Data Transfer Impact Assessment

Overview

This document provides information to help Fudge Customers conduct data transfer impact assessments in connection with their use of Fudge products and services, in light of the "Schrems II" ruling of the Court of Justice for the European Union and the recommendations from the European Data Protection Board.

In particular, this document describes the legal regimes applicable to Fudge It, Inc. ("Fudge") in the US, the safeguards Fudge puts in place in connection with transfers of customer personal data from the European Economic Area, United Kingdom or Switzerland ("Europe"), and Fudge's ability to comply with its obligations as a "data importer" under the Standard Contractual Clauses ("SCCs").

Description of transfer

Categories of data subjects

• Customer’s data subjects:These are users that visit the websites of Fudge Customers where those websites are proxied through Fudge acceleration servers.
• Platform users: Users who have access to, and visit the Fudge dashboard located at app.fudge.ai (the "platform")

Purpose of transfer

• Customer’s data subjects: We log information about HTTP requests and responses that pass through our systems. We use this data to assess and improve the performance of Fudge, to debug any technical issues, and to present the performance impact of Fudge to the Customer.
• Platform users: We collect and store information to facilitate the authentication and use of the dashboard, and for the continuous improvement of functionality.

Frequency of transfer

Data is transferred continuously.

Categories of personal data transferred, including sensitive data (if applicable)

Customer’s data subjects: We capture data about each HTTP request / visit to a website that is proxied through Fudge acceleration servers. This includes:

• IP Address
• Request URL
• Timestamp
• User Agent (and derivative information such as device type)
• Performance metrics (e.g. FCP / LCP / TTFB)

Platform users: We store each user's full name, email address, password, social login data, and data about their usage of the product.

Duration of processing

Data is retained indefinitely by default. However, upon termination of service or expiry of subscription, all data collected on behalf of Customer is deleted.

Applicable transfer mechanism

For transfers from Europe, we rely on Data Processing Agreements (DPAs) incorporating the new European Commission-approved SCCs for enabling international transfers to the United States or other appropriate and approved transfer mechanisms.

Onward transfers

Fudge's solution is running on AWS servers located in Virginia, in the United States.

As our subprocessor, any data sent to AWS is subject to equal enforcement of the terms of the DPA we sign with our customers. Our agreement with AWS is supplemented with AWS’s DPA, incorporating the new SCCs. Our complete list of subprocessors is included in our DPA.

Safeguards to protect customer data

• Encryption: All data traffic to and from Fudge is transmitted over Secure HTTP (HTTPS) using TLS v1.2 or above. All volumes underlying Fudge data stores are encrypted using the industry standard AES-256 encryption algorithm to encrypt your data. AWS KMS is used for key management and cryptographic operations.
• Multi-tenancy: We have adopted a multi-tenancy model to ensure that one customer’s data is never available to another customer. Customer data separation is logical. Each customer is assigned a unique Team ID and customer data is separated by this ID.
• Logical separation between dasboard app and data pipeline: The dashboard app manages the configuration of our customer’s sites and display of aggregated analytics data, while the data pipeline is Fudge's core engine responsible for receiving and buffering HTTP request data, transforming the events into the required destination format and relaying the events to the destination.
• Dashboard app access control and authentication: The platform supports role-based access control with strong password requirements.
• Personnel security: All personnel go through background screening, and are bound by privacy and confidentiality obligations as part of their contract and non-disclosure agreement with Fudge. All personnel are also required to undertake relevant security and privacy training.
• Contractual measures: Our contractual measures are set out in the DPA we sign with our customers. We are obligated under the SCCs (incorporated within your DPA) to notify our customers in the event we are made subject to a request for government access to customer personal data from a government authority.

Relevant local laws that apply within the jurisdiction of transfer

The following US laws were identified by the Court of Justice of the European Union in "Schrems II" as being potential obstacles to ensuring essentially equivalent protection for personal data in the US:

• FISA Section 702 (“FISA 702”): FISA 702 allows US government authorities to compel disclosure of information about non-US persons located outside the US for the purposes of foreign intelligence information gathering. In-scope providers subject to FISA 702 are electronic communication service providers ("ECSP") within the meaning of 50 U.S.C § 1881(b)(4), which can include remote computing service providers ("RCSP") as defined under 18 U.S.C. § 2510 and 18 U.S.C. § 2711.
• Executive Order 12333 ("EO 12333"): EO 12333 authorizes intelligence agencies (like the US National Security Agency) to conduct surveillance outside of the US. In particular, it provides authority for US intelligence agencies to collect foreign "signals intelligence" information, being information collected from communications and other data passed or accessible by radio, wire and other electromagnetic means. This may include accessing underwater cables carrying internet data in transit to the US. EO 12333 does not rely on the compelled assistance of service providers, but instead appears to rely on exploiting vulnerabilities in telecommunications infrastructure.

The U.S government, in response, has prepared a White Paper, providing information about privacy protections in current U.S. law and practices relating to government access to data for national security purposes, focusing in particular on the issues that appear to have concerned the ECJ in "Schrems II", for consideration by companies transferring personal data from the EU to the United States. To summarize some of the key points, the White Paper notes:

Regarding FISA 702

• For most companies, the concerns about national security access to company data highlighted by Schrems II are “unlikely to arise because the data they handle is of no interest to the U.S. intelligence community.” Companies handling “ordinary commercial information like employee, customer, or sales records, would have no basis to believe US intelligence agencies would seek to collect that data.”
• There is individual redress, including for EU citizens, for violations of FISA section 702 through measures not addressed by the court in the Schrems II ruling, including FISA provisions allowing private actions for compensatory and punitive damages.

Regarding EO 12333

• EO 12333 does not on its own “authorize the U.S. government to require any company or person to disclose data.” Instead, EO 12333 must rely on a statute, such as FISA 702 to collect data.
• Bulk data collection, the type of data collection at issue in Schrems II, is expressly prohibited under EO 12333.

Is Fudge likely impacted by FISA 702 or EO 12333?

Like most US-based SaaS companies, Fudge could technically be subject to FISA 702 or EO12333. However, we have not been subject to any FISA 702 or EO 12333 requests in the past and we believe that the risk of access to your data is low. Here is why:

FISA 702: The term "electronic communications service provider" is defined broadly to include telecommunications carriers, providers of electronic communications services and remote computing services, as well as any other communications service providers that have access to wire or electronic communications (either in transit or in storage). Fudge neither provides internet backbone services nor is a telecommunication carrier. However, the definition of a RCSP is broad enough that it could potentially capture any company that sends and receives electronic communications, regardless of the company's primary business or function.

While AWS (our subcontractor) is considered to be a RCSP and is technically subject to FISA 702, our DPA with AWS requires them to notify us in case of access by public authorities. Even so, we do not process personal data that is likely to be of interest to US intelligence agencies.

On top of this, we are committed to assist our customers in preventing, limiting, and handling such requests through additional contractual steps as outlined in our DPA.

EO 1233: EO 12333 contains no authorization to compel private companies like (such as Fudge) to disclose personal data to US authorities and FISA 702 requires an independent court to authorize a specific type of foreign intelligence data acquisition, which is generally unrelated to commercial information.

Have we practically dealt with such requests?

Fudge has not been subject to these types of requests in our day-to-day business operations.

Our position with regards to EU-US transfers

At Fudge, we believe that transfers of personal data by data exporters to Fudge (as the data importer) do not undermine the protections afforded data subjects by the SCCs, the GDPR, and the service agreement between Fudge and its customers.

This is because of our subprocessors' strong commitment to data privacy (including AWS's compliance with the CISPE Code), and the low likelihood that surveillance orders would be issued under the relevant laws discussed above.