Last updated: March 21, 2021
Netlandish is an American company and our data infrastructure is currently based in the US. That means if you are in another country in the world and you use our products, your data are transferred to the US. The EU has stronger privacy laws than the US and a core tenet of the GDPR is that if you transfer any personal data of EU residents out of the EU, you must protect it to the same level as guaranteed under EU law. There are two factors to this:
We are serious about treating our customers fairly. We are equally serious about protecting your data, security, and right to privacy as if it were our own. This applies to all our customers, regardless of where you are in the world.
We do work with sub-processors. We've listed links to our current sub-processors at the end of this page. With each vendor, we assess their commitment to privacy and we sign a data processing addendum with them that include the controller-processor Standard Contractual Clauses.
The US does not have a national consumer privacy law akin to GDPR. We'd love to see one put in place and until then, shout out to California for leading with the California Consumer Privacy Act ("CCPA" — more information following this GDPR section) and our spiritual home state of Illinois for its Biometric Information Privacy Act.
There are national US security laws that are relevant to GDPR. Chief amongst them are: the Foreign Intelligence Surveillance Act (FISA) and Executive Order 12-333. FISA establishes ways for US law enforcement and intelligence agencies to gather information within the US about non-US entities suspected of espionage or terrorism. Executive Order 12-333 sets out how US intelligence agencies can gather information, including outside the borders of the US.
Virtually every American software service is subject to FISA. That includes all the American big tech companies you can think of as well as any European service that uses cloud infrastructure from Amazon Web Services, Microsoft Azure, or Google Cloud Computing. It also includes small tech American companies like us, Netlandish Inc. However to date, Netlandish has never been served a FISA order or National Security Letter.
Even so, these laws are relevant for why extra mechanisms need to be in place to allow the legal transfer of personal data from the EU to the US.
In the CCPA, there is an important distinction between what are referred to as "service providers", "businesses", and "third parties". You can see how the regulation defines these words by visiting the California Attorney General's website: https://www.oag.ca.gov/privacy/ccpa.
Under the CCPA, Netlandish is a "service provider." That means when we process data you provide, we do so solely for the purpose you signed up for. Our business model is simple: we charge a recurring subscription fee to our customers. We do not sell personal information or use your data for any other commercial purposes unless with your explicit permission.
Our products are currently not HIPAA-compliant and we do not have immediate plans to become so.
Netlandish uses third party subprocessors, such as cloud computing providers, to provide our services. We enter into data processing agreements including GDPR Standard Contractual Clauses with each subprocessor, and require the same of them.
We also use other software as a company that are not part of providing our services but may collect your personal information for other purposes.
You can see which processors are used by category below: