UK Standard Contractual Clauses
International Data Transfer Addendum (IDTA)
Effective Date: January 15, 2024
Overview
This UK International Data Transfer Addendum ("UK Addendum") supplements our Data Processing Agreement and applies to the transfer of personal data from the United Kingdom to countries outside the UK that do not have an adequacy decision under UK GDPR.
Note: This addendum is based on the UK Information Commissioner's Office (ICO) International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, version B1.0.
Purpose and Scope
This UK Addendum ensures that personal data transferred from the UK to ShortStack's infrastructure receives an adequate level of protection as required by UK GDPR.
Applies To:
- Data transfers from UK-based customers to ShortStack
- Transfers to subprocessors located outside the UK
- Cross-border data processing activities
Does Not Apply When:
- Data remains within the UK
- Transfer is to a country with a UK adequacy decision
- Other appropriate safeguards are in place
Key Terms
Exporter
The UK-based customer (Data Controller) transferring personal data to ShortStack.
Importer
ShortStack (Data Processor) receiving and processing personal data on behalf of the Exporter.
Restricted Transfer
Transfer of personal data from the UK to a country without a UK GDPR adequacy decision.
Transfer Details
Description of Transfer
- Data Subjects: End users of Customer's campaigns
- Categories of Data: Contact info, demographics, submissions
- Sensitive Data: None (unless specifically submitted by Data Controller)
- Frequency: Continuous during Service provision
Processing Locations
Personal data may be processed in the following locations:
- Primary: United States (AWS data centers)
- Backup: Multiple geographic regions for redundancy
- Subprocessors: See our Subprocessors List
Safeguards and Guarantees
ShortStack implements the following safeguards to protect transferred personal data:
Technical Measures
- End-to-end encryption for data in transit and at rest
- Multi-factor authentication and access controls
- Regular security audits and penetration testing
- Intrusion detection and prevention systems
Organizational Measures
- Staff training on UK GDPR requirements
- Confidentiality agreements with all personnel
- Data protection impact assessments
- Incident response and breach notification procedures
Legal Measures
- Contractual data protection obligations
- Rights to audit compliance
- Obligation to cooperate with supervisory authorities
- Commitment to UK data protection principles
Data Subject Rights
Data subjects whose personal data is transferred under this addendum have the following rights:
Supervisory Authority
For UK-based data subjects, the relevant supervisory authority is:
Information Commissioner's Office (ICO)
Wycliffe House, Water Lane
Wilmslow, Cheshire SK9 5AF
United Kingdom
Website: ico.org.uk
Helpline: 0303 123 1113
Government Access Requests
ShortStack commits to:
- Notify the Data Controller of any government access requests unless legally prohibited
- Challenge overly broad or unlawful requests where possible
- Limit disclosure to the minimum required by law
- Document all requests and responses for transparency
To date, ShortStack has not received any government access requests for customer data under this addendum.
Termination and Data Return
Upon termination of this addendum:
1. ShortStack will cease all processing of transferred personal data
2. Data will be returned to the Data Controller or securely deleted within 90 days
3. Certification of deletion will be provided upon request
4. Backup copies will be securely deleted according to retention schedules
Contact Information
For questions about the UK Standard Contractual Clauses: