The US CLOUD Act applies to cloud service providers that are subject to US jurisdiction; the following explains Tresorit's position in this context.
Encrypted Content
Tresorit encrypts all data in transit using SSL (Secure Sockets Layer) and applies additional client-side encryption to all files and folders stored in protected locations (Encrypted Content).
This is a core security feature and is highly relevant to potential government access requests. With current technology, Encrypted Content cannot be decrypted by Tresorit or by any unauthorized third party.
From a data-protection perspective, strong encryption is considered a sufficient safeguard for personal data when certain conditions are met, as confirmed by the European Data Protection Board.
Service Data
To operate its services, Tresorit processes certain non-encrypted information (Service Data), which may include personal data. How Tresorit collects, uses, and discloses Service Data is described in the Privacy Policy and, where applicable, the Data Processing Agreement.
Customers should evaluate Tresorit's services and sub-processors based on the type, volume, and sensitivity of the Service Data processed. As part of this assessment, the following points may be relevant:
- For data storage, Tresorit has entered into a data processing agreement and Standard Contractual Clauses with Microsoft.
- Microsoft commits to using all lawful means to challenge government requests for public-sector or enterprise customer data, from any government, where a legal basis exists.
- Microsoft publishes transparency reports twice a year.
Based on these factors, customers may reasonably conclude that there is no practical reason to expect the US CLOUD Act to be applied to their Service Data.
ℹ️ Our Schrems II article explains the impact of the decision on international and US data transfers.