Legalities of Data Transfer for Typesense Cloud in EU

TLDR Viktor had concerns about data transfers outside of the EU when using Typesense Cloud. Jason explained that the Standard Contractual Clauses cover this use case under GDPR, and suggested either purchasing an enterprise support plan or self-hosting Typesense.

Viktor
Wed, 22 Feb 2023 15:11:23 UTC

Hey team, we’re having some issues regarding the legalities of using Typesense Cloud that are preventing us from going live in production. We would love to use Typesense Cloud but this is stopping us. Perhaps you can help sort this out. We need to be able to guarantee that no data passes outside of the EU. We have our Typesense Cloud set up in an EU location, but your legal docs specify that data transfer may happen to US. Why is this the case? Can you provide legal docs that communicate a guarantee that no data passes outside of the EU?

Viktor
Wed, 22 Feb 2023 15:11:30 UTC

Jason
Wed, 22 Feb 2023 15:14:57 UTC

Here’s the personal data that is transferred to the US:
• The email address you use to sign up is stored in a DB in the US
• When you use the cloud dashboard to interact with your clusters, data is read from your clusters in the EU, passed on to the dashboard servers hosted in the US, and then sent to your browser. We still don’t store this data in the US servers - it just transiently passes through US servers, before it reaches your browser.

Besides that, all data you send via the API to your Typesense Cloud cluster is only stored in the region you provision the cluster in and does not get stored anywhere else.

Jason
Wed, 22 Feb 2023 15:15:50 UTC

This is what we mean by “data transfer may happen to US”

Viktor
Wed, 22 Feb 2023 15:27:14 UTC

> When you use the cloud dashboard to interact with your clusters, data is read from your clusters in the EU, passed on to the dashboard servers hosted in the US, and then sent to your browser. We still don’t store this data in the US servers - it just transiently passes through US servers, before it reaches your browser.

Does this include a representation of the documents that we have indexed? If so, this is stopping us from using Typesense Cloud

Jason
Wed, 22 Feb 2023 15:30:37 UTC

It does include documents, but again it’s not stored but is pass-through. This has been sufficient for our other EU users… If you want to, you could disable dashboard access in Typesense Cloud and only use the UI to manage the infrastructure. Then your cluster documents data will never pass through the US. Essentially, only the search and curation sections in the dashboard access documents

Viktor
Wed, 22 Feb 2023 15:47:57 UTC

That would work!
• Disabling user data access from the dashboard
• Providing updated legal docs that clearly state that no user data passes outside of EU

Do you think this could be put in place quite soon?

Viktor
Wed, 22 Feb 2023 16:26:05 UTC

Looking further into this. Having the documents in the US dashboards is fine. This is not PII according to the definition. So all that would be needed for us to proceed is to have your legal docs clearly state what data is transferred out from the cluster outside of EU, so that we can clearly motivate that this is not PII

Viktor
Wed, 22 Feb 2023 16:26:41 UTC

We would just make sure that both documents and queries don’t contain any user ids and such

Jason
Wed, 22 Feb 2023 17:44:36 UTC

If this is a GDPR consideration, we use the as the legal basis for the data transfers I mentioned above… So technically, even if you put personal data in your clusters and use the search dashboard, those standard clauses cover this use-case as well.

Jason
Wed, 22 Feb 2023 17:46:10 UTC

In any case, I think someone from your team had emailed us about this as well - we are unable to modify our standard legal documents without a separate support contract, given the legal fees we incur. So if you need to redline our click-through agreements, we’d need to have a paid support contract in place to review the changes.

Viktor
Wed, 22 Feb 2023 18:01:37 UTC

That makes sense. Thank you very much for filling in the blanks on this!

Viktor
Thu, 09 Mar 2023 21:30:43 UTC

Jason, I’m reviving this thread since customers have come back and said that regardless of the GDPR aspect, they cannot accept any data leaving the EU. Just disabling the dashboard would not be sufficient since our customers would need the legal docs to confirm that there is no data transfer happening outside of the EU. Can we set this up for Typesense Cloud or do you recommend that we self-host Typesense in this case?

Jason
Thu, 09 Mar 2023 21:46:02 UTC

Given the unique nature of this ask and the lawyer fees involved, we’d only be able to support this ask with the purchase of an . The alternative is of course to self-host.

Viktor
Fri, 10 Mar 2023 09:03:52 UTC

Thanks Jason