Sibros Compliance - GDPR


Consumer Data Privacy by Design 

Schedule Demo

General Data Protection Regulation

The General Data Protection Regulation (GDPR) represents one of the most significant privacy laws in the world, and Sibros' Deep Connected Platform™ (“Platform”) incorporates robust data protection and security controls and features to support compliance with data privacy regulations. This page provides our customers with important access to key information and resources about privacy and compliance at Sibros, including how Sibros and our Platform enable our customers to comply with privacy and data protection requirements.

Key Platform Features

Sibros' innovative IoT-based SaaS offerings take a proactive approach to cybersecurity and data protection by providing a comprehensive set of tools and functionality that allow our customers to effectively manage their data protection compliance obligations.

Lock icon

Data Access

Access to end-user data, vehicle health diagnostics, maintenance suggestions, and driver habits via the customer-built API or via the customer dashboard made available through the customer web portal.

Security icon

Cybersecurity Protocols

Full vehicle lifecycle cybersecurity management to effectively identify, categorize, and prevent system vulnerabilities and cyberattacks.

Conversation icon

User Communication

Utilization of in-vehicle infotainment systems and mobile applications to obtain user consent for data usage changes and OTA software update installation.

Time icon


Ongoing in-depth threat analyses and risk assessments provide data for security adaptations and additional measures to protect against novel threats and attack methods.

Security Icon

Security Measures

Implementation of appropriate technical and organizational measures designed to ensure an adequate level of security for customer data, as required under Art. 32 GDPR

Badge icon

Certifications and Training

Certified under: ISO 27001, ISO 9001, TISAX and SOC 2 Type II. Regular security procedure training for relevant Sibros personnel.

Customer FAQs

Key Terms

Data Controller or controller
A legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

Data Processor or processor
A natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller.

Identifiable natural person
One who can be identified directly or indirectly.

Personal data
Any information relating to an identified or identifiable natural person (i.e., a ‘data subject’).

Data subject
An identifiable natural person about whom certain personal data relates.

A data processor who is engaged by another processor to process personal data on behalf of a controller. For purposes of these FAQs, the term “subprocessor” refers to vendors, service providers, and other processors that have been engaged by Sibros to provide certain services that include the processing of personal data on behalf of our customers.

What roles do Sibros and our customers play under the GDPR?

Under the GDPR, Sibros acts as a data processor for the personal data that Sibros processes on behalf of our customers through their use of the Deep Connected PlatformTM.  Sibros will only collect, access, store, and process this data as instructed by our customers. 

Sibros customers are the data controllers for the personal data that is collected and processed through their use of our Deep Connected Platform because they “determine the purposes and means” of processing this data. Customers determine what data is collected and for what purpose(s), including the timing and frequency, and have the ability to create and run custom reports on their data.

How does Sibros comply with the GDPR?

Sibros has implemented various systems, procedures, and documentation to comply with and support our customers’ compliance with the GDPR, including the following:

Customer DPA and Data Transfer (SCCs) Terms:  

Sibros’ Data Processing Agreement (our “Customer DPA”) includes standard data protection terms applicable to the processing of personal data and the provision of our services, which are tailored to address the unique aspects of Sibros' services and reflect our data security procedures. Our Customer DPA incorporates:

  • Data processing terms as required by Art. 28 of the GDPR;
  • Module 2 (controller to processor) of the EU Standard Contractual Clauses (the “SCC”);  
  • The UK International Data Transfer Addendum (“IDTA”) approved by the Information Commissioner’s Office (“ICO”) for applicable data transfers subject to the UK GDPR and  
  • A description of the technical and organizational measures Sibros has implemented and will maintain to ensure the security of customer data.

Subprocessor Compliance: 

Sibros has taken a number of actions to ensure that its use of subprocessors complies with applicable data protection obligations.  

  • Sibros has identified and maintains a list of its subprocessors, which can be accessed HERE.  Sibros may add or delete subprocessors at any time. Customers can subscribe to subprocessor update notifications from Sibros, and such notifications will be sent prior to processing of customer data by a new subprocessor. Customers may raise objections regarding new subprocessors in accordance with the terms of our Customer DPA with the respective customers.  
  • Sibros has entered into data processing agreements (including the SCCs and UK IDTA as applicable) with its subprocessors, which include equivalent terms to those which apply to Sibros under its Customer DPA.  
  • Sibros conducts due diligence and security reviews of its subprocessors prior to their processing of any customer personal data.
  • Key subprocessors include Amazon Web Services (AWS) and Google Cloud Platform (GCP), which have their own GDPR compliance programs in place, available here:
  • AWS: 
  • GCP: and

Data Transfers: 

Our Deep Connected Platform products and services, as well as our technical support and corporate operations, are provided from the United States, Germany, France, the UK, and India. We employ a range of measures to ensure that customer data is secure and safe and to maintain the integrity, accuracy, and confidentiality of that data when it is transferred to these jurisdictions.  These measures include entering into agreements that include GDPR-compliant data processing terms and the EU SCCs and UK IDTA as applicable.  Sibros has also implemented procedures and updated its practices to respond to the Schrems II decision by the European Court of Justice.  See below for more information.

Data De-Identification: 

Sibros protects and manages the usage of PII, especially geolocation, and performs de-identification actions including deletion or obfuscation of personal data and identifiers associated with the end user, VIN, and GUID(s), including by masking or deleting other unique identifiers such as ESN. The remaining disassociated data is also subject to further data exclusion and masking, which may include random staggering of the data, character shuffling, random dictionary substitution, or deletion of data to make it statistically improbable that the remaining data can be correlated with a particular vehicle or end user.

How does Sibros help customers provide adequate notice and disclosures to data subjects?

As the data controller, our customers are responsible for providing notice and obtaining any required consent from data subjects. As the data processor, Sibros provides customers the opportunity to display and link to a GDPR-compliant privacy notice and, where relevant, consent language addressed to the end-users, i.e., the data subjects.  Our customers are responsible for providing the relevant notice or consent language and for managing any applicable notices and consents and configurations for such. 

Notice and consent language and implementation is configured for each customer during the onboarding process and can be updated and configured as necessary thereafter. Customers configure how and when consent is requested, logged, and subsequently stored. For example, Sibros provides customers with a mechanism for obtaining mandatory electronic consent for log collection and Over the Air (OTA) updates. Customers must obtain end-user consent and send or transmit confirmation of such consent to Sibros before initiating data collection from or deploying FOTA updates to a particular vehicle through the Platform.  

How does Sibros help customers respond to data subject requests?

Our customers, as the controllers of end-user personal data processed within the Platform, may have certain legal obligations to respond to data subject requests under the GDPR and other applicable regulations. Within our customer portals, customers have the ability to create and export custom end-user reports for some data. The ability to request the deletion of specific end-user data and otherwise manage end-user data is available via Support tickets under the category “Data Privacy Request.” Customers can submit a support ticket in the customer portal to request Sibros support for processing data subject requests. Sibros has established processes, as described below, to facilitate and support our customers in responding to data subject requests regarding Platform data.

Access and Data Portability 

Customers can submit a support ticket for a “Data Privacy Request” issue type specifying “Data Access Request” in their respective customer portal to request Sibros’ assistance in preparing and exporting a portable copy of end-user data associated with a particular Vehicle Identification Number (“VIN”).  To request an end-user access report, customers must provide the VIN for the relevant end user’s vehicle.  Data Access Request reports are provided to customers as a downloadable TAR File.

+ End User Access Report Format and Download

End-user access reports are compiled by Sibros as a TAR file and are usually processed within 10 business days.  Sibros will provide customers with a secure download link to access the report.  The link and end-user access report (TAR File) are available for 60 days, after which they expire.  

Deletion Requests

Customers can submit a support ticket for a “Data Privacy Request” issue type specifying “Data Deletion Request” in the customer portal to initiate an end-user deletion request for data associated with a particular VIN.   To request deletion of personal data regarding a specific end-user, customers must provide the VIN for the end user.  Sibros processes deletion requests by deleting and/or disassociating the vehicle and device data from a particular end user within the Platform.  Archived data that is stored as part of Sibros’ data back-ups are not subject to deletion and disassociation, unless the backup data is restored by Sibros. However, backups are regularly deleted or overwritten (usually within 180 days).   

+ Deletion Process

End user VIN is deleted from the relevant GUID asset table(s), which map vehicle and device-related data to a specific VIN within the Platform, and the relevant GUID(s) for the vehicle are also deleted from the Asset tables, which severs the link between the end user and the corresponding vehicle and device-related data within the Platform.  At this point, the device data cannot be associated with an end user without external data sources. It may take up to 15 days for a deletion request to be fully processed.

Other Data Subject Requests

Sibros collects vehicle and device data as it is generated by the vehicle or device and, as such, is not able to verify inaccuracy or “correct” any vehicle and device data that is generated and processed within the Platform. To request support from Sibros to process a correction or other data subject request, customers may submit an “Other Data Request” ticket and provide the relevant VIN for the end user. 

Does Sibros' customer DPA work for global companies?

Yes, Sibros has customers in many jurisdictions worldwide, which is why our data processing terms are drafted broadly to address data protection requirements around the globe. Our Customer DPA incorporates the core privacy principles on which many international data protection law regimes are built and uses the strict GDPR framework as baseline language.

Will Sibros review law enforcement requests to ensure requests for disclosure of data are reviewed and managed appropriately?

Yes. As an important privacy safeguard, Sibros is committed to ensure that law enforcement, intelligence agency, or other government requests for disclosure of data will be carefully scrutinized and that Sibros will only disclose the minimum amount of data necessary in response to a request. Where requests are unlawful or unfounded, Sibros will take appropriate steps to challenge these.

Has Sibros received requests from law enforcement to disclose data in the past?

No, to date, Sibros has not received any request from law enforcement to disclose data from or about its customers.

How does Sibros address SCHREMS II?

In the wake of the new EU Standard Contractual Clauses and the Schrems II ruling by the Court of Justice of the European Union (CJEU), Sibros wants to provide our customers with the information needed to evaluate and assess transfers of personal information outside the European Economic Area (EEA) and the United Kingdom (UK), specifically regarding access from the United States.

What impact does SCHREMS II have on our customers?

Under certain laws, including the GDPR, the UK GDPR, and Swiss Privacy laws, companies may only transfer personal information outside the EEA/UK/Switzerland where either of the following is true: 

  • The recipient country provides an adequate level of data protection (as determined by the EU Commission)/ICO or 
  • A valid transfer mechanism, as approved by the relevant regulatory body, is in place between the data exporter (customer) and data importer (Sibros), such as the EU Standard Contractual Clauses (SCCs).

Previously acknowledged as a ‘valid transfer mechanism’ the EU-US and CH-US Privacy-Shield Framework were invalidated by the Schrems II ruling as a means on which companies can rely upon to transfer data from the EU or Switzerland to the United States. 

Does that mean Sibros and its customers cannot rely on Standard Contractual Clauses (SCCS) anymore?

No, in principle, the CJEU upheld the validity of the SCCs (available at as a lawful transfer mechanism but, in addition, now requires companies to evaluate and assess its global transfers and evaluate on a case-by-case basis, whether the privacy and surveillance laws of the recipient country, as well as the technical and organizational security measures deployed by the data importer, ensure a level of data protection adequate to the level required by applicable EEA/UK/Swiss law.

What do customers need to do to address SCHREMS II, and does Sibros help?

In addition to executing the new EU Standard Contractual Clauses (SCCs) available at, and the UK Addendum, available at, Customers must also conduct a “Schrems II Transfer Assessment” when relying on the new SCCs. Sibros provides these FAQs to help its customers understand what compliance mechanisms Sibros has put in place and to help customers comply with their own compliance requirements.

Does Sibros' Data Protection Addendum (DPA) include the Standard Contractual Clauses (SCCS)?

Yes, where transfers of EEA/UK/Swiss originating personal data to the United States are at stake (“Relevant Transfers”), the customer and Sibros generally rely on executed SCCs and the UK Addendum as relevant. The SCCs and UK Addendum are part of Sibros' Customer Data Processing Addendum.

Is Sibros certified under the data privacy framework/ data bridge?

Sibros has been closely monitoring developments regarding the new EU-US and Swiss-US Data Privacy Frameworks (“DPFs”), which has been approved and signed in July of 2023. For more information, see In addition, the U.S. and UK governments have announced a deal in principle to establish the "UK Extension" to the EU-U.S. Data Privacy Framework. If established, both would then allow U.S. companies that certify to the DPF to transfer personal data from the EEA/UK to the US, respectively. Sibros is in the process of evaluating the published documentation and a self-certification under the DPFs.

What additional factors should be taken into consideration when determining whether a transfer of personal data from the EU to the US is unlawful?
  • The CJEU and European Data Protection Board (EDPB)  both refer to (1) security controls and (2) contractual safeguards as additional considerations to determine the lawfulness of transfers.  
  • In our view, data controllers (i.e., our customers) must consider the (1) likelihood and (2) risk of harm in relation to the specific types of personal data being transferred.  We note that the US Government confirmed in a white paper that the majority of data being transferred by companies is of no interest to intelligence agencies and that, therefore, most companies never even receive an order for disclosure of data. 
  • Thus, as a controller, our customers should look not just at the laws of the third country (in our case, the United States) but also at additional contractual or security-based safeguards agreed to between you and Sibros, as well as the likelihood and risk of harm to data subjects for the transfers of data that may take place.

What factors may be relevant to a customer’s risk-based assessment?

Customers may wish to take the following factors into account: 

  • Most US companies do not deal in data that is of any interest to US intelligence agencies and will never receive orders from agencies for disclosure of data.  This was confirmed in a recent white paper published by the US government.  
  • Sibros' Data Processing Agreement (DPA) includes a number of contractual safeguards (including the Security Control measures listed in Annex II to the SCCs)– as part of and in addition to the SCCs - which mitigate against the risks identified by the CJEU.
  • Sibros has updated its customer agreements to include the new version of the SCCs/ UK Addendum.
  • The Security Controls that Sibros has put in place to mitigate against the risk of interception of / misuse of data by third parties which include: 
  • Maintains industry standard compliances as documented here.
  • Applicable technical and organizational safeguards.
Where are Sibros’ cloud provider subprocessors located?

Sibros uses Amazon Web Services (AWS) and Google Cloud Platform (GCP) for cloud hosting and computing services. Sibros' own instances are generally located in the United States. However, additional regions of the AWS and GCP instance may be agreed upon with the customer, for example, in the EU and certain APAC regions.

Is a transfer of data from the EU/UK to the US automatically unlawful if it is possible that Sibros is subject to FISA 702 or EO 12,333?

No. We are not of the view that any and all transfers to the US are unlawful simply because the possibility that Sibros may be subject to FISA 702 or EO 12,333 cannot be excluded.  In addition, the Schrems II decision calls for case-by-case assessments, and the European Data Protection Board (EDPB) FAQs encourage controllers to look at “the circumstances of the transfer,” including the supplementary measures and safeguards in place to protect the data, which supports the argument that not all transfers are automatically unlawful.  Many EU supervisory authorities have agreed that an approach of carrying out a risk-based assessment is the way to go, indicating that other factors than FISA 702 should be taken into consideration during the risk assessment process. 

Customers should take their own advice on this matter.  However, to help you with your risk assessments, we have put together information in these Customer FAQs for you.

What is the difference between FISA and EO 12,333?

FISA applies to the collection of foreign intelligence involving non-US persons where the collection occurs within the US and the collection of foreign intelligence regarding US persons, whereas EO 12,333 applies to a non-US person located outside the United States.

Is Your Fleet Data Secure? 

Contact us to schedule a demo and learn more.

Schedule Demo
OTA data logger