International Data Transfer Agreement Template for the United States

Generate a bespoke document

Trusted by 200k+ teams

4.7 Capterra
4.8 Product Hunt
4.6 Trustpilot

What is a International Data Transfer Agreement?

The International Data Transfer Agreement has become essential in today's globalized business environment where cross-border data transfers are routine. This agreement is specifically designed to meet the requirements of US federal and state data protection laws while accommodating international standards such as GDPR. It is required when organizations transfer personal data across jurisdictions, particularly when sending data to or from the United States. The agreement details the obligations of both parties, security requirements, data subject rights, and compliance mechanisms, ensuring that personal data maintains appropriate protection standards throughout its journey across borders.

Reviewed by

Swetha Meenal

Legal Engineer, GenieAI

Swetha Meenal profile photo

A lawyer, legal researcher and legal tech founder, Swetha has built AI products deployed inside Tier 1 firms and enterprises. She ensures GenieAI's alignment with the latest regulation and executes testing on the legal robustness of Genie output.

Reviewed by

Imad Mohammed Nazar

Legal Engineer, GenieAI

Imad Mohammed Nazar profile photo

A Skadden-trained M&A lawyer, Imad advised on cross-border transactions and contractual risk before moving into legal AI. He reviews GenieAI's output for compliance and enforceability across our 150+ supported jurisdictions, as well as facilitating external benchmarking.

Jurisdiction

United States

Publisher

GenieAI

Sector

Business

Cost

Free to use

Last updated

About the International Data Transfer Agreement

When your business transfers personal data across international borders, you need a comprehensive International Data Transfer Agreement to ensure compliance with United States privacy laws. This legal document establishes the framework for lawful cross-border data sharing while protecting individual privacy rights and meeting regulatory requirements under federal and state legislation.

When do you need this document?

You require an International Data Transfer Agreement whenever your organization sends or receives personal data across national boundaries. This includes cloud storage arrangements with international providers, outsourcing customer service to overseas vendors, sharing employee data with foreign subsidiaries, or collaborating with international business partners on projects involving personal information. The agreement is particularly crucial when transferring data to or from jurisdictions with different privacy standards than those required under US law. Companies processing California residents' data under CCPA, Virginia residents under VCDPA, or Colorado residents under CPA must ensure adequate safeguards are in place for international transfers.

Key legal considerations

Your International Data Transfer Agreement must address several critical elements to ensure legal compliance and data protection. The agreement should clearly define the roles of data exporter and data importer, specify the categories and purposes of data being transferred, and establish comprehensive security measures including encryption, access controls, and breach notification procedures. You need to include provisions for data subject rights, allowing individuals to access, correct, or delete their personal information even after international transfer. The agreement must also address liability allocation, indemnification clauses, and termination procedures including secure data return or destruction. Regular compliance audits and monitoring provisions ensure ongoing adherence to agreed-upon standards.

Legal requirements in United States

Under United States law, international data transfers must comply with multiple federal and state regulations depending on the nature of your business and the data involved. The FTC Act requires that your data transfer practices not constitute unfair or deceptive acts affecting commerce, while the CFAA prohibits unauthorized access to computer systems containing transferred data. State-level requirements vary significantly: CCPA mandates that businesses provide adequate protection for California residents' data transferred internationally, including the right to opt-out of certain transfers. VCDPA requires similar protections for Virginia residents, while CPA establishes comparable obligations for Colorado residents. Your agreement must incorporate appropriate safeguards such as standard contractual clauses, adequacy determinations, or other approved transfer mechanisms. Additionally, sector-specific regulations like HIPAA for healthcare data or GLBA for financial information may impose additional requirements on your international data transfer arrangements.

GOVERNING LAW

Applicable law

This International Data Transfer Agreement is drafted to comply with United States law. Key legislation includes:

FTC Act: Federal Trade Commission Act - Primary US federal law governing data privacy and unfair or deceptive practices affecting commerce

ECPA: Electronic Communications Privacy Act - Federal law protecting wire, oral, and electronic communications while those communications are being made, are in transit, and when they are stored

CFAA: Computer Fraud and Abuse Act - Federal law that prohibits accessing a computer without authorization, or in excess of authorization

CCPA: California Consumer Privacy Act - Comprehensive state-level privacy law providing California residents with data privacy rights

VCDPA: Virginia Consumer Data Protection Act - State law providing privacy rights to Virginia residents and obligations for businesses processing their data

CPA: Colorado Privacy Act - State law establishing privacy rights for Colorado residents and requirements for businesses handling their personal data

GDPR: General Data Protection Regulation - EU's comprehensive data protection law that may apply when transferring data to/from the EU

UK GDPR: United Kingdom General Data Protection Regulation - UK's version of GDPR applicable for data transfers involving the UK

LGPD: Brazilian General Data Protection Law - Brazil's comprehensive data protection law relevant for transfers involving Brazilian data

SCCs: Standard Contractual Clauses - Pre-approved contractual terms for international data transfers, particularly important for EU data transfers

BCRs: Binding Corporate Rules - Internal rules for data transfers within multinational companies approved by privacy regulators

HIPAA: Health Insurance Portability and Accountability Act - Regulates the use and disclosure of healthcare data in the United States

GLBA: Gramm-Leach-Bliley Act - Regulates the collection, use, and disclosure of financial information

FERPA: Family Educational Rights and Privacy Act - Protects the privacy of student education records

COPPA: Children's Online Privacy Protection Act - Regulates the collection and use of personal information from children under 13

Export Control Regulations: Federal regulations controlling the export of sensitive data, technology, and information to foreign countries

Sanctions Regulations: Federal regulations restricting or prohibiting data transfers with certain countries, entities, or individuals

Genie's Security Promise

Genie is the safest place to draft. Here's how we prioritise your privacy and security.

Your data is private:

We do not train on your data; Genie's AI improves independently

All data stored on Genie is private to your organisation

Your documents are protected:

Your documents are protected by ultra-secure 256-bit encryption

We are ISO27001 certified, so your data is secure

Organizational security:

You retain IP ownership of your documents and their information

You have full control over your data and who gets to see it