Transfer Impact Assessment — Summary
1. Scope and methodology
We apply the six-step EDPB methodology to every personal-data transfer outside the EEA, the UK, or Switzerland:
- Know your transfers. We maintain a transfer register covering every sub-processor location, data category, purpose, volume, sensitivity, and onward-transfer path.
- Identify the transfer tool. We rely on (a) an EU Commission adequacy decision where available (UK Adequacy 2021, Swiss Adequacy 2000, Japan Adequacy 2019, South Korea Adequacy 2021, EU-US Data Privacy Framework 2023 for certified US recipients), or (b) the EU Standard Contractual Clauses (Commission Implementing Decision 2021/914, Module Two controller-to-processor or Module Three processor-to-processor) with the UK International Data Transfer Agreement ("IDTA") or UK Addendum for UK data, and the Swiss FDPIC addendum for Swiss data.
- Assess third-country law and practice. We assess whether the law and practice of the destination country respect the essence of the fundamental rights to privacy and data protection, taking account of the EDPB European Essential Guarantees (EEG) for surveillance measures: (i) clarity and precision of law; (ii) necessity and proportionality; (iii) independent oversight; (iv) effective remedies.
- Identify and adopt supplementary measures. Where the legal assessment shows a gap, we apply contractual, organisational, and technical supplementary measures. Technical measures are prioritised (encryption in transit with TLS 1.2+, encryption at rest with AES-256, limited retention, strict access controls, logging).
- Procedural steps. We document the TIA, obtain sign-off from the Data Protection Officer, and file a copy in the Record of Processing Activities.
- Re-evaluate. We reassess the TIA on any material change in third-country law, on incidents (government access attempts, data breaches), and at least annually.
2. Destinations, legal mechanism, and outcome (summary)
| Transfer destination | Recipient(s) | Primary legal mechanism | Supplementary measures | TIA outcome |
|---|---|---|---|---|
| United States | Google LLC (Firebase, Maps, Cloud), Anthropic PBC (Claude API), Amplitude Inc., Resend Inc., Svix Inc., Shorebird Inc., Stripe Inc., Apple Inc., NCMEC (voluntary CyberTip referrals) | EU-US Data Privacy Framework where the recipient is DPF-certified; otherwise EU SCCs (Module Two or Three as applicable) + UK IDTA/Addendum for UK data | TLS 1.2+ in transit; AES-256 at rest; Zero-Data-Retention (ZDR) with Anthropic (no content stored and no training on user content); Firebase regional data residency in EU-multi-region for primary data stores; Amplitude EU data residency where available; restricted staff access with SSO+MFA; government-access request challenge procedure; breach-notification SLA 24h to SocialGryd | Permitted with supplementary measures. Residual risk assessed as low for non-sensitive categories, moderate for location data (mitigated by coarsening at rest and opt-out controls). |
| United Kingdom | UK-based sub-processors and occasional UK recipients under the Creator Hub OAuth flows; Estonian-controller to UK-processor flows | UK adequacy decision (EU Commission, 28 June 2021, renewed 2025); the UK is also adequate for Swiss FDPIC purposes | Standard technical and organisational measures; not reliant on SCCs while adequacy is in force | Permitted. Monitored quarterly for any change to UK adequacy status. |
| Republic of Ireland | Google Ireland Ltd (Firebase EU endpoint) | Intra-EEA — no transfer for GDPR purposes | N/A | Permitted. |
| India (limited) | Potential Anthropic / Amplitude support access; contractor access under written confidentiality and data-processing terms | EU SCCs + UK IDTA/Addendum as applicable; India has no adequacy decision | Access restricted to pseudonymised metadata; no bulk export; staff background checks; contractual prohibition on onward transfer without notice | Permitted with enhanced monitoring. Reassess if India DPDP Act rules change the risk picture (rules still being finalised). |
| Brazil, Turkey, South Africa, Indonesia, Vietnam, UAE, Saudi Arabia, Nigeria, and other non-adequate countries | Potential local support and payment-flow access (Stripe sub-processors; Apple App Store and Google Play independent controllers) | Relevant EU SCCs; local legal bases (Brazil LGPD Art 33-V international transfer, UAE PDPL transfer mechanisms, etc.) | Minimisation — only transaction metadata where required; no bulk export of user content; explicit consent prompts where local law requires them | Permitted on a per-transfer basis with documented justification. |
| Russia, Belarus, Iran, North Korea, Syria, Cuba, so-called DNR/LNR, Russia-occupied territories of Ukraine | None | Not permitted | Hard geoblock at signup and API layer; see Terms §2c | Not permitted. |
3. US TIA — essential-guarantees analysis
We recognise that US surveillance law (notably FISA §702, Executive Order 12333, and Executive Order 14086 of 7 October 2022 on Enhancing Safeguards for US Signals Intelligence Activities, as implemented by the Attorney General Regulations 28 CFR Part 201 and the Data Protection Review Court) remains a matter of continued scrutiny. We take the following position:
- Necessity and proportionality (EEG 2). EO 14086 introduces proportionality and necessity principles for US signals intelligence, and the DPRC provides a redress mechanism. These are significant improvements over the pre-Schrems-II framework but do not, on their own, render every transfer automatically adequate for every data category.
- Independent oversight (EEG 3). The DPRC and the Civil Liberties Protection Officer at ODNI provide oversight; the EU Commission's adequacy decision of 10 July 2023 found these to be "essentially equivalent." Litigation challenging that decision is ongoing but has not suspended its effect.
- Effective remedies (EEG 4). EU and UK individuals can submit complaints via their national data-protection authority, which will forward them to the DPRC. We signpost this route to users on request.
- Residual risk. For non-sensitive categories (public profile, aggregated metrics) we assess residual risk as low. For sensitive categories (precise location, private messages, biometric data if ever processed) we apply technical supplementary measures (encryption, coarsening, retention limits, ZDR for AI processing) that materially reduce the risk of meaningful access by US authorities.
- Monitoring. We track DPRC case outcomes, EDPB opinions, CJEU litigation, and US agency enforcement actions. A material adverse change triggers reassessment within 30 days.
4. Supplementary measures we apply (technical)
- TLS 1.2+ for data in transit; HTTP Strict Transport Security; certificate pinning on the mobile app where feasible.
- AES-256 encryption at rest for all primary data stores (Firestore, Cloud Storage, Cloud SQL backups).
- Zero-Data-Retention (ZDR) for all Claude API calls (Anthropic contractual commitment): no prompts or completions are stored by Anthropic after the API call returns, and no user content is used for model training.
- Regional data residency in EU-multi-region for Firestore primary collections where the recipient product supports it.
- Retention minimisation and purpose-limited processing (see Privacy Policy §§10-11).
- Pseudonymisation of support tickets and telemetry where technically feasible.
- Role-based access control with SSO + multi-factor authentication for all staff access to production data.
- Immutable access logs; monthly review.
5. Supplementary measures we apply (organisational and contractual)
- Executed Data Processing Addenda with every sub-processor listed on /subprocessors, incorporating the EU SCCs, UK IDTA/Addendum, and Swiss FDPIC annex as applicable.
- Anti-FISA clauses: contractual obligation on US sub-processors to (i) notify us of any government access request to the extent legally permitted, (ii) challenge overbroad or unlawful requests, (iii) produce annual transparency reports.
- Purpose limitation, confidentiality, security, onward-transfer, and breach-notification obligations in every DPA.
- Independent oversight: Data Protection Officer review of every new transfer; DPO authority to halt any transfer that no longer meets the TIA standard.
- Right to audit sub-processors annually on reasonable notice; we accept third-party audit reports (SOC 2 Type II, ISO 27001, ISO 27701) in lieu of on-site audit where the report scope is sufficient.
6. Government-access requests — our policy
- We do not provide law-enforcement, intelligence-service, or other government access to personal data except under valid legal process, reviewed on a case-by-case basis. See our Law Enforcement Guidelines.
- We challenge requests that appear overbroad, unlawful, or inconsistent with the essence of EU fundamental rights.
- Where law permits, we notify affected users.
- We record every request in our Transparency Report pipeline.
- Under the DPA, a sub-processor that receives a government-access request directly (rather than via us) must notify us of it, unless it is legally prohibited from doing so; in that case it must challenge the prohibition and use any lawful channel to alert us indirectly.
7. Review cycle
- Annual full review of every active TIA.
- Ad-hoc reassessment on any of: (a) change in third-country surveillance law; (b) new CJEU judgment on transfer mechanisms; (c) EU Commission adequacy-decision change; (d) material vendor incident; (e) change in sub-processor ownership or sub-processor-of-sub-processor location.
- Business customers are notified of material adverse TIA-outcome changes via the same 14-day sub-processor notification channel (privacy@socialgryd.com).
8. Requesting the full TIA
Business customers and their counsel (Brands, Partners, enterprise Creators) can request the full unredacted TIA covering any specific sub-processor under a mutual non-disclosure agreement. Contact dpo@socialgryd.com with the subject line "TIA Request — [sub-processor name]." We aim to respond within 10 working days.