We were concerned with this prior to signing on with Marketo, and we have two separate instances. One for or North American communications and one for our EMEA communications. We were told that the login and data accessed/used in the EMEA instance was held on EU data centers. I'm hoping we are good to go from that perspective.
While that may be the case, the issue still remains: I sit in the US. But need access to all of our lead data across the world - e.g., what if I want to open up a lead record from Germany? Or what if I need to download an Excel file of a smart list that contains leads from many European countries?
Exactly, Dan -- once the data is at rest in the US we may be in violation. Even it's "just" a report run on the authoritative data, it's just as bad: if it weren't in violation to mirror part of your database in the states. the law would have no meaning.
However, I do wonder about singleton lookups, like looking at a single lead record from the States over the web. That may be an area where we gain some wiggle room.
You are probably safe with regards to data location and compliance with EU laws, but at the cost of productivity. This will impair sharing of best practices and you will carry the risk of getting duplicates that you will never be able to reconcile and merge.
Do you also have 2 separate CRM instances ?
Yes, we have two separate CRM instances as well. If someone from outside our North American territory fills out a form or is imported, there is a webhook and program that pulls them and then sends the records to out EU instance and then removes them from the original Marketo instance, and vice-versa for the EU to NA.
Like you, Marketo takes privacy seriously. We treat the data that you collect and use on our platform with the utmost sensitivity and employ strict policies and appropriate protections to help ensure the privacy of that information.
Marketo is responding to the recent invalidation of the Safe Harbor Program by developing an addendum to our services agreement that will incorporate the standard contractual clauses, which is an alternative mechanism for transferring personal data outside the EU in compliance with EU data protection law.
More information on the availability of the addendum will be available soon. Check here for updates Update from Marketo on the EU-US Safe Harbor Framework
We are a TRUSTe customer and listening to their webinar now on the ruling. For those who are concerned, if you have a legal team in your company and or an InfoSecurity team, make sure they are involved and have a plan in place on how you will be approaching next steps. At the end of the day the ruling is effecting immediately.
That said, it sounds like there is "more information to follow" from the EU governing body regarding this ruling.
With regards to SalesForce:
"Salesforce is immediately making available a data processing addendum that incorporates the European Commission's standard contractual clauses, commonly referred to as 'model clauses'." Source: How worried is Silicon Valley about Safe Harbour? - BBC News
We're in the same boat and have "EU model clauses" in place instead. This is really going to affect those mid-market companies that relied 100% on Safe Harbor.