Planful

Transfer Impact Assessments

Overview

This Transfer Impact Assessment, conducted in light of the “Schrems II” ruling of the Court of Justice for the European Union, provides Planful’s customers with the necessary information to conduct their own data transfer impact assessments.

Planful transfers data outside of Europe in order to provide the Planful services to our customers. This document describes the safeguards Planful has in place in connection with transfers of customer personal data from the European Economic Area, United Kingdom or Switzerland (“Europe”), and Planful’s ability to comply with its obligations as “data importer” under the Standard Contractual Clauses (“SCCs”).

Data Transfers

Planful complies with its obligations as a Data Importer under its Data Processing Addendum (“DPA”). The Planful DPA incorporates the SCCs and provides descriptions of Planful’s processing of the personal data (Appendix 1) and a description of Planful’s security measures (Appendix 2).

A list of our data sub-processors and the ability to sign up to receive updates to our sub-processor list can be found here.

Transfer Mechanism

Where personal data originates from Europe, Planful utilizes the European Commission’s SCCs to provide for an appropriate safeguard for transfer. These are included in our DPA.

Where personal data originating from Europe is transferred between Planful and third party sub-processors, Planful executes SCCs with those sub-processors.

Effectiveness of the Transfer Mechanism

U.S. Surveillance Laws

The Court of Justice identified FISA Section 702 (“FISA 702”) and Executive Order 12333 (“EO 12333”) as potential hindrances in accomplishing the same level of protection for personal data in the United States. More information about these laws and other U.S. surveillance laws can be found in the whitepaper Information on U.S. Privacy Safeguards Relevant to SCCs and Other EU Legal Bases for EU-U.S. Data Transfers after Schrems II from the United States Department of Commerce.

Is Planful subject to FISA 702 or EO 12333?

As a SaaS technology provider, Planful could be subject to FISA 702. However, Planful does not process personal data which is likely to be of interest to U.S. intelligence agencies. Planful is also unlikely to be subject to upstream FISA 702 orders, as we only carry traffic related to our own customers and do not provide internet backbone services (as telecommunications providers do). Additionally, EO 12333 does not contain authorization to compel private companies (such as Planful) to disclose data.

Technical, Organizational, and Contractual Measures Safeguard Transferred Data

Technical Measures

Planful’s technical measures to protect customer data include:

  • Data Hosting Location: Customer data will be stored in AWS locations based on the geographic region from which the data originates. Data originating in Europe is hosted in the United Kingdom and Ireland.
  • Encryption: Data is encrypted both in transit and at rest.
  • Security Certifications: Planful maintains SOC I, SOC II, SOC III, and ISO 27001 certifications.

Organizational Measures

Planful’s organizational measures to protect customer data include:

  • Onward Transfers: Whenever Planful shares customer personal data with third party sub-processors, we are responsible for how such data is used. All third party sub-processors undergo a thorough diligence process by Planful’s Security and Privacy teams to ensure that customer data will receive adequate protection. This process includes a review of security policies documentation, security certifications, the categories of data which will be processed, assessment of the risk level, and negotiation and execution of DPAs which align with our customer DPAs.
  • Employee Training: Planful requires all employees to take GDPR-specific and other data protection trainings biannually.

Contractual Measures

Planful’s contractual measures are set forth in the DPA and SCCs, which subject us to the requirements below:

  • Technical Measures: Planful is obligated under its DPA and the SCCs to have technical and organizational measures in place which adequately protect personal data.
  • Transparency: Planful is required under the SCCs to notify any affected customer if Planful receives a request for access to customer data from a governmental authority. In the event Planful is prohibited from disclosing the request to the affected customer, Planful is obligated to challenge such prohibition and seek a waiver.
  • Challenging Access: Planful must review the legality of the governmental access requests and challenge them where they are considered unlawful per the SCCs.

Steps to Implement Necessary Procedural Measures

Given the information discussed in this Transfer Impact Assessment, including the technical, organizational, and contractual measures Planful undertakes to protect customer personal data, Planful does not consider the risks involved in transferring and processing European personal data in/to the US and India to inhibit our ability to comply with our obligations under the SCCs as the data importer or to ensure that individuals’ rights remain protected. As such, no additional supplementary measures are currently required.

Re-evaluation as Appropriate:

Planful will review and, as necessary, re-evaluate the risks involved and the measures it has implemented to address changing data privacy regulations and risk environments associated with transfers of personal data outside of Europe.

Country Specific Transfers

India

Purpose of Transfer and any further Processing

  • Internal transfer: Planful has a registered office and operations in India. Planful employees may require access to customer personal information to provide the services and support.
  • Transfer to sub-processors: Planful uses sub-processors in order to provide the Planful services to customers. Planful sub-processors may access personal data in India. Please refer to the list of sub-processors in the DPA or here.

Frequency of Transfer

  • Internal transfer: Client Data is transferred on a continuous basis.
  • Transfer to sub-processors: Data is transferred to sub-processors as approved by the data controller.

Categories of Personal Data Transferred

  • Internal transfer: The data transferred is Client Personal Data as defined in the DPA.
  • Transfer to sub-processors: Please see Appendix 1 of SCCs for information regarding the categories of personal data transferred to sub-processors.

Sensitive Data Transfer

We do not intentionally transfer any sensitive personal data. We expressly prohibit processing of sensitive personal data in our software.

Technical, Organizational, and Contractual Obligations

Information regarding technical, organizational, and contractual obligations is provided in the corresponding sections above.

Law Enforcement Requests

Should Planful receive any requests for access from law enforcement, we will notify the customer to the extent lawfully permitted. If we are not permitted to disclose the request to the customer, we will challenge the request and seek to obtain a waiver. Planful will also review and challenge the legality of the requests and not provide access to the data if the request is considered unlawful. We require the same of our sub-processors.

Length of Processing Chain

  • Internal transfer: Personal data is processed within Planful.
  • Transfer to sub-processors: Personal data is transferred externally to our sub-processors.

Applicable Transfer Mechanisms

We use Standard Contractual Clauses for onward transfers to our sub-processors.

United States

Purpose of Transfer and any further Processing

  • Internal transfer: Planful has its headquarters in the United States. Planful employees may require access to customer personal information to provide the services and support.
  • Transfer to sub-processors: Planful uses sub-processors in order to provide the Planful services to customers. Planful sub-processors may access personal data in the United States. Please refer to the list of sub-processors in the DPA or here.

Frequency of Transfer

  • Internal transfer: Client Data is transferred on a continuous basis.
  • Transfer to sub-processors: Data is transferred to sub-processors as approved by the data controller.

Categories of Personal Data Transferred

  • Internal transfer: The data transferred is Client Personal Data as defined in the DPA.
  • Transfer to sub-processors: Please see Exhibit A of the DPA and Appendix 1 of SCCs for information regarding the categories of personal data transferred to sub-processors.

Sensitive Data Transfer

We do not intentionally transfer any sensitive personal data. We expressly prohibit processing of sensitive data in our software.

Technical, Organizational, and Contractual Obligations

Information regarding technical, organizational, and contractual obligations is provided in the corresponding sections above.

Law Enforcement Requests

Should Planful receive any requests for access from law enforcement, we will notify the customer to the extent lawfully permitted. If we are not permitted to disclose the request to the customer, we will challenge the request and seek to obtain a waiver. Planful will also review and challenge the legality of the requests and not provide access to the data if the request is considered unlawful. We require the same of our sub-processors.

Length of Processing Chain

  • Internal transfer: Personal data is processed within Planful.
  • Transfer to sub-processors: Personal data is transferred externally to our sub-processors.

Applicable Transfer Mechanisms

We use Standard Contractual Clauses for onward transfers to our sub-processors.
