INTL-01

Will data be collected from or processed in or stored in the European Economic Area (EEA)?

Explanation

This question asks whether your service or system will handle personal data (collect, process, or store it) within the European Economic Area (EEA), which comprises the EU member states plus Iceland, Liechtenstein, and Norway.

Why it matters: the question goes directly to whether the GDPR (General Data Protection Regulation) applies to you. GDPR applies when personal data is processed in the context of an establishment in the EEA, and also when an organization outside the EEA offers goods or services to, or monitors the behaviour of, people in the EEA (Art. 3). Where it applies, it brings strict data protection standards, data subject rights, breach notification duties, and potentially significant penalties for non-compliance.

The question is asked in a security assessment because:

1. GDPR compliance creates specific legal obligations for your organization.
2. It may require specific technical and organizational measures to protect personal data.
3. It determines which transfer mechanisms you need if data moves outside the EEA.
4. It influences how you structure your data processing agreements.

When answering, be specific about:

- Whether you have any infrastructure (servers, data centers) in the EEA
- Whether you collect data from people in the EEA
- Whether you process data in the EEA, even temporarily
- Whether you use third-party services that store data in the EEA

Be honest and thorough: an inaccurate answer here can lead to compliance issues later.

Guidance

See GDPR Chapter 1, Art. 3 (territorial scope) and Art. 4 (definitions).

Example Responses

Example Response 1

Yes, our service collects and processes data in the EEA. We maintain data centers in Frankfurt, Germany, and Dublin, Ireland, where customer data is stored and processed. Additionally, we collect data from EEA residents through our web application. We have implemented comprehensive GDPR compliance measures, including Data Protection Impact Assessments, appointing a Data Protection Officer, maintaining records of processing activities, and establishing data subject request procedures. All third-party processors we use in the EEA are bound by Data Processing Agreements that meet GDPR Article 28 requirements.

Example Response 2

No, we do not collect data from, process data in, or store data in the EEA. Our infrastructure is based entirely in North America, with data centers in the US and Canada. We do not actively market to or target EEA residents, and our terms of service explicitly state that our services are not intended for use by EEA residents. Our technical measures include IP-based geolocation filtering that prevents account creation from EEA IP addresses. We regularly audit our user base to ensure we maintain this separation.

Example Response 3

Partially. While we don't maintain any infrastructure within the EEA, we do collect data from EEA residents who use our service. This data is immediately transferred to our US-based data centers for processing and storage. We recognize this means we are subject to GDPR requirements despite not having a physical presence in the EEA. We're currently working to implement appropriate safeguards for international data transfers, including Standard Contractual Clauses, but we have not yet completed our GDPR compliance program. This represents a compliance gap that we're actively addressing through our 12-month roadmap.

Context

Tab: Privacy
Category: International Privacy

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain points. They were confusing, hard to delegate and arrived like London buses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron
Founder, ResponseHub