Adobe Transparency Center

Overview
Content Policies
Government Guidelines
Reports
How to Report

Government and Third-Party Requests for User Data

 

Our Principles

Adobe may, on occasion, receive a request from a government authority seeking access to data belonging to a user or enterprise customer. Adobe may also receive such requests from parties to civil litigation. Our goal is always to protect our users’ and enterprise customers’ data while complying with applicable laws. The below principles inform Adobe’s approach to these requests and apply to all user data hosted by Adobe.

  • Validity. Adobe’s Trust & Safety team reviews each request for user and enterprise customer information to ensure they are valid and rejects those that do not appear to be valid.
  • Specificity and Proportionality. We only accept requests that target specific accounts and identifiers, and provide only the information specified.
  • Enterprise Customer Control. We believe our enterprise customers have control over their data. If we receive a request for enterprise customer data, we will ask the requesting entity to re-direct their request to the affected customer so the customer can engage with the entity directly.
  • Notice. Unless prohibited by law or under exceptional circumstances (e.g., threats to life), Adobe always notifies a user or an enterprise about valid requests for their information.
  • No Backdoors. Adobe has not built ‘backdoors’ for any government – foreign or domestic – into our products or services. All government requests for user data must come through the front door (i.e., be served by valid legal process upon the appropriate Adobe entity). Adobe vigorously opposes legislation in the U.S. and overseas that would in any way weaken the security of our products or our users’ privacy protections.
  • Transparency. Every year, Adobe publishes a Transparency Report explaining how many requests for user information we received and how we responded. 

Adobe provides these guidelines to law enforcement and other governmental authorities seeking non-public information about Adobe’s users and customers. These guidelines do not apply to the following requests:

1. Legal requests for user or customer data by civil litigants or criminal defendants Civil Requests Guidelines ; or

2. Legal requests for Adobe corporate data, including employee information and product details.

These guidelines primarily apply to requests for information pertaining to Adobe’s consumer users, which make up the overwhelming majority of requests that Adobe receives. You may learn more about our approach to requests for our enterprise customer data for our enterprise customer data.

 

Requirements for All Government Requests

Please submit through your inquiry in our Government Request Portal at: https://app.kodexglobal.com/adobe/signin

The online portal will guide you through the following steps on how to submit a request:

1. Verify your email address via the link sent to your email (only valid law enforcement or government domains will be accepted).
2. Fill in the required fields in the webform.
3. Upload a copy of any relevant documents in PDF format (for example, a copy of the subpoena or search warrant, as well as any non-disclosure order you may have).

Our online portal also allows you to add information, ask us questions, and download the information when it is available.

All law enforcement requests must meet the following criteria:

  • Be addressed to the appropriate Adobe entity, based on the location of the Adobe customer(s) or user(s). For Adobe users in North America, any requests must be addressed to Adobe, Inc. For Adobe users outside of North America, any requests must be addressed to Adobe Ireland.
  • Be signed by a judicial officer (except for preservation requests, which may be signed by an authorized individual on behalf of the government entity).
  • Be recently issued and not be expired.
  • Contain contact details for the requesting officer or entity where Adobe can send a response or follow-up with additional questions.
  • Reference the specific Adobe products or services pertaining to the request.
  • Include an Adobe identifier, such as an Adobe ID or email address (e.g., not just a name), that will allow us to search for and disclose accurate information.
  • Be clear and not overly broad, specifically asking for the categories of data sought and specifying the relevant period.

 

Government Requests for Adobe Users in North America

In addition to the “Requirements for All Government Requests ” above, law enforcement requests pertaining to Adobe's North American users are governed by U.S. law, including the Stored Communications Act (“SCA”), 18 U.S.C. §§ 2701-2712. Here are the types of requests we accept and the information we may disclose in response to them:
 

Subpoena

2703(d) Court Order

Search Warrant
  • Basic subscriber information such as name, email address and login IP addresses.
  • Billing information such as address and limited payment instrument information.
  • Transactional information such as upload IP addresses, modification IPs and to whom a document was sent. 
  • Content such as photos, videos and documents.
  • Email communications between Adobe and the user.

These requests may also be personally served at, mailed to, or faxed to our San Jose office:

Adobe, Inc.

Attn: Law Enforcement Requests

345 Park Ave.

San Jose, CA 95110

Fax: +1 415-723-7869

 

Government Requests for Adobe Users Outside North America

In addition to the “Requirements for All Government Requests” above, law enforcement requests seeking data regarding Adobe users outside of North America are administered by Adobe Ireland. Adobe Ireland may comply with a valid court order issued under Irish law and may voluntarily comply with other locally valid orders under limited circumstances where the following criteria are met:

  • The order has a particular legal basis and meets applicable requirements in the domestic law of the requesting country; and
  • The order pertains to the bona-fide prevention, detection, or investigation of certain criminal offenses impacting Adobe and its provision of services in the jurisdiction, such as a fraudulent purchase, in the relevant jurisdiction.

Adobe will challenge or reject any non-U.S. request that does not meet the requirements above and reserves the right to make changes to these requirements at any time. We scrutinize all requests on a country-by-country and case-by-case basis to balance our local legal obligations against our own principles and our commitment to keeping our users safe and protecting their privacy. Where those principles conflict with local law, we may reject a request, even if the request is proper under local law.

Requestors may always make a request pursuant to a Treaty on Mutual Legal Assistance in Criminal Matters (MLAT), a CLOUD Act agreement, or letters rogatory.

Law enforcement requests must be addressed to and served on Adobe Ireland directly at the address below:

Adobe Systems Software Ireland Limited
Attn: Law Enforcement Requests
4-6 Riverwalk, City West Business Campus
Saggart, Dublin 24, Ireland
Fax: +353 1 686-5636

 

Notice to Users and Enterprise Customers

It is Adobe policy to give notice to our consumer users and enclose a redacted copy of the request whenever a government agency seeks access to their information, unless we are legally prohibited from doing so.

For requests where U.S. law applies, make sure any Non-Disclosure Order (NDO) you serve on Adobe is time-limited and expires on a specific date or after a specific period (such as 90 or 180 days). For example, if we receive an NDO under 18 U.S.C § 2705(b), we will delay notice for the time period specified in the order and then notify the user once the order expires. Indefinite NDOs are not constitutionally valid in the U.S., and we challenge them in court. For requests subject to laws outside the U.S., we review and analyze our obligations on a case-by-case basis.

As a courtesy, we generally try to provide notice to the requesting party one week before the NDO is set to expire. Ultimately it is up to the requesting party to calendar the nondisclosure period and notify Adobe of any extensions. Once the statutory period has ended, Adobe provides notice to our users when they are the subject of an NDO.

This policy also applies to our enterprise customers, to whom we will provide notice to an organization administrator in accordance with the relevant enterprise terms. Prior to providing any such notice to our enterprise customers, we will always first seek to redirect the request from the government agency directly to the enterprise, consistent with U.S. Department of Justice policy. You may learn more about our approach to Enterprise Customer requests in the section titled Enterprise Requests.

The overwhelming majority of requests to Adobe seek individual user data, not data pertaining to our enterprise customers. In the rare instance where Adobe receives a request targeting disclosure of enterprise customer data, consistent with U.S. Department of Justice policy, Adobe always first seeks to redirect the government agency to obtain the data directly from the enterprise. If such redirect efforts fail and a request otherwise meets the Government Requests Guidelines above, then Adobe will provide notice and enclose a redacted copy of the request to an enterprise administrator in accordance with the relevant enterprise terms prior to disclosing the information to the government agency, unless we are legally prohibited from doing so.

When we receive a preservation request from an agency investigating a crime, Adobe will preserve then-existing user data for 90 days (about 3 months) in anticipation of receiving valid legal process. We require preservation requests to meet the same substantive requirements as outlined above.

If law enforcement provides Adobe with information that gives us a reasonable, good faith belief that there is a risk of imminent harm (i.e., death or serious physical injury) to a person, and that we have information in our possession that may avert that harm, we may choose to disclose limited information to mitigate that risk of harm, provided that such disclosure is consistent with Adobe’s policies and applicable law. 

  • If you believe that an emergency involving danger of death or serious physical injury to any person requires disclosure without delay, please submit an emergency disclosure request via our Government Request Portal

  • You will be asked to provide the factual basis for the request so that we may evaluate it under 18 U.S.C. § 2702.

  • We provide emergency disclosure responses only when enough information is provided for Adobe to, in good faith, believe that the exigent situation requires disclosure of user information, as outlined in 18 U.S.C. § 2702.

  • We do not disclose information for emergency requests unless they are from law enforcement.

On occasion, Adobe receives legal demands for user and customer data from civil litigation parties. Adobe adheres to the same principles for all civil proceeding legal requests as it does for government agency requests for user data, requiring non-governmental civil litigants to follow the applicable laws, rules, and procedures for requesting customer data. It is also Adobe’s policy to notify users before data is disclosed.

If you are law enforcement seeking user or customer data related to a criminal matter, please refer to our Government Requests Guidelines (above).

 

Requirements for All Civil Requests

All civil requests must meet the following criteria:

  • Reference to the specific Adobe products or services pertaining to the request. 

  • Include an Adobe identifier, such as an Adobe ID or email address (not just names, for example), that will allow us to search for and disclose accurate information.

  • Be clear and not overly broad, specifically asking for the categories of data sought. For content requests, we require specific lawful consent of the account owner. 

     

CSC can be contacted directly at 1-800-927-9800 for information on how to serve legal process on Adobe Inc.

Adobe Inc. accepts civil requests for user and customer data issued from the Santa Clara Superior Court, the U.S. District Court for the Northern District of California, or out of state legal process properly domesticated through a California court. We may object to any civil requests that do not meet these requirements or those pertaining to all requests above. These requests must be served through the appropriate office of Adobe’s registered service agent, Corporation Service Company (or “CSC”). Contact CSC directly at 1-800-927-9800 for information on how to serve legal process on Adobe Inc. Civil Requests for Adobe Users Outside North America.

For civil requests pertaining to users located outside of North America, Adobe Ireland is the data controller responsible for the personal user data processed by Adobe’s consumer products and services. These requests must be served through appropriate legal channels according to rules applicable to the service of Irish court orders. 

The length of time Adobe keeps different types of user data varies depending upon the nature of the service and type of data at issue. Please see Adobe’s Privacy Policy for more information.

Unless otherwise agreed upon, we provide responsive records in an electronic format. We may seek reimbursement for costs associated with producing information pursuant to legal process and as permitted by law. We may also seek additional reimbursement for costs incurred in responding to unusual or burdensome requests.