With so many aspects of our lives taking place in the online space these days, our data exposure to tech providers has intensified. This comes with power and greater responsibility. The flipside of the coin: Users also expect more guarantees on how tech companies handle their data. Transparency reports are one of the best ways to build and reinforce trust in online services. With this in mind, we are thrilled to announce that our updated transparency report is available. The report offers an overview of our privacy-protective measures, the latest data requests, and the implications of Tresorit’s acquisition by Swiss Post.
Protecting everyone’s right to digital privacy is ingrained in the way we operate – from our mission and ‘privacy by design’ technology to our decisions regarding future partnerships. So being transparent about how we protect user data and what data requests we receive is not an afterthought but one of the key elements of how we live by our mission.
Following our first report published in 2017 and updated in 2019, the current update covers the period from January 1, 2019, to November 30, 2021. It focuses on the following main topics: government data requests issued since the previous version; the changes in our ownership structure after Swiss Post acquired a majority stake of Tresorit in July 2021; and the resulting consequences in our data handling processes.
Insights from our updated transparency report
- We respect the fundamental human right to privacy. We derive everything we do from this leading principle – including our strategic decision to join Swiss Post. Based on our shared values and vision, we believe that together we can build an even stronger portfolio of privacy-focused products. This undertaking is powered by our end-to-end encryption technology that protects user content with utmost security, making access to our users’ data impossible for any third parties, including ourselves.
- The legal framework in which we operate remains the same even after Tresorit’s acquisition by Swiss Post. As a company operating under Swiss jurisdiction and subject to the Swiss data protection regulation (Swiss Federal Act on Data Protection, FADP), we are only obliged to respond to data requests coming from Swiss authorities. This also applies to international requests: information can only be disclosed following an official decision of the cantonal or federal authorities.
- In case of a lawful request, it is impossible for us to hand over user content in plain text due to our end-to-end encryption and client-side key management. As we don’t store encryption keys, we cannot decrypt user files. Thus, we can fulfill these obligations only by providing any available metadata and non-content related user data.
- As a subsidiary of Swiss Post, Tresorit retains its status as an independent legal entity. Accordingly, we remain subject to limited obligations put forth by the data retention and surveillance law. Since we do not meet the thresholds defined by the Swiss Federal Post and Telecommunications Surveillance Act (Bundesgesetz betreffend die Überwachung des Post- und Fernmeldeverkehrs, BÜPF), we only have to comply with its “light” regulations and supply data accessible to us.
- We received one (1) data request during the covered period.
Read the detailed Transparency Report here.