Paris, January 2, 2023 - Astran, the software vendor building zero-trust storage in the cloud, becomes the first effective technical measure approved by the French Data Protection Authority (CNIL) in the context of the use of non-European cloud solutions, in particular for data archiving and multi-party processing.
A technical and regulatory deadlock?
Companies subject to the European GDPR have been in a deadlock since the invalidation of the Privacy Shield in 2020 by the Schrems II ruling. Their management was caught between the need to accelerate digital transformation - notably by using SaaS solutions and accelerating their move to the cloud - and the need to ensure that there is no risk of regulated data transfers outside the European Union.
This situation was further exacerbated by the January 2022 Europe-wide Google Analytics case law, which clarified that companies are subject to an obligation of result regarding data privacy protection with respect to transfers outside the European Union.
Despite efforts to converge on a new transatlantic Privacy Shield project, the preeminence of the Cloud Act and FISA on the one hand, and the proximity of the new DORA regulation on the other, have left corporate and organizational management in a complex and risky situation regarding their ability to adopt Cloud and SaaS solutions.
The first solution to make Cloud and SaaS solutions compliant
The CNIL confirmed in an official letter on January 10, 2023 regarding Astran’s solution (ex-SPLiT): "As described, the services consider that the SPLiT (Astran) solution is an effective additional technical measure within the meaning of EDPS recommendations 01/2020, aimed respectively at 'storage of data for backup purposes and for other purposes that do not require access to the data in clear text' and 'fractional or multiparty processing'."
Indeed, Astran’s S5 solution introduces a patented data fragmentation technology (Secret Sharing) that ensures the confidentiality, security, and compliance of stored data, while avoiding the burden of encryption keys.
The CNIL confirms that Astran’s solution "does not require explicit management of encryption keys, provided that its generation is in line with the state of the art". It validates the use of Astran’s solution in particular for archiving and multiparty processing use cases (such as the use of SaaS solutions).
The CNIL also specifies that data thus protected remains personal data according to the European GDPR and recommends at this stage the use of European clouds by Astran on certain parts of its architecture.
In practice, for many companies and public organizations, the technical solution developed by Astran now makes it possible to adopt SaaS and cloud solutions, European or not, in full compliance.
Astran’s S5 solution can be used via S3-compatible APIs or via code-free plug-ins natively integrated into the SaaS solutions on the market.
CNIL's actions in favor of innovative companies
Astran wishes to salute the CNIL's action in favor of innovative companies in the sector, which is of vital importance to create tomorrow's European champions and to provide effective technical solutions to help companies comply with regulations.
Indeed, the CNIL first identified Astran (ex-Astrachain) in the context of an innovation sandbox organized by the CNIL. The CNIL also responded in a precise and diligent manner to Astran’s formal request for advice concerning the ability of its solution to meet the requirements of the GDPR in a context of risk of data transfers outside the European Union.
About Astran
Astran (ex-Astrachain) is building the only zero-trust cloud storage solution.
Astran’s S5 solution introduces a patented data fragmentation technology (Secret Sharing) to ensure privacy, security and compliance of stored data, while avoiding the burden of encryption keys. Astran’s S5 solution is compatible with all cloud storage providers and systems, and integrates natively with Salesforce and all S3-compatible applications.
Astran is trusted by large private and public companies to store their sensitive data in the cloud, and has been approved by the CNIL for cloud data archiving and multi-party processing.