GDPR Articles 44-49 | Schrems II

Transfer Impact Assessment

Assessment of international data transfers to third countries

Executive Summary

MultiComply transfers personal data to third countries (primarily the United States) through our subprocessors. Following the Schrems II judgment (CJEU C-311/18), we have conducted this Transfer Impact Assessment to evaluate the lawfulness and security of these transfers.

Transfers Assessed

EU-US DPF Certified

With Supplementary Measures

Overall Conclusion

Based on our assessment, the international data transfers conducted by MultiComply are lawful under GDPR Chapter V, relying on the following transfer mechanisms:

EU-US Data Privacy Framework adequacy decision for DPF-certified recipients
Standard Contractual Clauses incorporated in processor Data Processing Agreements
Technical supplementary measures including encryption at rest and in transit
All recipients maintain robust security certifications (SOC 2, ISO 27001, PCI-DSS)
Data minimization principles are applied across all transfers

Individual Transfer Assessments

Supabase Inc.

United States

MEDIUM RISK

Purpose of Transfer

Encrypted database backups for disaster recovery

Data Categories

• User account data (name, email)
• Generated documents
• Activity logs
• Form responses

Legal Basis for Transfer

Standard Contractual Clauses (EU Commission 2021/914) incorporated in Supabase DPA

Protected by SCCs

Third Country Laws Assessment (US)

FISA 702:Potentially applicable (Supabase is a US company)

CLOUD Act:Potentially applicable

Technical Measures Available:

All data encrypted at rest with AES-256 (keys stored in EU)
Encryption in transit with TLS 1.3
Supabase cannot decrypt data without EU-held keys
Access controls limiting US personnel access to encrypted data only
Supabase has committed to challenging unlawful government requests

ISO 27001

SOC 2 Type II

HIPAA

Last assessed: 2025-11-25 | Next review: 2026-05-25

Stripe, Inc.

United States

LOW RISK

Purpose of Transfer

Payment processing and subscription management

Data Categories

• Name and email
• Billing address
• Payment card details (tokenized)
• Transaction history

Legal Basis for Transfer

EU-US Data Privacy Framework (DPF) certified + SCCs as backup mechanism

Protected by DPF

Protected by SCCs

Third Country Laws Assessment (US)

FISA 702:Potentially applicable

CLOUD Act:Potentially applicable

Technical Measures Available:

Card data tokenized - raw card numbers never stored or transmitted
PCI-DSS Level 1 compliance (highest security standard)
Strong Customer Authentication (SCA) for EU payments
Data minimization - only necessary payment data processed
Stripe has robust legal challenge procedures

PCI-DSS Level 1

SOC 2 Type II

ISO 27001

Last assessed: 2025-11-25 | Next review: 2026-05-25

Cloudflare, Inc.

United States (Global Edge Network)

LOW RISK

Purpose of Transfer

Security services, CAPTCHA, DDoS protection

Data Categories

• IP addresses
• Browser fingerprints
• Request metadata
• User agent strings

Legal Basis for Transfer

EU-US Data Privacy Framework (DPF) certified + EU-approved Binding Corporate Rules

Protected by DPF

Protected by SCCs

BCRs Approved

Third Country Laws Assessment (US)

FISA 702:Limited applicability (metadata only, no content)

CLOUD Act:Potentially applicable

Technical Measures Available:

Only metadata processed (no document content)
Turnstile CAPTCHA is privacy-first (no tracking cookies)
Data automatically deleted after short retention period
Cloudflare has BCRs approved by EU DPAs
EU traffic primarily processed in EU data centers

ISO 27001

SOC 2 Type II

EU BCRs

EU Cloud CoC

Last assessed: 2025-11-25 | Next review: 2026-05-25

Assessment Methodology

This Transfer Impact Assessment follows the methodology recommended by the European Data Protection Board (EDPB) in Recommendations 01/2020 on measures that supplement transfer tools.

Step 1: Know Your Transfers

Mapped all transfers to third countries via subprocessors

Step 2: Identify Transfer Tools

Verified SCCs and BCRs are in place with all recipients

Step 3: Assess Third Country Laws

Analyzed US surveillance laws (FISA 702, CLOUD Act) applicability

Step 4: Supplementary Measures

Implemented technical measures (encryption) to prevent access in clear

Legal References

Questions About Data Transfers

If you have questions about our international data transfers or wish to request copies of our Data Processing Agreements with subprocessors, please contact us:

Contact Privacy Team

Transfer Impact Assessment

Assessment of international data transfers to third countries

Executive Summary

Transfers Assessed

EU-US DPF Certified

With Supplementary Measures

Overall Conclusion

Based on our assessment, the international data transfers conducted by MultiComply are lawful under GDPR Chapter V, relying on the following transfer mechanisms:

EU-US Data Privacy Framework adequacy decision for DPF-certified recipients
Standard Contractual Clauses incorporated in processor Data Processing Agreements
Technical supplementary measures including encryption at rest and in transit
All recipients maintain robust security certifications (SOC 2, ISO 27001, PCI-DSS)
Data minimization principles are applied across all transfers

Individual Transfer Assessments

Supabase Inc.

United States

MEDIUM RISK

Purpose of Transfer

Encrypted database backups for disaster recovery

Data Categories

• User account data (name, email)
• Generated documents
• Activity logs
• Form responses

Legal Basis for Transfer

Standard Contractual Clauses (EU Commission 2021/914) incorporated in Supabase DPA

Protected by SCCs

Third Country Laws Assessment (US)

FISA 702:Potentially applicable (Supabase is a US company)

CLOUD Act:Potentially applicable

Technical Measures Available:

All data encrypted at rest with AES-256 (keys stored in EU)
Encryption in transit with TLS 1.3
Supabase cannot decrypt data without EU-held keys
Access controls limiting US personnel access to encrypted data only
Supabase has committed to challenging unlawful government requests

ISO 27001

SOC 2 Type II

HIPAA

Last assessed: 2025-11-25 | Next review: 2026-05-25

Stripe, Inc.

United States

LOW RISK

Purpose of Transfer

Payment processing and subscription management

Data Categories

• Name and email
• Billing address
• Payment card details (tokenized)
• Transaction history

Legal Basis for Transfer

EU-US Data Privacy Framework (DPF) certified + SCCs as backup mechanism

Protected by DPF

Protected by SCCs

Third Country Laws Assessment (US)

FISA 702:Potentially applicable

CLOUD Act:Potentially applicable

Technical Measures Available:

Card data tokenized - raw card numbers never stored or transmitted
PCI-DSS Level 1 compliance (highest security standard)
Strong Customer Authentication (SCA) for EU payments
Data minimization - only necessary payment data processed
Stripe has robust legal challenge procedures

PCI-DSS Level 1

SOC 2 Type II

ISO 27001

Last assessed: 2025-11-25 | Next review: 2026-05-25

Cloudflare, Inc.

United States (Global Edge Network)

LOW RISK

Purpose of Transfer

Security services, CAPTCHA, DDoS protection

Data Categories

• IP addresses
• Browser fingerprints
• Request metadata
• User agent strings

Legal Basis for Transfer

EU-US Data Privacy Framework (DPF) certified + EU-approved Binding Corporate Rules

Protected by DPF

Protected by SCCs

BCRs Approved

Third Country Laws Assessment (US)

FISA 702:Limited applicability (metadata only, no content)

CLOUD Act:Potentially applicable

Technical Measures Available:

Only metadata processed (no document content)
Turnstile CAPTCHA is privacy-first (no tracking cookies)
Data automatically deleted after short retention period
Cloudflare has BCRs approved by EU DPAs
EU traffic primarily processed in EU data centers

ISO 27001

SOC 2 Type II

EU BCRs

EU Cloud CoC

Last assessed: 2025-11-25 | Next review: 2026-05-25

Assessment Methodology

This Transfer Impact Assessment follows the methodology recommended by the European Data Protection Board (EDPB) in Recommendations 01/2020 on measures that supplement transfer tools.

Step 1: Know Your Transfers

Mapped all transfers to third countries via subprocessors

Step 2: Identify Transfer Tools

Verified SCCs and BCRs are in place with all recipients

Step 3: Assess Third Country Laws

Analyzed US surveillance laws (FISA 702, CLOUD Act) applicability

Step 4: Supplementary Measures

Implemented technical measures (encryption) to prevent access in clear

Legal References

Questions About Data Transfers

If you have questions about our international data transfers or wish to request copies of our Data Processing Agreements with subprocessors, please contact us:

Contact Privacy Team

Transfer Impact Assessment

Executive Summary

Overall Conclusion

Individual Transfer Assessments

Supabase Inc.

Purpose of Transfer

Data Categories

Legal Basis for Transfer

Third Country Laws Assessment (US)

Technical Measures Available:

Stripe, Inc.

Purpose of Transfer

Data Categories

Legal Basis for Transfer

Third Country Laws Assessment (US)

Technical Measures Available:

Cloudflare, Inc.

Purpose of Transfer

Data Categories

Legal Basis for Transfer

Third Country Laws Assessment (US)

Technical Measures Available:

Assessment Methodology

Step 1: Know Your Transfers

Step 2: Identify Transfer Tools

Step 3: Assess Third Country Laws

Step 4: Supplementary Measures

Legal References

Questions About Data Transfers

Related Documents

Transfer Impact Assessment

Executive Summary

Overall Conclusion

Individual Transfer Assessments

Supabase Inc.

Purpose of Transfer

Data Categories

Legal Basis for Transfer

Third Country Laws Assessment (US)

Technical Measures Available:

Stripe, Inc.

Purpose of Transfer

Data Categories

Legal Basis for Transfer

Third Country Laws Assessment (US)

Technical Measures Available:

Cloudflare, Inc.

Purpose of Transfer

Data Categories

Legal Basis for Transfer

Third Country Laws Assessment (US)

Technical Measures Available:

Assessment Methodology

Step 1: Know Your Transfers

Step 2: Identify Transfer Tools

Step 3: Assess Third Country Laws

Step 4: Supplementary Measures

Legal References

Questions About Data Transfers

Related Documents