Transfer Impact Assessment
Assessment of international data transfers to third countries
Executive Summary
MultiComply transfers personal data to third countries (primarily the United States) through our subprocessors. Following the Schrems II judgment (CJEU C-311/18), we have conducted this Transfer Impact Assessment to evaluate the lawfulness and security of these transfers.
Overall Conclusion
Based on our assessment, the international data transfers conducted by MultiComply are lawful under GDPR Chapter V when considering:
- Standard Contractual Clauses are in place with all recipients
- Technical supplementary measures (encryption) prevent access to data in the clear
- All recipients maintain robust security certifications
- Data minimization principles are applied
- Recipients have committed to challenging unlawful government requests
Individual Transfer Assessments
Supabase Inc.
United States
Purpose of Transfer
Encrypted database backups for disaster recovery
Data Categories
- User account data (name, email)
- Generated documents
- Activity logs
- Form responses
Legal Basis for Transfer
Standard Contractual Clauses (EU Commission 2021/914, Module 2)
Third Country Laws Assessment (US)
Supplementary Measures Applied:
- All data encrypted at rest with AES-256 (keys stored in EU)
- Encryption in transit with TLS 1.3
- Supabase cannot decrypt data without EU-held keys
- Access controls limiting US personnel access to encrypted data only
- Supabase has committed to challenging unlawful government requests
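The measure that carries this assessment, encrypting backups with keys that stay in the EU so the US recipient holds only ciphertext, is illustrated below. This is an added example written for this page, not code from MultiComply or Supabase; the function names, the constructed backup content, and the assumption that `NewBackupKey` runs and stores its key only on the EU side are all hypothetical.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// NewBackupKey generates a 32-byte AES-256 key. In the arrangement described
// above this key is created and stored in the EU and is never shipped with
// the backup (assumption for this example).
func NewBackupKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// EncryptBackup seals a backup under the EU-held key with AES-256-GCM.
// The returned blob (nonce || ciphertext || tag) is the only thing the
// third-country storage provider receives.
func EncryptBackup(key, plaintext []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and authentication tag after the nonce.
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// DecryptBackup opens a blob produced by EncryptBackup. It fails on a wrong
// key and on any modification of the stored blob, because GCM authenticates
// the ciphertext before returning plaintext.
func DecryptBackup(key, blob []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short")
	}
	nonce, ciphertext := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ciphertext, nil)
}

// RecipientCanRead reports whether a given plaintext record is visible in the
// stored blob, i.e. what the US-side recipient could learn by inspecting it.
func RecipientCanRead(blob, record []byte) bool {
	return bytes.Contains(blob, record)
}

func main() {
	// Constructed sample backup content; not real user data.
	backup := []byte("id,name,email\n1,Alice Example,alice@example.org\n")

	key, err := NewBackupKey() // EU side
	if err != nil {
		panic(err)
	}
	blob, err := EncryptBackup(key, backup) // sent to the US recipient
	if err != nil {
		panic(err)
	}
	fmt.Println("recipient can read email:", RecipientCanRead(blob, []byte("alice@example.org")))

	restored, err := DecryptBackup(key, blob) // disaster recovery, EU side
	if err != nil {
		panic(err)
	}
	fmt.Println("restore matches:", bytes.Equal(restored, backup))
}
```

Two properties matter for the assessment: with the key absent, the recipient cannot recover any record from the blob, and with the key present the backup restores exactly. The GCM tag additionally turns any alteration of the stored blob into a decryption failure rather than a silently corrupted restore.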
Stripe, Inc.
United States
Purpose of Transfer
Payment processing and subscription management
Data Categories
- Name and email
- Billing address
- Payment card details (tokenized)
- Transaction history
Legal Basis for Transfer
Standard Contractual Clauses (EU Commission 2021/914, Module 2)
Third Country Laws Assessment (US)
Supplementary Measures Applied:
- Card data is tokenized; raw card numbers are never stored or transmitted
- PCI-DSS Level 1 compliance (highest security standard)
- Strong Customer Authentication (SCA) for EU payments
- Data minimization; only the payment data necessary for the transaction is processed
- Stripe has robust legal challenge procedures
Cloudflare, Inc.
United States (Global Edge Network)
Purpose of Transfer
Security services, CAPTCHA, DDoS protection
Data Categories
- IP addresses
- Browser fingerprints
- Request metadata
- User agent strings
Legal Basis for Transfer
Standard Contractual Clauses + Binding Corporate Rules
Third Country Laws Assessment (US)
Supplementary Measures Applied:
- Only metadata processed (no document content)
- Turnstile CAPTCHA is privacy-first (no tracking cookies)
- Data automatically deleted after short retention period
- Cloudflare has BCRs approved by EU DPAs
- EU traffic primarily processed in EU data centers
Assessment Methodology
This Transfer Impact Assessment follows the methodology recommended by the European Data Protection Board (EDPB) in Recommendations 01/2020 on measures that supplement transfer tools.
Step 1: Know Your Transfers
Mapped all transfers to third countries via subprocessors
Step 2: Identify Transfer Tools
Verified SCCs and BCRs are in place with all recipients
Step 3: Assess Third Country Laws
Analyzed US surveillance laws (FISA 702, CLOUD Act) applicability
Step 4: Supplementary Measures
Implemented technical measures (encryption) to prevent access to data in the clear
Questions About Data Transfers
If you have questions about our international data transfers or wish to request copies of our Data Processing Agreements with subprocessors, please contact us:
This Transfer Impact Assessment is reviewed semi-annually or when significant changes occur to our data transfer arrangements.
Last updated: November 25, 2025