Data Transfer Impact Assessment for United States
In light of the “Schrems II” ruling of the Court of Justice for the European Union and the recommendations from the European Data Protection Board, Ideanote conducts impact assessments for data transfers that are part of the Ideanote Service.
This Data Transfer Impact Assessment (“DTIA”) identifies and describes the risk as well as safeguards Ideanote has put in place in connection with transfers of customer personal data from the European Economic Area, United Kingdom or Switzerland ("Europe") to the United States and Ideanote's ability to comply with its obligations as "data exporter".
In its Schrems II decision the Court of Justice of the EU clarified that the use of standard contractual clauses (“SCC”) requires data controllers to conduct a case-by-case assessment of the level of data protection that SCCs can provide, taking into account the nature of the personal data transfers and the country of destination.
Please see the Ideanote Data Protection Addendum (“DPA”) for a description of the nature of the processing of data. Ideanote has put in place supplemental measures to protect personal data for transfers to third parties in the United States. To see where we transfer data to our vendors outside the server location, see our list of sub-processors.
Assessment of the country of destination
The following US laws relevant to EU-U.S. data transfer were identified by the Court of Justice of the European Union in Schrems II as being potential obstacles to ensuring essentially equivalent protection for personal data in the US:
- FISA 702
- Executive Order 12333
- Cloud Act
As the United States does not afford personal data a level of protection that is essentially equivalent to those that the GDPR provides additional technical, organizational, or contractual measures are needed.
Purpose for transfer and any further processing:
Ideanote uses several sub-processors who store data in the United States and whose employees may access personal data in the United States. Please see our list of sub-processors for specific information and data flows.
Frequency
Ideanote transfers data on a continuous basis, as the Service is used.
Categories of Personal Data
- End-user Email Addresses
- End-user Names
- End-user IP
- Customer Credit Card Details
- Customer Contact IP
- Customer Address
- Customer Credit Card Details
- Customer Contact Name
- Customer Contact Email
Please see our list of sub-processors for specific information about the processor of the categories of personal data sent or processed in the United States.
Sensitive Data
We do not intentionally transfer any sensitive Data to the United States. When Customers use Credit Card payment they transact with our payment processor (Stripe Inc.) which handles sensitive Credit Card details in the United States but we are not involved in that transfer.
Law Enforcement Requests
Each Ideanote sub-processor has a law enforcement request policy in place and will notify Ideanote, where permitted by law, before disclosing information in response to a request.
Processing Chain Length
Data is transferred externally to our sub-processors.
Applicable Transfer Mechanism
Where customer personal data originating from Europe is transferred by Ideanote to third-party sub-processors in the United States, Ideanote has entered into DPAs with SCCs with those parties.
Supplemental Vendor Measures
Each Ideanote sub-processor has agreed to contractual measures that are at least as restrictive as those Ideanote has agreed to with Customers. Please see our list of sub-processors for specific information on certifications and compliance, technical and organizational security measures of the individual sub-processor.
Additional Measures
Applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved:
- Each Ideanote sub-processor processing personal data in the United States has a law enforcement request policy in place and will notify Ideanote, where permitted by law, before disclosing information in response to a request.
- Each Ideanote sub-processor processing personal data in the United States is certified to comply with standards equal to or higher than those of Ideanote, for example SOC2 Type 2.
- Each Ideanote sub-processor processing personal data in the United States has a limited retention period for this data.
- The categories of personal data are separated and not all available to the same sub-processor. Some are processing end-user email addresses but not IP addresses. A second is processing IP addresses. A third is processing Customer Credit card details.
- Where possible, data is encrypted and anonymized and retention periods are minimized.
- Ideanote provides data protection training to all Ideanote staff.
Please see our list of sub-processors for specific information about the vendor measures and additional measures for data sent to the United States.
While laws like “FISA 702” can be used to obtain information from Non-US citizens, the personal data sent to the United States is minimal and not tied to further data points. A name might be identified with an email address but not an IP address and not with any behavioural information or content.
Ideanote (as “data exporter”) considers the risks for individuals’ rights in transferring and processing the limited set of categories of European personal data in/to the United States as low.
With the nature of transfer of personal data outlined in this document Ideanote and the additional measures taken by Ideanote and the third party vendors Ideanote does not see the need for additional supplementary measures at this time.
Re-evaluation
Ideanote will review and, if necessary, reconsider the risks associated with its sub-processors as well as the measures implemented by itself and by third parties at regular intervals, at least annually.