Government and Law Enforcement Requests
Summary
FundApps is committed to protecting client information and privacy while complying with valid legal obligations. This policy explains how FundApps responds to all government and law enforcement requests for client information and how we assess certain relevant United States laws when personal data is transferred to, or accessed from, the U.S.
FundApps’ position: We will not disclose client information without a valid and binding legal demand properly served on us. We object to overbroad, unclear, or otherwise inappropriate demands as a matter of course.
United States Laws Relevant to FundApps
The Court of Justice of the European Union in Schrems II highlighted certain U.S. laws as potentially affecting the level of protection for personal data transferred to the U.S. The most relevant are:
FISA Section 702 ("FISA 702")
FISA 702 allows U.S. government authorities to compel the disclosure of information about non‑U.S. persons located outside the U.S. for foreign intelligence purposes. Orders under FISA 702 must be approved by the Foreign Intelligence Surveillance Court in Washington, D.C.
Under Section 702, the U.S. Attorney General and Director of National Intelligence may jointly authorize surveillance of individuals located outside the U.S. if the surveillance meets these criteria:
It targets only non-U.S. persons reasonably believed to be located outside the U.S.
It aims to acquire foreign intelligence information related to:
actual or potential attacks or other grave hostile acts by a foreign power or its agent;
sabotage, international terrorism, or the international proliferation of weapons of mass destruction by a foreign power or its agent;
clandestine intelligence activities by an intelligence service or network of a foreign power or its agent; or
a foreign power or foreign territory regarding U.S. national defense, security, or the conduct of foreign affairs.
It does not target a particular, known person reasonably believed to be inside the U.S.
It is conducted consistent with the Fourth Amendment of the U.S. Constitution.
In‑scope providers under FISA 702 are "electronic communication service providers" (ECSPs) as defined in 50 U.S.C. § 1881(b)(4), which can include certain remote computing service providers (RCSPs) under 18 U.S.C. §§ 2510 and 2711.
Executive Order 12333 ("EO 12333")
EO 12333 authorizes U.S. intelligence agencies to conduct foreign intelligence activities outside the U.S., including the collection of "signals intelligence" from communications and other data transmitted or accessible via radio, wire, or other electromagnetic means. This may include access to communications infrastructure such as underwater cables.
EO 12333 does not rely on compelled assistance from service providers. Instead, it is understood to rely on the exploitation of vulnerabilities or access points in telecommunications infrastructure.
Further information about these U.S. surveillance laws, their limits, and available safeguards is set out in the U.S. government whitepaper Information on U.S. Privacy Safeguards Relevant to SCCs and Other EU Legal Bases for EU-U.S. Data Transfers after Schrems II (September 2020).
From that whitepaper:
For most companies, concerns about national security access to company data are unlikely to arise because the data they handle is of no interest to the U.S. intelligence community. Ordinary commercial information, such as employee, client, or similar records are typically not targeted.
There are avenues for individual redress, including for EU persons, in relation to unlawful access under FISA 702, including private rights of action for compensatory and punitive damages.
EO 12333 does not, on its own, authorize the U.S. government to compel any company or person to disclose data. Where compelled disclosure is sought, a statutory basis such as FISA 702 is required.
Bulk data collection of the type considered in Schrems II is expressly restricted and subject to specific safeguards.
CLOUD Act
The U.S. CLOUD Act addresses when U.S. law enforcement can require certain providers to disclose data in their possession, custody, or control.
The CLOUD Act only permits U.S. government access to data in criminal investigations after obtaining a warrant or similar order approved by an independent court, based on probable cause of a specific criminal offence.
The CLOUD Act does not itself provide authority for access in national security investigations and does not permit bulk surveillance.
For a general overview of the CLOUD Act, see the BSA Software Alliance resource: What is the CLOUD Act?
National Security Letters (NSLs)
NSLs, codified under 18 U.S. Code § 2709, are administrative subpoenas that may require the disclosure of basic subscriber information (such as company name, address, and length of service). NSLs are limited to information relevant to U.S. national security and cannot be used to require the disclosure of the content of client communications or data.
Applicability of FISA 702 / EO 12333 / CLOUD Act / NSLs to FundApps
FundApps is a UK‑headquartered company that uses Amazon Web Services (AWS) as a cloud infrastructure provider. AWS, as a large U.S. cloud service provider, may in some circumstances fall within the scope of FISA 702.
However, the nature of FundApps' business and the type of data we process mean that U.S. surveillance laws are highly unlikely to apply to client data in practice:
FundApps provides a specialised regulatory compliance service focused on shareholding disclosure and position monitoring. The data we process consists primarily of portfolio holdings and related compliance information - none of which is typically of interest to intelligence agencies conducting foreign intelligence investigations.
FISA 702 is designed to target communications and information related to terrorism, weapons proliferation, cybersecurity threats, and other matters of national security. The commercial compliance data processed by FundApps does not traditionally fall within these categories.
The U.S. government has publicly stated that "ordinary commercial information, such as employee, client, or similar records are typically not targeted" under FISA 702. FundApps processes exactly this type of ordinary commercial data - shareholding positions, compliance calculations, and business records.
FundApps does not operate internet backbone infrastructure and we do not provide general‑purpose telecommunications or carrier services. The U.S. government has interpreted and applied FISA 702 "upstream" collection primarily to providers that operate such infrastructure and carry traffic for third parties (for example, telecommunications carriers), rather than SaaS providers like FundApps.
EO 12333 does not provide authority to compel private companies such as FundApps to disclose personal data to U.S. authorities. Any compelled disclosure would require a separate statutory basis (such as FISA 702 or the CLOUD Act) and appropriate court authorization.
In the unlikely event that U.S. authorities were interested in any aspect of data processed by FundApps, multiple safeguards would apply, including independent court authorization, necessity and proportionality requirements, and applicable data protection laws (including GDPR and the UK GDPR). Any disclosure would be subject to the protections and procedures described elsewhere in this policy.
Non-U.S. Government Requests
All requests for information from non-U.S. government or law enforcement agencies are reviewed individually, on both a country-by-country and case-by-case basis. This rigorous process is designed to weigh our local legal duties against our core principles, which emphasize safeguarding user privacy and ensuring user safety. The procedures detailed in this policy will govern how all such requests are managed.
Transparency
As of January 2026, FundApps has not received a request from public authorities or law enforcement seeking disclosure of client information or personal data. If this changes, we will review whether and how we can provide appropriate transparency reporting in line with our contractual and legal obligations.
FundApps Guidelines for Law Enforcement and Public Authority Requests
FundApps respects the laws of the jurisdictions in which it operates and the privacy and rights of our clients and end users. Accordingly, FundApps provides information in response to law enforcement or other public authority requests only when we reasonably believe we are legally required to do so.
To protect our clients’ rights, we commit to:
Carefully reviewing each request to ensure that it is valid on its face, issued by a competent authority with appropriate jurisdiction, and within the requesting authority’s lawful powers.
Strictly construing the scope of the request and seeking to narrow or object to requests that are overbroad, unclear, or seek disproportionate volumes of data or information about multiple clients.
Objecting where production is prohibited by applicable law or where the legal process is insufficient to compel production.
Reserving the right to challenge or appeal requests, where available, and to defer disclosure until legally required to do so.
These guidelines are intended as an informational resource. They do not create enforceable obligations, and they do not waive any rights or objections that FundApps may have in relation to any particular request.
Required Legal Process
FundApps requires official, signed, legally valid process issued pursuant to applicable law. FundApps' legal team reviews all requests for client data to ensure they are valid, rejects those that are not valid, and only provides the data specified in the legal order. Moreover, FundApps considers its clients to be the primary owners and responders to requests for their own data. Accordingly, FundApps will always attempt to redirect requesting authorities to seek data directly from the client themselves in nearly all cases, unless we are legally prohibited from doing so. All law enforcement requests must be served through FundApps' designated contact points and must clearly identify the legal basis, the authority issuing the request, and the specific information sought.
Method of Service
Public authorities and law enforcement agencies should serve legal process using FundApps’ designated contact points. As of the date of this policy, these are:
Email: [email protected]
Postal: FundApps Ltd, Attn: Legal, 6th Floor, 9 Appold Street, London, United Kingdom, EC2A 2AP
We do not accept service via informal methods such as telephone calls, messages to individual employees, or faxes or emails sent to non‑designated addresses.
Requests seeking witness testimony or service of originating process (for example, claims, complaints, or equivalent) must be served in accordance with applicable civil procedure rules and not via the contact details above.
Client Notification
Unless prohibited by law, court order, or a binding instruction from a competent authority, or where there is a clear indication of illegal conduct in connection with the use of FundApps’ services, our practice is to notify affected clients of requests for their information before we disclose it.
Where legally permissible, we aim to provide advance written notice to allow clients a reasonable opportunity to seek protective measures (for example, to challenge or narrow the request). We may shorten or forego notice where we reasonably consider that doing so is necessary to address an emergency, comply with law, or protect FundApps, our clients, or individuals from harm.
Authorities that believe notification would materially prejudice an investigation should obtain a court order or other legal process that specifically prohibits client notification for an appropriate period.
Emergency Requests
FundApps may respond to emergency requests from law enforcement where there is an imminent risk of death or serious physical harm, and disclosure is necessary to prevent that harm. Emergency requests must clearly identify the requesting authority, explain the nature of the emergency, and describe the specific information needed. Such requests will be assessed case-by-case, consistent with applicable law.
Interaction With Our Data Protection Obligations
Any disclosure of client information under this policy is carried out in accordance with applicable data protection laws.
In particular:
We limit disclosures to what is necessary, proportionate, and legally required.
We assess compatibility with our role as a data processor or controller under relevant Data Processing Agreements and client contracts. Where FundApps is acting as a data processor, we will, to the extent not prohibited by the request, seek to pass the request on to our clients or notify them of such a request in accordance with the terms of applicable agreements and data protection laws.
Where data includes personal data from the UK or EEA, we consider international data transfer requirements and reliance on appropriate legal bases for disclosure.
Scope of Disclosure and Cost Reimbursement
FundApps discloses only the information we are legally required to provide. We do not offer voluntary access to client systems or blanket access to data. Where permitted by law, we may seek reasonable reimbursement of costs, either from law enforcement or directly from the target of the request, for responding to unusually broad, complex, or resource‑intensive requests. We will consult with clients before requesting reimbursement from them directly in response to burdensome requests.
Furthermore, FundApps does not provide any government with direct or unfettered access to client data. We do not build 'backdoors' into any of our products or services, nor do we provide any government with our encryption keys or any ability to break our encryption for the purpose of accessing client information.
Subprocessors and Hosting (AWS)
FundApps uses Amazon Web Services (AWS) as its primary hosting provider. Information about AWS’s own approach to law enforcement and government requests, including relevant safeguards and transparency materials, is available at: Law Enforcement Information Requests - Amazon Customer Service.
Where client data is hosted with sub-processors such as AWS, requests directed to those providers are handled in accordance with their own policies and applicable law. FundApps’ commitments to clients regarding sub-processors and international data transfers are set out in our contractual documentation and Data Processing Agreements.
Last updated