Alephic transfers limited categories of European Personal Data to the United States as part of delivering our services. This policy describes our process for assessing the risks of those transfers and the safeguards we apply to protect that data.
1. When We Conduct a Transfer Impact Assessment
We conduct a Transfer Impact Assessment (TIA) before initiating any new data transfer involving European Personal Data to a country outside the EEA that does not have an EU adequacy decision, or when there is a material change in the legal framework of a destination country.
For existing transfers, we review our assessments at least annually or when triggered by a significant legal or regulatory development (such as a new court ruling or change in surveillance legislation).
2. Scope of Assessment
Each TIA evaluates:
- Categories of data: What personal data is transferred, its sensitivity, and volume.
- Transfer mechanism: The legal basis for the transfer (e.g., Standard Contractual Clauses, EU-US Data Privacy Framework).
- Destination country laws: Whether the destination country's legal framework provides adequate protection, including government surveillance powers and data protection legislation.
- Supplementary measures: Technical, organizational, and contractual safeguards in place to mitigate identified risks.
- Sub-processor chain: Whether onward transfers occur and the protections applied at each stage.
3. Current Transfer Assessment: United States
Alephic's infrastructure is hosted in the United States. The European Personal Data we transfer is limited to EY employee email addresses processed by Clerk for authentication, along with standard web request metadata (IP addresses, device identifiers) processed by Vercel.
Our assessment of US transfers considers:
- EU-US Data Privacy Framework: The European Commission issued an adequacy decision in July 2023, recognizing that the US provides adequate protection for data transferred under this framework.
- Executive Order 14086: Introduces principles of necessity and proportionality for US signals intelligence, and establishes the Data Protection Review Court as an independent redress mechanism for EU individuals.
- Low risk profile: The data transferred (email addresses for authentication) is of low intelligence value and is not the type typically targeted by surveillance authorities.
- Standard Contractual Clauses: We maintain EU-approved SCCs with all sub-processors as an additional safeguard.
- Encryption: All data is encrypted in transit (TLS 1.2+) and at rest (AES-256) with keys managed by cloud providers via their key management services.
4. Risk Mitigation Measures
Based on our assessments, we apply the following supplementary measures:
- Data minimization: We transfer only the minimum personal data necessary for authentication and service delivery.
- Encryption: End-to-end encryption for data in transit and at rest across all infrastructure components.
- Access controls: Role-based access with multi-factor authentication; only authorized personnel can access production systems.
- Contractual protections: Data Processing Agreements and SCCs with all sub-processors, including commitments to challenge government requests (see our Law Enforcement and Government Data Request Policy).
- Vendor due diligence: Sub-processors vetted for SOC 2 Type II certification or equivalent security standards.
5. Documentation and Records
All TIA records are maintained by the Data Protection Officer, including the assessment methodology, findings, risk ratings, and decisions taken. Records are retained for a minimum of three years and are available to supervisory authorities and clients upon request.
6. Review
This policy is owned by Noah Brier and reviewed at least annually. Updates are communicated company-wide and published on our website.
For questions about this policy or to request a copy of our current Transfer Impact Assessment, contact [email protected].