Problem Statement
As part of the updated Standard Contractual Clauses (SCC), a Transfer Impact Assessment (TIA) needs to be conducted. Its purpose is to demonstrate that there is no reason to believe that the data importer (customer’s company) will not be able to comply with the SCC due to local laws and practices in the recipient country.
Solution
Performing the TIA is the responsibility of the customer (data controller/data exporter), not ours (data processor). Below are the details:
In the Schrems II judgment, the European Court of Justice indicated that data exporters are responsible for assessing whether the laws and practices of the importing country impinge on the effectiveness of the appropriate safeguards provided by the Art. 46 GDPR tools, such as the Standard Contractual Clauses.
Okta (Workforce and Customer Identity Cloud) does not provide a TIA for Customers since Customers fully own the data they choose to store in their Okta tenant, which varies based on their requirements. However, Okta provides all the information Customers need to perform their own TIA on the "Trust and Compliance Documentation | Okta" and "Security, Privacy & Compliance - Auth0" pages, where they can review our Data Processing Addendum, Sub-processor Information, Security & Privacy Documentation, Law Enforcement Data Request Policy, and APEC for Processors Certification.