Scope
This procedure applies to any transfer of personal data from a sender in the EEA, the UK, or Switzerland to:
- Neuroscale’s US-based AWS infrastructure (production, backups, logs).
- Neuroscale’s US-based Vultr infrastructure (production compute, Vultr Object Storage).
- Neuroscale employees or contractors located outside the EEA/UK/Switzerland accessing the data.
- Sub-processors located outside the EEA/UK/Switzerland.
- Any onward transfer from any of the above.
Transfer mechanisms — order of preference
Neuroscale uses the following mechanisms, in priority order:
1. Adequacy decision
Where the recipient country is the subject of a European Commission adequacy decision (Art. 45) or the equivalent UK / Swiss adequacy regulation, no further mechanism is required. Adequate jurisdictions as of this writing include the UK, Switzerland, Japan, South Korea, Canada (commercial), New Zealand, Israel, and the United States for organizations certified under the EU-US Data Privacy Framework.
2. EU-US Data Privacy Framework (DPF)
For US-bound transfers, Neuroscale’s primary mechanism is certification under the EU-US Data Privacy Framework, including the UK Extension and the Swiss-US DPF, administered by the US Department of Commerce.
- DPF certification status: As of the effective date of this procedure, Neuroscale is not yet certified under the EU-US Data Privacy Framework, the UK Extension, or the Swiss-US DPF. The General Counsel files Neuroscale’s initial self-certification at dataprivacyframework.gov prior to the first live EU/UK/Swiss data flow into Neuroscale’s US operations; until then, the SCC route below (with the UK IDTA addendum and the Swiss FDPIC adoption notes) is the operative mechanism. Annual recertification is required by 31 U.S.C. §7016 and the DPF Principles; the Privacy Officer (General Counsel) sets a recurring recertification reminder in the Compliance Calendar 30 days before the certification anniversary and submits the recertification through the DPF portal before the anniversary lapses. The Trust Center and the Privacy Notice are updated to reflect DPF status only after a successful certification confirmation is received from the U.S. Department of Commerce.
- Where Neuroscale is DPF-certified for the categories of data at issue, the DPF is a self-sufficient transfer mechanism for transfers from the EEA/UK/Switzerland to Neuroscale’s US operations.
- Onward transfers from Neuroscale to non-DPF-certified recipients require an additional mechanism (typically SCCs).
3. Standard Contractual Clauses (SCCs)
For transfers not covered by adequacy or the DPF — and as a belt-and-suspenders measure for some DPF transfers — Neuroscale relies on the EU Commission’s modular SCCs adopted by Commission Implementing Decision (EU) 2021/914 of 4 June 2021:

| Module | When used |
|---|---|
| Module One — controller-to-controller | When Neuroscale (controller) shares personal data with another controller in a third country (rare for Neuroscale) |
| Module Two — controller-to-processor | When an EEA customer (controller) is sending data to Neuroscale (processor) — built into our Customer DPA template |
| Module Three — processor-to-processor | When Neuroscale (processor for an EEA customer) onward-transfers to a sub-processor — built into our sub-processor agreements |
| Module Four — processor-to-controller | When Neuroscale returns data to an EEA controller (rare) |
4. UK Addendum / IDTA
For transfers originating in the UK, Neuroscale appends to the SCCs either the International Data Transfer Addendum to the EU SCCs (the “UK Addendum”) or the standalone International Data Transfer Agreement (IDTA), both as published by the UK Information Commissioner’s Office (ICO) and in force from March 2022.
5. Swiss revisions
For transfers originating in Switzerland, Neuroscale follows the Swiss Federal Data Protection and Information Commissioner (FDPIC) guidance: the EU SCCs are used with Swiss-specific modifications (replace references to the GDPR with the revFADP, replace “EU” / “Member State” with “Switzerland” or the appropriate authority, recognize legal-person data in scope under Swiss law where applicable until repeal).
6. Derogations (Art. 49)
Used only as a last resort, on a case-by-case basis, with General Counsel sign-off, where no other mechanism is available — explicit informed consent, contract necessity, important reasons of public interest, legal claims, vital interests, or the limited-occasional-non-repetitive derogation. Binding Corporate Rules (BCRs) are not currently in scope for Neuroscale.
Transfer Impact Assessment (TIA)
Following the CJEU’s judgment in Schrems II (C-311/18) and the EDPB’s Recommendations 01/2020 on supplementary measures, every transfer relying on SCCs (or the UK Addendum / IDTA) requires a Transfer Impact Assessment documenting:
- The transfer itself — exporter, importer, categories of data, categories of data subjects, purpose, frequency, format (in clear or pseudonymized).
- The legal regime in the recipient country — relevant surveillance laws, government-access powers, redress mechanisms, judicial-review rights. For US importers, this includes FISA §702, EO 12333, EO 14086 (the redress mechanism agreed in the DPF context), and CLOUD Act considerations.
- The likelihood of access in practice given the importer’s sector, the data type, and the relevant authorities’ track record.
- Supplementary measures:
  - Technical — strong encryption in transit (TLS 1.2+) and at rest (AWS KMS), pseudonymization where feasible, no clear-text access by personnel in third countries with disproportionate surveillance, key management with the data exporter or in an adequate jurisdiction where required.
  - Contractual — government-access challenge clauses (already in the SCCs), audit rights, transparency reports, notification of access requests where lawful.
  - Organizational — strict access controls (see Access Management), training on government-access requests, internal escalation procedures, publication of transparency report.
- Conclusion — whether the transfer can proceed, with which supplementary measures, and any residual risk.
Sub-processor onboarding
When Neuroscale engages a sub-processor that may receive personal data of EEA/UK/Swiss data subjects, the Vendor Risk Assessment is augmented with:
- Confirmation of the sub-processor’s location(s) and any third-country processing.
- Execution of SCCs Module Three (processor-to-processor), or, where the sub-processor is a controller, Module One.
- UK Addendum / IDTA for UK-origin data.
- Swiss revisions for Swiss-origin data.
- A TIA (above) before go-live.
- Listing on the public Subprocessor List, with the location and SCC mechanism noted.
Customer DPAs (Neuroscale as processor)
For our SaaS product, Neuroscale is the processor and the customer is the controller. Neuroscale’s Customer DPA template:
- Incorporates SCCs Module Two by reference, pre-completed where possible.
- Attaches the UK Addendum and Swiss-revisions language.
- Names the categories of data, data subjects, processing operations, and retention.
- Lists current sub-processors by reference to the public list.
- Commits Neuroscale to assist the customer with DSRs (see Data Subject Rights).
Roles and responsibilities
| Role | Responsibility |
|---|---|
| General Counsel (Privacy Officer; also acting as voluntary DPO — see DPO independence note) | Approves transfer mechanisms; signs SCCs and IDTAs; owns TIA program; liaison to EEA supervisory authorities. If Art. 37 mandatory DPO is later triggered, an independent DPO is retained. |
| CISO | Maintains the list of cross-border data flows; assesses technical supplementary measures; signs technical sections of TIAs |
| CFO | Owns contract execution and counter-signature workflow |
| CTO | Maintains the customer-facing DPA workflow |
Records
The following records are maintained:
- Signed SCCs, UK Addenda, IDTAs, DPF self-certifications — retained for the life of the underlying processing + 6 years. See Records Retention Schedule.
- TIAs — retained for 6 years from the end of the underlying transfer.
- Sub-processor list (current) — published.
- Sub-processor change-notice log — retained for 3 years.
- Government data-access requests received and Neuroscale’s response — retained permanently. Aggregate statistics are published in a public transparency report on the Trust Center on a semi-annual cadence (covering the calendar half-years Jan–Jun and Jul–Dec), released within 60 days of the end of each reporting period, where publication is lawful and not under non-disclosure obligation. The report includes: number of requests received, number complied with in whole or in part, number rejected on legal grounds, request types (subpoena, court order, search warrant, NSL, MLAT, foreign-government request), and country of requestor. Where a non-disclosure order or sealing requirement prevents disclosure of a specific request, the request is excluded from the published count and a footnote indicates that gagged requests exist. The Privacy Officer (General Counsel) drafts the report and the CEO approves before publication.
Cross-references
- Third-Party Management Policy
- Vendor Risk Assessment
- Data Management Policy
- Data Subject Rights Procedure
- DPIA Procedure
- Records Retention Schedule
- Subprocessor List
- Customer DPA template
Version history
| Version | Date | Description | Author | Approved by |
|---|---|---|---|---|
| 1.0 | May 8, 2026 | Initial version | Cameron Wolfe | Ishan Jadhwani |