See the steps we ensure your privacy and protection with Ideanote
In light of the “Schrems II” ruling of the Court of Justice for the European Union and the recommendations from the European Data Protection Board, Ideanote conducts impact assessments for data transfers that are part of the Ideanote Service.
This Data Transfer Impact Assessment (“DTIA”) identifies and describes the risk as well as safeguards Ideanote has put in place in connection with transfers of customer personal data from the European Economic Area, United Kingdom or Switzerland ("Europe") to the United States and Ideanote's ability to comply with its obligations as "data exporter".
In its Schrems II decision the Court of Justice of the EU clarified that the use of standard contractual clauses (“SCC”) requires data controllers to conduct a case-by-case assessment of the level of data protection that SCCs can provide, taking into account the nature of the personal data transfers and the country of destination.
Please see the Ideanote Data Protection Addendum (“DPA”) for a description of the nature of the processing of data. Ideanote has put in place supplemental measures to protect personal data for transfers to third parties in the United States. To see where we transfer data to our vendors outside the server location, see our list of sub-processors.
The following US laws relevant to EU-U.S. data transfer were identified by the Court of Justice of the European Union in Schrems II as being potential obstacles to ensuring essentially equivalent protection for personal data in the US:
As the United States does not afford personal data a level of protection that is essentially equivalent to those that the GDPR provides additional technical, organizational, or contractual measures are needed.
Ideanote uses several sub-processors who store data in the United States and whose employees may access personal data in the United States. Please see our list of sub-processors for specific information and data flows.
Ideanote transfers data on a continuous basis, as the Service is used.
Please see our list of sub-processors for specific information about the processor of the categories of personal data sent or processed in the United States.
We do not intentionally transfer any sensitive Data to the United States. When Customers use Credit Card payment they transact with our payment processor (Stripe Inc.) which handles sensitive Credit Card details in the United States but we are not involved in that transfer.
Each Ideanote sub-processor has a law enforcement request policy in place and will notify Ideanote, where permitted by law, before disclosing information in response to a request.
Data is transferred externally to our sub-processors.
Where customer personal data originating from Europe is transferred by Ideanote to third-party sub-processors in the United States, Ideanote has entered into DPAs with SCCs with those parties.
Each Ideanote sub-processor has agreed to contractual measures that are at least as restrictive as those Ideanote has agreed to with Customers. Please see our list of sub-processors for specific information on certifications and compliance, technical and organizational security measures of the individual sub-processor.
Applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved:
Please see our list of sub-processors for specific information about the vendor measures and additional measures for data sent to the United States.
While laws like “FISA 702” can be used to obtain information from Non-US citizens, the personal data sent to the United States is minimal and not tied to further data points. A name might be identified with an email address but not an IP address and not with any behavioural information or content.
Ideanote (as “data exporter”) considers the risks for individuals’ rights in transferring and processing the limited set of categories of European personal data in/to the United States as low.
With the nature of transfer of personal data outlined in this document Ideanote and the additional measures taken by Ideanote and the third party vendors Ideanote does not see the need for additional supplementary measures at this time.
Ideanote will review and, if necessary, reconsider the risks associated with its sub-processors as well as the measures implemented by itself and by third parties at regular intervals, at least annually.