GDPR Art. 44 prohibits transfers of EU personal data to third countries without an appropriate safeguard — Standard Contractual Clauses (SCCs), Binding Corporate Rules, or a valid adequacy decision such as the EU-US Data Privacy Framework. Most AI-built apps on Supabase, Vercel, or AWS use US-region infrastructure by default and integrate US-based analytics and email services, making every EU user's data a cross-border transfer requiring documentation. GDPR Art. 28 additionally requires written agreements with all processors, which must address the transfer mechanism. ISO-27001:2022 A.5.34 requires privacy controls to account for jurisdictional data flow restrictions. Undocumented transfers are a standalone violation even if the underlying data handling is otherwise lawful.
Medium because the violation is procedural rather than immediately harmful, but unresolved cross-border transfer gaps expose the business to enforcement action that can prohibit data processing entirely until remediated.
Inventory every service that touches EU personal data, then sign or accept each vendor's DPA and confirm SCCs are included. Most major vendors publish DPA acceptance flows in their account settings.
Cross-border transfer checklist:
1. Identify data flows: database region (Supabase → which region?), email (SendGrid US?), analytics (GA4 → Google US servers)
2. For each service:
- Stripe DPA: stripe.com/legal/dpa (SCCs included)
- SendGrid DPA: sendgrid.com/policies/dpa
- Google (GA4): business.safety.google/adsprocessorterms
- Vercel DPA: vercel.com/legal/dpa
3. Accept each DPA via account settings or by emailing legal@vendor.com
4. Log in your data register: service, data shared, DPA date, transfer mechanism
5. Add to privacy policy: "We transfer data to [country] governed by SCCs approved by the European Commission."
Alternatively, provision EU-region infrastructure (Supabase EU, AWS eu-west-1) to reduce the volume of transfers requiring documentation.
ID: data-protection.storage-retention.cross-border-transfers
Severity: medium
What to look for: Identify where data is physically stored and processed. Check the database hosting region (Supabase project region, AWS RDS region, PlanetScale region). Check backup locations. Identify all third-party services that receive personal data (analytics, email, payment, support) and determine where they process it. For EU-based users: any data leaving the EU/EEA requires a legal transfer mechanism. Check third-party DPAs for their transfer mechanism (most major vendors — Stripe, SendGrid, Google, AWS — publish their SCCs). Check whether the application's privacy policy discloses data transfer locations and the legal mechanism used.
Pass criteria: At least one of the following conditions is met. If data crosses jurisdictions (e.g., EU data processed on US servers), Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs), or a valid adequacy decision (e.g., EU-US Data Privacy Framework) is documented and in place for all parties in the data chain. Privacy policy discloses data transfer destinations.
Fail criteria: EU user data is processed outside the EU/EEA with no documented transfer mechanism. Third-party services that receive EU personal data have no signed DPA with SCCs.
Skip (N/A) when: All data processing occurs within the primary jurisdiction (e.g., purely EU-based company with all services hosted in EU, processing only EU users' data with no US-based third parties).
Detail on fail: Example: "Database hosted in US-East (Supabase default). EU user data transferred without documented SCCs. Analytics (Google Analytics) and email (SendGrid) also process EU data — DPAs with SCCs not documented."
Remediation: For EU-to-US transfers, ensure SCCs are in place with each third-party processor:
Steps to establish transfer compliance:
1. Inventory all third-party services that receive personal data and their data locations
2. For each service: check their DPA page (usually at vendor.com/legal/dpa or /privacy/dpa)
- Stripe DPA: stripe.com/legal/dpa (includes SCCs for EU-US transfers)
- SendGrid DPA: sendgrid.com/policies/dpa
- Google Analytics: business.safety.google/adsprocessorterms
- AWS: aws.amazon.com/compliance/gdpr-center
3. Sign/accept each DPA (often done via account settings or by emailing legal@vendor.com)
4. Document in your data register: service name, data type shared, DPA signed date, transfer mechanism
5. Add to privacy policy: "We transfer data to [country] for [purpose]. Transfer is governed by Standard Contractual Clauses approved by the European Commission."
If you control your hosting, consider using EU-region infrastructure (Supabase EU, AWS eu-west-1) to reduce the number of transfers requiring documentation.
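The data register from step 4 can be checked mechanically against the pass, fail and skip criteria above. The following is an added example, not part of this rule or any vendor's tooling; the register rows, country codes and DPA dates are constructed, and the EEA list and accepted mechanisms (SCC, BCR, adequacy decision) are assumptions drawn from the criteria text.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

# EU/EEA member states (ISO 3166-1 alpha-2): the 27 EU states plus
# Iceland, Liechtenstein and Norway. Data staying inside this set is not a transfer.
EEA = {
    "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR",
    "HU", "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK",
    "SI", "ES", "SE", "IS", "LI", "NO",
}
# Transfer mechanisms the pass criteria accept.
VALID_MECHANISMS = {"SCC", "BCR", "ADEQUACY"}

@dataclass
class Flow:
    """One row of the data register: service, data shared, location, DPA, mechanism."""
    service: str                      # e.g. "Supabase (database)"
    data: str                         # personal data shared
    country: str                      # where it is stored/processed, ISO alpha-2
    eu_subjects: bool                 # does this flow carry EU/EEA users' data?
    mechanism: Optional[str] = None   # "SCC", "BCR", "ADEQUACY" or None
    dpa_date: Optional[str] = None    # date the DPA was signed/accepted, if any

def check_transfers(register: list[Flow]) -> tuple[str, list[str]]:
    """Return ("pass" | "fail" | "skip", findings) for the cross-border rule."""
    outbound = [f for f in register
                if f.eu_subjects and f.country.upper() not in EEA]
    if not outbound:
        # Skip (N/A): all EU personal data stays within the EU/EEA.
        return "skip", ["All EU personal data is processed within the EU/EEA."]
    findings = []
    for f in outbound:
        if f.mechanism not in VALID_MECHANISMS:
            findings.append(f"{f.service}: EU data processed in {f.country} "
                            f"with no documented transfer mechanism")
        elif f.dpa_date is None:
            findings.append(f"{f.service}: {f.mechanism} claimed but no signed DPA recorded")
    return ("fail" if findings else "pass"), findings

# Constructed sample register mirroring the "Detail on fail" example above.
SAMPLE_REGISTER = [
    Flow("Supabase (database)", "account records", "US", True),
    Flow("Stripe (payments)", "billing details", "US", True, "SCC", "2024-01-15"),
    Flow("SendGrid (email)", "email addresses", "US", True, "SCC"),
    Flow("Hetzner (backups)", "database backups", "DE", True),
]

if __name__ == "__main__":
    status, notes = check_transfers(SAMPLE_REGISTER)
    print(status, *notes, sep="\n")
```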