Auth0 understands the regulatory uncertainty and operational challenges that the United Kingdom (UK) 's exit from the European Union (EU) may be causing for our customers. The intention of this guidance note is to inform and reassure so that Auth0 is one less supplier that you need to worry about in your Brexit impact planning.
Q: Hasn't the UK already left the EU?
A: The UK officially left the EU on 31 January 2020 but then entered into a transition period, during which the UK would remain aligned with all existing EU law. In short, during the transition, nothing has really changed, and EU laws must still be followed. This transition period ends on 31 December 2020, unless it is extended to allow negotiations between the UK and the EU to continue.
Q: What does this mean for my customer data being processed by Auth0?
A: UK and EU privacy laws only apply to personal identifiable data or "personal data." The UK currently bases its own data privacy laws on the EU's General Data Protection Regulation (GDPR), but little is known about its post-Brexit plans for data privacy.
For GDPR purposes, our customers are data controllers, and Auth0 is the data processor, which means the customer is responsible for managing their own personal data flows and ensuring they have valid transfer mechanisms in place for all international transfers of such data.
Q: So, where does Auth0 process its data?
A: It depends on which AWS region our customers have chosen to host their Auth0 tenants.
The primary location in which Auth0 will conduct its core processing of your customer data is chosen by the customer in their Auth0 Sales Orders and when they create an Auth0 tenant. For our UK and EU customers, this is almost always the AWS EU region, which is made up of a primary data center in Frankfurt (Germany) with a failover to a second data center in Dublin (Republic of Ireland). This means that aside from a few limited exceptions (covered below), if a customer selects the EU region, then all data processing activity by Auth0 will take place within the EU.
Limited Exceptions. As disclosed in our contracts with our customers and described in more detail below, Auth0 conducts some limited processing of personal data outside the EU. Please note that for both examples, the transfers will be: (i) within the customer's control; and (ii) covered by Auth0's intra-group Standard Contractual Clauses (Model Clauses).
Management dashboard: For public cloud customers, Auth0 may temporarily process tenant data in the US for display on the Auth0 Management Dashboard. Dashboard web servers are located in the US. This data is not automatically transferred but is only served up when a tenant dashboard administrator requests it for viewing. When this occurs, the data itself is ephemeral, is not permanently stored on our systems, is encrypted during transit, and is only used to display information on the dashboard to the requesting administrator.
This data can include any information that can be viewed through the Auth0 Management Dashboard, which typically includes the user's e-mail address or other UID and basic metadata about that user, such as creation date, last login time, user agent, and the identity provider used.
The dashboard exception does not apply to the Private Cloud. For customers on Auth0's private cloud deployment, all dashboard processing occurs within the AWS region the customer has selected for its tenant for private cloud customers, e.g., if the customer selects the EU region, then dashboard processing will remain in the EU.
Support tickets and logs: If a customer includes personal data in a support ticket, then this may be viewed by Auth0 support personnel outside the EU. In order to resolve the ticket, Auth0 personnel may review activity logs to help understand the underlying error. Personal data in those logs typically consists of a user ID (e.g., e-mail) and IP addresses.
Q: What does Brexit mean for our existing European customers?
A: In terms of international data transfers and data processing locations, it's business as usual. If you are an Auth0 customer based in the EU and have selected the AWS EU (Frankfurt, with failover to Dublin) as your deployment region, then no personal data will be exported to the UK via Auth0 in the provision of Auth0's core services.
Support Service Qualifier. If an Auth0 customer based in the EU chooses to insert personal data into a support ticket (as described above) or share personal data with an Auth0 support operative based in the UK, then a transfer of personal data from the EU to the UK will occur. Please note, however, that such a transfer will be: (i) within the customers' control; and (ii) protected by Auth0's intra-group Standard Contractual Clauses (Model Clauses).
Q: What does this mean for our UK customers?
A: The situation remains fluid in terms of the status the EU will afford the UK (and vice versa) with respect to transfers of personal data. If the EU recognizes that the UK has a suitably robust data privacy regime and makes an adequacy decision in its favor (as it has done with Japan and Argentina), then transfers of personal data from the EU to the UK will be permitted, and data will be able to flow freely between the two regions.
UK to EU transfers of personal data
Currently, the UK's data privacy regulator - the ICO - has confirmed that it will recognize the EU as a region with adequate protections in place for exporting the personal data of UK nationals, i.e., UK to EU transfers of personal data are permitted.
This may change if the EU does not reciprocate and grant an adequacy decision in the UK's favor. Given the UK's post-Brexit data privacy regime is currently unknown, no one can say with any certainty what alternative transfer measures the UK may require for the export of UK personal data. It's reasonable to imagine such a transfer mechanism might be similar to the EU's Standard Contractual Clauses (Model Clauses).
Q: What can Auth0's UK customers do to mitigate against personal data flow uncertainty?
A: If you are an Auth0 customer without a DPA in place with Auth0, you may want to consider countersigning Auth0's current DPA - which attaches the GDPR Standard Contractual Clauses / Model Clauses covering the transfer of personal data to a third party country. Auth0 has published a pre-signed Data Protection Addendum (DPA) at www.auth0.com/legal.
UK customers may wish to countersign the DPA as follows:
If a customer has end-users that are EU citizens, in order to ensure a transfer mechanism is in place for the potential EU to US transfers of personal data under the dashboard and support ticket exceptions described above;
If a customer has UK end-users only, in order to put a preemptive post-transition period transfer mechanism in place for the UK to EU transfers of personal data. Such measures may not be necessary if the UK continues to recognize the EU as an approved country for personal data exports. Please note that we do not know what form, if any, the UK's standard contractual clauses will take for exports of UK personal data to third parties. There is no guarantee that the Standard Contractual Clauses attached to our DPA will be sufficient to cover such transfers. Regardless, we will be following developments and will make updated Standard Contractual Clauses or their equivalents available as the situation becomes more certain.
Q: What if UK data sovereignty is an absolute requirement?
If you are a UK Auth0 customer with UK only end-users, and it is essential that minimal personal data leave the UK, then Auth0's Private Cloud deployment option may provide a solution.
With one of Auth0's Private Cloud deployments, all customer personal data is ring-fenced on the AWS data center that the customer chooses to create its Auth0 tenants. So if a customer chooses the AWS London (UK) region as its desired location to host its Auth0 Private Cloud deployment, then there will be no transfers of customer personal data as part of the core Auth0 services from the UK to either the EU or the US. Please note that even on Auth0 Private Cloud, there may still be some extra-UK transfer of personal data should an Auth0 customer choose to include personal data in a support ticket (as described in the exceptions listed above) or otherwise share such data with an Auth0 customer support operative as part of our support services, e.g., by sharing your screen.
For more information with respect to Auth0 Private Cloud, please see the following link: https://auth0.com/docs/private-cloud.
Q: Aside from data privacy, will Brexit have any other impacts on Auth0's wider operations?
A: Not that we envisage.
Auth0 has a rapidly growing presence of commercial and technical staff on the ground throughout the EU member states who will continue to service our European customers. Our UK customers will continue to be looked after by our UK personnel. Operationally we are well prepared for any outcome of the UK and EU's Brexit negotiations, including a so-called "No Deal" Brexit. Auth0 services for both our UK and EU customers will not be impacted.
We're keeping our ears to the ground.
Auth0 will continue to monitor Brexit developments closely, particularly in relation to data privacy arrangements. We will provide updates as and when and significant developments are announced.
Auth0 provides a platform to authenticate, authorize, and secure access for applications, devices, and users. Security and application teams rely on Auth0's simplicity, extensibility, and expertise to make identity work for everyone. Safeguarding more than 4.5 billion login transactions each month, Auth0 secures identities so innovators can innovate, and empowers global enterprises to deliver trusted, superior digital experiences to their customers around the world.