Transfer Risk Assessment — United States
Subject: Onward transfers of Customer Personal Data from Cadences.work (Nozemans Software Pte Ltd, Singapore) to sub-processors located in the United States: Vercel, OpenAI, Postmark, Google (Analytics), GitLab. Sub-processor role: Processor or sub-processor under GDPR Article 28. Transfer mechanism: 2021 EU SCCs (Module 3 where Cadences acts as processor and engages a sub-processor; Module 2 where the customer's controller engagement is direct), supplemented by EU-US Data Privacy Framework where the sub-processor is self-certified. Last reviewed: 2026-04-30. Owner: Lauren ten Hoor (DPO, Nozemans Software Pte Ltd). Review cadence: annually, or on any material change to US surveillance law (in particular FISA-702 reauthorisation, Executive Order 14086 implementation, or new Schrems-style litigation).
1. Description of the transfers
Cadences.work, established in Singapore, engages US-based sub-processors that may, from time to time and depending on configuration, process Customer Personal Data of EU data subjects.
| Sub-processor | Role | Data type | EU data localisation |
|---|---|---|---|
| Vercel | Application hosting + domain registrar | All data in transit; logs; domain registration metadata | Functions pinned to EU regions; CDN cache global |
| Supabase | Database / Auth / Storage | All persistent customer data | EU region (Ireland, eu-west-1) |
| OpenAI | AI inference | Feedback text submitted for AI processing | USA (Cadences is on OpenAI tier 1; EU residency available on Enterprise plans and on the roadmap) |
| Postmark | Transactional email | Email recipient + subject + body | USA |
| Google (GA4) | Aggregate analytics | IP (used transiently for coarse geolocation, not stored by GA4), device info, page views | USA (Google data infrastructure); standard gtag.js integration without EU server-side tagging |
| Stripe | Subscription billing | Billing contact, VAT/GST IDs, tokenised card metadata | EU establishment in Ireland; payment-network routing global |
| GitLab | Source code hosting | No customer personal data | USA |
(Supabase and Stripe appear for completeness. Supabase's processing happens in the EU region, so it is not a US transfer in practice; Stripe has an EU establishment in Ireland and is therefore not assessed as a US sub-processor in §3.)
2. Legal regime in the United States
2.1 EU-US Data Privacy Framework (DPF)
Adopted by European Commission adequacy decision of 10 July 2023. US organisations that self-certify under the DPF are presumed to provide an adequate level of protection for personal data transferred to them under the framework. For each sub-processor, verify on the official list (https://www.dataprivacyframework.gov) that the certification is active, that it is held by the contracting entity named in the DPA (not only a parent or affiliate), and that its scope covers the data in question (non-HR data unless HR data is involved). Certification status of relevant sub-processors:
| Sub-processor | DPF certified? |
|---|---|
| Vercel | To be verified — see https://www.dataprivacyframework.gov |
| OpenAI | To be verified |
| Postmark / ActiveCampaign | To be verified |
| Google LLC | Yes |
| GitLab | To be verified — see https://www.dataprivacyframework.gov |
Where a sub-processor is DPF-certified, the SCCs continue to apply as a complementary safeguard but the DPF provides primary adequacy.
2.2 US surveillance law
The principal concern raised by the Schrems II judgment relates to:
- Foreign Intelligence Surveillance Act (FISA), Section 702: authorises the US government to compel "electronic communication service providers" to assist in targeted surveillance of non-US persons reasonably believed to be located outside the US. Reauthorised and amended in April 2024 by the Reforming Intelligence and Securing America Act (RISAA), which added oversight requirements but also widened the category of providers that can be compelled. That reauthorisation ran for two years, so the current status of Section 702 must be confirmed at each review.
- Executive Order 12333: governs US intelligence collection conducted outside the United States, including interception of data in transit between data centres. It imposes no obligation on providers and offers no redress; the practical mitigation is encryption in transit and at rest, because EO 12333 collection carries no power to compel a provider to hand over keys or plaintext.
- CLOUD Act (2018): allows US authorities to compel US-based providers to disclose data they control regardless of where the data is physically stored.
Mitigating developments since Schrems II:
- Executive Order 14086 (October 2022) introduced a "necessary and proportionate" standard, a Civil Liberties Protection Officer, and a Data Protection Review Court for redress.
- The EU-US DPF built on EO 14086 to provide adequacy.
That said, EU privacy advocates continue to challenge the regime. The General Court dismissed the first direct challenge to the adequacy decision (Latombe v Commission) in September 2025, but an appeal to the Court of Justice remains possible, and a Schrems III-style invalidation cannot be ruled out. Supplementary measures therefore remain necessary rather than optional.
3. Practical assessment per sub-processor
Vercel
- Type of data: data in transit through edge functions; structured logs.
- Sensitivity: low — most processing is request-routing; persistent customer data is not stored on Vercel.
- Mitigation: function execution pinned to EU regions; sensitive data in logs is masked by the application before logging. Check to keep in place: responses that contain customer data must carry Cache-Control: private or no-store so they never enter the global CDN cache, which is not region-pinned.
OpenAI
- Type of data: feedback content submitted for AI processing. Identifiers are excluded by the application unless the user pastes them into a free-text field.
- Sensitivity: medium — feedback text can be qualitative and personal.
- Mitigation: all AI features are experimental and disabled by default; they are engaged only when a customer organisation administrator explicitly opts in and can be disabled again at any time. Cadences does not train any model on customer data. Provider-side use is governed by OpenAI's API terms, under which API inputs and outputs are not used to train OpenAI models by default; Cadences is on tier 1, and the provider's standard abuse-monitoring retention of up to 30 days applies, so prompt text exists on US infrastructure for that window. Zero-retention and EU-residency inference are available on OpenAI Enterprise plans and are on the roadmap as customer demand justifies the upgrade.
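The two application-side controls above (identifiers excluded from LLM prompts, sensitive data masked before logging) share one redaction step. The following is an added example, not Cadences code, showing how such a step can be built: the patterns, placeholder tokens, denied log keys and the list of known participant names passed in are illustrative assumptions, and the sample text is constructed.

```javascript
// Added example (not Cadences code): strip direct identifiers from free text
// before it goes into an LLM prompt or a log line. Assumed: the application
// passes in the people names it already knows (review-cycle participants);
// the patterns and placeholder tokens are illustrative choices.
const ID_PATTERNS = [
  // URL first, so an address embedded in a query string is swallowed whole.
  { token: "[URL]",   re: /https?:\/\/[^\s"'<>]*[^\s"'<>.,;:!?)]/gi },
  { token: "[EMAIL]", re: /[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}/gi },
  { token: "[UUID]",  re: /\b[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\b/gi },
];

// Log fields that are never written, whatever their value (assumed list).
const LOG_DENY_KEYS = new Set(["authorization", "cookie", "set-cookie", "email", "password", "token"]);

function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Returns the redacted text plus a count per placeholder, so the caller can
// log *that* something was removed without logging *what* was removed.
function redactIdentifiers(text, knownNames = []) {
  const counts = {};
  const hit = (token) => { counts[token] = (counts[token] || 0) + 1; return token; };
  let out = text;
  for (const { token, re } of ID_PATTERNS) {
    out = out.replace(re, () => hit(token));
  }
  for (const name of knownNames) {
    // Whole-word, case-insensitive match on names the app already knows.
    out = out.replace(new RegExp(`\\b${escapeRegExp(name)}\\b`, "gi"), () => hit("[PERSON]"));
  }
  return { text: out, counts };
}

// Prompt builder: only the redacted text leaves the application.
function buildFeedbackPrompt(feedbackText, knownNames) {
  const { text, counts } = redactIdentifiers(feedbackText, knownNames);
  return {
    messages: [
      { role: "system", content: "Summarise the feedback below. Placeholders such as [PERSON] stand for removed identifiers; keep them as-is." },
      { role: "user", content: text },
    ],
    redacted: counts,
  };
}

// Log scrubber: drop denied keys, redact strings, recurse into nested values.
function scrubForLog(record, knownNames = []) {
  if (typeof record === "string") return redactIdentifiers(record, knownNames).text;
  if (Array.isArray(record)) return record.map((v) => scrubForLog(v, knownNames));
  if (record && typeof record === "object") {
    const out = {};
    for (const [k, v] of Object.entries(record)) {
      if (LOG_DENY_KEYS.has(k.toLowerCase())) continue;
      out[k] = scrubForLog(v, knownNames);
    }
    return out;
  }
  return record;
}

// Constructed sample input (not real customer data).
const SAMPLE = "Jane Doe keeps cc'ing jane.doe@example.com, see https://cadences.work/r/abc. Ping j.doe@example.org?";
const EXAMPLE_PROMPT = buildFeedbackPrompt(SAMPLE, ["Jane Doe"]);
```

The pattern list deliberately leaves out phone numbers: a loose phone regex also eats dates and ticket numbers, and a free-text review field contains many of those. Add patterns one at a time and keep the counts in the structured log so over-redaction shows up as a spike rather than as silently degraded summaries.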
Postmark
- Type of data: email recipient, subject, body.
- Sensitivity: medium — email bodies contain invitation links, employee names, and review-cycle context.
- Mitigation: email content avoids embedding sensitive feedback; deep-links require authentication on Cadences.
Google (Google Analytics 4)
- Type of data: IP address (used transiently for coarse geolocation; GA4 does not log or store it), device and browser info, page views, pseudonymous client IDs.
- Sensitivity: low; no direct identifiers, and the tag is loaded only after explicit consent.
- Mitigation: GA4's built-in IP anonymisation (always on, not configurable), Google Signals disabled, advertising features disabled, consent gating (tag not loaded until consent is given), 14-month event-data retention. Note that the 2022 decisions of the Austrian and French supervisory authorities against Google Analytics predate the DPF and rested on the absence of adequacy; Google LLC's DPF certification answers that point, so this integration is the first item to revisit if the DPF falls.
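The following is an added example, not Cadences code, of what the consent gating and tag settings above look like in a gtag.js bootstrap. The measurement ID is a placeholder, the consent boolean is assumed to come from the site's cookie banner, and the data layer is passed in explicitly so the command sequence can be inspected outside a browser. The gtag consent and config calls are the documented Google Consent Mode and gtag.js APIs.

```javascript
// Added example (not Cadences code): consent-gated GA4 bootstrap applying the
// settings listed in the mitigation bullet. Placeholder measurement ID.
const GA_MEASUREMENT_ID = "G-XXXXXXXXXX"; // placeholder, not the real ID

// gtag.js reads commands from window.dataLayer; pushing the `arguments`
// object is the shape the official snippet uses. Injecting the array lets
// this run (and be tested) in Node.
function createGtag(dataLayer) {
  return function gtag() {
    dataLayer.push(arguments);
  };
}

// Consent Mode defaults: every storage type denied until the banner says otherwise.
function setConsentDefaults(gtag) {
  gtag("consent", "default", {
    ad_storage: "denied",
    ad_user_data: "denied",
    ad_personalization: "denied",
    analytics_storage: "denied",
    wait_for_update: 500, // ms to wait for a consent update before firing
  });
}

// Tag configuration with Google Signals and advertising features off.
// GA4 never stores IP addresses, so there is no IP setting to apply.
function configureAnalytics(gtag) {
  gtag("js", new Date());
  gtag("config", GA_MEASUREMENT_ID, {
    allow_google_signals: false,
    allow_ad_personalization_signals: false,
  });
}

// The gating itself: the tag library is only added to the page after consent.
function loadGtagScript(doc) {
  if (!doc) return false; // not in a browser (e.g. running under Node)
  const s = doc.createElement("script");
  s.async = true;
  s.src = `https://www.googletagmanager.com/gtag/js?id=${GA_MEASUREMENT_ID}`;
  doc.head.appendChild(s);
  return true;
}

// Entry point. In a browser: bootstrapAnalytics(consent, document, window.dataLayer = window.dataLayer || []).
// Returns the data layer so the queued commands can be inspected.
function bootstrapAnalytics(analyticsConsent, doc, dataLayer = []) {
  const gtag = createGtag(dataLayer);
  setConsentDefaults(gtag);
  if (analyticsConsent) {
    gtag("consent", "update", { analytics_storage: "granted" });
    configureAnalytics(gtag);
    loadGtagScript(doc);
  }
  return dataLayer;
}

// Flatten the queued `arguments` objects into plain arrays for inspection.
function commands(dataLayer) {
  return dataLayer.map((a) => Array.from(a));
}
```

Without consent the only thing on the data layer is the denied default, and no request to googletagmanager.com is ever made; that absence is what a reviewer should check in the browser's network tab, not just the presence of a banner.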
GitLab
- Type of data: source code only — no Customer Personal Data.
- Out of scope of this TRA for personal data purposes.
4. Supplementary measures
| Measure | Status |
|---|---|
| 2021 EU SCCs in every sub-processor DPA | Implemented |
| Encryption in transit (TLS 1.2+) and at rest | Implemented |
| Data minimisation in prompts to LLM providers | Implemented |
| EU-region pinning where the sub-processor offers it | Implemented (Vercel functions in dub1, Supabase eu-west-1); roadmap (OpenAI Enterprise EU as customer demand justifies) |
| Cookie consent gating for analytics | Implemented |
| Sub-processor transparency-report monitoring | Active |
| Annual review of sub-processor DPF certification status | Active |
| Customer notification of any binding US-authority access request received | SCC Clause 15 obliges the importing sub-processor to notify Cadences (or to use its best efforts to obtain a waiver where notification is prohibited); Cadences passes the notification on to the affected customer under its DPA |
5. Conclusion
Taking into account:
- the EU-US Data Privacy Framework providing presumptive adequacy where sub-processors are certified,
- the supplementary measures in §4,
- the limited scope of personal data sent to each US sub-processor (especially that persistent customer data does not leave Supabase EU),
- the contractual obligations on each sub-processor under the SCCs and our DPA,
we assess that the onward transfers to US-based sub-processors can be carried out in compliance with the GDPR. This document is the assessment required by SCC Clause 14 and is retained so that it can be made available to a competent supervisory authority on request (Clause 14(d)).
Risk areas to monitor:
- A successful Schrems III-style challenge to the DPF.
- OpenAI's plans for EU-resident inference; if available on our plan, migrate to EU residency.
- Sub-processors' DPF certifications must be renewed annually — verify in each annual review.
6. Sign-off
| Role | Name | Date |
|---|---|---|
| Data Protection Officer | Lauren ten Hoor | 2026-04-30 |
| Director | Lauren ten Hoor | 2026-04-30 |