One Identity may transfer personal data from the EU, UK, or Switzerland to the US and other countries, relying on Standard Contractual Clauses as the legal transfer mechanism.
This analysis describes what OneLogin's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
International data transfers to countries without equivalent data protection laws create risk that your data may be subject to different legal standards, including potential government access regimes, once it leaves the EU/EEA.
Interpretive note: The policy does not confirm whether Transfer Impact Assessments have been conducted or whether One Identity participates in the EU-US Data Privacy Framework, creating uncertainty about the completeness of the transfer compliance framework.
The updated policy discloses that OneLogin may record calls with consent and use AI to analyze call transcripts, chat conversations, and sales emails for multiple purposes including follow-up task id…
If you are based in the EU, UK, or Switzerland, your personal data may be transferred to the United States under Standard Contractual Clauses, which provide contractual protections but do not eliminate all risks associated with US data access laws. EU users retain the right to lodge a complaint with their national DPA if they have concerns about these transfers.
How other platforms handle this
Where Zendesk transfers personal data outside of the European Economic Area, the United Kingdom, or Switzerland, we rely on appropriate transfer mechanisms, including Standard Contractual Clauses approved by the European Commission, to ensure that your personal data receives an adequate level of pro...
Pinterest, Inc. complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. When we transfer your personal data from the EEA, Switzerland, or the UK to...
If you are located in the European Economic Area, United Kingdom, or Switzerland, we transfer your personal data to the United States and other countries that may not provide the same level of data protection as your home country. We rely on Standard Contractual Clauses approved by the European Comm...
Monitoring
OneLogin has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"If you are located in the European Economic Area, the United Kingdom, or Switzerland, please be aware that we may transfer your personal information to countries outside of these regions, including to the United States, where data protection laws may not provide the same level of protection as those in your home country. We use Standard Contractual Clauses approved by the European Commission to facilitate such transfers.— Excerpt from OneLogin's OneLogin Privacy Policy
1) REGULATORY LANDSCAPE: This provision directly engages GDPR Chapter V governing international transfers of personal data, and equivalent provisions under UK GDPR and the Swiss Federal Act on Data Protection. The European Commission's Standard Contractual Clauses (2021 version) are the stated transfer mechanism. Post-Schrems II (Case C-311/18), organizations relying on SCCs must conduct Transfer Impact Assessments to verify that the destination country's law does not undermine the protections the SCCs provide. The EU-US Data Privacy Framework, adopted in 2023, may also be relevant if One Identity is a certified participant, though the policy does not reference this framework. 2) GOVERNANCE EXPOSURE: Medium. The policy asserts SCCs as the transfer mechanism without disclosing whether Transfer Impact Assessments have been conducted for US transfers or whether supplementary measures are in place. EU DPAs have increasingly scrutinized US transfers under US surveillance laws (including FISA Section 702), and organizations relying solely on SCCs without documented TIAs face regulatory risk. 3) JURISDICTION FLAGS: EU/EEA, UK, and Swiss users face the highest exposure. The UK's International Data Transfer Agreement framework applies separately from EU SCCs and requires its own assessment. Swiss transfers are governed by the revised nFADP, which has its own transfer mechanism requirements. Organizations with EU employee or customer data processed through One Identity should assess whether their own transfer compliance programs account for One Identity's downstream transfers. 4) JURISDICTION FLAGS: Enterprise customers should request documentation of One Identity's Transfer Impact Assessments, the specific version of SCCs in use (2021 EU SCCs or earlier), and whether the EU-US Data Privacy Framework certification applies. DPAs with One Identity should specify the transfer mechanisms applicable to processor-to-subprocessor transfers and require notification of any changes to sub-processor locations. 5) COMPLIANCE CONSIDERATIONS: Legal teams should verify that One Identity has updated its SCCs to the 2021 European Commission standard and that TIAs are documented for US and other third-country transfers. If One Identity participates in the EU-US Data Privacy Framework, this should be confirmed via the DPF list. Organizations subject to sector-specific transfer restrictions (financial services, healthcare) should conduct additional assessments of transfer adequacy.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
International data transfers to countries without equivalent data protection laws create risk that your data may be subject to different legal standards, including potential government access regimes, once it leaves the EU/EEA.
If you are based in the EU, UK, or Switzerland, your personal data may be transferred to the United States under Standard Contractual Clauses, which provide contractual protections but do not eliminate all risks associated with US data access laws. EU users retain the right to lodge a complaint with their national DPA if they have concerns about these transfers.
ConductAtlas has identified this type of provision across 10 platforms. See the full comparison.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by OneLogin.