Tresorit, a Swiss provider of end-to-end encrypted cloud file storage, has released its first transparency report, following in the footsteps of U.S. companies like Microsoft, Twitter, Google, or Reddit.
For those not familiar, the legal framework of the company needs a little clarification. As per the transparency report, Niederteufen-based Tresorit AG is a wholly owned subsidiary of Hungarian entity Tresorit Kft. While some aspects of operation are handled in accordance with Hungarian and European Union laws, everything user-related, such as processing and management of user data, is subject to Swiss laws. In particular, personal data is protected by the Swiss Federal Act on Data Protection (FADP). This is because upon signing up, the user enters into a commercial agreement with Tresorit AG, not its Hungarian parent company.
Furthermore, because of its status as a Swiss company, the firm can only hand over user data if the request meets the provisions of the Swiss Federal Act on International Mutual Assistance in Criminal Matters (IMAC). This is important because Tresorit stores user files and metadata in Azure datacenters in Ireland. However, even though Microsoft is a U.S. company, handing over of user data by Tresorit is still subject to Swiss laws.
- Email address associated with the account
- Phone number (if provided by the user)
- Billing information: billing name (company name), billing address, last 4 digits of credit card, credit card expiry
- IP addresses where user accessed the service from
- Tresor names, basic activity data, device name
Another thing to note is that Swiss authorities are currently working on changing the domestic implementation of the data protection act to be more in line with the EU’s General Data Protection Regulation (GDPR), which becomes applicable from May 25 next year.
Regardless of future legislative changes, the current report is based on the same structure as the Transparency Reporting Toolkit’s Reporting Guide and Template. This was created by the Open Technology Institute at New America and the Berkman Klein Center for Internet & Society at Harvard. The period covered is between the incorporation of Tresorit AG on September 24, 2013, and November 30, 2017.
In the aforementioned period, the company has received exactly one informal request from Swiss police to retain certain user data. That said, due to the absence of an official decision by competent Swiss authorities, no data was handed over.
Seeing as the number was so low, and no foreign requests have been received, we reached out to Tresorit for clarification regarding user data requests from other countries. A spokesperson for the company stated:
"As we write in the report, this is governed by the Swiss Federal Act on International Mutual Assistance in Criminal Matters (IMAC). It states that in all cases, an official request should be addressed to Swiss federal authorities and these requests will be processed by either the respective Swiss canton or the Swiss federal authorities. In case of international mutual assistance, the Swiss Federal Office of Justice (FOJ) is usually the competent authority."
There is also the other side of data requests, namely those coming from Swiss authorities themselves. On that subject, the company had this to say:
"We are obligated to cooperate with Swiss authorities in providing access to data only in cases when we receive legally binding orders from Swiss authorities. It is important that we can only provide access to the data that we have access to (that is, we cannot give access to file content due to our end-to-end encryption, and can only provide the metadata we have access to detailed in our report). Our mission is to protect our users’ data and their privacy from unauthorized access (such as hackers, surveillance and also unlawful data requests), however, in case of a legally binding order we have to cooperate with authorities and we don’t want to hinder their legitimate work with criminal cases.
"We consider all requests on a case-by-case basis with our legal counsel, to decide how we should respond. In all cases, against any such request from a Swiss State prosecutor or any Swiss court, Tresorit would have the right to appeal to court until a final court decision."
Beyond the statements above, Neowin has also been informed that Tresorit does not wish its service to be used for criminal activities, and thus will comply with a legally binding order in a legitimate case, following a discussion with its legal counsel.
If you're interested in signing up, there's more information regarding pricing and features on the company’s official website.