Given the recent tumult concerning US-EU privacy agreements, we thought it would be useful to review DocRaptor’s privacy standards and our experience joining the new Privacy Shield program (if you just want to learn about joining Privacy Shield, scroll towards the bottom).
As you can imagine, DocRaptor’s HTML to PDF conversion service sees a lot of private documents, from financial reports to legal paperwork. We take security and privacy very seriously, both for our US-based customers and our many international users. As an example, here are a few privacy-oriented actions we take:
- Default to SSL encryption for all content in transit
- Encrypt all documents at rest (“at rest” meaning not actively in conversion, but sitting on the server)
- Delete input and output HTML based on a user’s data retention policy (allows users to prioritize ease of support or privacy, as best fits their needs)
- Employ industry standard security measures, including:
  - No password-based SSH access
  - No shared developer credentials
  - No global AWS access
  - Strict firewalling between servers/groups of servers
- Provide a detailed security policy and information whitepaper
- And until recently, we were part of the US-EU Safe Harbor program
The end of Safe Harbor and a supplemental contract
In October 2015, the European Court of Justice declared the long-standing Safe Harbor program to be invalid. This created confusion and uncertainty for both US- and EU-based companies, DocRaptor included.
After discussions with our legal team, it seemed likely that a new agreement would be reached as a Safe Harbor replacement, but it might take many months to complete. In the meantime, we created an EU-specific supplemental contract for our EU customers which laid out, in detail, our data-processing, audit procedures, and security measures. This provided a legal framework that allowed our EU customers to remain within EU laws. We viewed the use of this contract as temporary until Safe Harbor was officially replaced, and we provided it to all customers who inquired about privacy compliance.
The bright new future of Privacy Shield
After prolonged negotiation between various US and EU groups, Privacy Shield was announced as the replacement for Safe Harbor. The framework allows for the legal transfer of personal data, for commercial purposes, between the European Union and the United States. There’s still some uncertainty about Privacy Shield and how it will actually work, but we’re confident that being part of Privacy Shield will be better for DocRaptor and our customers. To that end, we have discontinued use of our supplemental contract in favor of Privacy Shield certification.
What’s different for DocRaptor under Privacy Shield
By self-certifying for Privacy Shield, we agree to follow the Privacy Shield Principles in relation to our EU customers. Fortunately, these principles generally align with our existing practices, but we needed to make a few small changes. Here’s what we’ve done differently:
- Accept greater liability. This is part of the “Recourse, enforcement and liability” principle. Under the Privacy Shield, companies are liable for transferring personal data to third parties, unless they can prove they’re not responsible for the damaging event. We’re used to a legal world that makes our vendors liable for damages they cause. Privacy Shield applies a different standard to liability, but the real-world implications are still unclear. We discussed this at length with our attorney and decided we are confident enough in our vendors to accept the risk of greater liability. We recommend anyone considering self-certification have similar conversations with a qualified attorney and ensure that any providers you use adhere to the same Privacy Shield principles.
- Enroll in a dispute resolution program. This is also part of the “Recourse, enforcement and liability” principle. To fulfil this requirement, we chose to work with the BBB (although there are several other options). We’ve worked with the BBB’s dispute resolution service since first becoming Safe Harbor certified, and they’ve been extremely valuable in helping us navigate the transition from Safe Harbor to Privacy Shield.
Those are the only major changes we needed to self-certify for Privacy Shield, and we were fortunate to be in a privacy-friendly position already. There may be significant changes your organization needs to make, so be careful! This great blog post from the International Association of Privacy Professionals dives deeper into some of the other differences between Privacy Shield and Safe Harbor.
How we became Privacy Shield self-certified / TL;DR
Here’s the process we went through to become self-certified:
- Followed the Safe Harbor/Privacy Shield negotiations very closely (fortunately, you don’t need to do that any more!)
- Read the entire Privacy Shield website very closely
- Had plenty of discussions with our lawyer
- Joined the BBB dispute resolution program
- Made a list of things we needed to change to become compliant with the Privacy Shield Principles (see above discussion of what’s different)
- Applied to the Department of Commerce (they’re in charge of keeping track of which companies have self-certified) through the Privacy Shield website and paid a modest fee
- Moving forward, we need to make sure all of our partners are in compliance by June 2017. Since we applied by September 30, 2016, we have a nine-month grace period to ensure our third-party partners are also in compliance. We’ve completed all our changes, but we need to make sure our partners (such as Amazon AWS and Stripe) are in full compliance with the principles. While highly unlikely, if some of our partners are not in compliance by the deadline (most already are), we will need to stop working with them. If you did not self-certify by September 30th, you will not be able to self-certify until you AND all your partners are in compliance with ALL the principles.
In the end, after a long period of uncertainty, this was a relatively simple process. We’re happy to have an even stronger framework to ensure the privacy of our EU customers and we hope this blog post helps both our customers and other SaaS companies. If your organization needs to make invoices, reports, brochures or any other documents, DocRaptor is the easiest way to transform HTML into PDF or XLS files!