TLDR Viktor had concerns about data transfers outside of the EU when using Typesense Cloud. Jason explained that the Standard Contractual Clauses cover this use-case under GDPR or suggested purchasing an enterprise support plan or self-hosting Typesense.
Here’s the personal data that is transferred to the US: • The email address you use to signup is stored in a DB in the US • When you use the cloud dashboard to interact with your clusters, data is read from your clusters in the EU, passed on to the dashboard servers hosted in the US, and then sent to your browser. We still don’t store this data in the US servers - it just transiently passes through US servers, before it reaches your browser. Besides that all data you send via the API to your Typesense Cloud cluster is only stored in the region you provision the cluster in and does not get stored anywhere else.
This is what we mean by “data transfer may happen to US”
> When you use the cloud dashboard to interact with your clusters, data is read from your clusters in the EU, passed on to the dashboard servers hosted in the US, and then sent to your browser. We still don’t store this data in the US servers - it just transiently passes through US servers, before it reaches your browser. Does this include a representation of the documents that we have indexed? If so, this is stopping us from using Typesense Cloud
It does include documents, but again it’s not stored but is pass-through. This has been sufficient for our other EU users… If you want to, you could disable dashboard access in Typesense Cloud and only use the UI to manage the infrastructure. Then your cluster documents data will never pass through the US. Essentially, only the search and curation sections in the dashboard access documents
That would work! • Disabling user data access from the dashboard • Providing updated legal docs that clearly state that no user data passes outside of EU Do you think this could be put in place quite soon?
Looking further into this. Having the documents in the US dashboards is fine. This is not PII according to the definition. So all that would be needed for us to proceed is to have your legal docs clearly state what data is transferred out from the cluster outside of EU, so that we can clearly motivate that this is not PII
We would just make sure that both documents and queries don’t contain any user ids and such
If this is a GDPR consideration, we use the
In any case, I think someone from your team had emailed us about this as well - we are unable to modify our standard legal documents without a separate support contract, given the legal fees we incur. So if you need to redline our click-through agreements, we’d need to have a paid support contract in place to review the changes.
That makes sense. Thank you very much for filling in the blanks on this!
Jason I’m reviving this thread since customers have came back and said that regardless of the GDPR aspect, they cannot accept any data leaving the EU. Just disabling the dashboard would not be sufficient since our customers would need the legal docs to confirm that there is no data transfer happening outside of the EU. Can we set this up for Typesense Cloud or do you recommend us to should we self-host Typesense in this case?
Given the unique nature of this ask and the lawyer fees involved, we’d only be able to support this ask with the purchase of an
Thanks Jason
Viktor
Wed, 22 Feb 2023 15:11:23 UTCHey team, we’re having some issues regarding the legalities of using Typesense Cloud that is preventing us from going live in production. We would love to use Typesense cloud but this is stopping us. Perhaps you can help sort this out. We need to be able to guarantee that no data passes outside of the EU. We have our Typesense Cloud set up in a EU location, but your legal docs specify that data transfer may happen to US. Why is this the case? Can you provide legal docs that communicate a guarantee that no data passes outside of the EU?