In delivering its services Scrive does not actively transfer personal data to the United States and thus, the use of Scrive's services is not directly affected by the "Schrems II" decision by the Court of Justice of the European Union ("CJEU") on 16 July 2020.

Nevertheless, we want to highlight the following:

With all our suppliers, we have specified the location where data will be processed to be within the EU/EEA.

According to the agreements we have with our suppliers, once we have made this choice, they will not transfer data from the selected region.

Still, we have identified two scenarios where personal data could be subject to indirect transfers by our American owned sub-processors, namely when an indirect transfer is: 1. necessary to provide the services initiated by us, or 2. necessary to comply with the law or binding order of a governmental body.

You can find more information about this in our "Schrems II" statement (available on request).

All data traffic in our service is encrypted according to the highest possible standard. When uploading documents, we encrypt them using AES256; one unique cryptographic key per document. Encrypted documents are stored in private S3 buckets in Ireland with replication to Germany. The keys are stored in RDS (database). RDS is also encrypted. The keys to RDS are stored in AWS KMS. Key changes take place annually. We thus encrypt documents in "rest". We also encrypt all external network traffic we can with TLS 1.2.