On Thursday, July 16, 2020, the Court of Justice of the European Union (CJEU) invalidated Privacy Shield, a transatlantic agreement between the EU and the U.S. for transferring personal data.
Our users’ security is a top priority, and the change won’t affect the way that they use JotForm. We have two options available to manage EU users’ data — our Data Processing Addendum and storing user data in European data centers.
JotForm users from Europe already start with EU Safe Mode enabled. We look up the IP addresses of new users, and if they’re in Europe, we keep their data in the EU only. So most users don’t need to do anything. Additionally, users who collect data in Europe can enable EU Safe Mode to keep all of their data in the EU.
Below are the options in more detail.
The first option is our Data Processing Addendum (DPA) agreement. With the launch of the General Data Protection Regulation (GDPR) in 2018, JotForm created a DPA, allowing the transfer of data from Europe to any country in the world. Though the CJEU has invalidated Privacy Shield, it has validated Standard Contractual Clauses (SCCs), which are available in our DPA.
“JotForm offers a Data Processing Addendum, including Model Clauses (Data Processing Addendum) that was approved in 2015 by the EU data protection authorities, known as the Article 29 Working Party. This Data Processing Addendum enables our customers to transfer personal data outside the European Economic Area (EEA) to any country in the world, while maintaining compliance.” Read the full blog post.
The second option is to store user data in Europe by utilizing EU Safe Forms. We released EU Safe Forms after the Safe Harbor Framework was invalidated in 2015. When a form response is submitted, it is kept on European servers and can only be accessed from JotForm’s European site.
“The only permanent solution is to do what European governments are asking: Store European user data only in European servers and never transfer it back to the U.S.
We updated our software with a new option, to transfer all user data to our European servers. Once a European user switches to EU Safe Mode, their form data will only be kept on our European servers.” Read the full blog post here.
We take our users’ security and privacy seriously, and always work to be one of the first SaaS companies to adopt new security measures, such as GDPR, HIPAA, CCPA, and more. We will follow updates on this matter and provide you with more information as needed. If you have any questions or concerns, please reach out to our customer support team at email@example.com.