SingleStore is a distributed, highly-scalable SQL database. SingleStore offers a number of products, services and solutions to help customers achieve their data goals. As a part of offering these services, SingleStore processes personal data on behalf of its customers (Customer Personal Data).
In relation to Customer Personal Data, SingleStore is a data processor and the customer is the data controller. For information about the limited occasions in relation to customers where SingleStore acts as a data controller, please see our privacy notice.
SingleStore has in place data processing agreements with all customers which provide robust contractual terms that meet the requirements of EU, UK and Swiss data protection laws. Our data processing agreement with each customer requires SingleStore to (among other obligations) only process Customer Personal Data in accordance with our customer’s instructions, to keep Customer Personal Data secure and ensure confidentiality, and to support our customers to comply with their own obligations including in responding to data subject rights.
All members of the SingleStore group of companies are subject to contractual obligations to protect Customer Personal Data including being required to comply with comprehensive group-wide security standards.
A central tenet of EU, UK, and Swiss data protection laws is that measures must be taken to ensure a level of security appropriate to the risk. SingleStore has data security legal obligations both: (1) directly under EU, UK, and Swiss data protection laws; and (2) under data processing agreements with all customers.
SingleStore puts data security at the heart of its service offerings because at SingleStore nothing is more important than the security and reliability of Customer Personal Data. SingleStore is certified to the ISO/IEC 27001 standard and complies against SOC 2 Type II controls as attested by an accredited third-party.
More information about data security at SingleStore can be found here. For compliance questions please reach out to compliance@singlestore.com.
SingleStore is fully aware of the impact of the Court of Justice of the European Union decision in Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems (Case C-311/18) (commonly referred to as Schrems II) and has measures in place to ensure compliance with its principles. To see the Schrems II decision at a glance see a paper published by the European Parliament produced here. In short, the following excerpt from the European Parliament paper summarises the impact of Schrems II:
“In its July 2020 Schrems II judgment, the Court of Justice of the European Union (CJEU) declared the European Commission’s Privacy Shield Decision invalid on account of invasive US surveillance programmes, thereby making transfers of personal data on the basis of the Privacy Shield Decision illegal. Furthermore, the Court stipulated stricter requirements for the transfer of personal data based on standard contract clauses (SCCs). Data controllers or processors that intend to transfer data based on SCCs must ensure that the data subject is granted a level of protection essentially equivalent to that guaranteed by the General Data Protection Regulation (GDPR) and the EU Charter of Fundamental Rights (CFR) – if necessary with additional measures to compensate for lacunae in protection of thirdcountry legal systems. Failing that, operators must suspend the transfer of personal data outside the EU.”
SingleStore uses standard contractual clauses approved by the European Commission and UK and Swiss governments (SCCs) wherever required to legitimize transfers of Customer Personal Data outside of the European Economic Area, UK, and Switzerland.
For a full copy of the SCCs see here and to see a copy of the UK International Data Transfer Addendum see here. Further information (including the particulars of the SCCs, UK International Data Transfer Addendum, and modifications to the SCCs for extra-Swiss data transfers can be found in our Data Processing Agreement).
SingleStore also uses SCCs in respect of data sharing among the SingleStore group and with SingleStore’s service providers. Wherever SCCs are used, SingleStore ensures that Customer Personal Data is granted an essentially equivalent level of protection to the protection guaranteed by EU, UK, and Swiss data protection laws.
Wherever SingleStore acts as a data exporter, it assesses the laws and practices of the data importer’s country to determine whether the data importer is able fulfil their obligations under the SCCs by reference to laws authorising public authorities access to Customer Personal Data.
In respect of data transfers to the US, SingleStore is not considered an “electronic communications service provider” and so is not subject to Section 702 of the Foreign Intelligence Surveillance Act (known as FISA 702). SingleStore has assessed other US data access laws, such as Executive Order 12333, and determined that those laws incorporate more elements of “necessity” and “proportionality” with regard to the legitimate objective being pursued that was considered in Schrems II.
Please note that SingleStore has never received a request under FISA 702 or EO 12333 to provide access to Customer Personal Data. Despite this, SingleStore has contractually binding procedures in place setting out its obligations in case of access to, or a request to access, Customer Personal Data. These obligations include: (1) notification to the customer (where legal to do so); (2) a requirement to challenge any access requests by public authorities; and (3) a commitment to not disclose Customer Personal Data voluntarily without the consent of our customer.
We also put in place, as standard, security measures such as encryption in transit and at rest to prevent unauthorised access to Customer Personal Data by public authorities. Please see here for information about our information security measures or contact compliance@singlestore.com for more information.