Skip to main content
Pricing Templates
Legal

UK Standard Contractual Clauses

International Data Transfer Addendum (IDTA)

Effective Date: January 15, 2024

Overview

This UK International Data Transfer Addendum ("UK Addendum") supplements our Data Processing Agreement and applies to the transfer of personal data from the United Kingdom to countries outside the UK that do not have an adequacy decision under UK GDPR.

Note: This addendum is based on the UK Information Commissioner's Office (ICO) International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, version B1.0.

Purpose and Scope

This UK Addendum ensures that personal data transferred from the UK to ShortStack's infrastructure receives an adequate level of protection as required by UK GDPR.

Applies To:

  • • Data transfers from UK-based customers to ShortStack
  • • Transfers to subprocessors located outside the UK
  • • Cross-border data processing activities

Does Not Apply When:

  • • Data remains within the UK
  • • Transfer is to a country with a UK adequacy decision
  • • Other appropriate safeguards are in place

Key Terms

Exporter

The UK-based customer (Data Controller) transferring personal data to ShortStack.

Importer

ShortStack (Data Processor) receiving and processing personal data on behalf of the Exporter.

Restricted Transfer

Transfer of personal data from the UK to a country without a UK GDPR adequacy decision.

Transfer Details

Description of Transfer

Data Subjects

End users of Customer's campaigns

Categories of Data

Contact info, demographics, submissions

Sensitive Data

None (unless specifically submitted by Data Controller)

Frequency

Continuous during Service provision

Processing Locations

Personal data may be processed in the following locations:

  • Primary: United States (AWS data centers)
  • Backup: Multiple geographic regions for redundancy
  • Subprocessors: See our Subprocessors List

Safeguards and Guarantees

ShortStack implements the following safeguards to protect transferred personal data:

Technical Measures

  • • End-to-end encryption for data in transit and at rest
  • • Multi-factor authentication and access controls
  • • Regular security audits and penetration testing
  • • Intrusion detection and prevention systems

Organizational Measures

  • • Staff training on UK GDPR requirements
  • • Confidentiality agreements with all personnel
  • • Data protection impact assessments
  • • Incident response and breach notification procedures

Legal Measures

  • • Contractual data protection obligations
  • • Rights to audit compliance
  • • Obligation to cooperate with supervisory authorities
  • • Commitment to UK data protection principles

Data Subject Rights

Data subjects whose personal data is transferred under this addendum have the following rights:

Access: Request copies of their personal data
Rectification: Correct inaccurate data
Erasure: Request deletion of data
Restriction: Limit processing activities
Portability: Receive data in portable format
Objection: Object to certain processing

Supervisory Authority

For UK-based data subjects, the relevant supervisory authority is:

Information Commissioner's Office (ICO)

Wycliffe House, Water Lane

Wilmslow, Cheshire SK9 5AF

United Kingdom

Website: ico.org.uk

Helpline: 0303 123 1113

Government Access Requests

ShortStack commits to:

  • • Notify the Data Controller of any government access requests unless legally prohibited
  • • Challenge overly broad or unlawful requests where possible
  • • Limit disclosure to the minimum required by law
  • • Document all requests and responses for transparency

To date, ShortStack has not received any government access requests for customer data under this addendum.

Termination and Data Return

Upon termination of this addendum:

  1. 1. ShortStack will cease all processing of transferred personal data
  2. 2. Data will be returned to the Data Controller or securely deleted within 90 days
  3. 3. Certification of deletion will be provided upon request
  4. 4. Backup copies will be securely deleted according to retention schedules

Contact Information

For questions about the UK Standard Contractual Clauses: