United States Laws Applicable to RedJade
The following US laws were identified by the Court of Justice of the European Union in Schrems II as being potential obstacles to ensuring essentially equivalent protection for personal data in the US:
FISA Section 702 (“FISA 702”) – allows US government authorities to compel disclosure of information about non-US persons located outside the US for the purposes of foreign intelligence information gathering. This information gathering must be approved by the Foreign Intelligence Surveillance Court in Washington, DC. In-scope providers subject to FISA 702 are electronic communication service providers (“ECSP”) within the meaning of 50 U.S.C. § 1881(b)(4), which can include remote computing service providers (“RCSP”), as defined under 18 U.S.C. § 2510 and 18 U.S.C. § 2711.
Executive Order 12333 (“EO 12333”) – authorizes intelligence agencies (like the US National Security Agency) to conduct surveillance outside of the US. In particular, it provides authority for US intelligence agencies to collect foreign “signals intelligence” information, being information collected from communications and other data passed or accessible by radio, wire and other electromagnetic means. This may include accessing underwater cables carrying internet data in transit to the US. EO 12333 does not rely on the compelled assistance of service providers, but instead appears to rely on exploiting vulnerabilities in telecommunications infrastructure.
Further information about these US surveillance laws can be found in the U.S. Privacy Safeguards Relevant to SCCs and Other EU Legal Bases for EU-U.S. Data Transfers after Schrems II whitepaper from September 2020. This whitepaper details the limits and safeguards pertaining to US public authority access to data and was issued in response to the Schrems II ruling.
Regarding FISA 702 the whitepaper notes:
For most companies, the concerns about national security access to company data highlighted by Schrems II are “unlikely to arise because the data they handle is of no interest to the U.S. intelligence community.” Companies handling “ordinary commercial information like employee, customer, or sales records, would have no basis to believe US intelligence agencies would seek to collect that data.”
There is individual redress, including for EU citizens, for violations of FISA section 702 through measures not addressed by the court in the Schrems II ruling, including FISA provisions allowing private actions for compensatory and punitive damages.
Regarding Executive Order 12333 the whitepaper notes:
EO 12333 does not on its own “authorize the U.S. government to require any company or person to disclose data.” Instead, EO 12333 must rely on a statute, such as FISA 702, to collect data.
Bulk data collection, the type of data collection at issue in Schrems II, is expressly prohibited under EO 12333.
CLOUD Act
For more information on the CLOUD Act, review What is the CLOUD Act? by BSA Software Alliance outlining the scope of the CLOUD Act.
The whitepaper notes:
The CLOUD Act only permits U.S. government access to data in criminal investigations after obtaining a warrant approved by an independent court based on probable cause of a specific criminal act.
The CLOUD Act does not allow U.S. government access in national security investigations, and it does not permit bulk surveillance.
Is RedJade subject to FISA 702 or EO 12333?
RedJade, like most US-based SaaS companies, could technically be subject to FISA 702 where it is deemed to be an RCSP. However, RedJade does not process personal data that is likely to be of interest to US intelligence agencies.
Furthermore, RedJade is not likely to be subject to upstream surveillance orders under FISA 702, the type of order principally addressed in, and deemed problematic by, the Schrems II decision. RedJade does not provide internet backbone services, but instead only carries traffic involving its own customers. To date, the U.S. Government has interpreted and applied FISA 702 upstream orders to only target market providers that have traffic flowing through their internet backbone and that carry traffic for third parties (i.e., telecommunications carriers).
EO 12333 contains no authorization to compel private companies (such as RedJade) to disclose personal data to US authorities and FISA 702 requires an independent court to authorize a specific type of foreign intelligence data acquisition which is generally unrelated to commercial information. In the event that US intelligence agencies were interested in the type of data that RedJade processes, safeguards such as the requirement for authorization by an independent court and the necessity and proportionality requirements would protect data from excessive surveillance.
Transparency Report
To date (2-March-2022), RedJade has not received a request from public authorities to disclose personal data.
RedJade Guidelines for Law Enforcement Requests
RedJade respects the rules and laws of the jurisdiction in which it operates, as well as the privacy and rights of its customers. Accordingly, RedJade provides Information in response to law enforcement or other public authority requests only when we reasonably believe that we are legally required to do so. To protect our customers’ rights, we carefully review requests to ensure that they comply with the law and are within the powers of the requesting authority or law enforcement official.
To obtain Information from RedJade, public authority and law enforcement officials must provide legal process appropriate for the type of information sought, such as a subpoena, court order, or a warrant. For example, RedJade will not provide non-public content unless served with a valid search warrant, issued on a showing of probable cause by a federal or state court authorized to issue search warrants, which requires RedJade to disclose the content. Please review these guidelines before submitting a law enforcement request to RedJade.
RedJade reviews all governmental requests for data. RedJade strictly construes requests for data, and seeks to limit or object to requests that are overbroad or seek a large amount of information or affect a large number of users. RedJade also objects where production is prohibited or where the process served is insufficient to compel production of the requested data under the Electronic Communications Privacy Act, 18 U.S.C. § 2701, et seq. or other applicable law. RedJade reserves the right to appeal any request for information, where available, and shall not disclose the requested information until required to do so under applicable procedural rules.
These guidelines are intended to serve as an informational resource and do not create obligations or waive any objections concerning how RedJade will respond in any particular case or request. RedJade reserves the right to seek reimbursement for the costs associated with responding to public authority or law enforcement data requests, where appropriate.
RedJade’s policy is to notify customers of requests for their information and provide them with an opportunity to object to the disclosure 7-10 days prior to production, unless such notification is prohibited by law (including where RedJade has been unable or unsuccessful at obtaining a waiver of such prohibition). RedJade may shorten the notice period in its discretion, but generally only does so in emergency situations. Public authority or law enforcement officials who believe that notification would jeopardize, for example, an investigation should obtain an appropriate court order or other process that specifically prohibits customer notification, such as an order issued under 18 U.S.C. § 2705(b).
Further, if your request places RedJade on notice of an ongoing or prior violation of our acceptable use policy, we will take action to prevent further violation, including account termination and other actions that may notify the user that we are aware of the misconduct. If you believe in good faith that taking such actions will jeopardize an ongoing investigation, you may request that RedJade defer such action in your request. RedJade will evaluate such requests on a case-by-case basis. It is the responsibility of the requesting law enforcement official to make this request, as it is RedJade’s policy to enforce its terms of use.
Serving a Valid Law Enforcement Request & Contact Information
Email Address for Law Enforcement Questions and to Send Legal Process: lawenforcement@redjade.net
Mailing Address for Law Enforcement Requests:
RedJade Sensory Solutions, LLC
Attn: Legal Department
1330 Arnold Drive, #254
Martinez, CA 94553
USA
While we agree to accept service of public authority and law enforcement requests by these methods, neither RedJade nor our customers waive any legal rights based on this accommodation.
Each request must include contact information for the authorized public authority or law enforcement agency official submitting the request, including:
Requesting agency name
Requesting agent name and badge/identification number
Requesting agent employer-issued email address
Requesting agent phone contact, including any extension
Requesting agent mailing address (P.O. Box will not be accepted)
Requested response date (see details below for emergency requests)
Please note that requests seeking testimony must be personally served on our registered agent for service of process. We do not accept such requests in person or via email.
International Law Enforcement and Public Authority Requests
U.S. law authorizes RedJade to respond to requests for Customer Information from foreign law enforcement agencies that are issued via a U.S. court either by way of a Mutual Legal Assistance Treaty (MLAT) request or letter rogatory. It is our policy to respond to such U.S. court-ordered requests only when they are properly served, appropriately scoped, within the power of the requesting authority or agency, and in accordance with applicable legal process. RedJade will evaluate emergency requests from foreign law enforcement on a case-by-case basis, consistent with U.S. law and the laws of other countries, if applicable. Emergency requests may be submitted directly to RedJade via the procedure described below.
Emergency Requests
RedJade evaluates emergency requests on a case-by-case basis. If you provide information that gives us a good faith belief that there is an emergency involving imminent danger of death or serious physical injury to any person, we may provide information necessary to prevent that harm if we are in a position to do so, consistent with applicable law.
Emergency requests may be submitted via email to lawenforcement@redjade.net with the subject line “Emergency Disclosure Request”, and by completing and sending this form.
Technical and Organizational Measures
The following sections define RedJade’s current technical and organizational measures. RedJade may change these at any time without notice so long as it maintains a comparable or better level of security. Individual measures may be replaced by new measures that serve the same purpose without diminishing the security level protecting Personal Data. To the extent that the provisioning of RedJade comprises New SCC Relevant Transfers, the Technical and Organizational Measures set out in Annex III describe the measures and safeguards which have been taken to fully take into consideration the nature of the personal data and the risks involved.
Physical Access Control. Unauthorized persons are prevented from gaining physical access to premises, buildings, or rooms where data processing systems that process and/or use Personal Data are located.
Measures:
- RedJade protects its assets and facilities.
- Depending on the security classification, buildings, individual areas, and surrounding premises may be further protected by additional measures. These include specific access profiles, video surveillance, intruder alarm systems and biometric access control systems.
- Access rights are granted to authorized persons on an individual basis according to the System and Data Access Control measures.
Additional measures for Data Centers:
- All Data Centers adhere to strict security procedures enforced by guards, surveillance cameras, motion detectors, access control mechanisms and other measures to prevent equipment and Data Center facilities from being compromised. Only authorized representatives have access to systems and infrastructure within the Data Center facilities. To protect proper functionality, physical security equipment (e.g., motion sensors, cameras, etc.) undergoes maintenance on a regular basis.
- Third-party Data Center providers log the names and times of authorized personnel entering private areas within the Data Centers.
System Access Control. Data processing systems used to provide the Cloud Service must be prevented from being used without authorization.
Measures:
- Multiple authorization levels are used when granting access to sensitive systems, including those storing and processing Personal Data. Authorizations are managed via defined processes according to RedJade’s Security Policy.
- All personnel access RedJade’s systems with a unique identifier (user ID).
- RedJade has procedures in place so that requested authorization changes are implemented only in accordance with RedJade’s Security Policy (for example, no rights are granted without authorization). In case personnel leaves the company, their access rights are revoked.
- RedJade has established a password policy that prohibits the sharing of passwords, governs responses to password disclosure, and requires passwords to be changed on a regular basis and default passwords to be altered. Personalized user IDs are assigned for authentication. All passwords must fulfill defined minimum requirements and are stored in encrypted form. In the case of domain passwords, the system forces a password change every six months in compliance with the requirements for complex passwords.
- The company network is protected from the public network by firewalls.
- RedJade uses up-to-date antivirus software at access points to the company network (for e-mail accounts), as well as on all file servers and all workstations.
- Security patch management is implemented to provide regular and periodic deployment of relevant security updates. Full remote access to RedJade’s corporate network and critical infrastructure is protected by strong authentication.
Data Access Control. Persons entitled to use data processing systems gain access only to the Personal Data that they have a right to access, and Personal Data must not be read, copied, modified or removed without authorization in the course of processing, use and storage.
Measures:
- Access to Personal Data is granted on a need-to-know basis. Personnel have access to the information that they require in order to fulfill their duty. RedJade uses authorization concepts that document grant processes and assigned roles per account (user ID). All Customer Data is protected in accordance with RedJade’s Security Policy.
- All production servers are operated in Secure Data Centers. Security measures that protect applications processing Personal Data are regularly checked. To this end, RedJade conducts internal and external security checks and penetration tests on its IT systems.
- RedJade security standards govern how data and data carriers are deleted or destroyed once they are no longer required.
Data Separation Control.
Measures:
- RedJade uses the technical capabilities of the deployed software (for example: multi-tenancy, system landscapes) to achieve data separation among Personal Data originating from multiple customers.
- Customer (including its Controllers) has access only to its own data.
Data Transmission Control. Except as necessary for the provision of the Services in accordance with the Agreement, Personal Data must not be read, copied, modified, or removed without authorization during transfer.
Measures:
- Personal Data in transfer is protected according to RedJade’s Security Policy.
- When data is transferred between RedJade and its customers, the protection measures for the transferred Personal Data are mutually agreed upon and made part of the relevant agreement. This applies to both physical and network-based data transfer. In any case, the Customer assumes responsibility for any data transfer once it is outside of RedJade-controlled systems (e.g. data being transmitted outside the firewall of the RedJade Data Center).
Data Input Control. It will be possible to retrospectively examine and establish whether and by whom Personal Data have been entered, modified or removed from RedJade data processing systems.
Measures:
- RedJade only allows authorized personnel to access Personal Data as required in the course of their duty.
- RedJade has implemented a logging system for the input, modification, deletion or blocking of Personal Data by RedJade or its subprocessors within the Service, to the extent technically possible.
Job Control. Personal Data being processed on commission (i.e., Personal Data processed on a customer’s behalf) is processed solely in accordance with the Agreement and related instructions of the customer.
Measures:
- RedJade uses controls and processes to monitor compliance with contracts between RedJade and its customers, subprocessors or other service providers.
- As part of RedJade’s Security Policy, Personal Data requires at least the same protection level as “confidential” information.
- All RedJade employees and contractual subprocessors or other service providers are contractually bound to respect the confidentiality of all sensitive information including trade secrets of RedJade customers and partners.
Availability Control. Personal Data will be protected against accidental or unauthorized destruction or loss.
Measures:
- RedJade employs regular backup processes to provide restoration of business-critical systems as and when necessary.
- RedJade uses uninterruptible power supplies (for example: UPS, batteries, generators, etc.) to protect power availability to the Data Centers.
- RedJade has defined business contingency plans for business-critical processes and may offer disaster recovery strategies for business-critical Services as further set out in the Documentation or incorporated into the Order Form for the relevant Service.
- Emergency processes and systems are regularly tested.
Data Integrity Control. Personal Data will remain intact, complete and current during processing activities.
Measures:
RedJade has implemented a multi-layered defense strategy as a protection against unauthorized modifications. RedJade uses the following to implement the control and measure sections described above:
- Firewalls
- Security Monitoring Center
- Antivirus software
- Backup and recovery
- External and internal penetration testing
- Regular external audits to prove security measures
RedJade data is stored in the EU and is not transferred to third party countries, including the United States, other than Email addresses for the specific purpose of sending emails through RedJade via Mailchimp. Email sending is not required to use RedJade.