Curipod, GDPR, cloud vendors and Schrems II

How Curipod is handling the implications of Schrems II

Dear teachers, students and school leaders

In the aftermath of the Schrems II verdict from the European Court, Curipod has received multiple questions from school leaders, teachers and students about which measures Curipod has taken in light of the verdict. The most common questions concern Curipod's use of subcontractors from the U.S. I am publishing this to clarify what we are doing at Curipod to stay GDPR compliant in accordance with the Schrems II verdict.

What is new after Schrems II?

In the Schrems II judgment, the European Court of Justice provides additional requirements for the transfer of personal data to countries outside the EU/EEA (third countries). This means that it is no longer sufficient to merely use a valid transfer basis such as the European Commission's standard provisions (EU SCC) or binding corporate rules (BCR). If one wants to transfer or process data in the U.S. or any other third country, one must establish “additional measures”. It is still unclear what this means in practice.

How Curipod uses US cloud vendors

All of Curipod's cloud hosting providers (Azure, Google) and third-party services (Mixpanel, Mailjet, Elasticsearch) host data in data centres within the EU/EEA. This means that all customer data in Curipod, including backups of customer data, is processed within the EU/EEA only.

The cloud hosting providers' personnel are not granted access to customer data. Curipod does not transfer customer data outside the EU/EEA, nor does Curipod instruct our cloud hosting providers or third-party services to do so.

What now?

We are paying close attention to all new information, such as the ongoing investigation by the EDPS of the European Union's use of Azure and AWS, so that we can always stay compliant with the GDPR.