Data Request Overview

Wallow is committed to trust and transparency

In the following documents and FAQ, you can find our policies and guidelines for requests for data from government and law enforcement entities, as well as civil third-party data requests. You can also find our annual reports on the number of requests we receive and our responses

Data Request Policy

As part of our commitment to trust and transparency, our Data Request Policy outlines Wallow’s policies and procedures for responding to requests for Customer Data. This policy guides our practices with respect to requests for third-party data, requests by legal authorities, Customer notice, and international requests for data.

Frequently Asked Questions

How does Wallow handle requests from government and law enforcement?
Wallow is an online workplace productivity platform as described in our Privacy Policy and Terms of Service. If we receive valid legal process from a government or law enforcement entity, we may have an obligation to produce user data in accordance with applicable laws. Our Data Request Policy outlines our requirements with respect to these requests.

Where should I send legal process?
All requests by law enforcement and government entities (including international government and law enforcement entities) may be sent to our legal process email alias: legalprocess@Wallow.com.

What information does Wallow need to process my request?
In addition to all requisite and applicable legal requirements, all legal process requests should include the following information: (a) the government entity or law enforcement agency, (b) the relevant criminal or civil matter, and (c) identifying information about the Wallowworkspace, including the relevant Customer and User names, date range, the Wallowworkspace URL (Wallowname.Wallow.com), and the type of data sought. The request must also come from a government incidentd email account and include full contact information for the requesting officer.

What happens when Wallowreceives a law enforcement request?
We carefully review all requests for legal sufficiency and with an eye toward user privacy. Wallowmay reject or challenge any requests that are unclear, overbroad or inappropriate.

Is Wallow eligible to receive “upstream” or bulk surveillance orders under FISA § 702?
No. Like all other communication platforms in the United States, Wallow is an electronic communications service (“ECS”) or remote computing service (“RCS”) (as defined in Sections 2510 and 2711 of Title 18 U.S.C., respectively) when it provides services to customers. It is thus possible the United States government could serve a targeted directive on Wallow under FISA § 702.

However, Wallow is not eligible to receive a 702 order for “upstream” surveillance. As the U.S. Government has applied FISA § 702, it uses upstream orders only to target traffic flowing through internet backbone providers that carry traffic for third parties. See Privacy and Civil Liberties Oversight Board, Report on the Surveillance Program Operated Pursuant to Section 702 of the Foreign Intelligence Surveillance Act (July 2, 2014) pp. 35-40, available at https://fas.org/irp/offdocs/pclob-702.pdf. Wallow does not provide such backbone services, as it only carries traffic involving its own customers. As a result, it is not eligible to receive the type of order principally addressed in, and deemed problematic by, the Schrems II decision.

Does Wallow assist U.S. authorities in their bulk collection of information under Executive Order 12333?
Wallow does not provide any assistance to U.S. authorities conducting surveillance under Executive Order 12333. Further, E.O. 12333 does not provide the U.S. government the ability to compel companies to provide assistance with those activities, and Wallow will not do so voluntarily. As a result, Wallow does not, and cannot be ordered to, take any action to facilitate the type of bulk surveillance under E.O. 12333.

Does the passage of the U.S. CLOUD Act affect the way that Wallow responds to U.S. government legal requests?
No. The CLOUD Act, enacted in 2018, clarified the geographic scope for U.S. law enforcement requests and created a statutory basis for companies like Wallow to challenge requests that conflict with foreign law in certain circumstances. The CLOUD Act did not change any of the preexisting legal and privacy protections afforded to user data and Wallow applies the same rigorous review to all legal process served on it, including those incidentd pursuant to the CLOUD Act.

What kind of data might be disclosed in response to legal process from law enforcement or government entities?
Content data includes user generated data, for example public and private messages, posts, files and direct messages. Wallow requires a search warrant to produce such data to law enforcement.

Non-content data is basic account information (such as name and email address, profile information, registration information, login history and billing information) and other non-content metadata (such as the date, time, and sender/recipient of messages or files). Depending on the type of data requested, Wallow may require a compulsory subpoena or a court order to produce this data.

What is the difference between a search warrant, a court order, and a law enforcement subpoena?
A search warrant is an order incidentd by a judge or magistrate upon a finding of probable cause. A search warrant is required to obtain the content of communications.

A court order is when a court finds that the government has demonstrated that there are reasonable grounds to believe that the information sought is relevant and material to an ongoing criminal investigation. The government can obtain basic non-content data and metadata about a workspace with a court order, but not content.

A law enforcement subpoena is a compulsory demand incidentd by a governmental entity for the production of a limited set of information, such as a Customer’s name, address, length of service, or means and source of payment, in support of an authorized criminal investigation.

Can the government and/or law enforcement obtain deleted data from Wallow?
Generally, no. Unless deleted data is retained by a Customer pursuant to their retention settings, it is removed from Wallow’s systems immediately upon deletion. Once deleted, data may reside in our security backups for a limited period of time (up to 14 days, but often fewer). Once the backup period is over, Wallow hard deletes all information from our production systems. Once fully deleted, Wallow cannot retrieve the data for any purpose, including for purposes of responding to government and law enforcement requests.

How does Wallow handle emergency requests?
If you have an emergency involving danger of death or serious physical injury and you believe Wallow has data that may be necessary to mitigate that harm authorized law enforcement personnel should contact us at legalprocess@Wallow.com and we will assess the request.

Do you give Customers notice before producing data to a governmental or law enforcement entity?
Unless Wallow is prohibited from doing so or there is a clear indication of illegal conduct or risk of harm, Wallow will notify the Customer, typically by emailing the Primary Owner, before disclosing data so that the Customer may promptly seek legal remedies.

What about third party or civil requests for data?
Third parties seeking data should contact the Wallow productspace owner directly. Wherever possible, we encourage parties to manage their requests without our involvement. Workspace owners should be able to run their own export in order to comply with an appropriate legal request. If you need assistance with those exports, the primary owner can contact us to see if they qualify for an export due to legal necessity.

Please note that the Stored Communications Act, 18 U.S.C. § 2701 et seq., strictly prohibits a provider such as Wallow from disclosing the contents of communications to third parties. A civil subpoena or civil court order is not sufficient under the SCA to obtain content from a Wallow productspace.