Contentful takes privacy seriously — we see ourselves as caretakers of our customers’ personal data. Some customers have had questions about recent legal changes associated with the transmission of data between the United States and the European Union. We’re able to confirm that Contentful customers’ data remains secure and is transferred via lawful mechanisms between the EU and the U.S.
The EU-U.S. Privacy Shield and Standard Contractual Clauses
The Court of Justice of the European Union recently invalidated the EU-U.S. Privacy Shield Framework. The Privacy Shield Framework, adopted in 2016 by the European Commission following the invalidation of the “Safe Harbor,” was previously a lawful mechanism for transferring personal data from the European Union to the United States and other “third countries.”
However, the court’s decision confirmed that the EU Standard Contractual Clauses (SCCs) remains a valid mechanism to transfer personal data from the EU to the U.S. SCCs were drafted as a means of protecting personal data leaving the European Economic Area (EEA) through contractual obligations in compliance with Article 46 of the EU General Data Protection Regulation.
Companies can continue to operate as usual if they’re compliant with SCCs, which Contentful is.
Privacy for Contentful customers
As applicable, Contentful entities (Contentful GmbH in Germany and Contentful Inc. in the U.S.) sign a Data Processing Addendum (DPA) with our customers that reflects our commitment to lawful data processing, including the SCCs.
If your company hasn’t entered into a version of a DPA that includes the SCCs, you may contact your Contentful account representative who will facilitate the signing of the contract.
It’s not just Contentful. Our suppliers are secure, too
We ensure that all of our suppliers that process personal data on our behalf (known as sub-processors) offer the SCCs as a lawful data transfer mechanism instead of Privacy Shield.
Our sub-processors, some of which are based in the U.S., are listed on our public web page. All sub-processors agree to the SCCs.
Planning for the future
Contentful complies with the strict regulations of the GDPR and the CCPA in the locations of our two main business hubs, Berlin and San Francisco. Our approach to the privacy and security of our customers’ data is also reflected in maintaining an ISO 27001 certified information security management system.
Privacy laws are always evolving, but our customers can rely on Contentful’s commitment to ensuring compliance with laws and security of their data on our platform. We will continue to closely follow the European Data Protection Board’s recommendations going forward.