1 Introduction
2 International Data Transfer Agreement
- 2.1 Context
- 2.2 Part 1: Tables
  - 2.2.1 Table 1: Parties and signature
    - 2.2.1.1 Importer (who receives the Restricted Transfer)
  - 2.2.2 Table 2: Transfer Details
  - 2.2.3 Table 3: Transferred Data
  - 2.2.4 Table 4: Security Requirements
- 2.3 Part 2: Extra Protection Clauses
- 2.4 Part 3: Commercial Clauses
- 2.5 Part 4: Mandatory Clauses

Introduction

The UK Information Commissioners Office is the home of GDPR and data protection for UK companies.

https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-data-transfer-agreement-and-guidance/

Exporters can use the IDTA or the Addendum as a transfer tool to comply with Article 46 of the UK GDPR when making restricted transfers.
The IDTA and Addendum replaced standard contractual clauses for international transfers. They take into account the binding judgement of the European Court of Justice, in the case commonly referred to as “Schrems II”.

International Data Transfer Agreement

Context

Transfer of ‘data’ in context here represents emails, logs, screenshots etc that a customer (perhaps based in the EEA) may supply or make available to JEMHC support staff based in the UK. Our Jira support system is in the USA, information supplied is therefore ‘exported’ from the EEA under this agreement to the USA, where its accessed (technically, re-exported) to the UK JEMHC support staff. Further processing may result in that data being transferred to/from other systems in the US as part of our support function.

Data provided below is applicable to the International Data Transfer Agreement VERSION A1.0, in force 21 March 2022.

Part 1: Tables

Table 1: Parties and signature

Restating our details, customer details do not need supplying here.

Importer (who receives the Restricted Transfer)

Full legal name	The Plugin People Ltd

Full legal name	The Plugin People Ltd
Main address	Pure Offices, Cheltenham Office Park, Hatherley Lane, Cheltenham, Gloucestershire, GL51 6SH, UK
Company Number	08404380
Key Contact	Andy Brook, CTO, andy@thepluginpeople.com

Table 2: Transfer Details

UK country’s law that governs the IDTA	England and Wales

UK country’s law that governs the IDTA	England and Wales
Primary place for legal claims to be made by the Parties	England and Wales
The status of the Exporter : (In relation to the Processing of the Transferred Data)	Exporter is a Controller
The status of the Importer : (In relation to the Processing of the Transferred Data:)	Importer is the Exporter’s Processor or Sub-Processor
Whether UK GDPR applies to the Importer:	UK GDPR applies to the Importer’s Processing of the Transferred Data
Linked Agreement	The Cloud EULA accepted through subscription
Term	The term of the subscription
Ending the IDTA before the end of the Term	The Parties cannot end the IDTA before the end of the Term unless there is a breach of the IDTA or the Parties agree in writing
Ending the IDTA when the Approved IDTA changes	neither Party
Can the Importer make further transfers of the Transferred Data?	The Importer MAY NOT transfer on the Transferred Data to another organisation or person (who is a different legal entity) in accordance with Section 16.1 (Transferring on the Transferred Data)
Specific restrictions when the Importer may transfer on the Transferred Data	there are no specific restrictions
Review Dates	We retain support data for 7 years to help us understand problems that customer have had historically. We execute periodic purges of such old data. Customers can ask for supplied data to be removed at the closure of a support case, which be handled on a case by case basis.

Table 3: Transferred Data

Transferred Data : (The personal data to be sent to the Importer under this IDTA consists of:)	The categories of Transferred Data will update automatically if the information is updated in the Linked Agreement referred to

Transferred Data : (The personal data to be sent to the Importer under this IDTA consists of:)

The categories of Transferred Data will update automatically if the information is updated in the Linked Agreement referred to

Special Categories of Personal Data and criminal convictions and offences: (The Transferred Data includes data relating to:)

None of the above

Relevant Data Subjects

The categories of Data Subjects will update automatically if the information is updated in the Linked Agreement referred to

Purpose

The purposes will update automatically if the information is updated in the Linked Agreement referred to

Table 4: Security Requirements

Security of Transmission	Our support system uses secure HTTPS transport ‘flagged’ support emails are made using secure HTTPS transport
Security of Storage	Data supplied in support is secured by the Jira platform, Data ‘flagged' is secured by the JEMHC production application which uses encryption at rest
Security of Processing	Full time employees participate in support and have access to ‘flagged’ data. Customer data is processed locally and on remote Jira instance sites. Data can also be reprocessed through external services as part of support. secure HTTPS transport is used at all times for such transfers
Organisational security measures	We use 2fa for Jira account security and access to ‘flagged’ data
Technical security minimum requirements	Access is limited to authorized named employees who are subject to a role based permissions policy Data is encrypted at rest (applies to webhooks, raw emails in/out) Field level encryption is used for sensitive values
Updates to the Security Requirements	The Security Requirements will update automatically if the information is updated in the Linked Agreement referred to

Part 2: Extra Protection Clauses

Extra Protection Clauses:	none

Extra Protection Clauses:

none

(i) Extra technical security protections

2 factor authentication wherever possible

The deployment works on a least privilege basis with group access policies for different environments (DEV/UAT/PROD)

Outbound SMTP mail must use TLS or SSL

Inbound POP/IMAP mail retrieval must use SSL

Mail stored as part of auditing is purged by policy after 30 days

Webhook ‘event’ data is purged by policy after 7 days to allow for review by customer and avoid data loss in cases where the monthly Capacity Plan is consumed or Plan Upgrade lapses, ie customer has 7d to purchase more capacity before webhook data will be lost.

A ‘dead end’ mailhost is used for consuming mail sent during testing with customer supplied email data to ensure no data can ‘leak’ to actual recipients.

Support closure requires JEMHC support staff to confirm via checkbox that local copies of data from support/flagged mail have been purged.

MS Windows is not used for development

(ii) Extra organisational protections

Access to cloud development environment is limited to cloud team only, named users

(iii) Extra contractual protections