Document Summary

Privacy Shield Invalidation (Schrems II)

Download PDF
Our approach to security and privacyOur approach to security and privacy
Back to Trust Center

International transfers of personal data

Last updated: 27 November 2023

Our commitment to data protection

For more information about our commitment to international compliance with applicable data protection laws, please refer to our GDPR and Beyond page.

Adequacy decisions

In accordance with applicable data protection law, where a duly-authorised executive/legislative body has determined that a third country provides an adequate level of data protection, we may freely transfer personal data to systems or sub-processors in that country without further safeguards.

For EU/EEA adequacy decisions, please refer to their official list.

Below is a list of our U.S. based sub-processors that participate in the U.S. Data Privacy Framework (‘DPF’) and benefit from adequacy decisions regarding transfers from the EU/EEA, United Kingdom and Switzerland. For up-to-date information, please refer to the official list maintained by the U.S. Department of Commerce:

Restricted transfers

Where information is transferred to a third country not recognised as providing an equivalent level of data protection as the originating country (‘restricted transfer’), we ensure adequate transfer mechanisms and appropriate safeguards are in place to protect personal data.

Contractual safeguards

Our Data Processing Addendum (‘DPA’) includes EU/EEA and UK standard contractual clauses (‘SCCs’) as default and our data privacy team can work with customers in other jurisdictions to supplement these provisions if necessary. Where we rely on the service provider’s standard wording, we ensure SCCs are included if necessary.

For more information related to sub-processors, please read our sub-processors of customer data page.

Technical and organisational measures

We have implemented technical and organisational measures (‘TOMs’) to ensure a level of security appropriate to the risk for all data processing activities, including restricted transfers. 

To review our ISO 27001 and 27701 aligned measures, please refer to our TOMs webpage. For more information about how we safeguard information assets against misuse, abuse or compromise, you can also visit our Trust Center and read our Security and Privacy FAQ and Whitepaper.

Ongoing due diligence

We evaluate the security, privacy and confidentiality practices of possible service providers before they process any personal data and on an annual basis thereafter. This includes a point-in-time evaluation of their hosting locations and whether any additional measures are necessary to protect personal data.

Looking for something else?

Our approach to security and privacy

Visit our Trust Center to learn more about the security and privacy practices that safeguard our information assets, and those of our customers, against misuse, abuse or compromise.

Trust Center