CJEU C-311/18 — Schrems II
Transfer Impact Assessment
Evaluation of personal data transfers outside the European Economic Area under the Schrems II framework.
Version 0.1 — internal draft. Pending review by external certified DPO and specialised data-protection counsel. This page shows the executive summary. The signed 1.0 version will be published after full legal review.
What is a TIA and why does AudioMap have one?
In July 2020, the CJEU invalidated the EU-US Privacy Shield (Schrems II judgment, C-311/18). Since then, any transfer of personal data outside the EEA requires a documented Transfer Impact Assessment justifying how the data is protected in the receiving country.
AudioMap processes the vast majority of data on European infrastructure (Hetzner DE, AssemblyAI EU, Vertex EU, Cloudflare R2 EU). Only two subprocessors involve international transfer: Stripe (payments) and Sentry (observability).
Scope
This TIA covers the only two active international transfers from AudioMap. All other subprocessors process within the EEA.
Evaluated transfers
| Subprocessor | Destination | Data | Mechanism | Risk |
|---|---|---|---|---|
| Stripe Inc. | US | Email, tokenised card data, billing. NO service content. | EU-U.S. Data Privacy Framework + SCC (EU 2021/914 Mod 2) | LOW |
| Functional Software dba Sentry | US (storage in EU region, Frankfurt) | Stack traces, breadcrumbs, HTTP metadata. No user content or biometrics. | EU-U.S. Data Privacy Framework + SCC + EU region configuration | LOW |
US legal framework analysis
The relevant US legal framework for international transfers includes:
- FISA Section 702: permits bulk collection of the communications of "non-US persons" without an individualised judicial warrant.
- Executive Order 12333: broadens external surveillance powers.
- CLOUD Act 2018: allows US authorities to demand data stored by US companies even if the data is physically outside the US.
Conclusion: US legislation offers lower protection than GDPR. This requires supplementary technical and organisational measures.
Supplementary measures applied
- TLS in-transit encryption for all transfers
- At-rest encryption at destination (AES-256)
- Minimisation: only data strictly necessary for each subprocessor purpose
- Stripe: card tokenisation — AudioMap never receives PAN; service content never reaches Stripe
- Sentry: EU region config + aggressive sensitive-data scrubbing + 10% sample rate + 90d retention
- Standard Contractual Clauses (SCC) as fallback if DPF falls
- DPA Art. 28 GDPR signed with 24h breach notification clause
- Public subprocessor list at /legal/subprocessors with 30d prior notice of changes
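The Sentry measures above (sensitive-data scrubbing, 10% sample rate, EU ingest region) are the ones a reviewer can actually verify in code. The following is an added example, not AudioMap's own configuration: a `before_send` scrubber and the matching `sentry_sdk.init` options as Sentry's Python SDK exposes them. The header and user-field lists, the regexes for card numbers and Stripe-style keys, and the check that the DSN points at a `.de.sentry.io` ingest host are assumptions made for the example; 90-day retention is an organisation-side Sentry setting and cannot be expressed in the SDK.

```python
"""Scrub Sentry events before they leave the EU ingest region (added example, not AudioMap code)."""
import re
from typing import Any, Dict, Optional
from urllib.parse import urlparse

# Request headers that carry credentials or session identifiers: dropped outright (assumed list).
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie", "set-cookie", "x-api-key"}
# User attributes that identify a person: removed so only an opaque id remains (assumed list).
SENSITIVE_USER_FIELDS = {"email", "ip_address", "username"}
# Value patterns that tend to leak into messages, extras and breadcrumbs (constructed for the example).
PATTERNS = [
    (re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"), "[email]"),                           # e-mail addresses
    (re.compile(r"\b\d{13,19}\b"), "[card]"),                                       # PAN-length digit runs
    (re.compile(r"\b(?:sk|pk|rk)_(?:live|test)_[0-9A-Za-z]+", re.I), "[stripe-key]"),  # Stripe-style key shape (assumed)
    (re.compile(r"\b(?:bearer|token)\s+[a-z0-9._-]+", re.I), "[token]"),             # bearer tokens in free text
]


def scrub_value(value: Any) -> Any:
    """Recursively apply the redaction patterns to strings inside dicts and lists."""
    if isinstance(value, str):
        for pattern, replacement in PATTERNS:
            value = pattern.sub(replacement, value)
        return value
    if isinstance(value, dict):
        return {k: scrub_value(v) for k, v in value.items()}
    if isinstance(value, list):
        return [scrub_value(v) for v in value]
    return value


def scrub_event(event: Dict[str, Any], hint: Optional[Dict[str, Any]] = None) -> Optional[Dict[str, Any]]:
    """before_send hook: strip PII and secrets from an event; returning None would drop it."""
    request = event.get("request")
    if request:
        headers = request.get("headers") or {}
        request["headers"] = {k: v for k, v in headers.items() if k.lower() not in SENSITIVE_HEADERS}
        request.pop("cookies", None)
        request.pop("data", None)  # POST bodies may carry billing details; never ship them
    user = event.get("user")
    if user:
        event["user"] = {k: v for k, v in user.items() if k not in SENSITIVE_USER_FIELDS}
    for key in ("message", "extra", "breadcrumbs", "contexts"):
        if key in event:
            event[key] = scrub_value(event[key])
    return event


def is_eu_ingest_dsn(dsn: str) -> bool:
    """Assumption for this example: Sentry's EU region ingests on hosts under .de.sentry.io."""
    host = urlparse(dsn).hostname or ""
    return host.endswith(".de.sentry.io")


def sentry_options(dsn: str) -> Dict[str, Any]:
    """Options for sentry_sdk.init(**sentry_options(dsn)); refuses a DSN outside the EU region."""
    if not is_eu_ingest_dsn(dsn):
        raise ValueError("DSN does not point at the EU ingest region")
    return {
        "dsn": dsn,
        "send_default_pii": False,   # never attach user/IP/cookies automatically
        "sample_rate": 0.1,          # 10% of error events, as in the TIA
        "before_send": scrub_event,  # redact what remains before transmission
    }


def configure_sentry(dsn: str) -> None:
    """Wire the options into the SDK; imported lazily so the module works without sentry_sdk installed."""
    import sentry_sdk  # type: ignore
    sentry_sdk.init(**sentry_options(dsn))
```

`scrub_event` is deliberately allow-list shaped for user attributes and deny-list shaped for headers, and the regex pass runs over breadcrumbs and contexts as well as the message, since those are where SDK integrations most often copy request data. Combined with `send_default_pii=False`, this keeps the Sentry payload at the "stack traces, breadcrumbs, HTTP metadata" level the table describes.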
Contingency plan (if DPF falls)
NOYB and other organisations are litigating to invalidate the EU-U.S. Data Privacy Framework, as Privacy Shield (2020) and Safe Harbor (2015) were invalidated before it. AudioMap maintains a contingency plan:
- If DPF falls for Stripe: SCC signed as fallback. Mollie (European PSP, NL) evaluated as alternative. 4-6 week migration.
- If DPF falls for Sentry: SCC signed. GlitchTip self-hosted in Hetzner DE evaluated. 2 week migration.
- "Full sovereignty mode": local Whisper + Vertex EU + Hetzner DE allow operating without any US transfer except payments. Documented as option for B2B customers with extreme requirements.
Conclusion
The two active international transfers are legitimate with the applied safeguards. Residual risk is low because:
- Stripe and Sentry do not receive service content (audio, transcripts).
- AudioMap is not a plausible target of US mass surveillance.
- Contractual (SCC) and technical (EU alternatives) fallback mechanisms exist.
Next scheduled review: 12 May 2027, or immediate if CJEU invalidates DPF.
Related documents: DPIA, AEPD compliance, Subprocessors, Data residency.