SCC + UK DTA — International data transfers

Last updated: 2026-04-23

This page explains how Confinity moves personal data across borders and which legal instruments we rely on. It supplements our Privacy Policy, the Sub-processors list, and the DPA template.

Why this page exists

Most of Confinity's sub-processors are EU- or UK-hosted by preference. A few — in particular OpenAI and Deepgram — process data in the United States. For those, the lawful mechanism is the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) and/or the UK International Data Transfer Agreement (2022) or the UK Addendum to the EU SCCs.

Which module applies

The SCCs come in four modules. Our typical relationship is Module 2: Controller → Processor. Confinity is the controller; each sub-processor is a processor. | Sub-processor | Location | Module | Addenda | | --- | --- | --- | --- | | OpenAI | United States | 2 | Zero-retention addendum | | Deepgram | United States | 2 | Voice-sample retention = 0s | | AWS | Luxembourg / UK | n/a (EEA) | — | | Cloudflare | Global edge | 2 | UK DTA + EU SCC | | Resend | US (EU residency) | 2 | EU data residency clause | | Stripe | Ireland (EEA) | n/a | — | The full per-row SCC text is attached to each sub-processor agreement and made available on request to enterprise customers.

Key safeguards

Transfer Impact Assessment (TIA) completed and documented before any new cross-border flow.
Supplementary measures where the destination country's surveillance laws materially differ from EEA expectations — typically encryption in transit and at rest, minimisation of on-vendor processing, and zero-retention contracts for AI vendors.
Audit rights on every sub-processor DPA, enforced through annual review.
Notification within 72 hours if a sub-processor is compelled to disclose personal data by a foreign authority.

Controller-to-controller transfers

In a small number of cases (for example, transferring billing data to Stripe for invoicing) a sub-processor acts as an independent controller. Those transfers rely on the controller-to-controller module of the SCCs.

Contact

For the full executed text of the SCCs or UK DTA that governs a specific sub-processor, or to request a copy of the most recent Transfer Impact Assessment, email privacy@confinity.com with the subject "SCC request: [vendor]".

References

Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries under Regulation (EU) 2016/679.
UK International Data Transfer Agreement and UK Addendum to the EU SCCs, March 2022, in force since 21 March 2022.
Schrems II (CJEU C-311/18) — the ruling that requires a case-by-case supplementary-measures assessment for transfers to third countries.

Preparing the pageOne moment - fetching quietly.