Cloud’s data storage : Astran, first effective technical measure post Schrems II approved by the CNIL

Table of Contents

Paris, January 2, 2023 - Astran, the software editor building zero trust storage in the clouds,  becomes the first effective technical measure approved by the French Data Protection  Authority (CNIL) in the context of the use of non-European cloud solutions, in particular for  data archiving and multi-party processing.  

A technical and regulatory deadlock? 

Companies subject to the European GDPR were in a deadlock since the invalidation of the  Privacy Shield in 2020 by the Schrems II ruling. Indeed, their management was caught  between the need to accelerate digital transformation - notably by using SaaS solutions and  accelerating their move to the cloud - and the need to ensure that there is no risk of regulated  data transfers outside the European Union. 

This situation was further exacerbated by the January 2022 Europe-wide Google Analytics  case law, which clarified that companies are subject to an obligation of result regarding data  privacy protection with respect to transfers outside the European Union. 

Despite efforts to converge on a new transatlantic Privacy Shield project, the preeminence of  the Cloud Act and FISA on the one hand, and the proximity of the new DORA regulation on  the other, have left corporate and organizational management in a complex and risky  situation regarding their ability to adopt Cloud and SaaS solutions. 

The first solution to make Cloud and SaaS solutions compliant 

The CNIL confirmed in an official letter on January 10, 2023 regarding Astran’s solution (ex SPLiT): "As described, the services consider that the SPLiT (Astran) solution is an effective  additional technical measure within the meaning of EDPS recommendations 01/2020, aimed  respectively at "storage of data for backup purposes and for other purposes that do not  require access to the data in clear text" and "fractional or multiparty processing". 

Indeed, Astran’s S5 solution introduces a patented data fragmentation technology (Secret  Sharing) that ensures confidentiality, security, and stored data’s compliance, while avoiding  the burden of encryption keys. 

The CNIL confirms that Astran’s solution "does not require explicit management of encryption  keys, provided that its generation is in line with the state of the art". It validates the use of Astran’s solution in particular for archiving and multiparty processing use cases (such as the  use of SaaS solutions). 

The CNIL also specifies that data thus protected remains personal data according to the  European GDPR and recommends at this stage the use of European clouds by Astran on  certain parts of its architecture.

In practice, for many companies and public organizations, the technical solution developed  by Astran now allows to adopt SaaS and cloud solutions, European or not, in full  compliance. 

Astran’s S5 solution can be used via compatible S3 APIs or via code-free plug-ins natively  integrated into the SaaS solutions on the market. 

CNIL's actions in favor of innovative companies 

Astran wishes to salute the CNIL's action in favor of innovative companies in the sector, which  is of vital importance to create tomorrow's European champions and to provide effective  technical solutions to help companies comply with regulations. 

Indeed, the CNIL first identified Astran (ex-Astrachain) in the context of an innovation sandbox  organized by the CNIL. And the CNIL did not fail to respond in a precise and diligent manner  to the formal request for Astran’s advice concerning the ability of its solution to meet the  requirements of the GDPR in a context of data transfers risk outside the European Union. 

About Astran 

Astran (ex-Astrachain) is building the only zero-trust cloud storage solution.  

Astran’s S5 solution introduces a patented data fragmentation technology (Secret Sharing) to ensure privacy,  security and compliance of stored data, while avoiding the burden of encryption keys. Astran’s S5 solution is compatible with all cloud storage providers and systems, and integrates natively with  Salesforce and all compatible S3 applications. 

Astran is trusted by large private and public companies to store their sensitive data in the cloud, and has been  approved by the CNIL for cloud data archiving and multi-party processing.

Return to Resources ->