Data privacy and GDPR

Frequently Asked Questions

• Why did Wooclap choose AWS? And is AWS GDPR compliant?

  The Wooclap infrastructure is hosted on Amazon Web Services (AWS) in the eu-west-3 data center in Paris, France. Our infrastructure was built around AWS architecture best practices called AWS Well-Architected Framework. AWS allows Wooclap to ensure high quality of service and high availability rates. AWS provides important security guarantees for data protection such as full data encryption (both at rest and in transit), compliance with multiple certifications (see AWS Compliance Programs), and compliance with the most stringent security standards and data sovereignty laws. AWS also provides clear responses to the CLOUD Act, Schrems II, GDPR, prohibition of data transfers outside the EU, etc.

  Wooclap retains full control over the region where data is stored and processed systematically, and AWS cannot move the data from that region. This control is independently verified by an auditor as part of AWS' SOC certification.

  AWS cannot access Wooclap data. AWS prohibits and has systems designed to prevent access by AWS personnel to data stored on AWS for any purpose, including service maintenance. Individuals must be specifically granted access to an AWS service. There is no exception to this rule, and it applies to AWS personnel: they do not have access to Wooclap data unless specifically requested in support cases by Wooclap. This control is also independently verified by an auditor as part of AWS' SOC certification. Those accesses are covered by extra security measures such as Identity Access Management (IAM) Policies to grant access to only authorised Wooclap accounts.

  Wooclap works with AWS to build the safest architecture for the Wooclap services. We choose services that are GDPR compliant as listed in the CISPE Code of Conduct. CISPE (Cloud Infrastructure Services Providers in Europe) is a coalition of cloud computing leaders serving millions of European customers. The CISPE Data Protection Code of Conduct is the first pan-European data protection code of conduct for cloud infrastructure service providers under Article 40 of the GDPR. It was approved by the European Data Protection Board (EDPB) in May 2021 and formally adopted by the French Data Protection Authority (CNIL) in June 2021. We want to inform you that all the AWS services we use at Wooclap are certified compliant with the CISPE and therefore compliant with the GDPR.

• What is the CLOUD Act? Can the US Government access my data?

  In 2018, the United States passed the CLOUD Act "Clarifying Lawful Overseas Use of Data Act". This is a new law update to clarify how the United States can collaborate with other nations against serious organised crime, terrorism... The US Government can request the data owners to get a data extract through a rigorous legal framework that is reviewed by a judge and can be challenged by the law, the cloud provider and the data controller (i.e. Wooclap).

  Because the data request has to be justified, the request must be precise, related to specific data, and enable the progress of a judicial investigation.

  Regarding Wooclap data, we do not think that any educational presentation materials and Wooclap events could host data related to the organisation of crimes. We do not see any possible impact of the CLOUD Act on Wooclap data.

  Furthermore, if this were to happen, Wooclap and our service provider AWS would be fully transparent with you to decide together how to proceed with the received request. Legally and contractually, only the dataset concerning the criminal(s) will be provided, which is the absolute maximum. The provided data will be encrypted and without decryption keys because the CLOUD Act is classified as an "encryption-neutral" law and does not require prior decryption, rendering the dataset unusable.

  More information about the purpose of the CLOUD Act here and about the CLOUD Act from the AWS point of view here. This video also explains how AWS protects data privacy and is building security mechanisms for their services.

• How does encryption protect my data?

  All Wooclap data is encrypted at-rest and in-transit.

  At-rest encryption: Wooclap uses Amazon Key Management Service (KMS) with AES 256-bit keys to encrypt data stored by Wooclap. This data encryption scheme has been validated as FIPS 197 by the NIST. Regarding the key storage, AWS uses specific equipment called Hardware Security Module (HSM) — this device guarantees that no technical access is possible to the keys for AWS, Wooclap or anyone else.

  In-transit encryption: Only TLS 1.2 or higher is used at Wooclap. This asymmetric cryptographic algorithm allows Wooclap to encrypt and prevent attacks on communications between Wooclap services and the users' browsers.

  This video explains how AWS protects data privacy and how data encryption is built for their services.

• What is the Privacy Shield and Schrems II? What is the impact on Wooclap data?

  The (EU-US) Privacy Shield was a legal framework for regulating exchanges of personal data for commercial purposes between the European Union and the United States.

  In July 2020, the Privacy Shield was invalidated by the Court of Justice of the European Union (CJEU) following the Schrems II ruling. In addition, the CJEU confirmed the updated Standard Contract Clauses (SCC) remained a valid transfer mechanism for personal data to the US and globally and if appropriate supplementary measures (legal, technical and/or organisational) are implemented.

  The Schrems II ruling main point highlights that personal data transfers outside the EU should have appropriate safeguards to ensure a level of protection equivalent to that guaranteed within the EU. Controllers and sub-processors have to ensure that those guarantees are respected. On that point, Wooclap is engaged and checked with all of our sub-processors on the ongoing safeguards.

  For every sub-processor where data is located outside the EU:

  We have updated Standard Contractual Clauses.

  We signed a Data Processing Agreement with guarantees mentioned in it.

  We implemented and listed the supplementary measures as appropriate (legal, technical and organisational measures).

  We did Data Transfer Impact Assessments to analyse the transfer, calculate the risk and be sure the security level is maximum where data transfers are minimum.

• What is the EU-US Data Privacy Framework? (July 2023)

  On 10 July 2023, the European Commission adopted a new adequacy decision concerning the EU-US data protection framework; this agreement is called the EU-US Data Privacy Framework and replaces the previously invalidated Privacy Shield (see above).

  As a result of this agreement, personal data can flow freely and securely from the European Economic Area to US subcontractors who provide a level of protection equivalent to that of the European Union.

  Wooclap has 95% of subcontractors who host their data in Europe. For the remaining subcontractors, all security and confidentiality guarantees have been verified by the Wooclap security team. These subcontractors provide the additional measures requested by Europe (and by Wooclap) and are also GDPR compliant with this additional compliance to the EU-US Data Privacy Framework.

  For more information, see the European Commission's Q&A article.

• Is there any ads tracking on Wooclap users?

  Users are not targeted for any advertisement. All data uses are defined in the Privacy Policy (and in the DPA attached to the contract for organisational contracts). Wooclap does not resell data or transfer data for external (nor internal) advertising campaigns.

• Is it possible to get the IP address of anonymous users for my Wooclap event?

  Wooclap accords crucial importance to the confidentiality of its users and the protection of their individual liberties. In accordance with our policy and the regulations currently in force, we shall never provide confidential or personal data (such as IP addresses, telephone numbers, etc.) of participants, including in cases involving insults, racism, or any other injurious remarks.

  Regarding IP addresses, please note that those we collect during anonymous participation are not processed to identify a specific user. Consequently, it is technically and legally impossible for us to disclose individual data when participants have not previously identified themselves for the event.

  To obtain the data collected from your participants during an event (responses, pseudonyms, etc.), you may generate an export of results and participations directly from the platform (more information here).

  For event owners who wish to limit anonymity or ascertain the identity of their participants, we recommend two integrated solutions:

  Enable Authentication within your event settings. This mandates users to identify themselves (via an account or institutional login) to participate (more information here).

  Activate the Moderator Mode on your Wooclap event. This permits you to filter and validate responses before they are displayed, thereby ensuring control over the content published during your presentation (more information here).

  Wooclap is committed to guaranteeing a safe and respectful online environment for all its users. Pursuant to the hosting provider obligations arising from Regulation (EU) 2022/2065 on the Digital Services Act or "DSA", the Service Provider Wooclap offers a simple reporting mechanism. Should you identify content or activity that you deem unlawful, use our dedicated form.