This overview summarizes the US CLOUD Act from Tresorit's perspective:
- Encrypted Content: Tresorit encrypts every transmission containing personal data using Secure Socket Layer (SSL) technology and applies additional, client-side encryption to the files and directories uploaded and stored in protected storage folders ("Encrypted Content").
This unique feature of the Tresorit Services is relevant to potential government requests because, according to the current state of the art, Encrypted Content cannot be decrypted or inverted by Tresorit or any unauthorized third party. This has also been confirmed from a data protection perspective, as encryption is considered a sufficient safeguard to protect personal data if it meets certain conditions, in accordance with a recent recommendation of the European Data Protection Board.
- Service Data: To operate and provide the Services, Tresorit also collects certain non-encrypted information ("Service Data") that may include personal data. Further information about how Tresorit collects, uses and discloses Personal Data is set out in Tresorit’s Privacy Policy and the Data Processing Agreement (if applicable).
Customers should carry out their own assessment of the Tresorit services and Tresorit's sub-processors with a view to the amount and sensitivity of “Service Data” processed via our services. For that assessment, customers may also wish to take the following into account:
- For data storage purposes, Tresorit has entered into a data processing agreement as well as standard contractual clauses with Microsoft. Microsoft undertakes that it will use all lawful efforts to challenge every government request for public sector or enterprise customer data – from any government – where there is a lawful basis for doing so.
- In addition, Microsoft publishes a transparency report twice a year. According to the recent Transparency Report of Microsoft, [in the first half of 2021] “Microsoft received 120 legal demands from law enforcement in the United States for commercial enterprise customers who purchased more than 50 seats. Of those demands, 2 warrants resulted in disclosure of content data related to a non-US enterprise customer whose data was stored outside of the United States”.
Depending on the circumstances, this may lead the customer to conclude that there is no reason to believe that the CLOUD Act will be applied in practice in connection with its Service Data.
When it comes to the international transfer of personal data, our summary of the Schrems II decision and its impact on US data transfers, which can be found here, may also be helpful.