International transfers of personal data
Last updated: 27 November 2023
For more information about our commitment to international compliance with applicable data protection laws, please refer to our GDPR and Beyond page.
In accordance with applicable data protection law, where a duly-authorised executive/legislative body has determined that a third country provides an adequate level of data protection, we may freely transfer personal data to systems or sub-processors in that country without further safeguards.
For EU/EEA adequacy decisions, please refer to their official list.
Below is a list of our U.S. based sub-processors that participate in the U.S. Data Privacy Framework (‘DPF’) and benefit from adequacy decisions regarding transfers from the EU/EEA, United Kingdom and Switzerland. For up-to-date information, please refer to the official list maintained by the U.S. Department of Commerce:
Where information is transferred to a third country not recognised as providing an equivalent level of data protection as the originating country (‘restricted transfer’), we ensure adequate transfer mechanisms and appropriate safeguards are in place to protect personal data.
Our Data Processing Addendum (‘DPA’) includes EU/EEA and UK standard contractual clauses (‘SCCs’) as default and our data privacy team can work with customers in other jurisdictions to supplement these provisions if necessary. Where we rely on the service provider’s standard wording, we ensure SCCs are included if necessary.
For more information related to sub-processors, please read our sub-processors of customer data page.
Technical and organisational measures
We have implemented technical and organisational measures (‘TOMs’) to ensure a level of security appropriate to the risk for all data processing activities, including restricted transfers.
To review our ISO 27001 and 27701 aligned measures, please refer to our TOMs webpage. For more information about how we safeguard information assets against misuse, abuse or compromise, you can also visit our Trust Center and read our Security and Privacy FAQ and Whitepaper.
Ongoing due diligence
We evaluate the security, privacy and confidentiality practices of possible service providers before they process any personal data and on an annual basis thereafter. This includes a point-in-time evaluation of their hosting locations and whether any additional measures are necessary to protect personal data.