One Identity may transfer personal data from the EU, UK, or Switzerland to the US and other countries, relying on Standard Contractual Clauses as the legal transfer mechanism.
This analysis describes what OneLogin's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
International data transfers to countries without equivalent data protection laws create risk that your data may be subject to different legal standards, including potential government access regimes, once it leaves the EU/EEA.
Interpretive note: The policy does not confirm whether Transfer Impact Assessments have been conducted or whether One Identity participates in the EU-US Data Privacy Framework, creating uncertainty about the completeness of the transfer compliance framework.
The updated policy discloses that OneLogin may record calls with consent and use AI to analyze call transcripts, chat conversations, and sales emails for multiple purposes including follow-up task identification, call summarization, sales analytics, communication effectiveness analysis, and forecast modeling. Under the revised terms, recorded call audio and video may be reviewed for employee training, monitoring, and coaching purposes. The policy also states that OneLogin will save chat and call conversation data to inform future interactions. These practices apply when you communicate with OneLogin via phone calls, chat, email, text, or other teleconference solutions. You should review the updated disclosure to understand how your communication data will be processed and retained.
View change record →The updated policy removes explicit language describing how OneLogin uses AI to analyze customer communications. Previously, the policy stated that call audio and video would be recorded with consent and analyzed using AI to identify follow-up tasks, summarize calls, and conduct sales analytics; that chatbot conversations would be analyzed and saved; and that sales emails would be analyzed to determine communication efficacy and forecast next steps. These specific AI analysis practices are no longer described in the updated policy. The revised language also narrows one stated data use purpose, changing 'answers or services you have asked or licensed' to 'services you have purchased.' No consumer opt-out mechanisms or alternative disclosures are provided in the change text.
View change record →The provision was reframed to explicitly mention the United States as a destination and removed reference to 'adequacy decision' and 'equivalent mechanisms,' instead focusing on the lower level of protection in destination countries.
View full change record →If you are based in the EU, UK, or Switzerland, your personal data may be transferred to the United States under Standard Contractual Clauses, which provide contractual protections but do not eliminate all risks associated with US data access laws. EU users retain the right to lodge a complaint with their national DPA if they have concerns about these transfers.
How other platforms handle this
At Ledger, earning and maintaining our users' trust is a top priority. That's why we are deeply committed not only to protecting your privacy and securing your personal data, but also to being fully transparent about how we handle it.
Your personal information may be transferred to, and maintained on, computers located outside of your state, province, country, or other governmental jurisdiction where the privacy laws may not be as protective as those in your jurisdiction.
Your personal information may be transferred to, stored, and processed in the United States or other countries outside of your country of residence, which may have data protection laws that are different from those in your country.
Monitoring
OneLogin has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"If you are located in the European Economic Area, the United Kingdom, or Switzerland, please be aware that we may transfer your personal information to countries outside of these regions, including to the United States, where data protection laws may not provide the same level of protection as those in your home country. We use Standard Contractual Clauses approved by the European Commission to facilitate such transfers.— Excerpt from OneLogin's OneLogin Privacy Policy
1) REGULATORY LANDSCAPE: This provision directly engages GDPR Chapter V governing international transfers of personal data, and equivalent provisions under UK GDPR and the Swiss Federal Act on Data Protection. The European Commission's Standard Contractual Clauses (2021 version) are the stated transfer mechanism. Post-Schrems II (Case C-311/18), organizations relying on SCCs must conduct Transfer Impact Assessments to verify that the destination country's law does not undermine the protections the SCCs provide. The EU-US Data Privacy Framework, adopted in 2023, may also be relevant if One Identity is a certified participant, though the policy does not reference this framework. 2) GOVERNANCE EXPOSURE: Medium. The policy asserts SCCs as the transfer mechanism without disclosing whether Transfer Impact Assessments have been conducted for US transfers or whether supplementary measures are in place. EU DPAs have increasingly scrutinized US transfers under US surveillance laws (including FISA Section 702), and organizations relying solely on SCCs without documented TIAs face regulatory risk. 3) JURISDICTION FLAGS: EU/EEA, UK, and Swiss users face the highest exposure. The UK's International Data Transfer Agreement framework applies separately from EU SCCs and requires its own assessment. Swiss transfers are governed by the revised nFADP, which has its own transfer mechanism requirements. Organizations with EU employee or customer data processed through One Identity should assess whether their own transfer compliance programs account for One Identity's downstream transfers. 4) JURISDICTION FLAGS: Enterprise customers should request documentation of One Identity's Transfer Impact Assessments, the specific version of SCCs in use (2021 EU SCCs or earlier), and whether the EU-US Data Privacy Framework certification applies. DPAs with One Identity should specify the transfer mechanisms applicable to processor-to-subprocessor transfers and require notification of any changes to sub-processor locations. 5) COMPLIANCE CONSIDERATIONS: Legal teams should verify that One Identity has updated its SCCs to the 2021 European Commission standard and that TIAs are documented for US and other third-country transfers. If One Identity participates in the EU-US Data Privacy Framework, this should be confirmed via the DPF list. Organizations subject to sector-specific transfer restrictions (financial services, healthcare) should conduct additional assessments of transfer adequacy.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Ad personalization controls removed. Contact scanning added. Advertiser data partnerships quietly dropped. A timeline of every change.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
International data transfers to countries without equivalent data protection laws create risk that your data may be subject to different legal standards, including potential government access regimes, once it leaves the EU/EEA.
If you are based in the EU, UK, or Switzerland, your personal data may be transferred to the United States under Standard Contractual Clauses, which provide contractual protections but do not eliminate all risks associated with US data access laws. EU users retain the right to lodge a complaint with their national DPA if they have concerns about these transfers.
ConductAtlas has identified this type of provision across 10 platforms. See the full comparison.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by OneLogin.