Clozo

Transfer Impact Assessment (TIA) — Summary

Last updated: 13 May 2026

Following the CJEU's Schrems II judgment (C-311/18, July 2020), controllers transferring personal data to third countries must document a Transfer Impact Assessment under GDPR Articles 44-49 and EDPB Recommendations 01/2020. This page is the public executive summary of Clozo's internal TIA, available in full to AEPD inspectors and data subjects on request to legal@useclozo.com.

Sub-processors covered by this TIA

Five US-based sub-processors: Resend Inc. (transactional email), Anthropic PBC (AI text enhancement, used as a core service feature under Art. 6(1)(b) GDPR; input is PII-scrubbed before transmission and no opt-in is required), Cloudflare Inc. (CDN, edge security and R2 storage), PostHog Inc. (consent-gated product analytics), and Functional Software, Inc. (Sentry error monitoring, EU region used, SCC signed). Each operates under an active EU-US Data Privacy Framework (DPF) certification, or Standard Contractual Clauses (SCCs, Commission Implementing Decision (EU) 2021/914 of 4 June 2021), or both. Note: Stripe Payments Europe Ltd. (Ireland, EU) is the data importer of record for payments, so there is no third-country transfer on Clozo's side; any onward US sub-processing falls under Stripe's own SCC chain, which is re-evaluated annually. The full list with country, transfer mechanism, and data categories is published at /subprocessors.

Sub-processors NOT requiring a TIA

Crisp IM SAS (France), Geoapify GmbH (Germany), Gotenberg (self-hosted on Railway EU), VIES (EU institution): all operate within the EU/EEA and require no TIA. Sentry is hosted in its EU region but stays in scope above because the importer, Functional Software, Inc., is a US entity and is therefore assessed against the US laws listed in step (3).

Six-step EDPB methodology applied

(1) Know your transfers: every US importer documented with data categories and volume.
(2) Identify the transfer tool: DPF as the primary mechanism, SCCs as backup (SCCs are the sole mechanism for Anthropic, which is not DPF-certified).
(3) Assess third-country law: US FISA 702, EO 12333 and the CLOUD Act analysed per importer.
(4) Identify supplementary measures: encryption in transit (TLS 1.3) and at rest (AES-256-equivalent), PII scrubbing before transmission to Anthropic (apps/common/ai_scrub), hashed identifiers for marketing attribution (the Google sub-processor is not used by Clozo as of v1), and data minimisation.
(5) Implement procedural and contractual measures: DPAs signed with each US sub-processor.
(6) Re-evaluate at appropriate intervals: annual review, plus on any CJEU ruling affecting the DPF (a "Schrems III"), DPF withdrawal, or sub-processor change.
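The PII scrubbing in step (4) is the supplementary measure that most directly limits what the US importer can see, so it is worth showing what such a filter does and does not achieve. The code below is an illustration added for this summary; it is not Clozo's apps/common/ai_scrub module, and the regexes, placeholder format and sample sentence are assumptions constructed for the example. It replaces structured identifiers (email, phone, IBAN, Spanish DNI/NIE with the mod-23 control-letter check) by stable placeholders, keeps the placeholder-to-value map on the EU side, and rehydrates the model's reply. It does not recognise free-text names, which is why scrubbing counts as data minimisation and not anonymisation.

```python
"""Reversible PII scrubbing before text leaves for a third-country AI API.

Illustrative code written for this page; it is NOT Clozo's apps/common/ai_scrub.
Patterns, placeholder format and sample text are assumptions for the example.
"""
import re
from typing import Dict, List, Tuple

# Control letters for Spanish DNI/NIE: letter = TABLE[number % 23]
DNI_LETTERS = "TRWAGMYFPDXBNJZSQVHLCKE"


def valid_dni(candidate: str) -> bool:
    """Check the mod-23 control letter of a DNI (8 digits) or NIE (X/Y/Z + 7 digits)."""
    body, letter = candidate[:-1], candidate[-1]
    body = body.replace("X", "0").replace("Y", "1").replace("Z", "2")  # NIE prefix mapping
    if not body.isdigit():
        return False
    return DNI_LETTERS[int(body) % 23] == letter


# Ordered: the more specific patterns run first so an IBAN or DNI is not
# partially consumed by the generic phone-number rule.
PATTERNS: List[Tuple[str, re.Pattern]] = [
    ("EMAIL", re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")),
    ("IBAN", re.compile(r"\b[A-Z]{2}\d{2}(?:[ ]?[A-Z0-9]{4}){3,7}(?:[ ]?[A-Z0-9]{1,4})?\b")),
    ("DNI", re.compile(r"\b(?:[XYZ]\d{7}|\d{8})[A-Z]\b")),
    ("PHONE", re.compile(r"(?<![\w/])(?:\+\d{1,3}[ -]?)?(?:\d[ -]?){8,12}\d(?![\w/])")),
]


def scrub(text: str) -> Tuple[str, Dict[str, str]]:
    """Replace PII with placeholders like [EMAIL_1].

    Returns the scrubbed text (the only thing transmitted) and a
    placeholder -> original map that must stay on the EU side.
    """
    mapping: Dict[str, str] = {}
    seen: Dict[str, str] = {}      # original value -> placeholder (repeats reuse the token)
    counters: Dict[str, int] = {}

    def make_sub(kind: str):
        def sub(m: re.Match) -> str:
            value = m.group(0)
            # A DNI-shaped token with a bad control letter is treated as a
            # reference number, not PII (design choice: fewer false positives).
            if kind == "DNI" and not valid_dni(value):
                return value
            if value not in seen:
                counters[kind] = counters.get(kind, 0) + 1
                placeholder = f"[{kind}_{counters[kind]}]"
                seen[value] = placeholder
                mapping[placeholder] = value
            return seen[value]
        return sub

    for kind, pattern in PATTERNS:
        text = pattern.sub(make_sub(kind), text)
    return text, mapping


def rehydrate(model_output: str, mapping: Dict[str, str]) -> str:
    """Put the original values back into the text the model returned."""
    for placeholder, value in mapping.items():
        model_output = model_output.replace(placeholder, value)
    return model_output


# Constructed sample input; "Ref 99999999A" has an invalid control letter on purpose.
SAMPLE = (
    "Hola, soy Ana. Mi DNI es 12345678Z y mi correo ana.perez@example.com. "
    "Llámame al +34 612 345 678. IBAN ES91 2100 0418 4502 0005 1332. Ref 99999999A."
)

if __name__ == "__main__":
    scrubbed, mapping = scrub(SAMPLE)
    print(scrubbed)            # note that the first name "Ana" survives
    print(mapping)
    print(rehydrate(scrubbed, mapping) == SAMPLE)
```

The checksum filter is a tuning decision: it keeps order references out of the placeholder map at the cost of missing a mistyped DNI. A deployment that prefers over-redaction can drop the `valid_dni` gate and scrub every DNI-shaped token. Either way the un-scrubbed name in the sample shows the residual that only a named-entity model or a human review would catch.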

Conclusion

DPF certification, SCCs (Modules Two and Three) and the supplementary measures listed above together provide a level of protection essentially equivalent to that guaranteed within the EU, which is the standard GDPR Article 46 and Schrems II require. Residual risk (US government access via FISA 702) is materially reduced for the specific transfers Clozo performs because (a) Anthropic input is PII-scrubbed before transmission, (b) payment data is processed by Stripe Payments Europe Ltd. (Ireland, EU; no US transfer), (c) transactional email content via Resend is non-marketing and small in volume, (d) Cloudflare holds logged metadata only, with no plaintext business content, and (e) Sentry receives stack traces only, with PII scrubbing enabled. Anthropic is explicitly NOT EU-US DPF certified: SCCs are its sole transfer mechanism, documented in DPA §7 and Privacy Policy §6.

Request the full TIA

AEPD inspectors and data subjects exercising Article 15 rights may request the full internal TIA document by emailing legal@useclozo.com. The full document includes per-importer threat models, transparency reports, and counsel review status. The internal TIA is subject to Spanish DPO/counsel review (target 2026-Q3) before promotion from DRAFT to ACTIVE status.
