Data Transfer Impact Assessment
This document provides information to help Jotform customers conduct data transfer impact assessments in connection with their use of Jotform’s form-building platform (the “Service”), taking into account the “Schrems II” ruling of the Court of Justice of the European Union and the recommendations of the European Data Protection Board.
This document describes the legal landscape that applies to Jotform in the US, the safeguards Jotform puts in place regarding transfers of personal data from the European Economic Area, United Kingdom, or Switzerland, and Jotform’s efforts to comply with its obligations as a data importer under the Standard Contractual Clauses (“SCCs”).
For more details about Jotform’s GDPR compliance program please see our GDPR compliance page.
Step 1: Know your transfer
Where Jotform processes personal data governed by European data protection laws as a data processor (on behalf of our customers), Jotform complies with its obligations under its Data Processing Addendum available here (“DPA”). The Jotform DPA incorporates the Standard Contractual Clauses and describes Jotform’s processing of personal data and Jotform’s security measures.
Please see the DPA for information on the nature of Jotform’s processing activities in connection with the provision of the Service, the types of personal data processed, and the categories of data subjects. A list of our data sub-processors can be found here.
In connection with providing our customers with the Service, Jotform usually stores personal data associated with a customer account in the US, but where agreed upon with a customer, that data may be stored in the UK or EU (not in the US), or in any other country where our sub-processors allow for storage. See https://cloud.google.com/about/locations and https://aws.amazon.com/about-aws/global-infrastructure/.
Jotform does not typically transfer personal data outside the country or region agreed upon with the customer. In the rare cases where we are required to produce personal data in order to comply with our legal obligations, such as in response to a subpoena or a law enforcement request, we will produce (transfer) it to the requesting party. See our privacy policy for more information.
Jotform also endeavors to provide customer and technical support locally, where the customer is located. When a support person within the customer’s country or region is not available to respond to a request for assistance, and the customer chooses to share personal data with a US-based support person, that support person may be able to see that data.
Step 2: Identify the transfer tool relied upon
Where personal data originating from the EEA or Switzerland is transferred to Jotform, Jotform relies upon the European Commission’s SCCs to provide an appropriate safeguard for the transfer. Where personal data originating from the UK is transferred to Jotform, Jotform relies upon the UK Addendum to the SCCs to provide an appropriate safeguard for the transfer. See our Data Processing Addendum here.
Step 3: Assess whether the transfer tool relied upon is effective in light of the circumstances of the transfer
U.S. Surveillance Laws
There are a number of surveillance laws in effect in the US. In its Schrems II judgment, the Court of Justice of the European Union identified FISA Section 702 and Executive Order 12333 as potential obstacles to the protection of personal data in the US; the CLOUD Act is also commonly considered in this context. New laws may be enacted.
Jotform, like most SaaS companies based in the US, could technically be subject to FISA Section 702 where it is deemed to be an electronic communication service provider, but we do not typically process personal data that would be of interest to US intelligence agencies. Section 702 is limited to the acquisition of foreign intelligence information concerning non-US persons located outside the US, under certifications and targeting procedures approved by the Foreign Intelligence Surveillance Court, which is generally unrelated to the types of data we collect. EO 12333 does not authorize the government to compel private companies such as Jotform to disclose personal data to US authorities.
We have not been subject to requests under these laws in our day-to-day business operations.
The CLOUD Act clarified that U.S. law requires providers subject to U.S. jurisdiction to disclose data that is responsive to valid U.S. legal process, regardless of where the provider stores the data. If Jotform were deemed to be a covered provider, the U.S. government could arguably require Jotform to produce data stored outside the U.S., including data stored in a country where a Jotform customer has chosen to keep its data, in response to a valid legal demand; a CLOUD Act agreement between the U.S. and that country would govern how conflicts with local law are handled. We have not yet faced such a demand based on the CLOUD Act.
Step 4: Identify the technical, contractual and organizational measures applied to protect the transferred data
For information on the technical and organizational measures, practices, and procedures Jotform uses to secure personal data, see our Security page. In our contracts with enterprise customers, we often agree to additional measures to protect the data. See also our DPA for other related measures. Among the measures we take: we generally allow customers to choose the country in which their data is stored; we encrypt personal data at rest and in transit; we obtain security certifications; we permit onward transfers only as agreed with the customer; we practice privacy by design; and we ensure that staff who may process personal data are trained and bound by confidentiality obligations.
Step 5: Procedural steps necessary to implement effective supplementary measures
Given the information provided in this document, our experience in protecting personal data, and our legal and contractual obligations, we believe that the risks involved in transferring and processing the personal data of EEA, Swiss, and UK residents are low. As such, we consider that no additional supplementary measures are necessary at this time.
Step 6: Re-evaluate at appropriate intervals
Jotform is committed to reviewing the risks of the transfers described above at appropriate intervals and in response to changes in applicable laws and other relevant circumstances.
Legal Notice: Please make your own independent assessment. The information in this document is for informational purposes only, reflects the current Jotform Service (which is subject to change without notice), and does not create any commitments, assurances, warranties, or guarantees as to any such matters. This document is not part of, nor does it modify, any agreement between Jotform and any customer.