Binding policy. Plain language where we can. No surprises buried in footnotes.Last updated: 2026-04-23
We publish changes here before they take effect.
This page explains how Confinity moves personal data across borders and which legal instruments we rely on. It supplements our Privacy Policy, the Sub-processors list, and the DPA template.
Why this page exists
Most of Confinity's sub-processors are EU- or UK-hosted by preference. A few — in particular OpenAI and Deepgram — process data in the United States. For those, the lawful mechanism is the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) and/or the UK International Data Transfer Agreement (2022) or the UK Addendum to the EU SCCs.
Which module applies
The SCCs come in four modules. Our typical relationship is Module 2: Controller → Processor. Confinity is the controller; each sub-processor is a processor.| Sub-processor | Location | Module | Addenda |
| --- | --- | --- | --- |
| OpenAI | United States | 2 | Zero-retention addendum |
| Deepgram | United States | 2 | Voice-sample retention = 0s |
| AWS | Luxembourg / UK | n/a (EEA) | — |
| Cloudflare | Global edge | 2 | UK DTA + EU SCC |
| Resend | US (EU residency) | 2 | EU data residency clause |
| Stripe | Ireland (EEA) | n/a | — |The full per-row SCC text is attached to each sub-processor agreement and made available on request to enterprise customers.
Key safeguards
Transfer Impact Assessment (TIA) completed and documented before any new cross-border flow.
Supplementary measures where the destination country's surveillance laws materially differ from EEA expectations — typically encryption in transit and at rest, minimisation of on-vendor processing, and zero-retention contracts for AI vendors.
Audit rights on every sub-processor DPA, enforced through annual review.
Notification within 72 hours if a sub-processor is compelled to disclose personal data by a foreign authority.
Controller-to-controller transfers
In a small number of cases (for example, transferring billing data to Stripe for invoicing) a sub-processor acts as an independent controller. Those transfers rely on the controller-to-controller module of the SCCs.
Contact
For the full executed text of the SCCs or UK DTA that governs a specific sub-processor, or to request a copy of the most recent Transfer Impact Assessment, email privacy@confinity.com with the subject "SCC request: [vendor]".
References
Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries under Regulation (EU) 2016/679.
UK International Data Transfer Agreement and UK Addendum to the EU SCCs, March 2022, in force since 21 March 2022.
Schrems II (CJEU C-311/18) — the ruling that requires a case-by-case supplementary-measures assessment for transfers to third countries.