Privacy at DocRaptor: Why and How We Joined the New US-EU Privacy Shield Program

Given the recent tumult concerning US-EU privacy agreements, we thought it would be useful to review DocRaptor’s privacy standards and our experience joining the new Privacy Shield program (if you just want to learn about joining Privacy Shield, scroll towards the bottom).

DocRaptor Privacy

As you can imagine, DocRaptor’s HTML-to-PDF conversion service sees a lot of private documents, from financial reports to legal paperwork. We take security and privacy very seriously, both for our US-based customers and our many international users. As an example, here are a few privacy-oriented actions we take:

  • Default to SSL encryption for all content in transit
  • Encrypt all documents at rest (“at rest” meaning not actively in conversion, but sitting on the server)
  • Delete input and output HTML based on a user’s data retention policy (allows users to prioritize ease of support or privacy, as best fits their needs)
  • Employ industry standard security measures, including:
    • No password-based SSH access
    • No shared developer credentials
    • No global AWS access
    • Strict firewalling between servers/groups of servers
  • Provide a detailed security policy and information whitepaper
  • And until recently, we were part of the US-EU Safe Harbor program

The end of Safe Harbor and a supplemental contract

In October of 2015, the European Court of Justice declared the long-standing Safe Harbor program to be invalid. This created confusion and uncertainty for both US- and EU-based companies, DocRaptor included.

After discussions with our legal team, it seemed likely that a new agreement would be reached as a Safe Harbor replacement, but it might take many months to complete. In the meantime, we created an EU-specific supplemental contract for our EU customers which laid out, in detail, our data-processing, audit procedures, and security measures. This provided a legal framework that allowed our EU customers to remain within EU laws. We viewed the use of this contract as temporary until Safe Harbor was officially replaced, and we provided it to all customers who inquired about privacy compliance.

The bright new future of Privacy Shield

After prolonged negotiation between various US and EU groups, Privacy Shield was announced as the replacement of Safe Harbor. The framework allows for the legal transfer of personal data, for commercial purposes, between the European Union and the United States. There’s still some uncertainty about Privacy Shield and how it will actually work, but we’re confident that being part of Privacy Shield will be better for DocRaptor and our customers. To that end, we have discontinued use of our supplemental contract in favor of Privacy Shield certification.

What’s different for DocRaptor under Privacy Shield

By self-certifying for Privacy Shield, we agree to follow the Privacy Shield Principles in relation to our EU customers. Fortunately, these principles generally align with our existing practices, but we needed to make a few small changes. Here’s what we’ve done differently:

  • Create a Privacy Shield-compliant privacy policy, including for our parent company. This is part of the “Notice” Privacy Shield Principle. DocRaptor’s parent company, Expected Behavior, runs three major products: DocRaptor, Instrumental, and Gauges. During the Safe Harbor days, we had three different privacy policies, one for each of our products. Under Privacy Shield, privacy policies pertaining to a product must reference the legal business entity operating that product, and the same privacy policy must be listed on both the product’s website and the legal entity’s website. We took this requirement as an opportunity to update and consolidate all of our dissimilar policies. We now have one master privacy policy displayed across all four websites. It took a little extra time to unite all our products under the new Privacy Shield language, but it’s been well worth the investment.
  • Accept greater liability. This is part of the “Recourse, enforcement and liability” principle. Under the Privacy Shield, companies are liable for transferring personal data to third parties, unless they can prove they’re not responsible for the damaging event. We’re used to a legal world that makes our vendors liable for damages they cause. Privacy Shield applies a different standard to liability, but the real-world implications are still unclear. We discussed this at length with our attorney and decided we are confident enough in our vendors to accept the risk of greater liability. We recommend anyone considering self-certification have similar conversations with a qualified attorney and ensure that any providers you use adhere to the same Privacy Shield principles.
  • Enroll in a dispute resolution program. This is also part of the “Recourse, enforcement and liability” principle. To fulfill this requirement, we chose to work with the BBB (although there are several other options). We’ve worked with the BBB’s dispute resolution service since first becoming Safe Harbor certified, and they’ve been extremely valuable in helping us navigate the transition from Safe Harbor to Privacy Shield.

Those are the only major changes we needed to self-certify for Privacy Shield, and we were fortunate to be in a privacy-friendly position already. There may be significant changes your organization needs to make, so be careful! This great blog post from the International Association of Privacy Professionals dives deeper into some of the other differences between Privacy Shield and Safe Harbor.

How we became Privacy Shield self-certified / TL;DR

Here’s the process we went through to become self-certified:

  1. Followed the Safe Harbor/Privacy Shield negotiations very closely (fortunately, you don’t need to do that any more!)
  2. Read the entire Privacy Shield website very closely
  3. Had plenty of discussions with our lawyer
  4. Joined the BBB dispute resolution program
  5. Made a list of things we needed to change to become compliant with the Privacy Shield Principles (see above discussion of what’s different)
  6. Updated our privacy policy (more discussions with our lawyer!)
  7. Had our privacy policy approved by the BBB
  8. Posted our new privacy policy across all four websites
  9. Applied to the Department of Commerce (they’re in charge of keeping track of which companies have self-certified) through the Privacy Shield website and paid a modest fee
  10. Moving forward, we need to make sure all of our partners are in compliance by June 2017. Since we applied by September 30, 2016, we have a nine-month grace period to ensure our third-party partners are also in compliance. We’ve completed all our changes, but we need to make sure our partners (such as Amazon AWS and Stripe) are in full compliance with the principles. While highly unlikely, if some of our partners are not in compliance by the deadline (most already are), we will need to stop working with them. If you did not self-certify by September 30th, you will not be able to self-certify until you AND all your partners are in compliance with ALL the principles.

In the end, after a long period of uncertainty, this was a relatively simple process. We’re happy to have an even stronger framework to ensure the privacy of our EU customers and we hope this blog post helps both our customers and other SaaS companies. If your organization needs to make invoices, reports, brochures or any other documents, DocRaptor is the easiest way to transform HTML into PDF or XLS files!