International Data Transfer Notice
Last updated: May 6, 2026
This notice describes how Product7, Inc. ("Product7") handles cross-border transfers of personal data and the legal mechanisms we use to protect that data when it moves between jurisdictions. This notice supplements our Privacy Policy and GDPR Commitment.
1. Privacy Shield / Data Privacy Framework
Product7 is incorporated in the State of Delaware, United States. As of the date above, Product7 is not a self-certified participant under the EU-US Data Privacy Framework (DPF), the UK Extension to the DPF, or the Swiss-US Data Privacy Framework. The earlier EU-US Privacy Shield Framework was invalidated by the Court of Justice of the European Union in Schrems II (Case C-311/18) on 16 July 2020 and has not been a valid transfer mechanism since.
For all transfers of personal data subject to EU, UK, or Swiss data protection law to a country that has not received an adequacy decision, Product7 relies on Standard Contractual Clauses and supplementary measures as described below.
2. Standard Contractual Clauses (SCCs)
Product7 incorporates the European Commission's Standard Contractual Clauses (Implementing Decision (EU) 2021/914) into our Data Processing Agreement (DPA) with all business customers. The applicable module is determined by the role of the parties:
- Module Two (Controller-to-Processor): when our customer is the Controller and Product7 acts as Processor.
- Module Three (Processor-to-Processor): when our customer is itself a Processor and engages Product7 as a Sub-processor.
We also enter into back-to-back SCCs (or equivalent) with each of our own Sub-processors that processes Customer Data outside the EEA. See our Sub-processors page for the current list.
3. UK International Data Transfer Addendum
For transfers subject to the UK GDPR, Product7's DPA incorporates the UK International Data Transfer Addendum (IDTA) issued by the UK Information Commissioner's Office, which adapts the EU SCCs for UK use. Customers may also opt for the standalone UK IDTA where required.
4. Swiss Data Protection
For transfers subject to the Swiss Federal Act on Data Protection (FADP), the EU SCCs apply with the following adaptations: references to the GDPR are read as references to the FADP, the Swiss Federal Data Protection and Information Commissioner (FDPIC) is the competent supervisory authority, and the term "Member State" does not exclude Swiss data subjects from exercising their rights in their place of habitual residence.
5. Transfer Impact Assessments
In line with the requirements set out in Schrems II, Product7 conducts transfer impact assessments (TIAs) for transfers to countries without an adequacy decision. Each TIA evaluates:
- The legal framework of the destination country, including government access laws
- The categories and sensitivity of the personal data transferred
- The technical and organizational measures applied to the data
- Any practical experience or precedent indicating risk
Where a TIA identifies residual risk, we apply supplementary measures such as encryption, pseudonymization, and contractual safeguards before proceeding with the transfer.
6. Supplementary Measures
Regardless of the transfer mechanism, Product7 applies the following technical and organizational safeguards:
- Encryption in transit using TLS 1.2 or higher
- Encryption at rest using AES-256
- Strict access controls based on least privilege
- Pseudonymization of identifiers in analytical and AI processing pipelines where feasible
- Documented procedures for handling government access requests, including a commitment to challenge any request that we believe to be unlawful or overbroad
- Transparency reporting on government data requests where legally permitted
7. Where Personal Data Is Processed
Customer Data is primarily processed in data centers located in the United States and the European Union. A small number of Sub-processors operate globally distributed edge networks (for example, Cloudflare and Bunny.net) where cached static content may be served from regions closer to the end user. See our Sub-processors page for the locations of each Sub-processor.
8. Government Access Requests
Product7 will only disclose personal data to government authorities where legally compelled to do so under a valid order issued by a court of competent jurisdiction or other lawful instrument. Where legally permitted, we will:
- Notify the affected customer prior to disclosure so they may seek a protective order
- Challenge requests that we believe to be unlawful, overbroad, or inconsistent with international human rights standards
- Disclose only the specific data the order requires
9. Contact
Privacy inquiries: privacy@product7.io
Data Protection Officer: dpo@product7.io
Request a DPA with SCCs: privacy@product7.io