Document Summary

Privacy Shield Invalidation (Schrems II)

Download PDF
Our approach to security and privacyOur approach to security and privacy
Back to Trust Center

International transfers of personal data

Last updated: 10 April 2024

Our commitment to data protection

For more information about our commitment to international compliance with applicable data protection laws, please refer to our GDPR and Beyond page.

Adequacy decisions

In accordance with applicable data protection law, where a duly-authorised executive/legislative body has determined that a third country provides an adequate level of data protection, we may freely transfer personal data to systems or sub-processors in that country without further safeguards.

For EU/EEA adequacy decisions, please refer to the European Commission’s official list.

The below U.S. based sub-processors participate in the U.S. Data Privacy Framework (‘DPF’) and benefit from adequacy decisions regarding transfers from the EU/EEA, United Kingdom and Switzerland: 

  • Secure Code Warrior Inc.
  • Amazon Web Services (AWS)
  • Datadog
  • MongoDB
  • Salesforce
  • Zendesk

For up-to-date information, please refer to the official list maintained by the U.S. Department of Commerce (

Restricted transfers

Where information is transferred to a third country not recognised as providing an equivalent level of data protection as the originating country (‘restricted transfer’), we ensure adequate transfer mechanisms and appropriate safeguards are in place to protect personal data.

Contractual safeguards

Our Data Processing Addendum (‘DPA’) includes EU/EEA and UK standard contractual clauses (‘SCCs’) as default and our data privacy team can work with customers in other jurisdictions to supplement these provisions if necessary. Where we rely on the service provider’s standard wording, we ensure SCCs are included if necessary.

For more information related to sub-processors, please read our sub-processors of customer data page.

Technical and organisational measures (‘TOMs’)

Our SOC2 and ISO aligned TOMs ensure a level of security appropriate to the risk for all data processing activities, including restricted transfers. 

Please refer to our TOMs webpage, for more information about how we safeguard information assets against misuse, abuse or compromise. You can also visit our Trust Center and read our Security and Privacy FAQ and Whitepaper.

Ongoing due diligence

We evaluate the security, privacy and confidentiality practices of possible service providers before they process any personal data and on an annual basis thereafter. This includes a point-in-time evaluation of their hosting locations and whether any additional measures are necessary to protect personal data.

Looking for something else?

Our approach to security and privacy

Visit our Trust Center to learn more about the security and privacy practices that safeguard our information assets, and those of our customers, against misuse, abuse or compromise.

Trust Center