Spock

Transfer Impact Assessment Summary

Public Trust Center Version

Entity: Bookt Holdings Inc., a Delaware corporation, trading as "Spock" ("Spock", "we", "us", "our")

OVERVIEW

Spock has conducted comprehensive Transfer Impact Assessments (TIAs) for all US-based AI sub-processors used in our services, in accordance with GDPR Article 46 and EDPB Recommendations 01/2020. This summary provides transparency about our international data transfers and the safeguards we have implemented. This TIA covers US AI sub-processors only.

Sub-Processors Assessed:

  1. Anthropic PBC (Claude AI)
  2. OpenAI OpCo, LLC (ChatGPT & API)
  3. Google Ireland Ltd / Google LLC (Gemini)
  4. Groq, Inc. (Groq AI)

Overall Conclusion: All transfers to these sub-processors are lawful under GDPR Article 46(2)(c) using Standard Contractual Clauses, supplemented by appropriate technical and organizational measures. Residual risk levels are assessed as LOW to LOW-MEDIUM.

LEGAL FRAMEWORK

Transfer Mechanism

Primary: Standard Contractual Clauses (EU SCCs 2021/914)

  • Module 2: Controller to Processor
  • Module 3: Processor to Sub-processor

All sub-processors have executed SCCs incorporated into their Data Processing Addendums (DPAs).

US Laws Assessed

Our TIAs evaluated the following US surveillance and data access laws:

FISA Section 702

  • Permits targeted foreign intelligence surveillance
  • Requires Foreign Intelligence Surveillance Court (FISC) approval
  • Applies to non-US persons outside the US
  • Assessment: LOW risk for enterprise AI data (not typical intelligence target)

Executive Order 12333

  • Authorizes foreign signals intelligence collection
  • Cannot compel service providers to disclose data
  • Assessment: VERY LOW risk (encryption protects; cannot compel providers)

CLOUD Act

  • Permits law enforcement warrants for criminal investigations
  • Requires judicial approval and probable cause
  • Assessment: VERY LOW risk (business AI data rarely relevant to criminal cases)

Safeguards Identified:

  • Judicial oversight (FISC for FISA 702, federal judges for CLOUD Act)
  • Minimization procedures
  • Presidential Policy Directive 28 (PPD-28) protections
  • Available redress mechanisms

SUPPLEMENTARY MEASURES

We require all sub-processors to implement comprehensive supplementary measures beyond Standard Contractual Clauses:

Technical Measures

Measure | Implementation | Effectiveness
Encryption in Transit | TLS 1.2/1.3 for all communications | ESSENTIAL - Protects against interception
Encryption at Rest | AES-256 for stored data | ESSENTIAL - Protects stored data
Data Minimization | Only necessary data processed | VERY EFFECTIVE - Reduces exposure
Short Retention | 7-30 days maximum | HIGHLY EFFECTIVE - Limits exposure window
Access Controls | MFA, RBAC, least privilege | ESSENTIAL - Prevents unauthorized access
Monitoring & Logging | 24/7 SOC, SIEM, audit trails | EFFECTIVE - Enables detection

Contractual Measures

Measure | Implementation | Effectiveness
Standard Contractual Clauses | Executed directly or implicitly with all sub-processors | ESSENTIAL - Legal framework
No AI Training Commitment | Enterprise data not used for model training | VERY EFFECTIVE - No indefinite retention
Incident Notification | 72-hour maximum notification | EFFECTIVE - Enables breach response
Audit Rights | SOC 2 reports, questionnaires | EFFECTIVE - Provides oversight
Sub-processor Approval | Customer notification and objection rights | EFFECTIVE - Controls onward transfers

Organizational Measures

All sub-processors maintain:

  • ISO 27001 certification (Information Security Management)
  • SOC 2 Type II reports (Security, Confidentiality, Privacy)
  • 24/7 Security Operations Centers
  • Documented incident response procedures
  • Regular third-party security audits
  • Vendor risk management programs

SUB-PROCESSOR SPECIFIC SUMMARIES

1. Anthropic PBC (Claude AI)

Location: United States (San Francisco, CA)

Risk Assessment: LOW-MEDIUM

Key Strengths:

  • 7-day API retention (industry-leading short retention)
  • ISO 27001, ISO 42001 (AI Management), SOC 2 Type II certified
  • No training on enterprise customer data
  • Zero Data Retention (ZDR) option available
  • Strong encryption and access controls

Data Protection Highlights:

  • API logs retained for only 7 days by default
  • Optional 30-day retention available via DPA amendment
  • Zero Data Retention option for maximum data isolation
  • Data processed in Google Cloud Platform infrastructure
  • Comprehensive AI-specific security controls (ISO 42001)

Why Transfers Are Lawful: Anthropic's 7-day retention period is the shortest in the industry, significantly limiting the window for potential government access. Combined with strong encryption, no-training commitments, and multiple security certifications, the residual risk is LOW-MEDIUM and acceptable under GDPR Article 46(2)(c).

2. OpenAI OpCo, LLC (ChatGPT & API)

Location: United States (San Francisco, CA) / Ireland (EU entity available)

Risk Assessment: LOW-MEDIUM

Key Strengths:

  • 30-day API retention maximum
  • EU data residency option available for eligible customers
  • ISO 27001, 27017, 27018, 27701, SOC 2 Type II certified
  • No training on enterprise/business customer data by default
  • EU-US Data Privacy Framework (DPF) certified

Data Protection Highlights:

  • API data automatically deleted after 30 days
  • EU data residency keeps customer content at rest in Europe
  • ChatGPT Enterprise retention controlled by workspace admin
  • Multiple ISO certifications covering cloud security and privacy
  • Comprehensive transparency reporting

Why Transfers Are Lawful: OpenAI's optional EU data residency significantly reduces US law exposure for stored data. Combined with 30-day maximum retention, strong encryption, no-training commitments, and comprehensive certifications, the residual risk is LOW-MEDIUM and acceptable under GDPR Article 46(2)(c). EU residency option further reduces risk.

3. Google Ireland Ltd / Google LLC (Gemini)

Location: Ireland (EU) / United States

Risk Assessment: LOW

Key Strengths:

  • EU data processing via Google Ireland Ltd for EEA customers
  • Regional data centers in EU available
  • ISO 27001, 27017, 27018, 27701, 42001, SOC 1/2/3 certified
  • FedRAMP High authorization (US government level security)
  • No training on enterprise Workspace/Cloud data
  • Mature, enterprise-grade security program

Data Protection Highlights:

  • EEA customers' data processed by Google Ireland Ltd under GDPR
  • Cloud Data Processing Addendum (CDPA) with SCCs built-in
  • Regional data residency options available
  • Extensive compliance certifications (HIPAA, FedRAMP, etc.)
  • Stateless processing for many Gemini operations
  • Enterprise-grade access controls and encryption

Why Transfers Are Lawful: Google's EU-based processing entity (Google Ireland Ltd), regional data centers, mature security program, and comprehensive certifications provide exceptionally strong protection. Google's enterprise infrastructure and no-training commitments further reduce risk. Residual risk is LOW and well within acceptable limits for GDPR Article 46(2)(c) transfers.

4. Groq, Inc. (Groq AI)

Location: United States

Risk Assessment: LOW-MEDIUM

Key Strengths:

  • Zero Data Retention (ZDR) option available by default
  • No training on customer data by default
  • Data stored in Google Cloud Platform (GCP) US region
  • Standard Contractual Clauses (Module 2 & 3) in place
  • Short retention periods for specific features (30 days max)

Data Protection Highlights:

  • Customer data not retained by default (ZDR available)
  • Only retained if specific features enabled (batch processing, fine-tuning)
  • 30-day maximum retention for batch processing jobs
  • Data can be deleted earlier by customer
  • Encryption in transit and at rest
  • Access controls and monitoring in place

Why Transfers Are Lawful: Groq's Zero Data Retention option eliminates retention risk entirely for most use cases. For features requiring retention, 30-day maximum with customer deletion control provides strong protection. No-training commitment prevents indefinite incorporation into models. Residual risk is LOW-MEDIUM and acceptable under GDPR Article 46(2)(c).

RISK ASSESSMENT SUMMARY

Overall Risk Levels

Sub-Processor | Residual Risk | Primary Mitigation
Anthropic (Claude) | LOW-MEDIUM | 7-day retention, no training, strong certs
OpenAI (ChatGPT/API) | LOW-MEDIUM | 30-day retention, EU residency option, no training
Google (Gemini) | LOW | EU entity, regional data centers, mature program
Groq | LOW-MEDIUM | Zero data retention option, no training

Common Risk Mitigations Across All Sub-Processors

  1. Short Retention Periods: 7-30 days maximum (or zero for Groq)
  2. No AI Training: Enterprise data not used to train models
  3. Strong Encryption: TLS 1.2/1.3 in transit, AES-256 at rest
  4. Access Controls: MFA, RBAC, audit logging
  5. Certifications: ISO 27001, SOC 2 Type II minimum
  6. Limited Intelligence Value: Business AI data not typically of foreign intelligence interest
  7. Targeted, Not Bulk: Current US law interpretations require specific targets, not bulk collection

Why Residual Risk Is Acceptable

While US surveillance laws create theoretical access possibilities, the practical risk is LOW to LOW-MEDIUM because:

  • Data Retention Is Minimal: 7-30 days limits what exists to access
  • Business AI Data: Not typically of foreign intelligence interest
  • Technical Barriers: Encryption provides strong protection
  • No Training: Data not incorporated into models permanently
  • Targeted, Not Bulk: Current US law interpretations require specific targets
  • Supplementary Measures: Comprehensive technical and organizational protections in place

ONGOING MONITORING

Spock actively monitors all sub-processor transfers through:

Quarterly Activities

  • Review sub-processor security bulletins and updates
  • Monitor for sub-processor list changes
  • Track US surveillance law developments
  • Review usage patterns for data minimization opportunities

Annual Activities

  • Review SOC 2 Type II reports for all sub-processors
  • Verify current ISO and other certifications
  • Review transparency reports (where published)
  • Update Transfer Impact Assessments
  • Assess continued necessity of each sub-processor

Immediate Triggers for Reassessment

  • Material change to US surveillance laws
  • Security incident affecting sub-processor
  • Loss of security certifications
  • Changes to data retention policies
  • Introduction of AI training on enterprise data
  • New CJEU case law affecting US transfers
  • Sub-processor disclosure of government data request

CUSTOMER CONTROLS

How We Minimize Data Transfers

  1. Data Minimization: We process only the minimum necessary data
  2. Pre-Transfer Review: Sensitive data is anonymized or masked where possible
  3. Purpose Limitation: Data transferred only for specific AI processing purposes
  4. Short Retention: Automatic deletion after processing complete or maximum retention period

How Customers Can Further Reduce Risk

  • Use data minimization: Avoid including unnecessary personal data in prompts
  • Use synthetic data: For testing and development, use non-personal data
  • Regular reviews: Periodically assess whether AI processing is still necessary
  • Incident awareness: Report any concerns about data exposure promptly

TRANSPARENCY AND ACCOUNTABILITY

Documentation Available:

  • This TIA Summary
  • Sub-processor list (updated quarterly)
  • Data Processing Addendum (available on website)
  • Privacy Policy

REGULATORY COMPLIANCE

These Transfer Impact Assessments have been conducted in accordance with:

  • GDPR Article 46 (Transfer mechanisms)
  • EDPB Recommendations 01/2020 (Supplementary measures for international transfers)
  • CNIL Practical Guide (Transfer Impact Assessment methodology, January 2025 update)
  • Schrems II Judgment (C-311/18, requirements for US transfers)
  • EU Standard Contractual Clauses 2021/914

CONCLUSION

Based on comprehensive Transfer Impact Assessments, Spock has determined that transfers of personal data to our US-based AI sub-processors are lawful under GDPR Article 46(2)(c) when using Standard Contractual Clauses supplemented by the technical and organizational measures described above.

Key Takeaways:

  • All sub-processors have executed Standard Contractual Clauses
  • Comprehensive supplementary measures in place (technical, contractual, organizational)
  • Short retention periods (7-30 days) minimize exposure
  • No training on enterprise customer data
  • Multiple security certifications (ISO 27001, SOC 2, etc.)
  • Low practical risk due to nature of business AI data
  • Ongoing monitoring and annual reassessment
  • Customer controls available to further minimize risk

Residual Risk Level: LOW to LOW-MEDIUM across all sub-processors

We remain committed to protecting personal data and will continue to monitor these transfers, implementing additional safeguards as needed to ensure ongoing GDPR compliance.

For Questions or Concerns:

  • Data Protection Officer: Louis@spock.chat
  • Legal Department: Legal@spock.chat
  • Privacy Policy: https://spock.chat/privacy

This summary is provided for transparency purposes. Full Transfer Impact Assessments are maintained confidentially and available to customers, regulators, and auditors upon legitimate request.

Last updated: January 2025