Data Privacy & Government Surveillance FAQ
Reejig is committed to complying with all applicable laws governing the privacy, security, and treatment of its customers' data. This includes existing and emerging laws in the United States, European Union, and other jurisdictions. Because these may vary across countries, Reejig has prepared these Frequently Asked Questions (FAQs) addressing common data privacy inquiries from our international customers and partners regarding Reejig's position on government surveillance.
FAQ 1 – Does Reejig comply with the GDPR and other data privacy protection laws?
Reejig complies with the local data privacy laws in each of the countries where we operate. Our internal policies are designed to protect our customers' data in accordance with the local data privacy laws in the countries where their data is stored. This includes complying with the GDPR if customer data is subject to the GDPR.
FAQ 2 – Where does Reejig store European customers' data?
If a European customer so chooses, Reejig stores all of that customer's data on servers located in the European Economic Area (EEA), which is governed by the GDPR. Reejig complies with the local data privacy laws, including the GDPR, in each of the countries where customers' data are stored.
FAQ 3 – Does Reejig transfer European customers' data to recipients in the U.S.?
Currently, implementation services are provided from the United States. Otherwise, Reejig does not transfer European customers' data to a recipient in the U.S. for processing either by Reejig itself or by any other data processor. Reejig ensures that all personal data is handled, processed, transferred, and stored in accordance with GDPR, including with the use of the latest Standard Contractual Clauses that the European Commission has approved for ensuring appropriate data protection safeguards.
FAQ 4 – Does Reejig use encryption to protect European customers' data?
Yes, Reejig encrypts all customer data both as data are stored on servers (i.e., at rest) and as data are transferred (i.e., in transit) to another entity.
FAQ 5 – Does Executive Order 12333 require Reejig to participate in U.S. Government surveillance activities?
Executive Order 12333 governs the U.S. intelligence community's foreign surveillance and collection activities. It does not authorize intelligence collection against U.S.-based targets or require U.S. companies like Reejig's U.S. subsidiary to participate in intelligence gathering. Reejig has no role in or control over any U.S. intelligence community activities.
FAQ 6 – Does the Foreign Intelligence Surveillance Act ("FISA") require Reejig to participate in U.S. Government surveillance activities?
FISA is designed to investigate foreign spies and terrorist organizations operating within the United States. The U.S. Government can only obtain information under FISA through a warrant issued by an independent federal court. Reejig has not received such warrants, does not anticipate receiving any such warrants, and reserves the right to challenge them through juridical means when necessary.
FAQ 7 – Does Section 702 of FISA apply to Reejig?
Section 702 of FISA authorizes the U.S. government to apply to an independent federal court for a warrant to collect communications from electronic communications or internet service providers for the purpose of investigating foreign spies and terrorist organizations. Reejig is not an electronic communications or internet service provider and has never received a Section 702 warrant. In addition, based on public authorities and Reejig's experience, the personal data that Reejig maintains is highly unlikely to be of any interest to U.S. foreign intelligence investigations.
Consistent with the EDPB's recent recommendations on measures that supplement transfer tools, Reejig has based this assessment on its own documented practical experiences, public statements issued by the U.S. government, the documented experiences of other actors that process similar personal data, and publicly reported cases evidencing the past application of U.S. national security laws, including FISA Section 702. Furthermore, as the U.S. Department of Justice, the Office of the Director of National Intelligence, and the Department of Commerce made clear in a joint White Paper issued in September 2020, companies like Reejig that offer "ordinary commercial products or services," and whose data transfers "involve ordinary commercial information like employee, customer, or sales records," have "no basis to believe U.S. intelligence agencies would seek to collect that data" through FISA Section 702.
FAQ 8 – Do the USA PATRIOT Act and its successor laws require Reejig to participate in U.S. Government surveillance activities?
These laws are designed to investigate money laundering and terrorist financing. Collecting information under these laws typically requires a court order, geographic targeting order, or national security letter. Reejig has not received such orders, does not anticipate receiving any such orders, and reserves the right to challenge them through juridical means when necessary. Based on public authorities, the type of personal data that our customers generally collect and place into Reejig's software is not of interest to U.S. intelligence agencies.
FAQ 9 – Does Reejig voluntarily participate in any U.S. Government or surveillance programs, including those administered by the National Security Agency ("NSA")?
Reejig is not a U.S. Government contractor, does not conduct business with the U.S. intelligence community, and does not knowingly or voluntarily participate in any U.S. Government intelligence or surveillance programs, including surveillance and data collection programs administered by the NSA.
FAQ 10 – Does Reejig provide any customer data to any intelligence agencies?
Reejig does not voluntarily provide customer data to any U.S. or foreign intelligence agencies. Obtaining access to U.S.-based customer data would require a court order or similar directive under U.S. law. Reejig has never received, and does not anticipate receiving, such an order in connection with intelligence activities.
FAQ 11 – Does Reejig provide metadata or other similar content to U.S. intelligence agencies?
Reejig does not provide customer metadata to any intelligence agencies or participate in any government programs involving the bulk collection of metadata. Obtaining access to U.S.-based customer metadata typically requires a court order under U.S. law. Reejig has never received, and does not anticipate receiving, such an order in connection with intelligence activities.
FAQ 12 – Does Reejig share customer data stored outside the United States with any U.S. intelligence agencies?
Reejig's customers control how and where their data is stored and shared. We do not relocate customer data unless a customer specifically directs us to do so and such activities are authorized under local privacy laws. Nor do we share customer data with any government agency unless we are required to do so under applicable local laws.
FAQ 13 – Does Reejig build any "backdoors" into its software, source code, or systems that would allow U.S. intelligence agencies to access customer data?
Reejig is committed to protecting the privacy and security of its customers' data, regardless of where that data is located. We do not provide any government agencies with software source code, encryption keys, or other forms of access for the purpose of accessing customer data. Reejig has never received, and does not anticipate receiving, requests for "backdoor" access to its software and systems.
FAQ 14 – Does Reejig work with any vendors, suppliers, or other business partners that participate in intelligence and surveillance programs?
Reejig's business partners are commercial enterprises. As such, we are not aware of any vendors or suppliers participating in such programs. Even if our business partners were engaged in such activities, however, our systems are designed to prevent them from accessing customer data without the customer's prior authorization. As noted, Reejig uses encryption for data at rest and in transit and uses Standard Contractual Clauses that the European Commission has approved for ensuring appropriate data protection safeguards.
FAQ 15 – Is Reejig subject to any other laws that would allow governments access to customer data?
Like any company, Reejig is subject to the local laws that apply in the countries where it stores customer data. This means that Reejig may occasionally need to comply with court orders, subpoenas, or search warrants related to routine law enforcement activities. Such measures are consistent with the GDPR's long-standing law enforcement exceptions.
FAQ 16 – How will Reejig protect customer data during law enforcement investigations?
- Reejig believes that any government request should be directed to the appropriate Reejig customer that owns the data.
- Reejig will work with its legal advisors to determine whether court orders, subpoenas, or other agency directives are authorized under the relevant national laws. If such orders are not consistent with applicable local law, then Reejig reserves the right to challenge them through judicial action or other means.
- If Reejig receives a government request for customer data, Reejig will investigate: (1) whether Reejig can seek interim measures to suspend enforcement of the government request until Reejig's challenge has been resolved; (2) whether (a) applicable law prohibits Reejig from notifying the affected customer of the government request prior to producing the requested information, and if not, such notice will include all relevant information that Reejig is legally permitted to provide to the customer, and (b) if a government request purports to require Reejig to delay customer notice indefinitely, whether Reejig can challenge it; and (3) whether, if a law enforcement or government agency contacts Reejig, Reejig can inform the agency that it is merely a processor of its customers' data, and redirect the agency to make the request directly to the relevant customer.