users on the Smartplan account send to each other.
Personal data:
The notifications can contain names of employees.
The messages contain the content the employees put in the message.
Why we trust ActiveCampaign, LLC
ActiveCampaign, LLC's business model is based on transactional emails, not marketing emails. We believe it's in their interest to protect our emails in order to stay in business. An email marketing company would instead have an interest in harvesting the data to sell it. We don't have to worry about this with ActiveCampaign, LLC. We don't have to try to figure out where the data is and how it's used. They are very clear about where the data is hosted and that it is automatically deleted after 45 days.
ActiveCampaign, LLC is only using two sub-processors, which makes it easier for us to trust that we know how the data is processed. We also list the following reasons why we believe the use of ActiveCampaign, LLC is fully compliant:
- The data center ActiveCampaign, LLC is using has very high security demands and has the following certifications: ISO 27017, ISO 27018, SOC 1, SOC 2, and SOC 3, PCI DSS Level 1.
- Their employees are bound by confidentiality.
- Employees with access to data are screened and security vetted.
- They encrypt all data during transport.
- Their deletion policy looks like ours. They keep data for 45 days for debugging; after that it is automatically deleted.
- They have addressed local laws and obligations in their DPA.
- They have implemented the EU SCCs in their DPA.
- We tried other providers and none were as transparent as ActiveCampaign, LLC.
- They deliver emails quickly and reliably, which Smartplan needs in order to work well for our customers.
- The type of data processed is of very low risk for the individual.
- The users can decide to turn off email notifications, in which case no data is sent.
You can read a lot more about ActiveCampaign, LLC's data security here: https://postmarkapp.com/eu-privacy#security-and-privacy