Data transfer
Transfer Impact Assessment
AutoRFP.ai's Onward Data Transfers
AutoRFP.ai safeguards the personal data our customers entrust us to process when we must transfer that data to a third country – whether for the purposes of support, security, or sub-processing.
AutoRFP.ai transfers Customer Content (as defined in our Privacy Statement and Data Protection Addendum) outside the European Union or the European Economic Area as necessary to provide AutoRFP.ai products and services to you. For example, we have offices around the world, and in some of those offices, our employees may need to access personal data. In a few circumstances, we may have vendors outside the European Union, or our vendors may be in the European Union but have operations in other countries.
The transfer impact assessments below identify and describe the risks associated with data transfers of Customer Content to third countries, as well as any supplementary measures we have taken – or those required our vendors to take – to safeguard Customer Content. Please refer to our Data Protection Addendum for any details, such as the nature of the processing or the retention period of the data, that are not specific to onward transfer. In all cases, the categories of data subjects are AutoRFP.ai customers and their end users. Please see our list of sub-processors to see where we transfer data to our vendors outside the European Union.
United States
Purpose for transfer and any further processing |
|---|
Internal transfer: AutoRFP.ai uses cloud service providers with infrastructure in the United States, and some Customer Content may be stored or processed in the US as part of our service delivery.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis): |
|---|
Internal transfer: Data is transferred on a continuous basis.
Categories of personal data transferred:
Internal transfer: Customer Content, as defined in AutoRFP.ai's Privacy Statement and Data Protection Addendum. |
|---|
Sensitive data transferred (if applicable):
We do not intentionally transfer any sensitive data to the United States, unless directed to by the controller. |
|---|
Applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved:
Internal transfer: AutoRFP.ai's applied security measures for internal transfers, details of which are available upon request in our policy pack. |
|---|
Supplemental Security Measures:
Internal transfer: Please see an overview of the supplementary measures we take to safeguard personal data, available upon request in our policy pack. |
|---|
Supplemental Organizational Measures:
Internal transfer: Please see an overview of the supplementary measures we take to safeguard organizational data, available upon request in our policy pack. |
|---|
Supplemental Contractual Measures:
Internal transfer: Please see an overview of the supplementary measures we take to safeguard organizational data, available upon request in our policy pack. |
|---|
Length of processing chain:
Internal transfer: Data is transferred internally within AutoRFP.ai and to our sub-processors. |
|---|
Applicable transfer mechanism:
Internal transfer: Standard Contractual Clauses for onward transfer to our sub-processors. |
|---|
Australia
Purpose for transfer and any further processing |
|---|
Internal transfer: AutoRFP.ai has an office in Australia, and AutoRFP.ai employees may need to access Customer Content for purposes such as support, anti-fraud, or security.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis): |
|---|
Internal transfer: Data is transferred on a continuous basis.
Categories of personal data transferred:
Internal transfer: Customer Content, as defined in AutoRFP.ai's Privacy Statement and Data Protection Addendum. |
|---|
Sensitive data transferred (if applicable):
We do not intentionally transfer any sensitive data to Australia, unless directed to by the controller. |
|---|
Applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved:
Internal transfer: AutoRFP.ai's applied security measures for internal transfers, details of which are available upon request in our policy pack. |
|---|
Supplemental Security Measures:
Internal transfer: Please see an overview of the supplementary measures we take to safeguard personal data, available upon request in our policy pack. |
|---|
Supplemental Organizational Measures:
Internal transfer: Please see an overview of the supplementary measures we take to safeguard organizational data, available upon request in our policy pack. |
|---|
Supplemental Contractual Measures:
Internal transfer: Please see an overview of the supplementary measures we take to safeguard organizational data, available upon request in our policy pack. |
|---|
Length of processing chain:
Internal transfer: Data is transferred internally within AutoRFP.ai. |
|---|
Applicable transfer mechanism:
Internal transfer: Binding Corporate Rules and Contractual Agreements with our employees. |
|---|
Canada
Purpose for transfer and any further processing |
|---|
Internal transfer: AutoRFP.ai has an office in Vancouver, Canada, and AutoRFP.ai employees may need to access Customer Content for purposes such as support, anti-fraud, or security.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis): |
|---|
Internal transfer: Data is transferred on a continuous basis.
Categories of personal data transferred:
Internal transfer: Customer Content, as defined in AutoRFP.ai's Privacy Statement and Data Protection Addendum. |
|---|
Sensitive data transferred (if applicable):
We do not intentionally transfer any sensitive data to Canada, unless directed to by the controller. |
|---|
Applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved:
Internal transfer: AutoRFP.ai's applied security measures for internal transfers, details of which are available upon request in our policy pack. |
|---|
Supplemental Security Measures:
Internal transfer: Please see an overview of the supplementary measures we take to safeguard personal data, available upon request in our policy pack. |
|---|
Supplemental Organizational Measures:
Internal transfer: Please see an overview of the supplementary measures we take to safeguard organizational data, available upon request in our policy pack. |
|---|
Supplemental Contractual Measures:
Internal transfer: Please see an overview of the supplementary measures we take to safeguard organizational data, available upon request in our policy pack. |
|---|
Length of processing chain:
Internal transfer: Data is transferred internally within AutoRFP.ai. |
|---|
Applicable transfer mechanism:
Internal transfer: Binding Corporate Rules and Contractual Agreements with our employees. |
|---|
European Union
Purpose for transfer and any further processing |
|---|
Internal transfer: AutoRFP.ai uses cloud service providers with infrastructure in EU regions, and Customer Content is stored in these regions when selected by the customer.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis): |
|---|
Internal transfer: Data is transferred on a continuous basis.
Categories of personal data transferred:
Internal transfer: Customer Content, as defined in AutoRFP.ai's Privacy Statement and Data Protection Addendum. |
|---|
Sensitive data transferred (if applicable):
We do not intentionally transfer any sensitive data outside the selected EU regions, unless directed to by the controller. |
|---|
Applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved:
Internal transfer: AutoRFP.ai's applied security measures for internal transfers, details of which are available upon request in our policy pack. |
|---|
Supplemental Security Measures:
Internal transfer: Please see an overview of the supplementary measures we take to safeguard personal data, available upon request in our policy pack. |
|---|
Supplemental Organizational Measures:
Internal transfer: Please see an overview of the supplementary measures we take to safeguard organizational data, available upon request in our policy pack. |
|---|
Supplemental Contractual Measures:
Internal transfer: Please see an overview of the supplementary measures we take to safeguard organizational data, available upon request in our policy pack. |
|---|
Length of processing chain:
Internal transfer: Data is transferred internally within AutoRFP.ai and to our sub-processors. |
|---|
Applicable transfer mechanism:
Internal transfer: Not applicable for EU-to-EU transfers as these are not considered international data transfers under GDPR. |
|---|