Update Effective August 17, 2021:
Our mission is global, and therefore, we may store information in the United States and other locations worldwide where we or our service providers have facilities. In July 2020, The European Court of Justice (“ECJ”) invalidated Privacy Shield as a GDPR compliant method to transfer personal data from the EU to the US (see Schrems II Judgment). At the same time, the ECJ affirmed that adoption of and adherence to the EU’s Standard Contractual Clauses (“SCCs”) (with supplementary measures where appropriate) does meet GDPR requirements for lawful cross border transfers of EU personal data to the US and any other country that has not received an Adequacy Decision in accordance with GDPR.
Bitglass is committed to handling personal data received from the European Economic Area (“EEA”), the United Kingdom, and Switzerland responsibly and uses a variety of legal mechanisms to help ensure your rights and protections regarding the international transfer of your personal information. Specific to our Services, Bitglass provides a Data Protection Addendum (“DPA”) to customers that incorporates the SCCs. The Bitglass DPA, which is incorporated by reference into our standard terms and conditions, states that we apply the SCCs whenever we have occasion to transfer EU personal data to a country that has not received an Adequacy Decision. As applicable, Bitglass also participates in and has certified compliance with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework (collectively, the “Privacy Shield”) regarding the collection, use, and retention of personal data transferred from the European Union, the United Kingdom, and Switzerland to the United States. More information about the Privacy Shield can be found at http://www.privacyshield.gov.
Bitglass is responsible under the Principles and/or SCCs for the processing of personal data it receives and subsequently transfers to third parties acting as agents on our behalf. Bitglass remains liable if such an agent processes personal data transferred from the EEA, the United Kingdom, and Switzerland in a manner inconsistent with the Principles or SCCs (unless Bitglass can prove that we are not responsible for the event giving rise to the damage).
EU individuals and Swiss individuals have rights to access personal data about them, and to limit the use and disclosure of their personal data. With our Privacy Shield self-certification or reliance on the SCCs, Bitglass has committed to respect those rights. Bitglass personnel have limited ability to access the data our customers submit to our services. Therefore,if you wish to request access to your data, or limit the use, or disclosure of your data, please provide the name of the Bitglass customer who submitted your data to our services. We will refer your request to that customer, and will support them as needed in responding to your request. You may contact us at firstname.lastname@example.org if you have questions about our GDPR and Privacy Shield compliance.