GDPR Chapter V (Arts. 44–46) prohibits transferring EU personal data outside the EU/EEA unless a lawful transfer mechanism is in place — adequacy decision, Standard Contractual Clauses, or Binding Corporate Rules. Most AI-built applications transfer EU data to the US routinely: a US-hosted database, US-based analytics, a US email provider. Each transfer without a documented mechanism is an independent violation. Post-Schrems II, relying on 'the vendor is reputable' is not a legal basis. Standard Contractual Clauses are included in most major vendor DPAs — but only if those DPAs are accepted. Undocumented transfers are also a disclosure failure under Art. 13(1)(f).
Severity is low because most transfers are covered by SCCs embedded in accepted vendor DPAs — the primary risk is documentation failure rather than actual data exposure, but undocumented transfers remain an independent Art. 44 violation.
Map every international data transfer and confirm the transfer mechanism for each. Document the findings in your privacy policy.
## International Transfers — Transfer Mechanism Audit
| Service | Data Location | Mechanism | Status |
|---------------|---------------|----------------------------------|-----------|
| Supabase DB | EU (eu-west-1)| No transfer — EU hosted | Confirmed |
| Stripe | US | SCCs (included in Stripe DPA) | DPA accepted 2026-01-15 |
| SendGrid | US | SCCs (included in SendGrid DPA) | DPA accepted 2026-01-15 |
| Google GA4 | US | SCCs + EU-US DPF participation | Accepted via GA Admin |
| Vercel CDN | Global | SCCs (Vercel DPA) | DPA accepted 2026-01-15 |
Add to your privacy policy: "We transfer personal data to the United States. Transfers are governed by Standard Contractual Clauses approved by the European Commission, or the EU-US Data Privacy Framework where applicable." Consider EU-region database hosting (Supabase eu-central-1, AWS eu-west-1) to reduce transfer scope.
ID: gdpr-readiness.data-processing.cross-border-safeguards
Severity: low
What to look for: Identify where user data is physically stored and processed. Check database hosting region (Supabase project region, AWS RDS region, PlanetScale region). Check the data center regions of third-party services (most US-based SaaS process EU data in US data centers). For EU-user applications, any transfer of personal data outside the EU/EEA requires a legal transfer mechanism. The three primary mechanisms are: (1) adequacy decision (e.g., EU-US Data Privacy Framework, UK adequacy), (2) Standard Contractual Clauses (SCCs) — included in most major vendor DPAs, (3) Binding Corporate Rules (BCRs). Check whether the privacy policy discloses data transfer destinations and the mechanism used. Count all instances found and enumerate each.
Pass criteria: For each international data transfer (EU data processed outside EU/EEA), a lawful transfer mechanism is documented — either an adequacy decision, SCCs (typically included in the vendor DPA), or BCRs. The privacy policy discloses transfer destinations and mechanisms. Infrastructure choices are documented. At least 1 implementation must be confirmed.
Fail criteria: EU user data is processed outside the EU/EEA with no documented transfer mechanism. Vendor DPAs have not been accepted, meaning no SCCs are in place. Privacy policy does not disclose international transfers.
Skip (N/A) when: All data processing occurs within the EU/EEA — EU-region database hosting, no US-based third-party services processing personal data. Document this clearly if true.
Detail on fail: Example: "Database hosted in US-East. EU user data transferred to US without documented SCCs. Analytics (GA4) and email (SendGrid) also process EU data in the US — no SCCs documented."
Remediation: Document and validate transfer mechanisms for each international transfer:
Transfer Mechanism Steps:
1. Audit your data map: list all services that receive EU personal data and their location.
2. For US-based services: check EU-US Data Privacy Framework participation
   (dataprivacyframework.gov — search for the vendor name).
3. Most major vendor DPAs include SCCs — confirm:
   - Stripe DPA: includes EU SCCs (Module 2, controller-to-processor)
   - Google Workspace/GA4: includes SCCs via Google's data processing terms
   - AWS: SCCs available in AWS Artifact
4. Document in privacy policy:
   "We transfer personal data to the United States and other countries. These transfers
   are governed by Standard Contractual Clauses approved by the European Commission,
   or the EU-US Data Privacy Framework where applicable."
5. Consider EU-region hosting to reduce transfer scope:
   - Supabase: select eu-central-1 region on project creation
   - AWS: use eu-west-1, eu-central-1, or eu-north-1 regions
   - Vercel: enable Edge Network regional routing for EU users
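The audit in steps 1–5 can be encoded as a check over the data map so it reruns whenever a service is added. The script below is an added example, not part of the original checklist; the inventory is constructed to mirror the table above, and the region-prefix list and mechanism names are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass

# Assumed EU/EEA region prefixes (AWS/Supabase eu-*, GCP europe-*)
EU_EEA_REGION_PREFIXES = ("eu-", "europe-")
# Art. 45 adequacy (incl. EU-US DPF), Art. 46 SCCs, Art. 46 BCRs
LAWFUL_MECHANISMS = {"adequacy", "scc", "bcr"}

@dataclass
class Service:
    name: str
    location: str                # cloud region id, "US", "Global", ...
    mechanism: str | None        # "adequacy", "scc", "bcr" or None
    dpa_accepted: bool = False   # SCCs in a vendor DPA bind only once accepted

def is_eu_eea(location: str) -> bool:
    loc = location.strip().lower()
    return loc in {"eu", "eea"} or loc.startswith(EU_EEA_REGION_PREFIXES)

def audit_service(svc: Service) -> tuple[bool, str]:
    """Return (transfer_ok, reason) for one entry of the data map."""
    if is_eu_eea(svc.location):
        return True, "no transfer: EU/EEA hosted"
    if svc.mechanism not in LAWFUL_MECHANISMS:
        return False, "transfer without documented mechanism (Art. 44)"
    if svc.mechanism == "scc" and not svc.dpa_accepted:
        return False, "SCCs sit in an unaccepted DPA: not in place"
    return True, f"transfer covered by {svc.mechanism}"

def audit(inventory: list[Service]) -> dict:
    """Apply the pass / fail / N/A criteria to the whole data map."""
    findings = {s.name: audit_service(s) for s in inventory}
    transfers = [s for s in inventory if not is_eu_eea(s.location)]
    if not transfers:
        verdict = "n/a"      # everything inside EU/EEA: document that fact
    elif all(ok for ok, _ in findings.values()):
        verdict = "pass"
    else:
        verdict = "fail"
    return {"verdict": verdict, "findings": findings}

# Constructed inventory mirroring the audit table; "Global" CDN counts as a transfer
INVENTORY = [
    Service("Supabase DB", "eu-west-1", None),
    Service("Stripe", "US", "scc", dpa_accepted=True),
    Service("SendGrid", "US", "scc", dpa_accepted=True),
    Service("Google GA4", "US", "adequacy", dpa_accepted=True),  # EU-US DPF
    Service("Vercel CDN", "Global", "scc", dpa_accepted=True),
]
```

Run `audit(INVENTORY)` after each vendor change; a `fail` verdict names the service whose transfer lacks a mechanism or whose DPA was never accepted.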