Cross-Border Data Transfers
Cross-border data transfers are one of the most legally complex and commercially sensitive areas of global privacy law. When personal data moves from one jurisdiction to another, especially from the EU to the US, a specific legal mechanism must be in place before the transfer happens. The Court of Justice of the EU invalidated Safe Harbor in 2015 (Schrems I) and Privacy Shield in 2020 (Schrems II), showing that these mechanisms can disappear overnight; a platform whose transfers rest on a single mechanism, with no fallback already written into its contracts, can find a core processing activity unlawful the day a ruling lands.
ReGenesis takes a pragmatic, phased approach. At launch, all data resides in AWS us-east-1 (US East) — simple, single-region, no cross-border transfer complexity. As the platform expands internationally, regional data residency activates with EU data stored in an EU region (e.g., eu-west-1 Ireland), supported by Standard Contractual Clauses (SCCs), Transfer Impact Assessments (TIAs), and the EU-US Data Privacy Framework where applicable.
The critical subprocessors are the LLM providers (Anthropic and/or OpenAI). Coaching content that flows through AI inference pipelines must be handled with the same transfer safeguards as all other personal data. The architecture lets LLM calls be routed to region-appropriate endpoints where the provider offers them; where it does not, the call is itself a transfer and must be covered by the provider's DPA (data handling, retention, and transfer mechanism), or not made at all for clients whose DPA forbids data leaving their region.
Why Cross-Border Transfers Matter
When personal data crosses national borders, different privacy laws apply. The EU's GDPR (Chapter V, Articles 44-49) is the strictest: it prohibits transfers of personal data outside the EU/EEA unless one of the conditions in those articles is met, and the restriction expressly covers onward transfers, so every subprocessor in the chain needs its own lawful basis, not just the first hop.
Why this affects ReGenesis:
- The platform's servers are in the US at launch
- EU-based enterprise clients may want to enroll EU employees
- LLM providers (Anthropic, OpenAI) may process data in the US
- Backup and disaster recovery may involve multiple regions
The Legal Mechanisms
| Mechanism | What It Is | When It Applies | Status |
|---|---|---|---|
| EU-US Data Privacy Framework (DPF) | EU adequacy decision covering US organisations that self-certify to the DPF with the US Department of Commerce | When ReGenesis or a subprocessor is DPF-certified for the data in question | Adequacy decision adopted July 2023; legal challenges are expected, so SCCs stay in every contract as the fallback |
| Standard Contractual Clauses (SCCs) | Commission-approved contract clauses (the 2021 modular set; the controller-to-processor and processor-to-processor modules are the relevant ones here) | In every DPA with an EEA controller, and in contracts with subprocessors that take EEA data outside the EEA | Survived Schrems II; may need supplementary measures (encryption, access controls) identified by the TIA |
| Transfer Impact Assessment (TIA) | Documented analysis of whether the destination country's law and practice undermine the protections the SCCs promise | Required when relying on SCCs | One per transfer route (ReGenesis to each subprocessor); revisit when the law, the vendor or the route changes |
| Adequacy Decision | EU Commission declares a country's level of protection "adequate" | Simplest mechanism; no additional safeguards needed | US adequacy applies only to DPF-certified organisations, not to the US as a whole |
| Binding Corporate Rules (BCRs) | Supervisory-authority-approved rules for transfers within one corporate group | For transfers within the ReGenesis corporate group once it has entities in several jurisdictions; a client's own BCRs do not cover transfers to ReGenesis | Not needed at launch |
The Phased Approach
Data Residency
Data residency means keeping data in a specific geographic region. Some enterprise clients (especially in regulated industries like finance and healthcare) contractually require that their data never leaves a specific jurisdiction.
The ReGenesis approach:
- US-first launch: All data in AWS us-east-1
- EU expansion: EU client data in AWS eu-west-1 (Ireland) by default
- Client override: Enterprise clients can specify their preferred AWS region in the DPA
- Regional isolation: Data in one region does not replicate to another unless explicitly configured
When Sasha processes coaching content through an LLM (Anthropic or OpenAI), that data temporarily exists in the LLM provider's infrastructure. Contracts with LLM providers must ensure:
- No training on ReGenesis data
- No retention beyond the inference request
- Data processing in a region compatible with the client's data residency requirements
- SCCs or equivalent transfer mechanism if data crosses borders
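The residency rules above (US-first storage, an EU region by default for EU clients, a client override in the DPA, and LLM calls routed to a region-appropriate endpoint) are the kind of policy that should live in code rather than in a wiki, because the routing decision is what the TIA and the subprocessor register have to describe. The following is an added Python example, not ReGenesis code: the region table, the `example` endpoint URLs, the tenant records and the simplification that transfers out of the US are unrestricted are all assumptions constructed for the illustration. It goes one step beyond the list by failing closed for a client whose DPA forbids any processing outside its jurisdiction, and by recording which transfer mechanism legitimised each route.

```python
"""Region-aware routing of tenant data and LLM inference (added example, not ReGenesis code)."""
from dataclasses import dataclass
from enum import Enum
from typing import Iterable


class Jurisdiction(str, Enum):
    US = "US"
    EEA = "EEA"


# Region table constructed for the example; extend it as regions are onboarded.
REGION_JURISDICTION = {"us-east-1": Jurisdiction.US, "eu-west-1": Jurisdiction.EEA}
MECHANISM_PREFERENCE = ("DPF", "SCC")   # tried in this order when EEA data must leave the EEA


@dataclass(frozen=True)
class LLMEndpoint:
    provider: str
    url: str                              # hypothetical URL, not a real vendor endpoint
    jurisdiction: Jurisdiction
    zero_retention: bool                  # a no-retention clause covers this endpoint
    mechanisms: frozenset = frozenset()   # transfer mechanisms in the provider's DPA


@dataclass(frozen=True)
class Tenant:
    name: str
    home: Jurisdiction
    storage_region: str
    strict_residency: bool = False        # DPA forbids any processing outside `home`


@dataclass(frozen=True)
class Route:
    storage_region: str
    endpoint: LLMEndpoint
    transfer_basis: str                   # "none" if no border is crossed, else the mechanism


class NoLawfulRoute(Exception):
    """No endpoint satisfies the residency and transfer rules; the caller must fail closed."""


def plan_route(tenant: Tenant, endpoints: Iterable[LLMEndpoint]) -> Route:
    """Choose the inference endpoint for a tenant and record the transfer basis.
    Storage must sit in the tenant's home jurisdiction; only no-retention endpoints are
    eligible; an in-jurisdiction endpoint wins and needs no mechanism; a strict-residency
    tenant never leaves its jurisdiction (raise rather than degrade); otherwise an EEA
    tenant needs a Chapter V mechanism, DPF before SCC. Transfers out of the US are
    treated as unrestricted, a simplifying assumption of this example.
    """
    if REGION_JURISDICTION.get(tenant.storage_region) is not tenant.home:
        raise ValueError(f"{tenant.name}: {tenant.storage_region} is not in {tenant.home.value}")
    eligible = [e for e in endpoints if e.zero_retention]
    local = [e for e in eligible if e.jurisdiction is tenant.home]
    if local:
        return Route(tenant.storage_region, local[0], "none")
    if tenant.strict_residency:
        raise NoLawfulRoute(f"{tenant.name}: no {tenant.home.value} endpoint with a no-retention clause")
    if tenant.home is not Jurisdiction.EEA:
        if eligible:
            return Route(tenant.storage_region, eligible[0], "none")
        raise NoLawfulRoute(f"{tenant.name}: no endpoint with a no-retention clause")
    for mechanism in MECHANISM_PREFERENCE:
        for e in eligible:
            if mechanism in e.mechanisms:
                return Route(tenant.storage_region, e, mechanism)
    raise NoLawfulRoute(f"{tenant.name}: no endpoint covered by a Chapter V transfer mechanism")


def can_route(tenant: Tenant, endpoints: Iterable[LLMEndpoint]) -> bool:
    """True if plan_route would succeed; use it to gate tenant onboarding."""
    try:
        plan_route(tenant, endpoints)
        return True
    except (NoLawfulRoute, ValueError):
        return False


def residency_statement(tenant: Tenant, route: Route) -> str:
    """The answer to "where does our data live?", naming any transfer relied on."""
    base = (f"{tenant.name}: stored in {route.storage_region}; AI inference by "
            f"{route.endpoint.provider} in {route.endpoint.jurisdiction.value}")
    if route.transfer_basis == "none":
        return base + "; no cross-border transfer."
    return base + f" under {route.transfer_basis}."


# Constructed catalogue: the two US providers from the register, plus a hypothetical
# EU endpoint to show what changes once a provider offers one.
US_ENDPOINTS = [
    LLMEndpoint("Anthropic", "https://api.anthropic.example/v1", Jurisdiction.US, True,
                frozenset({"DPF", "SCC"})),
    LLMEndpoint("OpenAI", "https://api.openai.example/v1", Jurisdiction.US, True,
                frozenset({"DPF", "SCC"})),
]
HYPOTHETICAL_EU_ENDPOINT = LLMEndpoint(
    "Anthropic", "https://eu.api.anthropic.example/v1", Jurisdiction.EEA, True)
```

Two design choices carry the security weight. A strict-residency tenant raises `NoLawfulRoute` instead of quietly falling back to a US endpoint, so a missing EU endpoint is an onboarding blocker rather than a silent transfer; and every `Route` carries the `transfer_basis` it relied on, which lets the subprocessor register and the TIA be reconciled against what production actually did for each tenant rather than against what the policy document says should happen.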
Subprocessor Management
ReGenesis uses subprocessors — third parties that process personal data on the platform's behalf. Enterprise clients (as data controllers) have the right to know who the subprocessors are and to object to changes.
Current Subprocessor Register
| Subprocessor | Service | Data Processed | Location | Transfer Mechanism |
|---|---|---|---|---|
| AWS | Cloud infrastructure | All platform data | US (us-east-1), EU (eu-west-1 planned) | DPF + SCCs |
| Anthropic | LLM inference (Claude) | Coaching content for AI processing | US | DPF + SCCs + no-retention clause |
| OpenAI (contingency) | LLM inference (GPT) | Coaching content for AI processing | US | DPF + SCCs + no-retention clause |
| Auth0/Clerk | Authentication | User identity data | US | DPF + SCCs |
| Stripe | Payment processing | Billing data (not coaching content) | US | DPF + SCCs |
| SendGrid/SES | Email delivery | Email addresses, notification content | US | DPF + SCCs |
Subprocessor Change Notification
When a subprocessor is added or changed:
- 14-day advance notice to all enterprise clients (controllers)
- Client can object within the notice period
- If objection, ReGenesis works with the client to find an alternative or provide assurances
- If no resolution, client may terminate the affected processing
LLM Provider Specific Considerations
The relationship with LLM providers (Anthropic, OpenAI) deserves special attention because coaching content is the most sensitive data the platform processes, and it flows through their inference pipelines.
Key Contractual Requirements for LLM Providers
- Zero retention: LLM provider must not retain prompt or completion data beyond the inference request
- No training: ReGenesis data must not be used to train or fine-tune the provider's models
- Data isolation: Platform API calls and their data must be logically isolated from the provider's other customers
- Regional endpoints: Ability to route calls to region-specific API endpoints (EU endpoint for EU data)
- Audit rights: Right to audit or receive audit reports (SOC 2) from the provider
- Incident notification: Provider must notify ReGenesis of any security incident affecting platform data
- Sub-subprocessor transparency: Provider must disclose their own subprocessors
Anthropic-Specific Notes
- Anthropic's commercial API (as distinct from consumer Claude) can be run under a zero-data-retention arrangement, but that is an agreement to negotiate rather than the default retention behaviour; get it into the DPA in writing and confirm what the default retention period would otherwise be
- Anthropic is a US company; data processed in US unless EU endpoint is available
- Anthropic's DPA addresses GDPR transfer requirements
- Monitor for EU regional endpoint availability. Claude models are also offered through Amazon Bedrock in EU AWS regions; running inference there keeps the call inside the region that holds the data, but the contracting subprocessor for that call is AWS rather than Anthropic, so the register and the TIA must reflect which path is actually in use
Many EU enterprise clients will ask: "Where does our data live?" The answer should be short and literally true for that client: "Data stays in the EU region, processed by EU-based infrastructure, with AI calls routed to EU endpoints where available, and to US endpoints under DPF or SCCs where not." The second clause matters: a client who hears "stays in the EU" and later finds an inference call in us-east-1 has a contractual problem, so the answer must match what the routing configuration does for that tenant. The architecture described here makes a true version of that answer possible.