O14 -- Transfer Impact Assessments

Pursuant to Article 46 GDPR, UK GDPR, and EDPB Recommendations 01/2020

Data Transfers to US-based and US-owned Sub-Processors

BMX Holdings Ltd

Trading as Orcha

Version 3.0

12.04.2026

Classification: Confidential

1. Introduction

This Transfer Impact Assessment (TIA) documents the lawfulness and safeguards applicable to personal data transfers from the European Union and United Kingdom to recipients in the United States. It serves as supplementary documentation to Orcha's Data Processing Agreements and Sub-Processor List (O3).

Legal Basis

This TIA is prepared in accordance with:

• Articles 44--49 GDPR (Chapter V: Transfers of Personal Data to Third Countries)
• UK GDPR Chapter V (retained EU law as modified by the International Data Transfer Addendum to the EU SCCs)
• CJEU judgment C-311/18 (Schrems II) and its implications for standard contractual clauses and supplementary measures
• EDPB Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with EU data protection law

Scope

This TIA covers personal data transfers to the following US-based and US-owned recipients:

• Anthropic, Inc. (San Francisco, CA) -- Claude API for document data extraction, classification, and tax compliance review
• Google LLC (Mountain View, CA) -- Document AI (OCR), Gemini API (AI processing), and Vertex AI (embeddings) for document processing
• Microsoft Corporation (Redmond, WA) -- Microsoft Entra ID (SSO authentication), Microsoft Graph API (Outlook email sync), and Bot Framework (Teams notifications)
• Slack Technologies, LLC (San Francisco, CA; Salesforce subsidiary) -- Notification delivery to customer-configured Slack channels
• Amazon Web Services EMEA SARL (Luxembourg, EU hosting) -- Cloud infrastructure (US-owned entity, data remains in EU)

Data transfers occur exclusively in connection with the services Orcha provides to its customers and are facilitated through Orcha's processing platform (hosted on AWS Frankfurt, EU).

2. Overview of Data Transfers

3. EDPB Six-Step Assessment

Step 1: Know Your Transfers

Data flows occur as follows:

1. Customer provides documents to the Orcha platform via upload, email forwarding, or OAuth-connected mailboxes
2. Documents are stored at rest in AWS Frankfurt (EU)
3. For AI processing, Orcha makes API calls to Anthropic and Google, transmitting document content, page images (where applicable), and associated metadata necessary for processing
4. The AI sub-processor processes the data and returns a response
5. The response is stored back in AWS Frankfurt

No customer platform credentials are transmitted to AI sub-processors. AI sub-processors are contractually prohibited from retaining input data beyond the processing call or using it for model training.

For authentication and mailbox integrations (Microsoft, Google), Orcha accesses data directly from the identity provider using customer-granted OAuth tokens. For notification channels (Slack, Teams), Orcha transmits notification messages to customer-configured endpoints.

Step 2: Identify the Transfer Tool (Article 46 GDPR)

Orcha relies on the following tools:

• EU Standard Contractual Clauses (SCCs): Commission Implementing Decision (EU) 2021/914, Module 2 (Controller-to-Processor). This module governs transfers where the importer is a data processor acting on behalf of the exporter.
• UK Addendum to the SCCs: ICO International Data Transfer Addendum, Version B1.0, for transfers of UK personal data and UK GDPR compliance.
• EU-US Data Privacy Framework (DPF): Participation by Google, Microsoft, and Amazon in the DPF provides an additional adequacy mechanism under Commission Adequacy Decision C(2023) 4745. The DPF supplements but does not replace the SCCs.

Step 3: Assess Third Country Law (USA)

The United States legal framework governing data access and surveillance is relevant to this assessment:

FISA Section 702

Section 702 of the Foreign Intelligence Surveillance Act permits the US government to conduct surveillance targeting non-US persons reasonably believed to be outside the US. Under this authority, technology providers may be issued directives requiring disclosure of communications data.

Mitigation: Contractual zero-retention commitments at AI sub-processors limit the data available to produce in response to such directives. Transport-level encryption reduces interception risk during transmission.

Executive Order 12333

Executive Order 12333 permits US intelligence agencies to conduct signals intelligence collection, including bulk interception of international communications.

Mitigation: All data transfers occur over encrypted TLS connections. Primary data storage is located in the EU, limiting the exposure of data outside of specific processing calls.

CLOUD Act

The Clarifying Lawful Overseas Use of Data Act (CLOUD Act) requires US-based companies to produce data to US law enforcement, regardless of where the data is stored.

Mitigation: Orcha's customer data is stored at rest in AWS Frankfurt, EU. Contractual commitments with AI sub-processors prohibit persistent storage of transmitted data. For AWS, contractual commitments limit storage to the selected EU region.

Executive Order 14086 (October 2022)

This Executive Order introduced proportionality and necessity requirements for US intelligence collection and established a Data Protection Review Court to hear challenges from foreign nationals claiming US intelligence infringement. This order was a critical step toward the EU-US Data Privacy Framework adequacy decision and represents an improvement in US legal safeguards for data subjects.

Overall US Legal Framework Risk Assessment

Risk Level: MEDIUM

Justification: US law permits broad government access to data held by US-based companies. Primary data storage in the EU, transport encryption, and contractual commitments limiting persistence at US-based AI sub-processors reduce -- but do not eliminate -- the practical risk.

Step 4: Identify Supplementary Measures

Orcha implements the following supplementary measures to address US law risks:

Technical Measures

• TLS encryption for all API calls to AI and notification sub-processors
• EU-based primary storage: all customer data at rest remains in AWS Frankfurt
• EU-based OCR and embeddings: Google Document AI (EU region) and Vertex AI embeddings (europe-west1) process data within the EU
• Fully automated AI processing with no human review or access at the sub-processor end
• Encryption at rest for database, object storage, and message queues

Contractual Measures

• Data Processing Agreements (DPAs) executed with sub-processors
• Contractual commitment to no retention of input data beyond the processing call (AI sub-processors)
• Contractual prohibition on use of customer data for model training (AI sub-processors)
• Commitment to notify Orcha of government data access requests (to the extent legally permitted)
• Commitment to challenge overbroad government requests

Organisational Measures

• Annual review of this TIA and assessment of transfer mechanisms
• Continuous monitoring of US legal and regulatory developments (FISA reauthorisation, DPF adequacy challenges)
• Fallback plan: If supplementary measures become insufficient, switch to EU-based processing alternatives

Step 5: Procedural Steps

• Implement supplementary measures prior to data transfers
• Document all technical measures in O1 (Technical and Organisational Measures)
• Document all sub-processor relationships in O3 (Sub-Processor List) and maintain current DPAs
• Ensure SCCs and UK Addendum are properly executed and retained

Step 6: Re-evaluate at Appropriate Intervals

• Annual review: This TIA shall be reviewed and updated annually (next scheduled review: April 2027)
• Ad-hoc review: Material change in US law, CJEU or EDPB guidance, change of sub-processor, DPF adequacy challenge outcome
• Automatic review trigger: Receipt of a government data access request at any sub-processor

4. Individual Transfer Impact Assessment: Anthropic, Inc.

Company Profile

Anthropic, Inc. is a private AI safety company headquartered in San Francisco, California. Anthropic develops the Claude family of large language models and provides API access to these models through a commercial service.

Services Used

Claude API for automated document data extraction, classification, and tax compliance review (invoice line item extraction, vendor identification, field-level data structuring).

Data Flow

Customer documents stored in AWS Frankfurt are transmitted over TLS to Anthropic's API endpoint for processing. The API returns structured extraction results, which are stored back in AWS Frankfurt. Under the applicable DPA, Anthropic does not retain input or output data beyond the API transaction and does not use customer data for model training.

Transfer Mechanism

• EU SCCs Module 2 (Controller-to-Processor) -- Commission Implementing Decision (EU) 2021/914
• UK Addendum to the SCCs (Version B1.0)

US Law Exposure

Anthropic is a private AI company, not a telecommunications provider. This lowers baseline FISA Section 702 exposure compared to major tech conglomerates or telecoms. However, as a US-based company, Anthropic remains subject to FISA, Executive Order 12333, and CLOUD Act obligations.

Risk of receiving a government data access request: Low-to-Medium.

Supplementary Measures Specific to Anthropic

• Contractual no-retention commitment: customer data is not retained beyond the processing call
• Contractual prohibition on using customer data for model training
• Encrypted transit (TLS)
• Annual verification: Orcha shall verify Anthropic's contractual commitments through DPA renewal or annual compliance certification

Risk Determination

Status: ACCEPTABLE WITH CONDITIONS

Conditions: (1) Maintained contractual no-retention commitment; (2) No use of customer data for model training; (3) Annual verification of Anthropic's contractual commitments; (4) Continued encryption of all API traffic.

5. Individual Transfer Impact Assessment: Google LLC

Company Profile

Google LLC is a wholly owned subsidiary of Alphabet Inc., headquartered in Mountain View, California. Google is one of the world's largest technology companies and a known recipient of US government data access requests across multiple business lines.

Services Used

• Google Document AI for optical character recognition (EU region)
• Google Gemini API for AI-powered classification, email triage, post-processing, document matching, supplier verification, and vision transcription
• Google Vertex AI for semantic search embeddings (europe-west1 region)

Data Flow

Customer documents and derived text are transmitted over TLS to Google's processing endpoints. Document AI and Vertex AI process data within EU regions. Gemini API calls are served via Google's global endpoint. Under the applicable DPA, Google does not retain customer data beyond the API transaction and does not use it for model training.

Transfer Mechanism

• EU SCCs Module 2 (Controller-to-Processor)
• UK Addendum to the SCCs
• EU-US Data Privacy Framework (DPF): Google is listed as a DPF-certified organisation. The DPF provides an adequacy mechanism supplementing the SCCs and offers additional procedural safeguards and redress mechanisms.

US Law Exposure

Google is a large technology company with a significant US government and law enforcement client base. Public disclosures indicate that Google receives a substantial volume of government data access requests annually.

Risk of receiving a government data access request: Medium-to-High.

Google's DPF certification demonstrates compliance with enhanced US safeguards (Executive Order 14086) and creates contractual obligations to limit surveillance to what is necessary and proportionate. The DPF also establishes a Data Protection Review Court mechanism allowing foreign nationals to challenge US government surveillance orders.

Supplementary Measures Specific to Google

• Contractual no-retention commitment for Document AI, Gemini API, and Vertex AI
• Contractual prohibition on using customer data for model training
• EU regional processing for Document AI and Vertex AI
• Encrypted transit (TLS)
• DPF certification: Google's participation in the EU-US DPF provides an additional contractual safeguard layer, including:
  • Proportionality and necessity requirements on US government surveillance
  • Data Protection Review Court access for data subjects
  • Commitment to challenge overbroad orders
• Annual verification: Orcha shall verify Google's DPF certification status and contractual commitments annually

Risk Determination

Status: ACCEPTABLE WITH CONDITIONS

Conditions: (1) Maintained DPF certification and continued participation in the EU-US DPF; (2) Contractual no-retention commitment for all used Google AI services; (3) No use of customer data for model training or secondary purposes; (4) Annual verification of DPF certification status and contractual commitments; (5) Continued encryption of all API traffic.

6. Individual Transfer Impact Assessment: Microsoft Corporation

Company Profile

Microsoft Corporation is a US technology company headquartered in Redmond, Washington. Microsoft provides identity, productivity, and cloud services used by Orcha and its customers.

Services Used

• Microsoft Entra ID (formerly Azure Active Directory) for SSO authentication when users sign in with a Microsoft account
• Microsoft Graph API for accessing customer Outlook mailboxes via OAuth (email acquisition)
• Bot Framework for delivering notifications to customer-configured Microsoft Teams channels

Data Flow

For SSO authentication, user identity data (email, name, tenant ID) flows between Microsoft and Orcha as part of the OAuth/OIDC protocol. For Outlook email acquisition, Orcha accesses email data held at Microsoft using customer-granted OAuth tokens; subscription mechanisms are maintained to receive push notifications of new messages. For Teams notifications, Orcha transmits notification messages containing document processing status.

Transfer Mechanism

• EU SCCs Module 2 (Controller-to-Processor)
• UK Addendum to the SCCs
• EU-US Data Privacy Framework (DPF): Microsoft is listed as a DPF-certified organisation

US Law Exposure

Microsoft is a large US technology company subject to FISA, Executive Order 12333, and CLOUD Act obligations. Microsoft regularly receives and responds to government data access requests, and publishes regular transparency reports.

Risk of receiving a government data access request: Medium-to-High.

Microsoft's DPF certification creates contractual obligations for proportionality and redress. Microsoft has publicly committed to challenging overbroad government requests and has litigated such cases.

Supplementary Measures Specific to Microsoft

• Encrypted transit (TLS) for all Graph API and authentication calls
• DPF certification: Provides proportionality requirements and Data Protection Review Court access
• OAuth-based access: Mailbox access requires an explicit customer grant and can be revoked by the customer at any time
• Annual verification: Orcha shall verify Microsoft's DPF certification status annually

Risk Determination

Status: ACCEPTABLE WITH CONDITIONS

Conditions: (1) Maintained DPF certification; (2) Encrypted transit (TLS); (3) Customer-granted OAuth scope for mailbox access; (4) Annual verification of DPF certification status.

7. Individual Transfer Impact Assessment: Slack Technologies, LLC

Company Profile

Slack Technologies, LLC is a US-based communications platform headquartered in San Francisco, California, operated as a subsidiary of Salesforce, Inc.

Services Used

Slack API (chat.postMessage) for delivering notifications to customer-configured Slack workspaces.

Data Flow

When a customer configures a Slack channel as a notification target, Orcha transmits notification messages over TLS to Slack's API. Messages contain document processing status and may include supplier names and document references.

Transfer Mechanism

• EU SCCs Module 2 (Controller-to-Processor)
• UK Addendum to the SCCs

US Law Exposure

As a US-based communications provider, Slack is subject to FISA, Executive Order 12333, and CLOUD Act obligations.

Risk of receiving a government data access request: Medium.

The data transmitted to Slack is limited to notification messages; customer documents themselves are not transferred to Slack.

Supplementary Measures Specific to Slack

• Encrypted transit (TLS)
• Limited data scope: only notification text, not document content
• Customer control: Slack integration is configured by the customer and can be disabled at any time
• Data Processing Agreement (DPA) with Salesforce covering Slack services

Risk Determination

Status: ACCEPTABLE WITH CONDITIONS

Conditions: (1) DPA in place with Salesforce covering Slack services; (2) Encrypted transit (TLS); (3) Limited data scope as described.

8. Individual Transfer Impact Assessment: Amazon Web Services (AWS)

Company Profile

Amazon Web Services EMEA SARL (Luxembourg) provides cloud infrastructure services. AWS is a subsidiary of Amazon.com, Inc. (USA). While Orcha's data is hosted in the EU (AWS Frankfurt, eu-central-1), AWS as a US-owned company is subject to US jurisdiction, which warrants a transfer risk assessment even though data does not leave the EU.

Services Used

Cloud hosting, compute (EC2), relational database (RDS), object storage (S3), message queuing (SQS), authentication (Cognito), key management (KMS), email receiving and sending (SES), secrets management, and backup services. AWS is the primary infrastructure provider for the Orcha platform.

Data Storage and Processing

All customer data at rest is stored exclusively within the AWS Frankfurt data centre (eu-central-1, Germany). No customer data is transferred to or stored in any AWS region outside the EU. AWS provides contractual commitments to process data only in the selected region.

Transfer Mechanism

Primary position: No third-country transfer occurs. Data is processed and stored exclusively in the EU (Frankfurt). However, as AWS is a US-owned entity, the following safeguards apply as a precautionary measure:

• AWS Data Processing Addendum (DPA) incorporating EU SCCs
• UK Addendum to the SCCs
• EU-US Data Privacy Framework (DPF): Amazon is a DPF-certified organisation
• Supplementary contractual commitment to EU-only data processing

US Law Exposure

Amazon is a large US technology company with significant government contracts. FISA Section 702 and CLOUD Act exposure is elevated. However, the critical mitigating factor is that all customer data resides in the EU -- any US government request would face jurisdictional challenges under EU blocking regulations and GDPR Article 48.

Risk of a government data access request affecting EU-stored data: Low.

The EU data residency commitment, combined with GDPR Article 48 protections, creates a strong legal barrier against extraterritorial US access requests.

Supplementary Measures Specific to AWS

• EU data residency: all data stored and processed in AWS Frankfurt (eu-central-1) only
• Encryption at rest: database storage, object storage, and message queues encrypted using AWS-managed encryption; sensitive application fields additionally encrypted using a customer-managed AWS KMS key with automatic annual rotation
• Encryption in transit: TLS for all data transfers
• Access controls: IAM policies restricting access to authorised Orcha personnel only
• DPF certification: Amazon's participation provides additional safeguards
• AWS commitment to challenge government requests: AWS has publicly committed to challenging requests that conflict with EU law
• Annual verification: review of AWS compliance certifications (SOC 2, ISO 27001, BSI C5)

Risk Determination

Status: ACCEPTABLE

Rationale: No actual third-country transfer occurs. Data remains in the EU at all times. AWS's US ownership creates a theoretical jurisdictional risk, but this is effectively mitigated by EU data residency, encryption, and GDPR Article 48 protections. No additional conditions required beyond maintaining the current EU-only hosting configuration.

9. Conclusion and Ongoing Monitoring

Orcha has assessed data transfers to Anthropic, Google, Microsoft, Slack, and AWS in accordance with EDPB Recommendations 01/2020 and the six-step assessment framework. Based on the combination of contractual commitments, transport encryption, EU primary storage, and DPF certification where applicable, transfers are permissible under Article 46 GDPR and UK GDPR Chapter V.

Key Dependencies

• Contractual no-retention and no-training commitments from Anthropic and Google must remain in force
• TLS encryption for all API calls must remain in place
• DPF certifications of Google, Microsoft, and Amazon must remain valid; if revoked or materially weakened, this TIA must be re-evaluated
• EU data residency for AWS-hosted data must be maintained

Monitoring Responsibilities

• Data Protection Contact: Annual review of this TIA, assessment of US legal developments
• Technical Lead: Verification of encryption settings and data transfer configurations
• Managing Director: Escalation of any government data access requests and approval of any changes to transfer mechanisms

Escalation Procedure

• If a sub-processor reports receipt of a government data access request, Orcha shall immediately convene a review of this TIA
• If US law changes materially (e.g., FISA reauthorisation, limitation on proportionality safeguards), Orcha shall trigger an ad-hoc TIA review
• If the EU-US DPF is invalidated or significantly weakened, the status of affected sub-processors shall be re-evaluated within 30 days
• If supplementary measures are deemed insufficient, Orcha shall halt transfers to the affected sub-processor and switch to EU-based alternatives

10. Approval and Signatures

Data Protection Contact / Data Protection Officer

Signature: ________________________ Date: ________________

Technical Lead

Signature: ________________________ Date: ________________

Managing Director

Signature: ________________________ Date: ________________

Change History