HashiCorp Data Transfer Impact Assessment
The objective of this document is to:
- Identify and describe any risks associated with customer data transfers to countries (e.g., United States) outside of the EEA, United Kingdom, and Switzerland;
- Outline our ability to comply with our obligations as a “data importer” under the GDPR and the new Standard Contractual Clauses (SCCs); and
- Detail any supplementary measures taken to protect these transfers.
We aim to provide relevant information to our customers and end users to help perform data transfer impact assessments as required under GDPR and in compliance with the Court of Justice of the European Union's Schrems II judgment.
Applicability of the Transfer
When HashiCorp is considered a “processor” or “data importer” under the European data protection laws, we adhere to the data protection terms outlined in our Data Protection Addendum (DPA). Our DPA incorporates the European Commission’s June 2021 updates to the SCCs, specifically information on the nature of HashiCorp’s processing activities in connection with the provision of the Services, the types of customer personal data we process and transfer, and the categories of data subjects (Annex I) and a description of HashiCorp’s security measures (Annex II).
In certain cases, HashiCorp may transfer customer personal data onward to third-party service providers or subprocessors in order to provide you with our products or services. A full list of our current subprocessors is available for review and will be updated when necessary.
Customer personal data for all of our products and services is transferred to the United States for login credential management and support, both of which may be performed by US-based resources. Outside of that, below is a list of HashiCorp locations from which data may be accessed by HashiCorp employees for purposes such as product support:
- United Kingdom
- United States
We may transfer customer personal data wherever we or our third-party service providers operate for the purpose of providing you the Products and/or Services. The locations will depend on the particular HashiCorp Products you use, as outlined in the chart below.
| Products and/or Services | Countries where HashiCorp stores customer data | Countries where HashiCorp may process customer data (i.e., access, transfer) | Countries where HashiCorp Support teams are located |
|---|---|---|---|
| Enterprise Products | N/A - self-hosted by customers | N/A - self-hosted by customers | United Kingdom, United States |
| Terraform Cloud (TFC) | United States | United States | United Kingdom, United States |
| HashiCorp Cloud Platform (HCP) | United States, European Union, Australia, Singapore | United States | United Kingdom, United States |
Context and purpose of the transfer:
- Cloud/SaaS: Data is transferred as needed in connection with issuing and maintaining login credentials by US-based resources.
- Support and account management: Data is transferred as needed when support tickets are submitted and/or account management activities are undertaken by US-based resources.
The frequency of the transfer (e.g., whether the data is transferred on a one-off or continuous basis): As needed to perform the agreement between the parties.
Categories of personal data transferred: Business contact details (name, business title, address, telephone, email address).
Special categories of personal data transferred (if applicable): We do not intentionally transfer any sensitive data to the United States unless directed to by the controller.
Applicable Transfer Mechanism: Where personal data originating from the EU is transferred to HashiCorp, we rely upon the European Commission's SCCs to provide an appropriate safeguard for the transfer. Where personal data originating from the UK is transferred to HashiCorp, we rely upon the UK GDPR and the associated SCCs. To review our Data Processing Addendum (with the SCCs), please visit our Data Processing Addendum. Where customer personal data originating from the EU or the UK is transferred by HashiCorp to third-party subprocessors, HashiCorp enters into SCCs with those parties.
Supplemental Technical Security Measures:
- Access Controls: HashiCorp has processes in place to limit access to its systems and customer data to authorized personnel only.
- Disaster Recovery and Business Continuity: HashiCorp maintains a Business Continuity Plan (BCP), which defines the processes and procedures for the company to follow in the event of a disaster.
- Encryption: HashiCorp will ensure all customer data is encrypted in transit and at rest.
- Security and certifications: Additional information about HashiCorp’s security practices and certifications is available on our Security page.
- Security Program and Standards: HashiCorp maintains a written information security program that contains appropriate administrative, technical and physical safeguards to protect Customer data and that complies with industry standards for security controls. HashiCorp’s Enterprise Products have been certified by an independent third-party auditor as aligning with the ISO 27001 and SOC 2 Type 2 standards.
- Personnel Screening: HashiCorp performs background checks on all potential employees and contractors prior to employment with the company.
- Security Training and Awareness: HashiCorp maintains a security awareness program that includes training of HashiCorp personnel on HashiCorp’s security program. Training is conducted annually.
- Onward Transfers: When your data is shared with HashiCorp service providers, we remain accountable to you for how it is used. We require all service providers to undergo a diligence process across legal, security, and privacy to validate that our customers' personal data receives adequate protection.
- HashiCorp utilizes a Data Protection Addendum, with additional annexes on technical security measures, as well as a contractual security agreement as part of our standard agreement (and for on-prem customers as needed). The HashiCorp DPA includes the EU and UK Standard Contractual Clauses. Our DPA also empowers data subjects to exercise their rights (i.e., erasure, access, limitation of processing, etc.). In addition, we contractually require all subprocessors that process personal data on our behalf to abide by rigorous privacy and security standards and to sign a legally compliant DPA.
Policy for Law Enforcement Requests to Client Data: HashiCorp is committed to the importance of trust and transparency for the benefit of our customers. Except as expressly permitted by written agreement, HashiCorp will only disclose personal data to third parties (including governmental authorities) in response to valid legal process. HashiCorp does not voluntarily disclose any data to government authorities unless (a) there is an emergency involving imminent danger of death or serious physical injury to any person, or (b) to prevent harm to HashiCorp’s ability to deliver its products and services or to HashiCorp customers. Unless prohibited by law, HashiCorp will promptly notify the Customer of any request from a government authority to obtain access to or a copy of any personal data, will inform the government authority that HashiCorp is a processor of the personal data on behalf of the Customer, and in all instances will request that any and all requests or demands for access to the personal data be sent to the Customer in writing.