If you are a user located in the European Economic Area (EEA), the United Kingdom or Switzerland (which we'll refer to collectively as “Europe”), or you use our platform to process data about your contacts in Europe, our Data Processing Addendum (DPA) has been drafted to enable you to transfer European personal data to Emercury in the United States and to permit Emercury to lawfully process that data on your behalf.
Emercury's European data export compliance
Emercury has certified its compliance to both the EU-US Privacy Shield Framework and the Swiss-US Privacy Shield Framework since 2018.
On July 16, 2020, Europe's highest court (the CJEU) invalidated the EU-US Privacy Shield. Additionally, on September 8, 2020, the Swiss Data Protection Authority announced in a position statement that it no longer considers the Swiss-US Privacy Shield adequate for the purposes of transfers of personal data from Switzerland to the US.
However, Emercury will continue to protect European data in compliance with the Privacy Shield Principles to which it has certified compliance. See our Global Privacy Statement for more details.
In addition, Emercury contractually commits to transfer and process all of its users’ European data in compliance with the Standard Contractual Clauses (the “SCCs”), which continue to give our users the ability to lawfully transfer data subject to European data protection law (including the GDPR) outside of Europe to Emercury in the United States. The SCCs automatically apply in accordance with Emercury's Data Processing Addendum.
We recently updated our Data Processing Addendum to ensure that it incorporates the new SCCs adopted by the European Commission on June 4, 2021. The new SCCs will apply automatically to any users who started using our service on or after September 27, 2021 and for all other users on December 27, 2022. This is consistent with the EU Commission’s Implementing Decision on June 4, 2021, which accompanied the new SCCs.
More information about data transfers
We know that some of our users may have questions about data transfer compliance, including the impact of the 2020 CJEU’s ruling regarding data transfers and the European Commission’s adoption of the new SCCs on June 4, 2021. In this section, we'll provide some common questions and answers.
What did the CJEU decide regarding data transfers from the EU?
On July 16, 2020, the CJEU invalidated the EU-US Privacy Shield Framework (Privacy Shield), which was one way for companies to transfer data legally from Europe to the US. At the same time, the CJEU confirmed that Standard Contractual Clauses (SCCs) continue to provide a valid mechanism for companies to transfer personal data outside of Europe.
However, the CJEU noted that, in addition to adhering to the SCCs, the data exporter and data importer may need to agree to supplemental measures to ensure an adequate level of protection for the transferred data. Following the CJEU decision, the European Data Protection Board published its Recommendations on supplementary measures, which aim to assist controllers and processors acting as data exporters with their duties. This includes identifying and implementing appropriate supplementary measures where they’re needed and ensuring an essentially equivalent level of protection to the data they transfer outside of Europe.
How does the CJEU's decision affect my use of Emercury?
Our users can continue to transfer European data to Emercury in the United States. We knew that the CJEU’s ruling was a possibility, so we have long provided our users with two layers of protection for data transfers from Europe to the US in our Data Processing Addendum: compliance with the EU-US Privacy Shield Framework and the SCCs.
While the CJEU's ruling invalidated the EU-US Privacy Shield Framework, it did not invalidate the SCCs, which remain a valid data export mechanism. Our agreements are structured in a way that the SCCs automatically take effect, so our users were protected by the SCCs immediately after the ruling. In addition, we will also continue to honor our obligations to protect European data in compliance with the Privacy Shield Principles.
Does Emercury transfer data outside of Europe? If so, to which countries?
No. If you are located outside of the United States, data is not transferred out of your geographic region. This means data we process will not be transferred to, stored or processed outside of your respective geographic areas and will be stored or processed in Europe. In addition, we use third-party vendors who process data on our behalf, to provide services to Emercury, and their servers may be located outside of Europe.
You can view the full list of sub-processors we use to process our members’ data, along with details of their location. We take steps to ensure that our vendors offer appropriate safeguards to protect personal data they process on our behalf, and contractually obligate them to process such data in compliance with applicable data protection laws.
What measures has Emercury implemented to protect European customer data processed outside of Europe?
Emercury has put a number of measures in place to ensure that European customer data remains protected while stored in Europe.
In addition to incorporating the SCCs, our Data Processing Addendum also specifies our commitments to security, confidentiality of processing, limitations on international transfers of personal data, cooperation with data subject rights, notice of security incidents, and more.
Importantly, Emercury does not sell, rent, or trade user data.
Emercury treats the privacy and security of our users’ data with paramount importance. Our security and privacy program is outlined in detail on our Security page.
Here’s a summary of some of the important and specific technical and organizational measures we have implemented (and will continue to implement) to safeguard against unauthorized access to user data:
Emercury has, where and to the extent technically feasible, implemented encryption technologies across its infrastructure to help protect user data from unauthorized access when it’s processed internally by Emercury. For example, all Emercury production pages use transport layer security (TLS), a secure encryption protocol, and Emercury's internal wireless network utilizes 128-bit WPA2 encryption. Further, Emercury email (256-bit), all VPN connections (256-bit), and the internal chat application (256-bit) are also encrypted. Login pages use TLS and have brute-force attack protection. This also applies to mobile Emercury applications and the Emercury API.
(2) Access controls
Emercury restricts third-party access to its internal tooling and infrastructure. Our Legal team evaluates all requests for access, ensures that the request is appropriate for the work to be performed, and ensures that the third party follows all security and privacy provisions outlined in their contract. Once approved, Emercury only grants access through controlled accounts to clearly defined portions of the system.
Emercury remains committed to maintaining the highest levels of privacy and security for our users. If you have questions about our security and privacy program, please email privacy @ Emercury.net.
We take all steps necessary to ensure that our agreements with our third-party international vendors (including sub-processors) contain appropriate commitments from such third parties regarding the transfer and processing of European data outside Europe and that we implement an appropriate and lawful data transfer mechanism (such as the Standard Contractual Clauses) and additional safeguards as necessary. Up-to-date details of the sub-processors we use to process our members’ data are available.
We no longer rely on the Privacy Shield as a transfer mechanism for data transfers given the EU-US Privacy Shield and Swiss-US Privacy Shield are no longer valid as a result of the recent CJEU ruling in Schrems II. However, to the extent Emercury has ongoing obligations under our existing Privacy Shield Certification, we will continue to honor them, including honoring the direct rights of redress provided to individuals against Emercury, including a right to invoke binding arbitration.
How does Emercury respond to information requests?
We carefully consider all requests for information, and as a policy, don’t provide third parties with information from an account that doesn’t belong to them unless we are legally compelled to do so. This means we will only respond to a valid court order, subpoena, search warrant, or other proper legal process seeking information and records from an Emercury account. Emercury uses certain guidelines when responding to requests for information, whether from a government or non-government entity:
We strive to maintain user privacy and confidentiality.
Where feasible, we ask the requestor to seek the information directly from the relevant account holders rather than from Emercury.
We ask the requestor to provide us with as much information as possible so that we can properly identify the correct user account. We will not respond to a request unless we first have adequate and specific information, such as an email address, email headers, internet domain, username, IP address, or other similar information, that enables us to identify and locate the correct account.
Absent a statutory exception under US law, we only respond to requests that have been made through valid US legal process. This means the legal process (such as subpoenas, discovery requests, search warrants, or court orders) must be properly domesticated by a US court of competent jurisdiction and issued in accordance with the applicable federal and/or state procedural rules before Emercury will respond.
Emercury does not accept requests directly from government entities outside the US. We only respond to foreign government requests made through a Mutual Legal Assistance Treaty or another available diplomatic or legal means to obtain information from Emercury.
In accordance with our Data Processing Addendum, Emercury will provide European users with written notice of compulsory requests to access their data, unless we are prohibited by law from doing so.
Does Emercury publish transparency reports about information requests?
In order to demonstrate our commitment to privacy and our efforts to be as transparent as possible, Emercury will begin to publish annual transparency reports to document the number and type of legal requests we receive. While there are restrictions over the level of detail we can provide, we will do our best to be as transparent as legally possible in all such reports. In the meantime, if you have any questions, please contact us at legal @ Emercury.net.
Does Emercury receive information requests from the US government?
At the heart of the recent CJEU ruling (and one of the main reasons the Privacy Shield was invalidated) was an expressed concern about US national intelligence and surveillance programs under Section 702, also referred to as the FISA Amendments Act, and under Executive Order 12333. As a matter of general practice, Emercury doesn’t voluntarily provide government agencies or authorities (including law enforcement) with access to or information about Emercury accounts.
However, as a B2B email marketing platform and therefore an “electronic communication service,” Emercury is, like nearly all US cloud service providers, the type of entity to which the US government is technically authorized to issue FISA directives under Section 702 or undertake intelligence gathering under EO 12333. This means Emercury can technically be served with these types of compulsory information requests.
Our annual transparency reports will document the limited number and specific types of legal requests Emercury has received. Further, as explained above, we also have strict policies and processes in place for responding to law enforcement information requests.
Can I execute the EU's Standard Contractual Clauses with Emercury?
If you would like to sign and execute a copy of the SCCs with Emercury, you can do so by making your request at legal @ Emercury.net with your account name, username, and/or email address associated with your username.