You may have heard about the CJEU's recent ruling on EU data transfers. We've created this FAQs page to address any concerns you have about the decision and how it impacts your use of Sentry.
How is Sentry responding to the recent decision from the Court of Justice of the European Union (CJEU) regarding Privacy Shield?
Prior to the Schrems II decision (Case C‑311/18), Sentry relied on the EU-US Privacy Shield as the data transfer mechanism for EU data transfers. Now that the CJEU has held in its July 16, 2020 ruling that the Privacy Shield is an invalid data transfer mechanism, Sentry will rely instead on the Standard Contractual Clauses (SCCs) to transfer EU data to the U.S. Even as it invalidated the Privacy Shield, the CJEU confirmed in Schrems II that the Standard Contractual Clauses (SCCs) can be used to transfer data outside the EU in compliance with the GDPR.
Will you offer Standard Contractual Clauses (SCCs)?
Yes. The SCCs are contractual terms that allow companies to transfer and process data outside the EU in compliance with the GDPR. They were approved by the European Commission and are the primary mechanism for data transfers. You will find the Sentry SCCs in our newly revised Data Processing Addendum.
Apart from the SCCs, how else does Sentry protect my data?
Sentry has put in place a number of measures to ensure that customer data remains protected in compliance with the GDPR, even when it is processed in the US.
- Security. We are proud of the robust security framework that we have built. We have achieved international compliance standards (SOC 2 and Privacy Shield) and conduct regular external audits and penetration tests.
- Encryption. All data sent to Sentry is encrypted at rest. Sentry also sends data over HTTPS connections secured with Transport Layer Security (TLS), so data is encrypted in transit to and from the application.
- Data scrubbing. Our Data Scrubbing option also allows you to scrub any personally identifiable information (PII) from your data, to ensure that PII doesn't get sent to or stored on Sentry's servers.
- Data retention. We only retain event data for 90 days by default. After the retention period, all event data and most metadata is deleted from the service and from the server without additional archiving.
- Supplier commitments. We require our subprocessors to enter into GDPR-compliant data processing agreements with us to ensure that customer data will remain protected in accordance with the GDPR and our commitments to you.
- Government requests. We also provide our customers with a number of assurances about government requests for data. You can read more about our approach to data requests below.
You can find out more about our security program on our Security page.
How does Sentry handle government requests for data?
Sentry considers any government request for data very carefully. This includes requests both from law enforcement and from national security agencies. As a policy, we only respond to requests where we are legally compelled to do so – for example, where we have received a court order, subpoena, warrant, or other valid legal process that legally requires us to provide access to the data. We will also notify you of any requests that we receive, except where we are legally prevented from doing so.
Take a look at our transparency report for more information.
Is it true that European customers can't send personal data to the U.S. anymore?
No! Although the CJEU invalidated the EU-US Privacy Shield, it didn't say that all data transfers to the U.S. are illegal or that data should no longer be transferred to the U.S. In fact, the CJEU confirmed that companies can transfer data outside the EU – including to the U.S. – so long as they have implemented adequate safeguards to protect the data. There has been a lot of confusion on this topic, so we want to take a moment to explain.
Firstly, the CJEU said that the SCCs can be used to transfer data.
Secondly, it said that companies relying on the SCCs (the "data exporter" and "data importer") must assess whether the data which is subject to the transfer will remain protected according to EU standards.
In some cases, the SCCs will be enough on their own to satisfy this requirement. In other cases, the parties may need to agree on "additional measures" (also referred to as "supplementary measures") alongside the SCCs. Like many other US companies, we eagerly await further guidance from EU regulators and the European Data Protection Board (EDPB) that we hope will provide more clarity on what these "additional measures" should look like.
I want to use Sentry. Can I still do so after Schrems II?
Yes! We want to reassure you that Sentry is committed to protecting your data and complying with the GDPR. The Schrems II decision does not affect the strong data privacy protections we have put in place to ensure that customer data remains protected when it is transferred to, and stored in, the U.S.
Before Schrems II, Sentry relied on the Privacy Shield to receive customer data from Europe. From now on, we'll be making use of the SCCs to ensure we can continue to receive and process customer data from Europe in compliance with the GDPR.
We have already updated our standard Data Processing Addendum (DPA) to ensure that the SCCs are automatically incorporated in all our agreements. You can view our DPA at https://sentry.io/legal/dpa/2.0.0/.
To accept the DPA, follow these instructions.
Can you fill out a verification form?
Unfortunately, we are not able to provide individual responses to requests for verification forms. However, we have specifically developed these FAQs to answer our customers' queries and concerns regarding Sentry's compliance with EU/UK data export laws, and we therefore hope they will go some way toward meeting your concerns. If you have any remaining questions, please get in touch with us at firstname.lastname@example.org.
Where can I find a copy of your transparency report?
Our transparency report is at https://sentry.io/legal/transparency-report/.