Legalities of Data Transfer for Typesense Cloud in EU

Viktor

Hey team, we’re having some issues regarding the legalities of using Typesense Cloud that is preventing us from going live in production. We would love to use Typesense cloud but this is stopping us. Perhaps you can help sort this out. We need to be able to guarantee that no data passes outside of the EU. We have our Typesense Cloud set up in a EU location, but your legal docs specify that data transfer may happen to US. Why is this the case? Can you provide legal docs that communicate a guarantee that no data passes outside of the EU?

Viktor

Jason

Here’s the personal data that is transferred to the US: • The email address you use to signup is stored in a DB in the US • When you use the cloud dashboard to interact with your clusters, data is read from your clusters in the EU, passed on to the dashboard servers hosted in the US, and then sent to your browser. We still don’t store this data in the US servers - it just transiently passes through US servers, before it reaches your browser. Besides that all data you send via the API to your Typesense Cloud cluster is only stored in the region you provision the cluster in and does not get stored anywhere else.

Jason

This is what we mean by “data transfer may happen to US”

Viktor

> When you use the cloud dashboard to interact with your clusters, data is read from your clusters in the EU, passed on to the dashboard servers hosted in the US, and then sent to your browser. We still don’t store this data in the US servers - it just transiently passes through US servers, before it reaches your browser. Does this include a representation of the documents that we have indexed? If so, this is stopping us from using Typesense Cloud

Jason

It does include documents, but again it’s not stored but is pass-through. This has been sufficient for our other EU users… If you want to, you could disable dashboard access in Typesense Cloud and only use the UI to manage the infrastructure. Then your cluster documents data will never pass through the US. Essentially, only the search and curation sections in the dashboard access documents

Viktor

That would work! • Disabling user data access from the dashboard • Providing updated legal docs that clearly state that no user data passes outside of EU Do you think this could be put in place quite soon?

Viktor

Looking further into this. Having the documents in the US dashboards is fine. This is not PII according to the definition. So all that would be needed for us to proceed is to have your legal docs clearly state what data is transferred out from the cluster outside of EU, so that we can clearly motivate that this is not PII

Viktor

We would just make sure that both documents and queries don’t contain any user ids and such

Jason

If this is a GDPR consideration, we use the as the legal basis for the data transfers I mentioned above… So technically, even if you put personal data in your clusters and use the search dashboard, those standard clauses cover this use-case as well.

Jason

In any case, I think someone from your team had emailed us about this as well - we are unable to modify our standard legal documents without a separate support contract, given the legal fees we incur. So if you need to redline our click-through agreements, we’d need to have a paid support contract in place to review the changes.

Viktor

That makes sense. Thank you very much for filling in the blanks on this!

Viktor

Jason I’m reviving this thread since customers have came back and said that regardless of the GDPR aspect, they cannot accept any data leaving the EU. Just disabling the dashboard would not be sufficient since our customers would need the legal docs to confirm that there is no data transfer happening outside of the EU. Can we set this up for Typesense Cloud or do you recommend us to should we self-host Typesense in this case?

Jason

Given the unique nature of this ask and the lawyer fees involved, we’d only be able to support this ask with the purchase of an . The alternative is of course to self-host.

Viktor

Thanks Jason