Transfer Impact Assessment (TIA) — Stub
As of 2026-05-06 · Version 1.0.0
Note: This is a preliminary stub. The final TIA is produced jointly with the Controller's data protection officer before production go-live and made available on request.
1. Context
The platform uses cloud providers (Vercel, Supabase) with US parent companies, while physical data processing takes place in EU data centres (Frankfurt am Main, fra1 / eu-central-1). This TIA assesses the risks of indirect third-country exposure and documents supplementary measures.
2. Legal Framework
- CJEU "Schrems II" (C-311/18) — third-country transfers only at an "essentially equivalent level of protection"
- EDPB Recommendation 01/2020 — TIA methodology in 6 steps
- Standard Contractual Clauses 2021/914 as a basis
- GDPR Art. 44-49 — general international transfer rules
3. Data Processed
- Supplier master data (company name, address, VAT ID)
- Contact data (name, email, phone)
- Bank details (IBAN, BIC) — encrypted at rest (AES-256)
- Contract data (orders, offers, prices)
- Certificates, mill certificates (technical)
No special categories under Art. 9 GDPR.
4. Risk Assessment — US Authority Access
FISA 702: applies to "Electronic Communication Service Providers"; Vercel + Supabase potentially covered.
CLOUD Act: extraterritorial access by US authorities to data in the custody of US companies — including EU data centres.
Probability for our data categories: low. Supplier master data + IBANs have no nexus to US intelligence interests. Sector: B2B Mittelstand, not politically sensitive.
Severity if it occurs: medium. IBAN disclosure would be economically relevant but no personal injury.
5. Supplementary Measures (TOMs per EDPB)
- Encryption at rest: AES-256 (Supabase Postgres TDE; storage buckets encrypted)
- Encryption in transit: TLS 1.3
- End-to-end encryption infrastructure: ECDH key exchange for sensitive E2EE content (keys remain with Controller, no platform plaintext access)
- Access logging: audit log for all security-critical actions (IBAN changes in particular)
- Pseudonymisation: user IDs in logs are UUIDs without name reference
- Contractual lock-in to EU region: Frankfurt region pinning; re-localisation requires consent
- Data minimisation: no US-specific data categories (e.g. SSN) stored
6. Residual Risk Assessment
With the supplementary measures and the low likelihood of occurrence, the residual risk is assessed as acceptable. A reassessment takes place at least annually or upon material changes (new subprocessor, changed EU/US legal framework).
7. Updates
| Date | Trigger | Responsible |
|---|---|---|
| 2026-05-06 | Initial creation (stub) | Gluth Systemtechnik GmbH |
| TBD | Finalisation with Controller DPO | TBD |
8. Availability
The final TIA is not public; it is provided on Controller's written request. Requests to: info@gluth.eu.