International Data Transfers

SCC Annex Details

Annex I: Parties and Transfer Details

• Data Exporter: You (User/Customer) acting as data controller
• Data Importer: KC Meta Ventures, Inc. (operating Clients.ai) and authorized sub-processors acting as processors
• Data Subjects: Your customers, leads, contacts, and end-users whose personal data you process using the Services
• Categories of Data: As specified in Privacy Policy Section 3 and this page (contact information, usage data, communications, payment data)
• Sensitive Data: None intentionally collected (Users prohibited from processing special category data under GDPR Article 9 via the Services)
• Processing Frequency: Continuous for duration of subscription
• Competent Supervisory Authority: Irish Data Protection Commission (lead supervisory authority for cross-border processing under GDPR one-stop-shop mechanism for EEA data subjects); for UK data subjects, UK Information Commissioner's Office

Annex II: Technical and Organizational Measures (TOMs)

Clients.ai implements the following security measures as detailed in our Security Policy:

• Encryption: AES-256 encryption at rest, TLS 1.3 in transit
• Access Controls: Role-based access controls (RBAC), principle of least privilege, multi-factor authentication (MFA) support
• Audit Logging: Comprehensive audit logs retained for 12 months minimum
• Security Certifications: SOC 2 Type II certified controls, ISO 27001 certification (in progress)
• Penetration Testing: Annual third-party penetration testing and vulnerability assessments
• Pseudonymization: PII pseudonymized where feasible for analytics and AI training
• Incident Response: Security incident response plan with 72-hour breach notification commitment (GDPR Article 33 alignment)
• Employee Training: Mandatory annual data protection and security training for all personnel with data access

Annex III: Sub-Processors

Current list of sub-processors with access to personal data transferred to third countries:

• Amazon Web Services (AWS) - USA - Cloud infrastructure, compute, storage
• OpenAI, Inc. - USA - AI model inference, content generation (pseudonymized data only)
• Stripe, Inc. - USA/Ireland - Payment processing (dual processing with EU entity Stripe Payments Europe, Ltd.)
• SendGrid (Twilio Inc.) - USA - Transactional email delivery

For complete sub-processor list including EEA-based processors, see clients.ai/legal/sub-processors.

SCC Governing Law and Jurisdiction

• Clause 17 (Governing Law): SCCs governed by the law of the EU Member State where you (data exporter) are established. For non-EU data exporters, Irish law applies as the fallback governing law.
• Clause 18 (Jurisdiction): Courts of the EU Member State where you are established have jurisdiction to resolve SCC disputes. For non-EU data exporters, courts of Ireland have exclusive jurisdiction.
• Third-Party Beneficiary Rights: Data subjects are third-party beneficiaries under Clauses 3, 11, and 18 and may enforce their rights directly against the data importer and/or data exporter.

Step 1: Legal Framework Analysis (USA)

Assessment of U.S. surveillance laws and government access frameworks:

FISA Section 702 (Foreign Intelligence Surveillance Act)

• Risk: FISA Section 702 permits NSA and FBI to collect electronic communications of non-U.S. persons located outside the United States without individualized warrants (targeting "foreign intelligence information")
• Assessment: Clients.ai data unlikely to be of interest to U.S. intelligence agencies
  • Data type: B2B SaaS usage data (LinkedIn automation, marketing analytics) - not communications content, not personal communications, not politically sensitive
  • No evidence of FISA Section 702 bulk collection targeting similar B2B marketing SaaS platforms
  • Our user base and data categories do not align with "foreign intelligence information" targeting criteria
• Conclusion: Risk assessed as LOW for FISA Section 702 targeting

Executive Order 12333

• Risk: Executive Order 12333 authorizes intelligence collection activities outside the United States with minimal court oversight; potential for incidental collection of data in transit
• Mitigation: End-to-end encryption (TLS 1.3 in transit, AES-256 at rest) reduces exploitability of any incidentally collected encrypted data
• Conclusion: Residual risk remains but encrypted data provides strong technical barrier to unauthorized access

CLOUD Act (Clarifying Lawful Overseas Use of Data Act)

• Risk: CLOUD Act allows U.S. law enforcement to compel U.S.-based service providers to produce data stored anywhere in the world, subject to legal process (court orders, subpoenas)
• Assessment:
  • Lawful legal process required (not warrantless bulk access)
  • Clients.ai has received ZERO national security letters, FISA orders, or law enforcement data requests since launch (2022) - see Transparency Report
  • AWS Transparency Report (2023) shows less than 0.01% of enterprise customers receive government legal demands annually
• Contractual Protections: SCCs require sub-processors to (a) immediately notify Clients.ai of government data requests (unless legally prohibited), (b) challenge overly broad or unlawful requests, and (c) provide transparency reporting
• Conclusion: CLOUD Act risk exists but assessed as LOW given data type, lack of access history, and contractual safeguards

Redress Mechanisms for Non-U.S. Persons

• Limitation Identified: Non-U.S. persons lack effective judicial redress for FISA Section 702 surveillance under U.S. law (no standing to challenge FISA orders in U.S. courts)
• GDPR Implication: Noted as a residual risk per EDPB Recommendations 01/2020; addressed through supplementary technical measures (see Step 3 below)

Step 2: Practical Access Assessment

• Nature of Data: LinkedIn automation and B2B sales/marketing use case data - NOT communications content, NOT personal communications, NOT politically sensitive, NOT national security-relevant
• Sub-Processor Jurisdictions: AWS (USA - us-east-1 Virginia, us-east-2 Ohio regions), OpenAI (USA - Azure backend), Stripe (dual USA/Ireland with EU entity), SendGrid (USA)
• Access History:
  • Zero government access requests to Clients.ai since launch (2022)
  • Zero national security letters or FISA orders received
  • AWS Transparency Report indicates less than 0.01% of enterprise customers receive legal demands annually
• Business Context Risk Assessment: Niche B2B SaaS tool for marketing automation - outside typical national security or law enforcement targeting scope
• Overall Practical Risk Rating: LOW - combination of data type, business context, and lack of access history indicates minimal likelihood of government access requests

Step 3: Supplementary Measures Implemented

In accordance with EDPB Recommendations 01/2020, Clients.ai implements the following supplementary technical and organizational measures beyond Standard Contractual Clauses:

• Measure 1 - Encryption with Key Segregation:
  • AES-256 encryption at rest for all data stored by USA sub-processors
  • TLS 1.3 encryption in transit for all data transmissions
  • Encryption keys managed exclusively in Canada using AWS KMS (Canada ca-central-1 region) - USA sub-processors cannot access plaintext data without key material held in adequate jurisdiction
  • Effectiveness: Even if U.S. government compels disclosure of encrypted data from AWS, data is cryptographically unusable without Canadian-held decryption keys
• Measure 2 - Pseudonymization for AI Processing:
  • User PII pseudonymized before transmission to USA-based AI training (OpenAI API)
  • OpenAI receives only anonymized datasets with direct identifiers removed (no names, email addresses, or contact details)
  • Pseudonymization mapping tables stored exclusively in Canada; re-identification possible only with Canadian database access
  • Effectiveness: Reduces exploitability of any government access to AI training data - data not re-identifiable without Canadian infrastructure access
• Measure 3 - Data Minimization and Segmentation:
  • Only operationally necessary data sent to USA sub-processors
  • Lead Data contact details (email addresses, phone numbers, LinkedIn profiles) stored exclusively in Canada - NOT transferred to USA sub-processors
  • AWS hosts encrypted application infrastructure but detailed user profiles and sensitive Lead Data remain in Canada-only database instances
  • Effectiveness: Minimizes volume and sensitivity of data exposed to third-country legal frameworks
• Measure 4 - Enhanced Contractual Commitments:
  • SCCs supplemented with additional clauses requiring sub-processors to: (a) immediately notify Clients.ai of government data requests (unless legally prohibited by gag order); (b) challenge overly broad, unlawful, or disproportionate requests; (c) provide annual transparency reporting; (d) submit to annual compliance attestations
  • Effectiveness: Provides contractual enforcement mechanism and early warning system for government access attempts
• Measure 5 - Transparency Reporting:
  • Annual Transparency Report published at clients.ai/transparency disclosing number and type of government requests received (if any)
  • Warrant canary discontinued in 2024 (legal advice: ineffective post-gag orders and creates false sense of security)
  • Effectiveness: Provides public accountability and visibility into government access requests
• Measure 6 - Regular TIA Review and Updates:
  • TIA reviewed annually and upon material changes to: (a) third-country surveillance laws; (b) sub-processor locations or jurisdictions; (c) categories of data transferred; (d) security measures or encryption standards
  • Effectiveness: Ensures ongoing compliance with evolving legal landscape and EDPB guidance

Step 4: Balancing Assessment and Conclusion

• Effectiveness of Supplementary Measures: ADEQUATE
  • Encryption with Canadian-held keys + pseudonymization + data minimization combine to reduce exploitability of any government access to near-zero utility
  • Even if U.S. government obtains encrypted data, inability to access decryption keys (held in adequate jurisdiction Canada) renders data cryptographically protected
• Residual Risk Assessment: LOW
  • Encrypted data inaccessible without Canadian-held keys
  • Pseudonymized AI training data not re-identifiable without Canadian database access
  • Business context (B2B SaaS, LinkedIn marketing automation) outside national security targeting scope
  • Zero government access requests to date (2022-present)
• EDPB Recommendations 01/2020 Compliance:
  • Supplementary measures aligned with EDPB guidance on encryption at rest/in transit, pseudonymization, and key segregation (keys held in EU/adequate jurisdictions)
  • Case-by-case assessment conducted specific to Clients.ai data types, sub-processors, and use cases
• Schrems II CJEU Compliance Conclusion:
  • Transfers to USA sub-processors lawful under Standard Contractual Clauses + supplementary measures
  • Supplementary measures provide level of protection essentially equivalent to that guaranteed within EEA, consistent with Schrems II requirements (Case C-311/18)
  • TIA documentation demonstrates compliance with data exporter obligation to verify appropriate safeguards (GDPR Article 46)