International Data Transfers via Standard Contractual Clauses

What it is

Squarespace stores and processes data in the United States, and transfers personal information from the EU and UK using standard contractual clauses, a legally recognized but periodically scrutinized transfer mechanism.

Why it matters (compliance & governance perspective)

EU and UK users' personal data is subject to US legal frameworks once transferred, and the adequacy of standard contractual clauses as a transfer mechanism has been subject to legal challenge and regulatory scrutiny.

Consumer impact (what this means for users)

If you are an EU or UK user, your personal data is transferred to and stored in the United States under standard contractual clauses, which may afford different levels of protection than EU or UK data protection law provides domestically.

Institutional analysis (Compliance & governance intelligence)

REGULATORY LANDSCAPE: This provision directly engages GDPR Chapter V (Articles 44-49) governing international data transfers, and UK GDPR equivalent provisions. The Court of Justice of the EU's Schrems II ruling (Case C-311/18) established that transfers to the US require supplementary measures in addition to SCCs where US surveillance law creates risks for data subjects. The European Commission issued updated SCCs in 2021, and compliance teams should verify Squarespace's SCCs are current. The Irish DPC is the primary supervisory authority. GOVERNANCE EXPOSURE: Medium. SCCs are a recognized transfer mechanism, but post-Schrems II requirements for transfer impact assessments and supplementary measures create ongoing compliance obligations. Organizations relying on Squarespace for EU or UK data processing should verify that adequate TIAs have been conducted and that SCCs reflect the 2021 updated versions. JURISDICTION FLAGS: EU/EEA and UK users face the most direct exposure. The EU-US Data Privacy Framework may also be relevant depending on whether Squarespace is certified under that framework, though the policy does not specify this. UK-specific transfer mechanisms under the UK GDPR also apply separately. CONTRACT AND VENDOR IMPLICATIONS: Procurement teams onboarding Squarespace as a vendor for EU or UK operations should request copies of applicable SCCs, confirm they cover all relevant processing activities, and assess whether transfer impact assessments have been completed. Sub-processor chains should be mapped to identify all jurisdictions where data may be processed. COMPLIANCE CONSIDERATIONS: Organizations using Squarespace for EU or UK customer data should include Squarespace's international transfer arrangements in their GDPR Article 30 records of processing activities. Legal teams should periodically review whether Squarespace's transfer mechanisms remain current with evolving regulatory guidance and court decisions.

Applicable agencies

Applicable regulations

Provision details

Other risks in this policy

• Dual Controller and Processor Role Structure medium
• Third-Party Advertising and Analytics Data Sharing medium
• Corporate Transaction Data Transfer medium
• California Resident Privacy Rights and Opt-Out low
• EU and UK Data Subject Rights low
• Cookies and Tracking Technologies medium

Related Analysis

• Meta Removed 438 Sentences From Its Privacy Policy. Here Is What Disappeared.

  ConductAtlas detected a major restructuring of Meta’s privacy policy that removed detailed consumer rights disclosures and relocated them to separate documents.

• 23andMe Is Bankrupt. What Happens to Your DNA Now?

  Your genetic data may be transferred to a new owner as a business asset. Here is what the Terms of Service actually say and what you can do right now.