The General Data Protection Regulation (GDPR) is a European Union (EU) regulation providing data protection for EU citizens, replacing the 1995 Data Protection Directive. In essence, it requires businesses that hold data to adhere to standards that SpiderOak has always maintained. In fact, we built our No Knowledge privacy environment specifically to handle the task of safeguarding our customers' data and privacy. As such, all of our products (SpiderOak One and Groups backup, Semaphor messaging, the Encryptr password manager, the Trusted Application Platform, and the Secure Application Updater) comply with the GDPR.
Although the GDPR only applies to EU citizens, we believe everyone deserves data protection. All customers of all of our products, regardless of citizenship or location, enjoy the same high standards of privacy and security.
SpiderOak's servers are located in the United States, so it is relevant to note that under the GDPR the transfer of personal data to a country outside the European Economic Area is allowed if the company provides appropriate legal safeguards, which SpiderOak always has. In our opinion, however, this focus on contracts, codes of conduct, and the destination country misses the point. While legal restrictions are good, history shows that you should not blindly trust either your vendor or public authorities. For that reason, SpiderOak's products encrypt your files and messages before they leave your computer, using encryption keys that only you hold. You don't have to trust us (or nosy third parties, or overreaching authorities) to obey the law, because no one but you is able to decrypt your data. That is the essence of our No Knowledge privacy environment.
Because our privacy environment actually predates the GDPR, our compliance with it is not yet explicitly stated in our products or terms of service. As new versions of our products are released, they will contain GDPR statements of compliance and disclosure messages, and we are updating our contracts and terms of service. Likewise, for the moment, we self-certify our compliance. As our customers' needs regarding GDPR evolve, we will introduce additional statements of compliance and disclosure. Please feel free to let us know what additional statements of compliance and disclosure you, your business, or your clients need and how we can help you.
For information on our datacenter certifications, see Datacenter Locations and Certifications.