Legal information

Data Transfer Impact Assessment

Overview

This document provides information to help our customers conduct data transfer impact assessments in connection with their use of Alludo products, in light of the “Schrems II” ruling of the Court of Justice of the European Union (CJEU, ruling of July 16, 2020 - C-311/18) and the recommendations from the European Data Protection Board.

All capitalized terms like “Personal Data,” “Process/Processing,” “Controller,” “Processor,” etc. shall have the meaning set forth in our DPA.

Step 1: Know your transfer.

Where we process Personal Data on behalf of our customers as a Data Processor, we comply with our obligations as described in our Data Processing Addendum (“DPA”) available here. The DPA provides the following information:

The nature of Processing activities in connection with provision of the Services:

The type of Processing performed by Alludo as the Data Processor in relation to its customers is for product registration, order management, and product usage purposes. Customers can also initiate Data Processing by voluntarily asking for support services from Alludo.

The types of Personal Data we process:

The types of Personal Data processed by us under our DPA include registration information, which may include contact data (name, title, company address, phone number, email address), as well as usage data indicating details of the use of our products and services. Customers may also voluntarily submit support requests to Alludo, which may or may not contain Personal Data.

The categories of data subjects:

The Data Subjects are our customers, which includes the customer’s employees and other natural persons whom the customer allows to use the Services.

The customer Personal Data processed by Alludo is of a limited scope, is purely of a commercial nature, and does not contain any sensitive data.

Customers can to a large extent control and further limit the scope of Personal Data processed, for example, by using more generic corporate email addresses for product registrations and support requests.

Step 2: Identify the transfer tool relied upon.

Depending on which of our products the customer uses, the following Alludo Group companies would be acting as Data Processor:

Parallels International GmbH in Switzerland, for software that is branded “Parallels”;

Awingu NV in Belgium, for software that is branded “Awingu”; and Corel Corporation in Canada, for all of our other software brands.

As the Data Processor, Corel Corporation is domiciled in Canada. As per decision 2002/2/EC of the EU Commission, Canada is deemed to provide an adequate level of data protection regarding commercial organizations such as Corel Corporation.

Parallels International GmbH, as the Data Processor, is domiciled in Switzerland. As per decision 2000/518/EC of the EU Commission, Switzerland is deemed to provide an adequate level of data protection regarding commercial organizations such as Parallels International GmbH.

Awingu NV is domiciled in Belgium, EU.

We may transfer customer Personal Data wherever we or our third-party service providers (sub-processors) operate for the purpose of providing you the Services. The locations will depend on the particular Products and Services that you use, as outlined in our product specific list of sub-processors.

A list of all of our data sub-processors is available here: https://www.alludo.com/en/legal/sub-processors/.

Where Personal Data originating from EEA, UK, or Switzerland is transferred to Alludo, Alludo relies on adequacy decisions for Canada and Switzerland to provide an appropriate safeguard for the transfer.

Where customer Personal Data originating from EEA, UK, or Switzerland is transferred between Alludo group companies we have an intercompany data transfer agreement in place which has been updated to reflect the new Standard Contractual Clauses.

The transfers of customer Personal Data to sub-processors established in third countries outside the EEA, UK, or Switzerland, or the processing of Personal Data in such third countries, is governed by the new Standard Contractual Clauses.

Step 3: Assess whether the transfer tool relied upon is effective in light of the circumstances of the transfer.

As noted above, Alludo relies on Standard Contractual Clauses to transfer Personal Data internationally. Alludo will continue to use Standard Contractual Clauses (SCCs), which remain valid under the recent Schrems II decision by the CJEU, as a legal mechanism for transferring Personal Data of its customers from the EEA, UK, or Switzerland to our affiliated entities and sub-processors in the U.S. or other applicable jurisdictions. Our Data Processing Agreement (DPA) incorporates the Standard Contractual Clauses which have been adopted by the EU Commission. Sub-processors used by Alludo have undergone a risk assessment to review compliance with the Schrems II requirements.

Alludo continues to monitor the progress of the U.S. Government and the European Commission in establishing a new Data Privacy Framework to replace the Privacy Shield. General information on the legal framework and the applicable privacy and data security standards in the U.S. can be found in a whitepaper published by the U.S. government in September 2020 in the wake of Schrems II, “U.S. Privacy Safeguards Relevant to SCCs and Other EU Legal Bases for EU-U.S. Data Transfers after Schrems II.”

The latest developments in the EU-US Data Privacy Framework can be followed on the European Commission’s website: https://ec.europa.eu/commission/presscorner/detail/en/qanda_22_6045

The Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities, which was signed on Oct. 7, 2022 by President Biden, can be found here: https://www.whitehouse.gov/briefing-room/presidential-actions/2022/10/07/executive-order-on-enhancing-safeguards-for-united-states-signals-intelligence-activities/

Step 4: Identify the technical, contractual and organizational measures applied to protect the transferred data.

We provide the following technical measures to secure customer data:

  • Data residency: Our data centers are distributed across various global regions. Your data is stored securely in these centers, which implement physical and logical security measures under a shared responsibility model. The confidentiality, integrity, and availability of your data are protected through proper backup solutions in multiple geographic regions. These locations also comply with local residency laws and regulations, while you, as the customer, maintain ownership of your data.
  • Encryption: Personal Data sent to us over the network is encrypted in transit using TLS (TLS 1.2 is supported), a protocol designed to keep data secure while it is transferred over a network. The TLS handshake uses asymmetric keys to establish a session, and the client and server then use symmetric 256-bit encryption to exchange data for the duration of the transfer session. Data is protected at rest using encryption that adheres to the FIPS 140-2 standard.
  • Security: We have implemented technical and organizational security measures. These are measures aimed at protecting Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access (in particular where the Processing involves the transmission of data over a network), and against all other unlawful forms of Processing. Controls in place include, but are not limited to, those involving access, availability, privacy, and processing. Alludo’s Global Security controls are based on a framework built to support the organization’s alignment and compliance with prevailing privacy and security practices. It is a many-to-one security and privacy framework which includes, but is not limited to, the following: GDPR | ISO/IEC 27001:2013 | NIST 800-53 | NIST CSF.
  • Pseudonymization: Depending on the data storage application, one of the following techniques is used to pseudonymize data: (1) masking, (2) blurring, or (3) encryption.

Our contractual measures are set out in our DPA. For transfers to sub-processors in third countries we rely on the SCCs. In particular, we are subject to the following requirements:

  • Technical measures: we are contractually obligated to have in place appropriate technical and organizational measures to safeguard Personal Data (both under the Data Processing Addendum and the SCCs we enter into with service providers, and between entities within the Alludo group).
  • Transparency: our sub-processors are obligated under the SCCs to notify us in the event they are made subject to a request from a government authority for access to customer Personal Data. In the event that the sub-processor is legally prohibited from making such a disclosure, such sub-processor is contractually obligated to challenge such prohibition and seek a waiver.
  • Actions to challenge access: Under the SCCs, our sub-processors are obligated to review the legality of government authority access requests and challenge such requests where they are considered to be unlawful.

Our organizational measures to secure customer data include:

  • Policy for government access: To obtain data from Alludo, law enforcement officials must provide an appropriate legal instrument for the type of information sought, such as a subpoena, court order, or a warrant.
  • Onward transfers: Whenever we share your Personal Data with our service providers, we remain accountable to you for how it is used. We require all service providers to undergo a cross-functional diligence process to help protect our customers' Personal Data during Processing. This process includes a review of the data Alludo plans to share with the service provider and the associated level of risk, the supplier’s security policies and measures, and whether the supplier has a mature privacy program that respects the rights of data subjects. We provide a list of our sub-processors here: https://www.alludo.com/en/legal/sub-processors/.
  • Employee training: Alludo provides data protection training to all Alludo staff.
  • Internal processes and policies: Alludo has internal processes for managing transfers within the Alludo group of companies; internal policies that state employee responsibilities, reporting channels, and operating procedures in the event of issues related to international transfers of Personal Data; and privacy and data security policies based on EU and applicable international standards (e.g., ISO standards) and best practices (e.g., ENISA).
  • Measures on data minimization: Data access and confidentiality policies and best practices based on a strict need-to-know principle.
  • Data Protection Officer: Appropriate and timely involvement of, and provision of information to, the Data Protection Officer, as well as legal and internal audit services, on issues related to international transfers of personal data.

Step 5: Procedural steps necessary to implement effective supplementary measures.

We have implemented the additional supplementary measures outlined in the section above to reduce the risks in connection with the transfer of Personal Data of our customers to third countries. It is always recommended that each customer does its own risk assessment, based on the specifics of that customer’s business. Based on your particular business, you may choose to implement measures in addition to those laid out in this document. We are committed to providing and continuing to advance technical, legal, and organizational safeguards so that Alludo can carry out cross-border data transfers in a way that protects your data from being accessed by third parties.

Step 6: Re-evaluate at appropriate intervals.

We will review and, if necessary, reconsider the risks involved and the measures we have implemented to address changing data privacy regulations and risk environments associated with transfers of personal data outside of Europe.

Contact

For all privacy-related questions please contact privacy@alludo.com.

Last updated July 2023