This page is designed to address Frequently Asked Questions (“FAQs”) from customers (“customers”, “you”) about the Contentsquare group (“we”, “us”, “our”) certification to the Trans-Atlantic Data Privacy Framework.If you have additional questions that are not answered in this FAQs Guide, please contact your Sales or Account representative, who will be happy to assist you and coordinate with our Data Privacy Team to ensure that all your questions are answered.

What is the Data Privacy Framework and why does it matter?

• What is the Trans-Atlantic Data Privacy Framework?

  The Trans-Atlantic Data Privacy Framework (the “DPF”) is a new mechanism that was developed by the United States of America (“US”) to transfer personal data from the European Union (“EU”), United Kingdom (“UK”) and Switzerland (collectively “Europe”) to the US, while safeguardings Europeans’ data protection rights. This addresses the ruling of the European Court of Justice (Schrems II) which invalidated the previous Privacy Shield framework, established in 2016 to provide a legal basis for companies to comply with European data protection requirements when transferring personal data to the US.

• Why is the DPF important?

  In 2023, the European Commission and the UK Government each concluded that the US’ DPF ensures an adequate or essentially equivalent standard of data protection as under European data protection laws, namely General Data Protection Regulation (“GDPR”) and UK GDPR.This means that European personal data may be freely processed within and transferred to organizations in the US who have certified to the DPF, without having to implement any further data protection or safeguard like the Standard Contractual Clauses.

• Is all of the US an “Adequate Country” under European data protection laws because of the DPF?

  No, the adequacy decisions conclude that the US ensures an adequate level of protection for personal data transferred only to those US companies who are certified under the DPF.

• How does the DPF provide this “adequate level of protection” under European data protection laws?

  US organizations which certify to the DPF commit to comply with similar obligations as they would be subject to under European data protection laws such as only processing and handling personal data in line with purpose limitation, data minimization, data retention limitation, disclosure limitation, data security principles, etc.The DPF also includes limitations on the ability of the US government to access Europeans’ personal data, as well as provides to Europeans dedicated redress procedures over the handling of their personal data.

• How do you know if a US company is certified under the DPF?

  US-businesses that maintain active certifications to the DPF are publicly listed at this link.

• Where can you find more information about the DPF?

  More detailed information about the DPF is available at their official website at this link.More information about the European adequacy decisions on the DPF:

  • European Commission press release can be found here;

  • UK government notice can be found here.

Contentsquare group’s DPF certification

• Are Contentsquare, Clicktale, and Heap certified under the DPF?

  Yes! Each of Contentsquare group US companies, namely Contentsquare Inc., Clicktale Inc., and Heap Inc. are included in our DPF certification, which can be found at this link.Our certification statement where we commit to comply with the DPF and its Principles is available in our privacy policy.

• Do we use DPF-certified cloud hosting providers?

  Yes, we use Amazon Web Services (AWS) and Microsoft Azure as cloud hosting providers for our customers’ data. Both AWS and Azure are DPF-certified and their certifications can also be found at this link.

• Will you need to sign a new Data Processing Agreement (“DPA”) with Contentsquare, Clicktale or Heap to include the DPF?

  Except in special circumstances, the DPA you signed with us already permits the transfer of personal data to countries which benefit from an adequacy decision so a specific reference to transfers under the DPF is not necessary.

• Will our DPA still include the Standard Contractual Clauses (“SCCs”)?

  US organizations which certify to the DPF commit to comply with similar obligations as they would be subject to under European data protection laws such as only processing and handling personal data in line with purpose limitation, data minimization, data retention limitation, disclosure limitation, data security principles, etc.The DPF also includes limitations on the ability of the US government to access Europeans’ personal data, as well as provides to Europeans dedicated redress procedures over the handling of their personal data.

• Does the DPF impact customer data storage?

  Quite the opposite! For Heap customers, your European data stored in or transferred to the US will be now safely protected under the DPF.For Contentsquare and Clicktale customers, your data will continue to be stored in its designated cloud storage location as agreed under the agreement with Contentsquare and Clicktale. By default, European customers' data are stored in our European data centers.Furthermore, customer data accessed from our US companies to provide services to our customers (support, maintenance,...) will be covered by the DPF.