Data Transfer FAQ
Frequently Asked Questions About International Data Transfers
We know that some of our customers have questions about our data export compliance. We’ve prepared these FAQs to address commonly asked questions about Visage’s international transfers of personal data.
What are international transfers of personal data?
The General Data Protection Regulation (GDPR) requires that personal data be given an essentially equivalent level of protection when it is transferred outside the European Economic Area (EEA). Switzerland and the UK impose equivalent requirements on personal data transferred outside Switzerland and the UK. Meeting this requirement involves protecting personal data through transfer tools, such as the Standard Contractual Clauses (SCCs), assessing the risks of the transfer (a transfer impact assessment), and identifying appropriate supplementary measures where they are needed.
Does Visage transfer personal data outside Europe?
Yes. Visage is headquartered in the United States and we host our data, including customer and candidate data, in Amazon Web Services (AWS) data centers in Oregon (the us-west-2 region). We also use third-party vendors that are based in the United States and process personal data on our behalf. You can find a list of our sub-processors here.
What transfer tools does Visage rely on?
We take steps to ensure that customer and candidate data remains protected wherever it is processed in accordance with data protection laws. When processing customer data outside Europe, we rely on the standard contractual clauses adopted by the European Commission on 4 June 2021 (SCCs). The SCCs are incorporated by reference into the Visage Data Processing Addendum, meaning that they apply automatically when customer data is processed outside Europe.
We also take steps to ensure that our third-party vendors implement appropriate safeguards to protect personal data they process on our behalf, and contractually require them to process such data in compliance with data protection laws. Where necessary, we implement transfer tools with our vendors including the SCCs.
What about UK transfers?
As explained above, we rely on the SCCs to process customer data outside Europe. For UK transfers, the Visage Data Processing Addendum also incorporates the International Data Transfer Addendum issued by the UK Information Commissioner (UK Addendum). The UK Addendum supplements the SCCs and provides organizations with a tool to transfer personal data outside the UK.
What safeguards does Visage provide to protect personal data?
We have implemented a number of technical, organizational and contractual measures to ensure that customer data and candidate data remains protected when it is processed outside Europe. Here’s a summary of some of the most important measures:
- Security. We host our platform in AWS data centers that are ISO 27701 certified and FISMA compliant. Our cloud architecture enforces isolation and segregation of customer data. We also operate a threat management program that includes penetration testing and vulnerability scanning.
- Encryption. Visage has implemented encryption technologies across its infrastructure to help protect personal data from unauthorized access. All Visage data is encrypted at rest and in transit using industry-standard protocols and algorithms.
- Organizational measures. We have implemented a comprehensive organizational security program designed to protect personal data, including mandatory employee background checks, confidentiality agreements, employee security training, and automatic screen locking and disk encryption on employee workstations.
- Data Processing Addendum. We provide rigorous contractual commitments to customers under the Visage Customer Data Processing Addendum relating to security, confidentiality of processing, limitations on international transfers of personal data, cooperation with data subject rights, notice of security breaches, and more.
- Vendors. We ensure that our agreements with third-party vendors (including sub-processors) contain appropriate commitments regarding the transfer and processing of personal data outside Europe. We also implement appropriate data transfer mechanisms with our vendors that are established outside Europe, such as the SCCs.
- Government requests. We provide our customers with a number of assurances about how we respond to government requests for data. You can read more about these below.
For more information about our security and privacy program, please see our Trust Page.
How does Visage respond to government requests for data?
We consider all requests that we receive from government authorities carefully and, as a policy, only respond to government requests where we are legally compelled to do so. This means that we will only respond if we receive a legally-valid order, subpoena, warrant or other process that compels us to provide the information. We will notify customers of any requests that we receive relating to customer data, unless we are legally prohibited from doing so.
Has Visage received any requests from the US government?
Visage is aware of certain U.S. national security and surveillance laws, including Section 702 of the Foreign Intelligence Surveillance Act (FISA 702) and Executive Order 12333 (EO 12333), which authorize U.S. intelligence agencies to collect personal data. Like many U.S. service providers, Visage may technically be subject to FISA 702.
Visage has not received any government requests for access to customer data or candidate data under FISA 702. We also consider the likelihood of receiving such requests to be very remote, given that the information we process consists of non-sensitive professional information (including candidate profile information and business contact information) that is generally publicly available. A White Paper issued by the U.S. Department of Commerce in September 2020 noted that the personal data processed by most companies, including employee, customer, and sales data, is unlikely to be of interest to U.S. intelligence agencies.
Visage is also aware of the Executive Order issued by President Biden on 7 October 2022 (Executive Order 14086), which introduces new safeguards around U.S. signals intelligence. These safeguards are specifically designed to address the concerns raised by the Court of Justice of the European Union (CJEU) in the Schrems II decision. In particular, they require that signals intelligence activities be necessary and proportionate to advance an authorized intelligence priority, and they establish a new redress mechanism (including the Data Protection Review Court) for individuals who claim their information has been unlawfully collected by U.S. agencies. These safeguards give companies that transfer personal data to the U.S. greater legal certainty, including when such transfers are made using the SCCs.
If you have any further questions about international data transfers, please visit our Trust Center or contact us at firstname.lastname@example.org.