Data transfer

Transfer Impact Assessment
AutoRFP.ai's Onward Data Transfers


AutoRFP.ai safeguards the personal data our customers entrust us to process when we must transfer that data to a third country – whether for the purposes of support, security, or sub-processing.


AutoRFP.ai transfers Customer Content (as defined in our Privacy Statement and Data Protection Addendum) outside the European Union or the European Economic Area as necessary to provide AutoRFP.ai products and services to you. For example, we have offices around the world, and in some of those offices, our employees may need to access personal data. In a few circumstances, we may have vendors outside the European Union, or our vendors may be in the European Union but have operations in other countries.


The transfer impact assessments below identify and describe the risks associated with data transfers of Customer Content to third countries, as well as any supplementary measures we have taken – or have required our vendors to take – to safeguard Customer Content. Please refer to our Data Protection Addendum for any details, such as the nature of the processing or the retention period of the data, that are not specific to onward transfer. In all cases, the categories of data subjects are AutoRFP.ai customers and their end users. Please see our list of sub-processors to see where we transfer data to our vendors outside the European Union.


Frequently Asked Questions

What is a transfer impact assessment?

A transfer impact assessment (TIA) is a comprehensive evaluation that identifies and analyzes the risks associated with transferring personal data from the European Union to third countries that do not have an adequacy decision from the European Commission.

Under the General Data Protection Regulation (GDPR) and guidance from European data protection authorities, organizations must conduct TIAs when relying on Standard Contractual Clauses (SCCs) or other transfer mechanisms to ensure that personal data transferred outside the EU receives an essentially equivalent level of protection.

Our TIA evaluates:

  • The laws and practices in the destination country that may impinge on the effectiveness of safeguards

  • The nature and purpose of the data transfer

  • The categories of personal data being transferred

  • Any additional technical, organizational, and contractual measures needed to ensure adequate protection

This assessment helps us demonstrate compliance with the requirements of GDPR Articles 44-49 (Chapter V) for international data transfers and ensures we maintain the high standards of data protection our customers expect.

Is AutoRFP.ai taking supplementary measures to protect personal data?

Yes, AutoRFP.ai implements comprehensive supplementary measures across three key areas to ensure personal data receives adequate protection during international transfers:

Technical Security Measures:

  • End-to-end encryption of data in transit and at rest using industry-standard AES-256 encryption

  • Advanced access controls and authentication mechanisms including multi-factor authentication

  • Network segmentation and monitoring to prevent unauthorized access

  • Regular vulnerability assessments and penetration testing

  • Data pseudonymization and tokenization where technically feasible

Organizational Measures:

  • Strict data minimization principles - we only transfer data that is necessary for the specified purpose

  • Comprehensive staff training on data protection requirements and cross-border transfer obligations

  • Regular audits and compliance monitoring of our transfer practices

  • Incident response procedures specifically addressing international data transfers

  • Clear data retention and deletion policies aligned with our Data Retention Policy

Contractual Measures:

  • Implementation of Standard Contractual Clauses with all sub-processors handling EU personal data

  • Additional contractual obligations beyond SCCs requiring enhanced security measures

  • Binding Corporate Rules for internal transfers within the AutoRFP.ai organization

  • Regular review and updates of contractual arrangements to address evolving regulatory requirements

These measures are regularly reviewed and updated to address changes in legislation, technology, and risk assessments in destination countries.

I don't want my data to leave Europe. Do you offer local or regional storage in the EU?

Yes, AutoRFP.ai offers EU-regional data residency options to customers who require their data to remain within European Union boundaries.

EU Data Residency Features:

  • Customer Content can be stored exclusively in EU-based cloud infrastructure

  • Data processing operations are conducted within EU regions when this option is selected

  • No transfer of Customer Content outside the EU unless explicitly directed by you as the data controller

How to Enable EU Data Residency:

  • EU data residency can be configured during account setup or migrated for existing accounts

  • Contact our support team to discuss your specific data residency requirements

  • Enterprise customers can work with our solutions team to implement custom data residency configurations

Important Considerations:

  • Some limited operational data (such as account metadata and billing information) may still be processed outside the EU for essential service functions

  • EU data residency may affect certain integrations or features that rely on global infrastructure

  • Support and security monitoring may involve limited access by AutoRFP.ai personnel in other regions under strict access controls and audit logging

For customers with strict regulatory requirements or those who prefer to keep all data within EU borders, we recommend discussing your specific needs with our compliance team who can provide detailed guidance on our EU data residency options and any associated considerations.

United States

Purpose for transfer and any further processing

Internal transfer: AutoRFP.ai uses cloud service providers with infrastructure in the United States, and some Customer Content may be stored or processed in the US as part of our service delivery.

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis):

Internal transfer: Data is transferred on a continuous basis.

Categories of personal data transferred:

Internal transfer: Customer Content, as defined in AutoRFP.ai's Privacy Statement and Data Protection Addendum.

Sensitive data transferred (if applicable):

We do not intentionally transfer any sensitive data to the United States, unless directed to by the controller.

Applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved:

Internal transfer: AutoRFP.ai's applied security measures for internal transfers, details of which are available upon request in our policy pack.

Supplemental Security Measures:

Internal transfer: Please see an overview of the supplementary measures we take to safeguard personal data, available upon request in our policy pack.

Supplemental Organizational Measures:

Internal transfer: Please see an overview of the supplementary measures we take to safeguard organizational data, available upon request in our policy pack.

Supplemental Contractual Measures:

Internal transfer: Please see an overview of the supplementary measures we take to safeguard organizational data, available upon request in our policy pack.

Length of processing chain:

Internal transfer: Data is transferred internally within AutoRFP.ai and to our sub-processors.

Applicable transfer mechanism:

Internal transfer: Standard Contractual Clauses for onward transfer to our sub-processors.

Australia

Purpose for transfer and any further processing

Internal transfer: AutoRFP.ai has an office in Australia, and AutoRFP.ai employees may need to access Customer Content for purposes such as support, anti-fraud, or security.

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis):

Internal transfer: Data is transferred on a continuous basis.

Categories of personal data transferred:

Internal transfer: Customer Content, as defined in AutoRFP.ai's Privacy Statement and Data Protection Addendum.

Sensitive data transferred (if applicable):

We do not intentionally transfer any sensitive data to Australia, unless directed to by the controller.

Applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved:

Internal transfer: AutoRFP.ai's applied security measures for internal transfers, details of which are available upon request in our policy pack.

Supplemental Security Measures:

Internal transfer: Please see an overview of the supplementary measures we take to safeguard personal data, available upon request in our policy pack.

Supplemental Organizational Measures:

Internal transfer: Please see an overview of the supplementary measures we take to safeguard organizational data, available upon request in our policy pack.

Supplemental Contractual Measures:

Internal transfer: Please see an overview of the supplementary measures we take to safeguard organizational data, available upon request in our policy pack.

Length of processing chain:

Internal transfer: Data is transferred internally within AutoRFP.ai.

Applicable transfer mechanism:

Internal transfer: Binding Corporate Rules and Contractual Agreements with our employees.

Canada

Purpose for transfer and any further processing

Internal transfer: AutoRFP.ai has an office in Vancouver, Canada, and AutoRFP.ai employees may need to access Customer Content for purposes such as support, anti-fraud, or security.

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis):

Internal transfer: Data is transferred on a continuous basis.

Categories of personal data transferred:

Internal transfer: Customer Content, as defined in AutoRFP.ai's Privacy Statement and Data Protection Addendum.

Sensitive data transferred (if applicable):

We do not intentionally transfer any sensitive data to Canada, unless directed to by the controller.

Applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved:

Internal transfer: AutoRFP.ai's applied security measures for internal transfers, details of which are available upon request in our policy pack.

Supplemental Security Measures:

Internal transfer: Please see an overview of the supplementary measures we take to safeguard personal data, available upon request in our policy pack.

Supplemental Organizational Measures:

Internal transfer: Please see an overview of the supplementary measures we take to safeguard organizational data, available upon request in our policy pack.

Supplemental Contractual Measures:

Internal transfer: Please see an overview of the supplementary measures we take to safeguard organizational data, available upon request in our policy pack.

Length of processing chain:

Internal transfer: Data is transferred internally within AutoRFP.ai.

Applicable transfer mechanism:

Internal transfer: Binding Corporate Rules and Contractual Agreements with our employees.

European Union

Purpose for transfer and any further processing

Internal transfer: AutoRFP.ai uses cloud service providers with infrastructure in EU regions, and Customer Content is stored in these regions when selected by the customer.

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis):

Internal transfer: Data is transferred on a continuous basis.

Categories of personal data transferred:

Internal transfer: Customer Content, as defined in AutoRFP.ai's Privacy Statement and Data Protection Addendum.

Sensitive data transferred (if applicable):

We do not intentionally transfer any sensitive data outside the selected EU regions, unless directed to by the controller.

Applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved:

Internal transfer: AutoRFP.ai's applied security measures for internal transfers, details of which are available upon request in our policy pack.

Supplemental Security Measures:

Internal transfer: Please see an overview of the supplementary measures we take to safeguard personal data, available upon request in our policy pack.

Supplemental Organizational Measures:

Internal transfer: Please see an overview of the supplementary measures we take to safeguard organizational data, available upon request in our policy pack.

Supplemental Contractual Measures:

Internal transfer: Please see an overview of the supplementary measures we take to safeguard organizational data, available upon request in our policy pack.

Length of processing chain:

Internal transfer: Data is transferred internally within AutoRFP.ai and to our sub-processors.

Applicable transfer mechanism:

Internal transfer: Not applicable for EU-to-EU transfers as these are not considered international data transfers under GDPR.