Data Transfers Addendum

This Data Transfers Addendum ("DTA") supplements our Data Processing Agreement and outlines the mechanisms and safeguards for international transfers of personal data.

Version 1.2, March 2025

Last Updated: March 5, 2025

International Data Transfers Overview

As a global cloud service provider, Actualize processes personal data in multiple jurisdictions worldwide. We implement appropriate safeguards for international data transfers in compliance with applicable data protection laws, including GDPR, UK GDPR, and Swiss data protection laws.

Schrems II Compliance

Following the Court of Justice of the European Union's decision in the Schrems II case, we have implemented additional safeguards for data transfers to countries outside the EEA, UK, and Switzerland that have not been deemed to provide adequate protection for personal data.

Transfer Mechanisms

Standard Contractual Clauses (SCCs)

We implement the EU Commission's Standard Contractual Clauses (2021) for data transfers from the EEA to third countries. These contractual safeguards ensure that recipients of personal data provide appropriate protection.

UK International Data Transfer Agreement (IDTA)

For transfers from the UK, we implement the UK International Data Transfer Agreement or the UK Addendum to the EU SCCs, as approved by the UK Information Commissioner's Office.

Swiss Transborder Data Flow Agreement

For transfers from Switzerland, we implement the Swiss Transborder Data Flow Agreement, with appropriate adaptations to the EU SCCs as required by the Swiss Federal Data Protection and Information Commissioner.

Adequacy Decisions

Where the EU Commission, UK Government, or Swiss authorities have issued adequacy decisions for certain countries, territories, or specific sectors, we may transfer personal data to these recipients without additional safeguards.

Additional Safeguards

In addition to the above transfer mechanisms, we implement the following technical, organizational, and contractual safeguards:

Transfer Impact Assessments
We conduct and document transfer impact assessments for data transfers to non-adequate countries to evaluate the level of protection provided.
End-to-End Encryption
We implement strong encryption for data in transit and at rest to ensure that even if data is accessed without authorization, it remains protected.
Access Controls
We implement strict access controls and authentication requirements to ensure that only authorized personnel can access personal data.
Data Minimization
We limit the amount of personal data transferred to what is strictly necessary for the provision of our services.
Transparency
We provide clear information about our data transfer mechanisms and the countries where personal data may be processed.

Data Transfer Mechanisms by Region

Region	Countries	Transfer Mechanisms	Additional Safeguards
European Economic Area (EEA)	Austria, Belgium, Bulgaria, Croatia, Cyprus...	Not applicable - Adequate level of protection	Not required
United Kingdom	United Kingdom	UK International Data Transfer Agreement (IDTA) UK Addendum to the EU SCCs	Transfer Impact Assessment Encryption in transit and at rest Access controls
Switzerland	Switzerland	Swiss Transborder Data Flow Agreement	Transfer Impact Assessment Encryption in transit and at rest Access controls
Adequate Jurisdictions	Andorra, Argentina, Canada (commercial organizations), Faroe Islands, Guernsey...	EU Commission Adequacy Decision	Not required
United States	United States	EU Standard Contractual Clauses (2021) UK International Data Transfer Addendum	Transfer Impact Assessment Schrems II additional safeguards Enhanced encryption Access controls Strict purpose limitation
Asia Pacific	Australia, Hong Kong, India, Indonesia, Malaysia...	EU Standard Contractual Clauses (2021) UK International Data Transfer Addendum	Transfer Impact Assessment Encryption in transit and at rest Access controls Data minimization
Other Regions	Brazil, Mexico, South Africa, United Arab Emirates, Other countries	EU Standard Contractual Clauses (2021) UK International Data Transfer Addendum	Transfer Impact Assessment Encryption in transit and at rest Access controls Data minimization

Subprocessors and Data Transfers

Actualize may engage subprocessors to process personal data on our behalf. We ensure that all subprocessors provide sufficient guarantees to implement appropriate technical and organizational measures and comply with applicable data protection laws.

View Subprocessors List

Limitations and Challenges

Despite our efforts to implement strong safeguards, we acknowledge that there may be circumstances where these safeguards could be limited by the legal requirements of the countries where personal data is processed.

In such cases, we will promptly notify you and work to find alternative solutions, which may include processing the data in a different location or implementing additional technical measures.

For questions about this Data Transfers Addendum or our data transfer mechanisms, please contact our Data Protection Officer at dpo@zerosumdefense.co.