Home
 / 
trust center
 / 
schrems
Legals

Privacy Shield Invalidation (Schrems II)

Back to Trust Center

Privacy Shield Invalidation and Secure Code Warriors Practices

What is Schrems II?

On the 16th of July 2020, the Court of Justice of the European Union (“CJEU”) issued their decision in case C-311/18, also known as Schrems II. The CJEU’s decision confirmed the validity of the European Commission Controller-Processor Standard Contractual Clauses (“SCCs”) while invalidating the EU-US Privacy Shield Framework as a mechanism to transfer personal data from the EU to the US. The decision requires organizations engaged in transfers of personal data to a third country to carry out an assessment prior to making a transfer under the SCCs to ensure that data subjects are afforded a level of protection “essentially equivalent” to that guaranteed within the European Union (“EU”) by the GDPR. If this level of protection cannot be achieved through reliance on the SCCs alone, then the exporting organization must implement "supplementary measures" to protect the exported personal data to an "essentially equivalent" standard.

Secure Code Warriors position on Schrems II

At Secure Code Warrior, privacy protections have been a fundamental component of our services since day one. Our commitment to protecting our customers’ data is not limited by a geographical border or region, and extends to ensure we keep pace with global privacy standards.

With regards to the ruling by the Court of Justice of the European Union (CJEU) as a result of what has become known as the “Schrems II” case, Secure Code Warrior has taken the following preliminary steps;

  • Updated our Data Processing Addendum to include (where relevant) Standard Contractual Clauses (SCCs) with our data processors
  • Communicated with our European based GDPR consultants to ensure we address the revised requirements.
  • Undertaking a review of all data flows, including our records of processing activities as per the GDPR Article 30
  • Undertaking a dedicated risk assessment on the CJEU ruling, and its implications for us as a company and on the data processors we use. 
  • Conduct a privacy/data protection due diligence and risk assessment for all international transfers, including:
  • validating that each data processor is compliant with the GDPR and 
  • maintains strong security to supplement the requirements under GDPR
  • Assessing all relevant GDPR, privacy and security documentation, to ensure we get fully aligned with the requirements under GDPR and Schrems II

We will continue to closely follow the European Data Protection Board (EDPB) and the ICO’s (the UK’s data protection authority) recommendations going forward.

Supplementary Measures

Regarding the adoption of Supplementary Measures, and advice from the European Data Protection Board (EDPB), Secure Code Warrior is continuing to review our Technical, Organisational and Contractual measures. 

At a glance, here is how Secure Code Warrior is addressing these issues. 

1. Technical Measures;

  • We have adopted encryption algorithms to help secure data transfers. Secure Code Warrior has partnered with our Cloud providers (AWS) and (MongoDB) to ensure customer data is encrypted at rest and in transit and all encryption keys are safely stored. Furthermore, we are exploring options to provide our customers (at a cost to the customer) additional measures around encryption such as implementing "customer key management" or a "cloud-based hardware security module (HSM)" that enables the customer or SCW (on behalf of the customer) to easily generate and manage encryption keys.

2. Contractual Measures:  

We are working with our sub-processors to evaluate compliance with the SCCs and adding into Data Processing Agreements (where applicable) to notify Secure Code Warrior as the data controller, in the event a subprocessor is unable to comply with contractual commitments.

3. Organisational Measures: 

We are working with our sub-processors to enhance the standard of protection for personal data. These include, data security certification, the implementation of comprehensive data protection notices, regular review of internal policies, and effective staff training.


Appendix A
Appendix b
Appendix c
Appendix d
Appendix e
Appendix A - Secure Code Warrior Legal Entities


a. UNITED KINGDOM (incorporated in England and Wales)
   Secure Code Warrior Limited
   Company Number 08559432
   Ironstone House
   4 Ironstone Way
   Brixworth, Northampton. NNG 9UD
   United Kingdom

b. AUSTRALIA
   Secure Code Warrior Pty Limited
   ABN 97 608 498 639
   c/o Vital Addition
   5, 120 Sussex Street
   Sydney. NSW 2000
   Australia

c. BELGIUM
   Secure Code Warrior BVBA
   Baron Ruzettelaan 5
   bus 3 8310 Brugge
   Belgium

d. USA
   Security Code Warrior Inc
   265 Franklin Street, Suite 1702
   Boston MA 02110
   USA

e. ICELAND
   Motherji ehf
   Borgatun 24, 105,
   Reykjavik,
   Iceland

Appendix B - Collection of Personal Information
a. PLATFORM USER

As a user of the Secure Code Warrior platform we will hold the following information about you

  1. User name
  2. Password
  3. Employer
  4. Job title
  5. Location
  6. Test results
  7. IP Address
  8. IMEI number
  9. MAC Address
  10. Browser type

This personal information will be held about you for so long as you have access to our platform and thereafter for a further period of twelve (12) months or as specified in your employers contract with us (whichever is the lower).

RECRUITMENT CANDIDATES

As potential employee of Secure Code Warrior we hold the following information about you:

  1. Contact details
  2. CV
  3. Date of Birth
  4. Qualifications
  5. References

Should you be unsuccessful we will retain this data for a period of twelve (12) months so that we may contact you regarding any future opportunities, unless you request that we delete the data beforehand.


CUSTOMERS

As an email contact or prospective customer to Secure Code Warrior we hold the following information about you:

  1. Name
  2. Contact details
  3. Employer
  4. Job Title
  5. Location

We will retain this data for up to 7 years from our last contact with you, unless you request that we delete the data beforehand.

PARTICIPANTS IN TOURNAMENTS AND OR COMPETITIONS

As a registrant, or participant in a tournament or competition we hold the following information about you:

  1. Name
  2. Email address
  3. Physical address where there may be a prize to be delivered
  4. Region

This personal information will be held about you for so long as you have access to our platform and thereafter for a further period of twelve (12) months.

SUPPLIERS

As a supplier to Secure Code Warrior we hold the following information about you:

  1. Name
  2. Business/ Company Name
  3. Contact details
  4. Bank Details (if acting as a sole trader or using a personal account)
  5. We will retain this data for up to 7 years from our last contact with you, unless you request that we delete the data beforehand.

Appendix C - Processing of Personal Information
a. PLATFORM USER

Necessary to enable us to perform our contract with you:

  1. to set up, administer and manage a user’s account, verify a user’s identity, provider users with our platform and services, and to receive and respond to a user’s communications and requests.
  2. to notify our users of updates to our platform and services necessary for the performance of the contract we have with you.
  3. to support any other purpose necessary for performance of our contractual obligations or specifically stated at the time at which you provided your personal information.

Necessary for the performance of our contract with you where such communication relates specifically to our services, and legitimate interest to be able to handle such queries:

  1. to receive and respond to a user’s communications and requests.

For legitimate interest to enable Secure Code Warrior to:

  1. carry out market research campaigns so that we can better understand the functionality of our platform and how we can improve our platform and our services.
  2. prepare statistics relating to the use of our platform and services by our users so that we can understand the use of, and improve our platform and services.

For legitimate interests to allow Secure Code Warrior to improve customer services offering:

  1. to record and review customer service communications for training and performance improvements to enable us to improve customer services.

To enable Secure Code Warrior to comply with a legal obligation:

  1. to enable Secure Code Warrior to comply with legal obligations.

With consent:

  1. to send users marketing materials where marketing materials have been specifically requested.

RECRUITMENT

To enable Secure Code Warrior to recruit employees and assess potential candidates, that is to:
consider applications for roles for which you may have applied, directly or via a recruitment, and the negotiation of employment opportunities,
consider applicants for other roles within Secure Code Warrior for which they may be suited,
obtain references from former employers.


CUSTOMERS, PROSPECTIVE CUSTOMERS or BUSINESS CONTACTS

Necessary for the performance of a contract

  1. conducting business and make our services available to customers,

For legitimate interests to enable Secure Code Warrior to conduct business

  1. to send and receive business communications
  2. to administer our relationship with customers, prospective customers and business contacts

For legitimate interests to contact those who may benefit from our services

  1. informing prospective customers and business contacts about our services.

With consent

  1. to send out marketing materials where these have been specifically requested.

PARTICIPANTS IN TOURNAMENTS AND OR COMPETITIONS

Necessary for the running of the competition and/ or tournament
With consent

  1. to send out marketing materials

SUPPLIERS

for legitimate interests to enable Secure Code Warrior for the performance of a contract where the supplier is an individual

  1. to assess and appoint suppliers

Legitimate interests to conduct business

  1. to send and receive business communications
  2. to administer our relationship with our suppliers.
Appendix D - Secure Code Warrior Related Websites
  1. securecodewarrior.com
  2. help.securecodewarrior.com
  3. insights.securecodewarrior.com
  4. discover.securecodewarrior.com
  5. leadersinappsec.com
  6. leadersindevsec.com
  7. softwaresecuritygurus.com
  8. scw.io
Appendix E - External Service Providers

Please see list of our data sub-processors here.

Embrace developer-driven secure coding.

Contact us today and make software security an intrinsic part of your development process.

Start Your Free Trial
Sensei Free 21 Day Trial
Book a Demo
Product
Features
CoursesMissionsTournamentsAssessmentsTrainingLearning ResourcesSCW for GitHub
Product
More
IntegrationsSupported LanguagesSupported vulnerabilities
Learning Resources
SCW for GitHub
SCW for Jira
Secure Code Warrior Bootcamp
Solutions
For Industries
GovernmentRetailFinance & BankingInsuranceTechnologyAutomotive & TransportHealthcareInternet-of-Things
Solutions
For Teams
Engineering TeamsSecurity TeamsLearning & DevelopmentC-Suite
Use cases
Achieve ComplianceIncrease ProductivityMitigate RiskIncrease My Skills
Company
About UsPlansPartnersCareersNewsroomTrust CenterContact Us
Community
BlogResourcesLeaders-in-AppSecSoftware Security GurusEvents
SUPPORT
Help CenterCustomer SuccessRelease NotesFAQ
connect with us and keep up to date with THE LATEST NEWS
Submit
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
Twitter
Linkedin
Instagram
Facebook
Youtube
Sydney

Level 2, 29-43 Balfour Street Chippendale, NSW 2008 Australia

Boston

c/o Suite 1702, 265 Franklin Street
Boston, MA 02110 USA

Portland

Working remotely in and around Portland, OR 97204 USA

London

Working remotely in and around London, United Kingdom UK1

Bruges

Baron Ruzettelaan 5 bus 3 8310 Brugge Belgium

REYKJAVIK

Katrínartún 4 105 Reykjavik Iceland

© 2015-2022 Secure Code Warrior Limited. All Rights Reserved. Terms of Use | Privacy Policy | Cookie Policy | Accessibility