The General Data Protection Regulation (GDPR) represents one of the most significant privacy laws in the world, and Sibros' Deep Connected Platform™ (“Platform”) incorporates robust data protection and security controls and features to support compliance with data privacy regulations. This page provides our customers with important access to key information and resources about privacy and compliance at Sibros, including how Sibros and our Platform enable our customers to comply with privacy and data protection requirements.
Sibros' innovative IoT-based SaaS offerings take a proactive approach to cybersecurity and data protection by providing a comprehensive set of tools and functionality that allow our customers to effectively manage their data protection compliance obligations.
Access to end-user data, vehicle health diagnostics, maintenance suggestions, and driver habits via the customer-built API or via the customer dashboard made available through the customer web portal.
Full vehicle lifecycle cybersecurity management to effectively identify, categorize, and prevent system vulnerabilities and cyberattacks.
Utilization of in-vehicle infotainment systems and mobile applications to obtain user consent for data usage changes and OTA software update installation.
Ongoing in-depth threat analyses and risk assessments provide data for security adaptations and additional measures to protect against novel threats and attack methods.
Implementation of appropriate technical and organizational measures designed to ensure an adequate level of security for customer data, as required under Art. 32 GDPR
Certified under: ISO 27001, ISO 9001, TISAX and SOC 2 Type II. Regular security procedure training for relevant Sibros personnel.
Key Terms
Data Controller or controller
A legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Data Processor or processor
A natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller.
Identifiable natural person
One who can be identified directly or indirectly.
Personal data
Any information relating to an identified or identifiable natural person (i.e., a ‘data subject’).
Data subject
An identifiable natural person about whom certain personal data relates.
Subprocessor
A data processor who is engaged by another processor to process personal data on behalf of a controller. For purposes of these FAQs, the term “subprocessor” refers to vendors, service providers, and other processors that have been engaged by Sibros to provide certain services that include the processing of personal data on behalf of our customers.
Under the GDPR, Sibros acts as a data processor for the personal data that Sibros processes on behalf of our customers through their use of the Deep Connected PlatformTM. Sibros will only collect, access, store, and process this data as instructed by our customers.
Sibros customers are the data controllers for the personal data that is collected and processed through their use of our Deep Connected Platform because they “determine the purposes and means” of processing this data. Customers determine what data is collected and for what purpose(s), including the timing and frequency, and have the ability to create and run custom reports on their data.
Sibros has implemented various systems, procedures, and documentation to comply with and support our customers’ compliance with the GDPR, including the following:
Customer DPA and Data Transfer (SCCs) Terms:
Sibros’ Data Processing Agreement (our “Customer DPA”) includes standard data protection terms applicable to the processing of personal data and the provision of our services, which are tailored to address the unique aspects of Sibros' services and reflect our data security procedures. Our Customer DPA incorporates:
Subprocessor Compliance:
Sibros has taken a number of actions to ensure that its use of subprocessors complies with applicable data protection obligations.
Data Transfers:
Our Deep Connected Platform products and services, as well as our technical support and corporate operations, are provided from the United States, Germany, France, the UK, and India. We employ a range of measures to ensure that customer data is secure and safe and to maintain the integrity, accuracy, and confidentiality of that data when it is transferred to these jurisdictions. These measures include entering into agreements that include GDPR-compliant data processing terms and the EU SCCs and UK IDTA as applicable. Sibros has also implemented procedures and updated its practices to respond to the Schrems II decision by the European Court of Justice. See below for more information.
Data De-Identification:
Sibros protects and manages the usage of PII, especially geolocation, and performs de-identification actions including deletion or obfuscation of personal data and identifiers associated with the end user, VIN, and GUID(s), including by masking or deleting other unique identifiers such as ESN. The remaining disassociated data is also subject to further data exclusion and masking, which may include random staggering of the data, character shuffling, random dictionary substitution, or deletion of data to make it statistically improbable that the remaining data can be correlated with a particular vehicle or end user.
As the data controller, our customers are responsible for providing notice and obtaining any required consent from data subjects. As the data processor, Sibros provides customers the opportunity to display and link to a GDPR-compliant privacy notice and, where relevant, consent language addressed to the end-users, i.e., the data subjects. Our customers are responsible for providing the relevant notice or consent language and for managing any applicable notices and consents and configurations for such.
Notice and consent language and implementation is configured for each customer during the onboarding process and can be updated and configured as necessary thereafter. Customers configure how and when consent is requested, logged, and subsequently stored. For example, Sibros provides customers with a mechanism for obtaining mandatory electronic consent for log collection and Over the Air (OTA) updates. Customers must obtain end-user consent and send or transmit confirmation of such consent to Sibros before initiating data collection from or deploying FOTA updates to a particular vehicle through the Platform.
Our customers, as the controllers of end-user personal data processed within the Platform, may have certain legal obligations to respond to data subject requests under the GDPR and other applicable regulations. Within our customer portals, customers have the ability to create and export custom end-user reports for some data. The ability to request the deletion of specific end-user data and otherwise manage end-user data is available via Support tickets under the category “Data Privacy Request.” Customers can submit a support ticket in the customer portal to request Sibros support for processing data subject requests. Sibros has established processes, as described below, to facilitate and support our customers in responding to data subject requests regarding Platform data.
Access and Data Portability
Customers can submit a support ticket for a “Data Privacy Request” issue type specifying “Data Access Request” in their respective customer portal to request Sibros’ assistance in preparing and exporting a portable copy of end-user data associated with a particular Vehicle Identification Number (“VIN”). To request an end-user access report, customers must provide the VIN for the relevant end user’s vehicle. Data Access Request reports are provided to customers as a downloadable TAR File.
+ End User Access Report Format and Download
End-user access reports are compiled by Sibros as a TAR file and are usually processed within 10 business days. Sibros will provide customers with a secure download link to access the report. The link and end-user access report (TAR File) are available for 60 days, after which they expire.
Deletion Requests
Customers can submit a support ticket for a “Data Privacy Request” issue type specifying “Data Deletion Request” in the customer portal to initiate an end-user deletion request for data associated with a particular VIN. To request deletion of personal data regarding a specific end-user, customers must provide the VIN for the end user. Sibros processes deletion requests by deleting and/or disassociating the vehicle and device data from a particular end user within the Platform. Archived data that is stored as part of Sibros’ data back-ups are not subject to deletion and disassociation, unless the backup data is restored by Sibros. However, backups are regularly deleted or overwritten (usually within 180 days).
+ Deletion Process
End user VIN is deleted from the relevant GUID asset table(s), which map vehicle and device-related data to a specific VIN within the Platform, and the relevant GUID(s) for the vehicle are also deleted from the Asset tables, which severs the link between the end user and the corresponding vehicle and device-related data within the Platform. At this point, the device data cannot be associated with an end user without external data sources. It may take up to 15 days for a deletion request to be fully processed.
Other Data Subject Requests.
Sibros collects vehicle and device data as it is generated by the vehicle or device and, as such, is not able to verify inaccuracy or “correct” any vehicle and device data that is generated and processed within the Platform. To request support from Sibros to process a correction or other data subject request, customers may submit an “Other Data Request” ticket and provide the relevant VIN for the end user.
Yes, Sibros has customers in many jurisdictions worldwide, which is why our data processing terms are drafted broadly to address data protection requirements around the globe. Our Customer DPA incorporates the core privacy principles on which many international data protection law regimes are built and uses the strict GDPR framework as baseline language.
Yes. As an important privacy safeguard, Sibros is committed to ensure that law enforcement, intelligence agency, or other government requests for disclosure of data will be carefully scrutinized and that Sibros will only disclose the minimum amount of data necessary in response to a request. Where requests are unlawful or unfounded, Sibros will take appropriate steps to challenge these.
No, to date, Sibros has not received any request from law enforcement to disclose data from or about its customers.
In the wake of the new EU Standard Contractual Clauses and the Schrems II ruling by the Court of Justice of the European Union (CJEU), Sibros wants to provide our customers with the information needed to evaluate and assess transfers of personal information outside the European Economic Area (EEA) and the United Kingdom (UK), specifically regarding access from the United States.
Under certain laws, including the GDPR, the UK GDPR, and Swiss Privacy laws, companies may only transfer personal information outside the EEA/UK/Switzerland where either of the following is true:
Previously acknowledged as a ‘valid transfer mechanism’ the EU-US and CH-US Privacy-Shield Framework were invalidated by the Schrems II ruling as a means on which companies can rely upon to transfer data from the EU or Switzerland to the United States.
No, in principle, the CJEU upheld the validity of the SCCs (available at https://commission.europa.eu/publications/standard-contractual-clauses-international-transfers_en) as a lawful transfer mechanism but, in addition, now requires companies to evaluate and assess its global transfers and evaluate on a case-by-case basis, whether the privacy and surveillance laws of the recipient country, as well as the technical and organizational security measures deployed by the data importer, ensure a level of data protection adequate to the level required by applicable EEA/UK/Swiss law.
In addition to executing the new EU Standard Contractual Clauses (SCCs) available at https://commission.europa.eu/publications/standard-contractual-clauses-international-transfers_en, and the UK Addendum, available at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf, Customers must also conduct a “Schrems II Transfer Assessment” when relying on the new SCCs. Sibros provides these FAQs to help its customers understand what compliance mechanisms Sibros has put in place and to help customers comply with their own compliance requirements.
Yes, where transfers of EEA/UK/Swiss originating personal data to the United States are at stake (“Relevant Transfers”), the customer and Sibros generally rely on executed SCCs and the UK Addendum as relevant. The SCCs and UK Addendum are part of Sibros' Customer Data Processing Addendum.
Sibros has been closely monitoring developments regarding the new EU-US and Swiss-US Data Privacy Frameworks (“DPFs”), which has been approved and signed in July of 2023. For more information, see https://www.dataprivacyframework.gov/s/. In addition, the U.S. and UK governments have announced a deal in principle to establish the "UK Extension" to the EU-U.S. Data Privacy Framework. If established, both would then allow U.S. companies that certify to the DPF to transfer personal data from the EEA/UK to the US, respectively. Sibros is in the process of evaluating the published documentation and a self-certification under the DPFs.
Customers may wish to take the following factors into account:
Sibros uses Amazon Web Services (AWS) and Google Cloud Platform (GCP) for cloud hosting and computing services. Sibros' own instances are generally located in the United States. However, additional regions of the AWS and GCP instance may be agreed upon with the customer, for example, in the EU and certain APAC regions.
No. We are not of the view that any and all transfers to the US are unlawful simply because the possibility that Sibros may be subject to FISA 702 or EO 12,333 cannot be excluded. In addition, the Schrems II decision calls for case-by-case assessments, and the European Data Protection Board (EDPB) FAQs encourage controllers to look at “the circumstances of the transfer,” including the supplementary measures and safeguards in place to protect the data, which supports the argument that not all transfers are automatically unlawful. Many EU supervisory authorities have agreed that an approach of carrying out a risk-based assessment is the way to go, indicating that other factors than FISA 702 should be taken into consideration during the risk assessment process.
Customers should take their own advice on this matter. However, to help you with your risk assessments, we have put together information in these Customer FAQs for you.
FISA applies to the collection of foreign intelligence involving non-US persons where the collection occurs within the US and the collection of foreign intelligence regarding US persons, whereas EO 12,333 applies to a non-US person located outside the United States.