Transfer Impact Assessment (TIA) - Byteflies Cloud

For the data protection-compliant transfer of personal data between data processors from the EU, standard contractual clauses (“SCCs”) were introduced by the European Commission (Updated June 2022, in accordance with the “Schrems II” ruling), next to the recommendations from the European Data Protection Board (“EDPB”).

Both the SCCs and recommendations from the EDB include the requirement to perform a Transfer Impact Assessment (“TIA”) as a tool to outline all possible intended and unintended transfers, and any legal and/or technical mitigations put in place.


In the interest of full transparency, we provide a public TIA here.
We will follow a typical 6-step assessment to assess any impact on the privacy of the data processed by Byteflies Cloud during its lifetime, in particular by Byteflies Sensor Dot, Byteflies Docking Station and cloud hosting provider Amazon Web Services (“AWS”) in Ireland.

More information on your data rights can be found in our Privacy Policy.
More information on the processing of the data can be found in our Data Protection Impact Assessment.

1. Know your transfers

The Byteflies Sensor Dot is a wearable device to be used in a home or hospital environment that uploads raw anonymous medical biometric data to the Byteflies Cloud and is accessed by Healthcare Professionals (HCPs).

HCPs might use the Byteflies Cloud to provide pseudonyms to link the anonymized data to their patients, as well as provide extra inputs to augment the data.

Byteflies Sensor Dot transfers its recordings when it is docked in the Byteflies Docking Station, which happens on a 12-24h schedule from the location of the patient.

After upload to the Byteflies Cloud,and next to the usage of HCPs, the data will not be transferred during the rest of its lifetime.

The Byteflies Cloud is hosted on AWS. As part of AWSs services, a region can be designated where all data is stored. In our case, we opted for the EU region, and more specifically: all data stored in the Byteflies Cloud is hosted in Ireland.

In accordance with the AWS GDPR DPA, AWS will not transfer data outside the chosen region, unless i) it is necessary to provide AWS services initiated by Byteflies or ii) it is necessary to comply with law or a valid and binding order of a governmental body.

  • With regard to the first exception, Byteflies ensures that no services are chosen that involve a transfer of data outside our chosen region. For example, an opt-out was provided for the transfer of data for development and improvement purposes of AWS services and no use is made of services where transfer is an essential part of the relevant AWS service (such as content delivery service).


In addition, AWS prohibits and its systems are designed to prevent remote access by AWS personnel to customer data for any purpose, including service maintenance, unless access is requested by customers, is required to prevent fraud and abuse, or to comply with law.

  • As for the second exception, although Byteflies has a contractual relationship with a European entity of AWS based in Luxembourg (namely: Amazon Web Services EMEA SARL), the foregoing entity is a subsidiary of the US parent company. As US security laws in principle apply to US companies outside the US, there is a potential risk of access (and thus a transfer of data) to the data by US law enforcement agencies as described under 3. Assess whether the transfer tool relied upon is effective in light of the circumstances of the transfer.

As a rule of thumb, we can conclude that data in the Byteflies Cloud does not leave the EU which means that the General Data Protection Regulation (“GDPR”) is applicable at all times. Only in the two aforementioned exceptions, there can potentially be a transfer of data outside the EU to the US.

In what follows, we will focus further on this transfer, its risks and what measures were taken to mitigate these risks.

2. Identify the transfer tool relied upon

As we use a cloud hosting provider (Amazon Web Services) to host Byteflies Cloud in the Ireland (EU) region, we have DPAs and contracts with updated SCCs in place with AWS as a sub-processor to make sure that all our data is protected under GDPR.

In case there is a transfer of data by AWS to the US, this transfer is therefore based on the SCCs to provide an appropriate safeguard for the transfer.

The SCCs are part of the AWS Service Terms and incorporated by reference into the AWS GDPR DPA.

Both the Schrems II ruling and the EDPB Recommendations confirm that SCCs are a valid mechanism for transferring personal data subject to GDPR outside the EEA. Byteflies can therefore rely on the SCCs included in the AWS GDPR DPA for transfers of its data, in compliance with GDPR.

3. Assess whether the transfer tool relied upon is effective in light of the circumstances of the transfer

US Surveillance legislation

The Court of Justice of the European Union (“CJEU”) identified in Schrems II the following US laws as being potential obstacles to ensuring essentially equivalent protection for personal data in the US:

  • Foreign Intelligence Surveilance Act Section 702 (“FISA 702”) which sets forth processes and conditions for US intelligence agencies to lawfully collect information relating to non-US persons who are reasonably believed to be located outside the US if a significant purpose of such collection is to acquire foreign intelligence information and the source of the information is a US-based electronic communication service provider (“ECSPs”), which can include remote computing service providers (“RCSP”).
  • Executive Order 12333 (“EO 12333”) which authorizes intelligence agencies (like the US National Security Agency) to conduct surveillance outside of the US. In particular, it provides authority for US intelligence agencies to collect foreign "signals intelligence" information, being information collected from communications and other data passed or accessible by radio, wire and other electromagnetic means. This may include accessing underwater cables carrying internet data in transit to the US. EO 12333 does not rely on the compelled assistance of service providers, but instead appears to rely on exploiting vulnerabilities in telecommunications infrastructure.

More information about these laws can be found in the White Paper that the US Department of Commerce, Department of Justice and the Office of the Director of National Intelligence jointly issued in September 2020, detailing the limits and safeguards pertaining to their access.

Applicability of US Surveillance legislation

FISA 702

Technically, AWS could be subject to FISA 702 as a RCSP. The data processed on the Byteflies Cloud is however not likely to be of interest to the US government or intelligence agencies. In this regard, the White Paper explicitly mentions that for many companies, the issue of national security access to their personal data is “unlikely to arise because the data they handle is of no interest to the US intelligence community”.

We consider this to be also applicable with regard to the data on the Byteflies Cloud, as health data is not likely to be useful for criminal or anti-terrorism purposes. Especially in the case of the data on the Byteflies Cloud, which is stored anonymously or pseudonymised without any link to the identity of the users.

In addition, primarily the upstream surveillance orders under FISA 702 (the type of order largely issued) were deemed problematic in Schrems II. Upstream collection authorizes US authorities to collect communications as they travel over the internet backbone. AWS does not offer such backbone services as a provider of cloud computing services, but only carries traffic involving its own customers. As a result, AWS is not eligible to receive the type of orders principally addressed in, and deemed problematic by the Schrems II ruling.


EO 12333

EO 12333 does not provide an authorization to US authorities to force companies to disclose data. The most important concern regarding EO 12333 according to the CJEU in Schrems II is the US government’s ability to collect personal data while it is in transit to the US by intercepting data traveling over transatlantic cables.

As stated, all data stored in the Byteflies Cloud is hosted in Ireland, reducing the risk of interception, since only in exceptional cases there will be a transfer to the US.

Furthermore, personal data can be protected from this type of interception through security measures such as encryption. As explained under 4. Identify the technical, contractual and organizational measures applied to protect the transferred data, Byteflies uses encryption which further reduces the risk of interception.

Access requests in the context of US Surveillance legislation in practice

Even in the case data processed on the Byteflies Cloud would be of interest to the US government or intelligence agencies, AWS reviews every law enforcement request individually and independently.

In this context, AWS explicitly states “that is has a history of formally challenging government requests for customer information that it believes are overbroad or otherwise inappropriate. AWS will continue to thoroughly scrutinize such requests, including those that conflict with local law such as GDPR, and object where it has appropriate grounds to do so.”

In addition, AWS makes contractual commitments to challenge these law enforcement requests, based on the supplementary addendum to the AWS GDPR DPA which is applicable between Byteflies and AWS. As a result, AWS is obligated to challenge any overbroad or inappropriate request (including where such request conflicts with the law of the European Union or applicable Member State law).

In practice, according to the reports on the Amazon Information Requests webpage, disclosures by AWS of customer data in response to governments requests are very rare.

Until now, no request resulted in disclosure to the US government of enterprise content located outside the United States.

Therefore, based on the above, we can conclude that access by the US government of data on the Byteflies Cloud is not likely to occur.

4. Identify the technical, contractual and organizational measures applied to protect the transferred data

Even if the risks associated with the transfer of data are limited, Byteflies identified and adopted supplementary measures to reduce the risk even more in accordance with the EDPD recommendations on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data.

Therefore, we implemented the following technical measures to secure data:

  • Hosting region: we chose the EU region (Ireland) as the location where all data in the Byteflies Cloud is hosted. In addition, we ensure that no AWS services are chosen that involve a transfer of data outside our chosen region
  • Encryption: we make sure that all our data is encrypted both in transfer and at rest. When the data transfers from the Byteflies Sensor Dot device, it is secured using TLS 1.2 over an MQTT(S) tunnel and uploaded to encrypted storage (AES-256) within the Byteflies Cloud, hosted on AWS in the Ireland region. All connections to access data on the Byteflies Cloud are also secured using TLS 1.2.

Byteflies Sensor Dot and Byteflies Docking Station store their data encrypted on encrypted storage, providing sufficient protection from prohibited physical access.

Byteflies Cloud uses encrypted storage to prevent any unauthorized access by the cloud hosting provider and performs any processing in temporary, secured and isolated containers to mitigate any possible exposure across the cloud provider.

  • Pseudonymization and anonymization: all data stored in the Byteflies Cloud is either pseudonymized or anonymized, depending on the context of processing.
  • Secured connection: at Byteflies we do not trust the networks on which our data travels to / from our Byteflies Cloud, and will always assure that our data travels through a secured connection, preventing any “man-in-the-middle” from accessing it or compromising its integrity.

More information about our commitment to data safety can be found here.

With regard to contractual measures, the following requirements were implemented:

  • AWS GDPR DPA: based on the AWS GDPR DPA, AWS makes contractual commitments about the measures it takes and makes available to protect customer data. For example, AWS contractually commits to (i) implement technical measures to protect the AWS network, (ii) assist customers in complying with their security obligations under GDPR by offering tools and functionalities, and (iii) provide third party certifications and audit reports so that customers can verify AWS’s compliance with the AWS GDPR DPA.
  • Supplementary addendum: based on the supplementary addendum, AWS commits to (i) use every reasonable effort to redirect any governmental body requesting customer data to the applicable customer; (ii) promptly notify the applicable customer about the request if legally permitted to do so; and (iii) challenge any overbroad or inappropriate request, including where the request conflicts with EU law. AWS also commits that if, after exhausting the preceding steps, it remains compelled to disclose customer data, AWS will disclose only the minimum amount of customer data necessary to satisfy the request.

Furthermore, AWS warrants that it has no reason to believe that the legislation applicable to AWS or its sub-processors, including in any country to which customer data is transferred, prevents AWS from fulfilling its obligations under the AWS GDPR DPA or the supplementary addendum. AWS also commits to promptly notify any change in legislation which is likely to have a substantial impact on AWS fulfilling its obligations.

The following organizational measures were identified:

  • Processes: AWS has internal processes to deal with governmental requests for customer data, and irrespective of the source of the request or the laws that apply, AWS reviews every governmental request individually and independently in accordance with its law enforcement guidelines and commitments in the AWS supplementary addendum. AWS rigorously limits – or rejects outright – law enforcement requests for customer data coming from any country, including the United States, where they are overly broad or AWS has any appropriate grounds to.
  • Information Request Reports: AWS regularly publishes on the Amazon Information Requests webpage an Information Request Report (“IRR”) about the types and volume of governmental requests it receives. Beginning with the July-December 2020 report, AWS launched a new IRR format as an organizational supplementary measure that provides more information about the types of governmental requests AWS receives, and the country of origin of such requests.
  • Organisation methods and data minimization measures: all Byteflies products adhere to the Least Priviliged and Four-eyes principles, and use rigorous encryption standards.
  • Adoptation of standards and best practices: Byteflies is ISO 13485 certified for the design and production of medical device hardware and software and has an EU and US-compliant Quality Management System.

Byteflies has a Chief Medical Officer (CMO) who is responsible for safeguarding our adherence to good clinical practice (GCP).

As a result of the above measures, we believe that the level of protection of the data transferred is brought up to the EU standard of essential equivalence.

5. Procedural steps necessary to implement effective supplementary measures

Byteflies’ mission is to enable wearable health, which requires an ecosystem in which privacy is respected and security can be trusted. We believe that with the current safeguards and mitigations in place, we can adequately protect our users' data from being accessed in the context of transferring data to the US. Therefore, no additional supplementary measures are necessary at this moment.

6. Re-evaluate at appropriate intervals

As part of our internal processes, we constantly evaluate the reasoning in this document as well as additional measures we can implement.

For any additional information, feel free to contact dpo@byteflies.com.