Back to Legal

Data Transfers
Addendum

Last updated: February 22, 2026

This Data Transfers Addendum (“Addendum”) supplements the Data Processing Addendum and the Platform Agreement. It describes the mechanisms Cyrenza, Inc. (“Cyrenza”) uses to ensure lawful international transfers of personal data.

1. Scope

1.1. This Addendum applies where Cyrenza transfers Personal Data from the European Economic Area (“EEA”), United Kingdom (“UK”), or Switzerland to countries that have not received an adequacy decision from the relevant authority.

2. Primary Processing Location

2.1. The Services are primarily operated from data centers located in the United States.

2.2. Enterprise customers may specify data residency requirements. See the Security Addendum for details on data residency options.

3. Transfer Mechanisms

3.1 Standard Contractual Clauses (EEA)

3.1.1. For transfers of Personal Data from the EEA, Cyrenza relies on the Standard Contractual Clauses (“SCCs”) adopted by the European Commission (Commission Implementing Decision (EU) 2021/914).

3.1.2. The applicable modules are:

  • Module 2 (Controller to Processor): Where Customer (as Controller) transfers Personal Data to Cyrenza (as Processor).
  • Module 3 (Processor to Sub-Processor): Where Cyrenza transfers Personal Data to its subprocessors.

3.1.3. The SCCs are incorporated into this Addendum by reference. In the event of conflict between this Addendum and the SCCs, the SCCs shall prevail.

3.2 UK International Data Transfer Addendum

3.2.1. For transfers of Personal Data from the United Kingdom, Cyrenza relies on the UK International Data Transfer Addendum to the EU SCCs (“UK IDTA”), issued by the Information Commissioner’s Office under Section 119A of the UK Data Protection Act 2018.

3.2.2. The UK IDTA supplements the SCCs for purposes of UK transfers.

3.3 Swiss Transfers

3.3.1. For transfers from Switzerland, the SCCs apply as recognized by the Swiss Federal Data Protection and Information Commissioner, with applicable modifications for Swiss law.

4. Supplementary Measures

4.1. In addition to the SCCs, Cyrenza implements the following supplementary measures to protect transferred Personal Data:

4.1.1 Technical Measures

  • Encryption of Personal Data at rest (AES-256) and in transit (TLS 1.3).
  • Per-tenant encryption keys managed through hardware-backed key management.
  • Pseudonymization and field-level encryption for sensitive data.
  • Multi-tenancy isolation with cryptographic separation between tenants.
  • Data loss prevention and PII detection scanning.

4.1.2 Organizational Measures

  • Access to Personal Data is restricted to authorized personnel on a need-to-know basis.
  • Personnel with access to Personal Data are subject to confidentiality obligations.
  • Regular security training for all employees.
  • Documented incident response procedures with defined notification timelines.

4.1.3 Contractual Measures

  • Data processing agreements with all subprocessors.
  • Subprocessors are contractually prohibited from using Personal Data for purposes other than providing the contracted services.
  • AI model providers are contractually prohibited from using Customer Data for model training.

5. Transfer Impact Assessment

5.1. Cyrenza has conducted a Transfer Impact Assessment considering:

  • The legal framework of the United States regarding government access to data.
  • The types of Personal Data transferred.
  • The technical and organizational safeguards in place.
  • The risk to data subjects’ rights and freedoms.

5.2. Based on this assessment, Cyrenza has determined that the supplementary measures described in Section 4, combined with the SCCs, provide an adequate level of protection for transferred Personal Data.

5.3. Cyrenza will reassess the Transfer Impact Assessment periodically and in response to material changes in the legal landscape.

6. Government Access Requests

6.1. Cyrenza’s practices regarding government access requests are described in our Law Enforcement Request Policy.

6.2. Cyrenza has not received any orders requiring bulk or indiscriminate access to Customer Data, and would challenge any such order to the extent permitted by law.

6.3. Cyrenza will notify the affected customer of a government access request before disclosure, unless legally prohibited from doing so.

7. Data Subject Rights

7.1. Data subjects whose Personal Data is transferred under this Addendum retain all rights provided under the applicable data protection law and the SCCs, including the right to lodge a complaint with a supervisory authority and to seek judicial remedy.

8. Subprocessor Transfers

8.1. Where Cyrenza engages subprocessors in countries without an adequacy decision, Cyrenza ensures that appropriate transfer mechanisms (including SCCs Module 3) are in place.

8.2. A current list of subprocessors and their locations is maintained at the Subprocessor List.

Built on trust. Ready to work.

The policies you've just read aren't just compliance — they're how we build. Deploy AI Knowledge Workers with enterprise-grade security, privacy by design, and full transparency across every industry.

Analyzing documents and extracting insights

Working now...