Transfer Impact Assessment Frequently Asked Questions

Last updated: Aug 1, 2025

This Frequently Asked Questions (FAQ) document is intended to provide information and enable customers who are personal data exporters of data originating in the EU/EEA and UK to carry out a Transfer Impact Assessment (TIA).

Please note that the following statements do not and are not intended to constitute legal advice. Instead, all statements are for general informational purposes only. That said, it is your decision, as a data controller, to conduct your own assessments and to take additional technical or organizational measures as necessary.

1. Question: Is your company a provider of a “remote computing service,” as that term is defined in 18 U.S.C. § 1711?"
   The term “remote computing service” means the provision to the public of computer storage or processing services by means of an electronic communications system. See 18 U.S.C.§ 2711(2).

   Answer: The definition is very broad and for some of its products such as its SaaS solutions, Progress may be considered a provider of a “remote computing service.”

2. Question: Is your company a provider of an “electronic communications service,” as that term is defined in 18 U.S.C. § 2510?
   The term "electronic communication service" means any service that enables users to send or receive wire and/or electronic communications. See 18 USC § 2510(15). The term “electronic communication” means any transfer of signs, signals, writing, images, sounds, data, or intelligence of any nature transmitted in whole or in part by a wire, radio, electromagnetic, photoelectronic or photooptical system that affects interstate or foreign commerce.

   Answer: The definition is very broad and for some of its products, Progress may be considered provider of an “electronic communications service.”

3. Question: When choosing a Progress cloud-based product, is it possible that personal data may be accessible to U.S. government agencies via, for example, the U.S. Cloud Act or Foreign Intelligence Surveillance Act (FISA) Section 702 or Executive Order (EO)12333?

   Answer: Progress Software does not provide any government with direct and unfettered access to customers’ data, nor do we provide any government with encryption keys or the ability to break our encryption. As outlined in more detail below, Progress requires a court order, subpoena, search warrant or equivalent legal process in the applicable jurisdiction before giving access to any such third-party – and, even then, we may dispute it. More information on how Progress handles law enforcement requests can be found on https://www.progress.com/trust-center/law-enforcement-guidelines.

4. Question: What are the safeguards applied by Progress for international data transfers?

   Answer: Progress Software makes available to the customers who determine that under the applicable End User License Agreement (EULA) or Terms of Service will supply us with personal data to be processed on their behalf and/or as a service provider, a Data Processing Addendum (DPA) that addresses the requirements of Art. 28 of General Data Protection Regulation (GDPR), UK GDPR, Brazilian Federal Law 13,709 ("LGPD"), California Consumer Privacy Act (CCPA), Swiss Data Protection Law and incorporates the new set of Standard Contractual Clauses adopted by the European Commission for international data transfers as well as the UK Data Transfer Addendum (“UK DTA”) issued by the Commissioner under S119A(1) Data Protection Act 2018., in each case as may be amended, superseded or replaced from time to time. More information on our privacy practices is available on https://www.progress.com/legal/privacy-center

5. Question: What are the security measures for international data transfers?

   Answer: Progress Software has implemented controls under the ISO27001 standard for its IT services which support general administrative functions and SOC2, type II for most of our products as available on https://www.progress.com/trust-center

6. Question: How does Progress handle request from a U.S. government agency for access to personal data?

   Answer: Progress Software requires an official, signed, legally valid document issued pursuant to federal or local law and rules. Specifically, we require a subpoena or its equivalent. If such document is received, Progress Software legal team reviews the government demands for customer data and may engage with outside counsel to ensure the requests are valid and submitted through competent government body within the scope of their powers and may eventually challenge such request depending on the applicable laws and regulations. More information on how Progress handles law enforcement requests can be found on https://www.progress.com/trust-center/law-enforcement-guidelines.

7. Question: Did Progress ever receive any government requests under U.S. CLOUD Act or Foreign Intelligence Surveillance Act (FISA) Section 702 or Executive Order (EO)12333 concerning customers, including those based in EMEA?

   Answer: As of the time of the publication of this note Progress Software has not been served with a government request to access customer personal data under U.S. CLOUD Act or Foreign Intelligence Surveillance Act (FISA) Section 702 or Executive Order (EO)12333.