International Data Transfer Agreement / Addendum to the EU Commission Standard Contractual Clauses

Introduction

The UK Information Commissioner's Office (ICO) is the UK's data protection regulator and the authority for UK GDPR compliance for UK companies.

Exporters can use the IDTA or the Addendum as a transfer tool to comply with Article 46 of the UK GDPR when making restricted transfers.

The IDTA and Addendum replaced the standard contractual clauses previously used for international transfers from the UK. They take into account the binding judgement of the Court of Justice of the European Union in the case commonly referred to as “Schrems II”.

International Data Transfer Agreement

Context

Transfer of ‘data’ in this context means emails, logs, screenshots etc. that a customer (perhaps based in the EEA) may supply or make available to JEMHC support staff based in the UK. Our Jira support system is hosted in the USA, so information supplied is ‘exported’ from the EEA under this agreement to the USA, where it is accessed (technically, re-exported) by UK-based JEMHC support staff. Further processing may result in that data being transferred to or from other systems in the US as part of our support function.

The information below applies to the International Data Transfer Agreement VERSION A1.0, in force 21 March 2022.

Part 1: Tables

Table 1: Parties and signature

Our details are restated here; customer details do not need to be supplied.

Importer (who receives the Restricted Transfer)

Full legal name

The Plugin People Ltd

Main address

Pure Offices, Cheltenham Office Park,
Hatherley Lane, Cheltenham,
Gloucestershire, GL51 6SH, UK

Company Number

08404380

Key Contact

Andy Brook, CTO, andy@thepluginpeople.com

Table 2: Transfer Details

UK country’s law that governs the IDTA

England and Wales

Primary place for legal claims to be made by the Parties

England and Wales

The status of the Exporter : (In relation to the Processing of the Transferred Data)

Exporter is a Controller

The status of the Importer : (In relation to the Processing of the Transferred Data:)

Importer is the Exporter’s Processor or Sub-Processor

Whether UK GDPR applies to the Importer:

UK GDPR applies to the Importer’s Processing of the Transferred Data

Linked Agreement

The Cloud EULA accepted through subscription

Term

The term of the subscription

Ending the IDTA before the end of the Term

The Parties cannot end the IDTA before the end of the Term unless there is a breach of the IDTA or the Parties agree in writing

Ending the IDTA when the Approved IDTA changes

Neither Party

Can the Importer make further transfers of the Transferred Data?

The Importer MAY NOT transfer on the Transferred Data to another organisation or person (who is a different legal entity) in accordance with Section 16.1 (Transferring on the Transferred Data)

Specific restrictions when the Importer may transfer on the Transferred Data

There are no specific restrictions

Review Dates

We retain support data for 7 years to help us understand problems that customers have had historically. We execute periodic purges of such old data. Customers can ask for supplied data to be removed at the closure of a support case; such requests will be handled on a case by case basis.

Table 3: Transferred Data

Transferred Data : (The personal data to be sent to the Importer under this IDTA consists of:)

The categories of Transferred Data will update automatically if the information is updated in the Linked Agreement referred to

Special Categories of Personal Data and criminal convictions and offences: (The Transferred Data includes data relating to:)

None of the above

Relevant Data Subjects

The categories of Data Subjects will update automatically if the information is updated in the Linked Agreement referred to

Purpose

The purposes will update automatically if the information is updated in the Linked Agreement referred to

Table 4: Security Requirements

Security of Transmission

Our support system uses HTTPS transport.

‘Flagged’ support emails are transmitted over HTTPS transport.

Security of Storage

Data supplied in support is secured by the Jira platform. Data ‘flagged’ is secured by the JEMHC production application, which uses encryption at rest.

Security of Processing

Full-time employees participate in support and have access to ‘flagged’ data. Customer data is processed locally and on remote Jira instance sites. Data can also be reprocessed through external services as part of support; HTTPS transport is used at all times for such transfers.

Organisational security measures

We use two-factor authentication (2FA) for Jira account security and for access to ‘flagged’ data.

Technical security minimum requirements

Access is limited to authorized named employees who are subject to a role based permissions policy

Data is encrypted at rest (applies to webhooks, raw emails in/out)

Field level encryption is used for sensitive values

Updates to the Security Requirements

The Security Requirements will update automatically if the information is updated in the Linked Agreement referred to

Part 2: Extra Protection Clauses

Extra Protection Clauses:

none

(i) Extra technical security protections

Two-factor authentication wherever possible

The deployment works on a least privilege basis with group access policies for different environments (DEV/UAT/PROD)

Outbound SMTP mail must use TLS or SSL

Inbound POP/IMAP mail retrieval must use SSL

Mail stored as part of auditing is purged by policy after 30 days

Webhook ‘event’ data is purged by policy after 7 days. This window allows for review by the customer and avoids data loss in cases where the monthly Capacity Plan is consumed or a Plan Upgrade lapses, i.e. the customer has 7 days to purchase more capacity before webhook data will be lost.

A ‘dead end’ mailhost is used for consuming mail sent during testing with customer supplied email data to ensure no data can ‘leak’ to actual recipients.

Support closure requires JEMHC support staff to confirm via checkbox that local copies of data from support/flagged mail have been purged.

MS Windows is not used for development

(ii) Extra organisational protections

Access to the cloud development environment is limited to named users on the cloud team only

(iii) Extra contractual protections

none

Part 3: Commercial Clauses

Commercial Clauses

none

Part 4: Mandatory Clauses

As per International Data Transfer Agreement VERSION A1.0, in force 21 March 2022