What makes Spock different from ChatGPT, Claude, and other AI tools?

Other AI gives you suggestions. Spock gives you finished work. Upload massive files, run multi-step workflows, connect to your tools. It works like a senior expert, not a chatbot.

Is my data private with Spock?

Your data stays yours. No training on your files. No sharing. Encrypted storage in EU data centers with full GDPR and POPIA compliance.

Is there a free trial for Spock?

No trial, but zero risk. Start with full access. If Spock doesn't work for you within 7 days, we'll refund you completely. No forms, no hassle.

How do I get help with Spock?

Email us directly at Louis@spock.chat or Tertius@spock.chat. When you sign up, you'll also get access to our WhatsApp community for quick questions.

Transfer Impact Assessment Summary | Trust Center | Spock

OVERVIEW

Spock has conducted comprehensive Transfer Impact Assessments (TIAs) for all US-based AI sub-processors used in our services, in accordance with GDPR Article 46 and EDPB Recommendations 01/2020. This summary provides transparency about our international data transfers and the safeguards we have implemented. This TIA covers US AI sub-processors only.

Sub-Processors Assessed:

Anthropic PBC (Claude AI)
OpenAI OpCo, LLC (ChatGPT & API)
Google Ireland Ltd / Google LLC (Gemini)
Groq, Inc. (Groq AI)

Overall Conclusion: All transfers to these sub-processors are lawful under GDPR Article 46(2)(c) using Standard Contractual Clauses, supplemented by appropriate technical and organizational measures. Residual risk levels are assessed as LOW to LOW-MEDIUM.

LEGAL FRAMEWORK

Transfer Mechanism

Primary: Standard Contractual Clauses (EU SCCs 2021/914)

Module 2: Controller to Processor
Module 3: Processor to Sub-processor

All sub-processors have executed SCCs incorporated into their Data Processing Addendums (DPAs).

US Laws Assessed

Our TIAs evaluated the following US surveillance and data access laws:

FISA Section 702

Permits targeted foreign intelligence surveillance
Requires Foreign Intelligence Surveillance Court (FISC) approval
Applies to non-US persons outside the US
Assessment: LOW risk for enterprise AI data (not typical intelligence target)

Executive Order 12333

Authorizes foreign signals intelligence collection
Cannot compel service providers to disclose data
Assessment: VERY LOW risk (encryption protects; cannot compel providers)

CLOUD Act

Permits law enforcement warrants for criminal investigations
Requires judicial approval and probable cause
Assessment: VERY LOW risk (business AI data rarely relevant to criminal cases)

Safeguards Identified:

Judicial oversight (FISC for FISA 702, federal judges for CLOUD Act)
Minimization procedures
Presidential Policy Directive 28 (PPD-28) protections
Available redress mechanisms

SUPPLEMENTARY MEASURES

We require all sub-processors to implement comprehensive supplementary measures beyond Standard Contractual Clauses:

Technical Measures

Measure	Implementation	Effectiveness
Encryption in Transit	TLS 1.2/1.3 for all communications	ESSENTIAL - Protects against interception
Encryption at Rest	AES-256 for stored data	ESSENTIAL - Protects stored data
Data Minimization	Only necessary data processed	VERY EFFECTIVE - Reduces exposure
Short Retention	7-30 days maximum	HIGHLY EFFECTIVE - Limits exposure window
Access Controls	MFA, RBAC, least privilege	ESSENTIAL - Prevents unauthorized access
Monitoring & Logging	24/7 SOC, SIEM, audit trails	EFFECTIVE - Enables detection

Contractual Measures

Measure	Implementation	Effectiveness
Standard Contractual Clauses	Executed directly or implicitly with all sub-processors	ESSENTIAL - Legal framework
No AI Training Commitment	Enterprise data not used for model training	VERY EFFECTIVE - No indefinite retention
Incident Notification	72-hour maximum notification	EFFECTIVE - Enables breach response
Audit Rights	SOC 2 reports, questionnaires	EFFECTIVE - Provides oversight
Sub-processor Approval	Customer notification and objection rights	EFFECTIVE - Controls onward transfers

Organizational Measures

Sub-processors maintain the following (specific certifications vary by provider; see individual assessments below):

ISO 27001 certification (Anthropic, OpenAI, Google)
SOC 2 Type II reports (Anthropic, OpenAI, Google)
24/7 Security Operations Centers
Documented incident response procedures
Regular third-party security audits
Vendor risk management programs

SUB-PROCESSOR SPECIFIC SUMMARIES

1. Anthropic PBC (Claude AI)

Location: United States (San Francisco, CA)

Risk Assessment: LOW-MEDIUM

Key Strengths:

7-day API retention (industry-leading short retention)
ISO 27001, ISO 42001 (AI Management), SOC 2 Type II certified
No training on enterprise customer data
Zero Data Retention (ZDR) option available
Strong encryption and access controls

Data Protection Highlights:

API logs retained for only 7 days by default
Optional 30-day retention available via DPA amendment
Zero Data Retention option for maximum data isolation
Data processed in Google Cloud Platform infrastructure
Comprehensive AI-specific security controls (ISO 42001)

Why Transfers Are Lawful: Anthropic's 7-day retention period is the shortest in the industry, significantly limiting the window for potential government access. Combined with strong encryption, no-training commitments, and multiple security certifications, the residual risk is LOW-MEDIUM and acceptable under GDPR Article 46(2)(c).

2. OpenAI OpCo, LLC (ChatGPT & API)

Location: United States (San Francisco, CA) / Ireland (EU entity available)

Risk Assessment: LOW-MEDIUM

Key Strengths:

30-day API retention maximum
EU data residency option available for eligible customers
ISO 27001, 27017, 27018, 27701, SOC 2 Type II certified
No training on enterprise/business customer data by default
EU-US Data Privacy Framework (DPF) certified

Data Protection Highlights:

API data automatically deleted after 30 days
EU data residency keeps customer content at rest in Europe
ChatGPT Enterprise retention controlled by workspace admin
Multiple ISO certifications covering cloud security and privacy
Comprehensive transparency reporting

Why Transfers Are Lawful: OpenAI's optional EU data residency significantly reduces US law exposure for stored data. Combined with 30-day maximum retention, strong encryption, no-training commitments, and comprehensive certifications, the residual risk is LOW-MEDIUM and acceptable under GDPR Article 46(2)(c). EU residency option further reduces risk.

3. Google Ireland Ltd / Google LLC (Gemini)

Location: Ireland (EU) / United States

Risk Assessment: LOW

Key Strengths:

EU data processing via Google Ireland Ltd for EEA customers
Regional data centers in EU available
ISO 27001, 27017, 27018, 27701, 42001, SOC 1/2/3 certified
FedRAMP High authorization (US government level security)
No training on enterprise Workspace/Cloud data
Mature, enterprise-grade security program

Data Protection Highlights:

EEA customers' data processed by Google Ireland Ltd under GDPR
Cloud Data Processing Addendum (CDPA) with SCCs built-in
Regional data residency options available
Extensive compliance certifications (HIPAA, FedRAMP, etc.)
Stateless processing for many Gemini operations
Enterprise-grade access controls and encryption

Why Transfers Are Lawful: Google's EU-based processing entity (Google Ireland Ltd), regional data centers, mature security program, and comprehensive certifications provide exceptionally strong protection. Google's enterprise infrastructure and no-training commitments further reduce risk. Residual risk is LOW and well within acceptable limits for GDPR Article 46(2)(c) transfers.

4. Groq, Inc. (Groq AI)

Location: United States

Risk Assessment: LOW-MEDIUM

Key Strengths:

Zero Data Retention (ZDR) option available by default
No training on customer data by default
Data stored in Google Cloud Platform (GCP) US region
Standard Contractual Clauses (Module 2 & 3) in place
Short retention periods for specific features (30 days max)

Data Protection Highlights:

Customer data not retained by default (ZDR available)
Only retained if specific features enabled (batch processing, fine-tuning)
30-day maximum retention for batch processing jobs
Data can be deleted earlier by customer
Encryption in transit and at rest
Access controls and monitoring in place

Why Transfers Are Lawful: Groq's Zero Data Retention option eliminates retention risk entirely for most use cases. For features requiring retention, 30-day maximum with customer deletion control provides strong protection. No-training commitment prevents indefinite incorporation into models. Residual risk is LOW-MEDIUM and acceptable under GDPR Article 46(2)(c).

RISK ASSESSMENT SUMMARY

Overall Risk Levels

Sub-Processor	Residual Risk	Primary Mitigation
Anthropic (Claude)	LOW-MEDIUM	7-day retention, no training, strong certs
OpenAI (ChatGPT/API)	LOW-MEDIUM	30-day retention, EU residency option, no training
Google (Gemini)	LOW	EU entity, regional data centers, mature program
Groq	LOW-MEDIUM	Zero data retention option, no training

Common Risk Mitigations Across All Sub-Processors

Short Retention Periods: 7-30 days maximum (or zero for Groq)
No AI Training: Enterprise data not used to train models
Strong Encryption: TLS 1.2/1.3 in transit, AES-256 at rest
Access Controls: MFA, RBAC, audit logging
Certifications: ISO 27001, SOC 2 Type II (Anthropic, OpenAI, Google); Groq relies on GCP infrastructure controls
Limited Intelligence Value: Business AI data not typically of foreign intelligence interest
Targeted, Not Bulk: Current US law interpretations require specific targets, not bulk collection

Why Residual Risk Is Acceptable

While US surveillance laws create theoretical access possibilities, the practical risk is LOW to LOW-MEDIUM because:

Data Retention Is Minimal: 7-30 days limits what exists to access
Business AI Data: Not typically of foreign intelligence interest
Technical Barriers: Encryption provides strong protection
No Training: Data not incorporated into models permanently
Targeted, Not Bulk: Current US law interpretations require specific targets
Supplementary Measures: Comprehensive technical and organizational protections in place

ONGOING MONITORING

Spock actively monitors all sub-processor transfers through:

Quarterly Activities

Review sub-processor security bulletins and updates
Monitor for sub-processor list changes
Track US surveillance law developments
Review usage patterns for data minimization opportunities

Annual Activities

Review SOC 2 Type II reports for sub-processors that hold them
Verify current ISO and other certifications where applicable
Review transparency reports (where published)
Update Transfer Impact Assessments
Assess continued necessity of each sub-processor

Immediate Triggers for Reassessment

Material change to US surveillance laws
Security incident affecting sub-processor
Loss of security certifications
Changes to data retention policies
Introduction of AI training on enterprise data
New CJEU case law affecting US transfers
Sub-processor disclosure of government data request

CUSTOMER CONTROLS

How We Minimize Data Transfers

Data Minimization: We process only the minimum necessary data
Pre-Transfer Review: Sensitive data is anonymized or masked where possible
Purpose Limitation: Data transferred only for specific AI processing purposes
Short Retention: Automatic deletion after processing complete or maximum retention period

How Customers Can Further Reduce Risk

Use data minimization: Avoid including unnecessary personal data in prompts
Use synthetic data: For testing and development, use non-personal data
Regular reviews: Periodically assess whether AI processing is still necessary
Incident awareness: Report any concerns about data exposure promptly

TRANSPARENCY AND ACCOUNTABILITY

Documentation Available:

This TIA Summary
Sub-processor list (updated quarterly)
Data Processing Addendum (available on website)
Privacy Policy

REGULATORY COMPLIANCE

These Transfer Impact Assessments have been conducted in accordance with:

GDPR Article 46 (Transfer mechanisms)
EDPB Recommendations 01/2020 (Supplementary measures for international transfers)
CNIL Practical Guide (Transfer Impact Assessment methodology, January 2025 update)
Schrems II Judgment (C-311/18, requirements for US transfers)
EU Standard Contractual Clauses 2021/914

CONCLUSION

Based on comprehensive Transfer Impact Assessments, Spock has determined that transfers of personal data to our US-based AI sub-processors are lawful under GDPR Article 46(2)(c) when using Standard Contractual Clauses supplemented by the technical and organizational measures described above.

Key Takeaways:

All sub-processors have executed Standard Contractual Clauses
Comprehensive supplementary measures in place (technical, contractual, organizational)
Short retention periods (7-30 days) minimize exposure
No training on enterprise customer data
Security certifications including ISO 27001, SOC 2 (varies by provider)
Low practical risk due to nature of business AI data
Ongoing monitoring and annual reassessment
Customer controls available to further minimize risk

Residual Risk Level: LOW to LOW-MEDIUM across all sub-processors

We remain committed to protecting personal data and will continue to monitor these transfers, implementing additional safeguards as needed to ensure ongoing GDPR compliance.

For Questions or Concerns:

Data Protection Officer: Louis@spock.chat
Legal Department: Legal@spock.chat
Privacy Policy: https://spock.chat/privacy

This summary is provided for transparency purposes. Full Transfer Impact Assessments are maintained confidentially and available to customers, regulators, and auditors upon legitimate request.