Data Privacy Framework (DPF) FAQs
Why is Guidewire Certified Under the DPF?
Guidewire has certified under the EU-U.S. Data Privacy Framework, the UK Extension, and the Swiss-U.S. Data Privacy Framework, to provide our customers with a high level of legal certainty for transatlantic personal data flows from the EU, EEA, UK, Gibraltar, and Switzerland to the U.S.
The European Commission’s Adequacy Decision means that U.S. companies certified under the DPF are recognized as providing a level of data protection that is essentially equivalent to that of the European Union.
How Does The DPF Interact With Our Existing European and UK Standard Contractual Clauses (EU and UK SCCs)?
Our DPF certification complements and reinforces our existing data transfer methods, such as the use of EU and UK Standard Contractual Clauses. While the EU and UK SCCs remain a valid mechanism for international data transfers from the EU, EEA or the UK to any third country outside of the EEA and the UK, relying on our DPF certification for transfers from the EU, EEA, UK, Gibraltar or Switzerland to the U.S. offers customers maximum legal certainty. Furthermore, this dual approach ensures a fallback mechanism should the DPF ever be invalidated, providing our customers with the most secure and legally compliant methods to transfer data.
How Does Guidewire Handle Government Requests for Data Access?
Guidewire’s commitment to customer data protection is paramount. We contractually guarantee that customers retain full ownership and control over their data, and we do not voluntarily disclose customer information to third parties. If Guidewire receives a government data access request, we will follow a rigorous protocol designed to prioritize customer notification and ensure data protection. We will first evaluate the request's legal validity and attempt to redirect the authority to the customer directly, only withholding customer notification if strictly prohibited by law, in which case we will actively seek waivers to communicate with our customer as soon as possible. Where appropriate, Guidewire will challenge requests through judicial channels. Only when legally required, and after all available opportunities to challenge a request have been exhausted, will Guidewire disclose the absolute minimum amount of required information. All actions, from the initial preservation of data to the final case outcome, will be comprehensively documented.