This TIA is scoped to international transfers under GDPR Chapter V, following EDPB Recommendations 01/2020 (proportionate approach).
Overview
Item | Description |
Exporter | Limoni Apps BV (EU) |
Importer(s) | Subprocessors (e.g. Microsoft, Shopify, Cloudflare; see the Subprocessor List) |
Transfer type | Controller → Processor / Processor → Subprocessor |
Data categories | Merchant data, limited end-customer order data |
Risk profile | Low to moderate |
Storage outside EU | Limited; primarily transient or metadata |
Data Categories Assessed
Category | Includes | Sensitivity |
Merchant identifiers | Name, email, store domain | Low |
End-customer identifiers | Name, email, address, phone | Moderate |
Order data | Products, prices, order ID | Low |
Technical data | Logs, timestamps, pseudonymous IDs | Low |
No special category data (Art. 9 GDPR) is processed.
Subprocessors & Transfer Context
Role of Limoni Apps in the data processing chain
Limoni Apps processes personal data primarily as a data processor on behalf of its merchant customers (controllers). In limited cases (e.g. account administration, billing, customer communications), Limoni Apps acts as an independent controller.
Where Limoni Apps engages third parties to support the provision, security, analytics, or communication features of the service, those third parties act as subprocessors (or processors, where Limoni Apps acts as controller).
Nature of international transfers
Some approved subprocessors are located outside the European Economic Area (EEA) or may process data in third countries, including the United States. Where personal data is transferred to countries without an adequacy decision under Article 45 GDPR, Limoni Apps relies on appropriate safeguards under Article 46 GDPR.
Transfer mechanism and SCC module selection
For international transfers to subprocessors in non-adequate jurisdictions, Limoni Apps relies on the EU Standard Contractual Clauses (SCCs), Commission Implementing Decision (EU) 2021/914, as incorporated into the relevant subprocessor’s Data Processing Agreement (DPA).
Because Limoni Apps most commonly acts as a processor, the applicable SCC configuration is generally Module 3 – Processor to Processor (P→P).
Where Limoni Apps acts as a controller for specific processing activities, or where a subprocessor’s DPA applies SCCs based on the customer’s role, Module 2 – Controller to Processor (C→P) may apply instead.
Subprocessor SCC evidence table
The table below documents the transfer mechanism and SCC module support per subprocessor, based on each vendor’s published DPA or contractual documentation.
Subprocessor | Transfer & SCC evidence |
Microsoft Azure | Processes data in the EU and United States. International transfers rely on the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914). Microsoft’s DPA applies processor-to-processor SCCs (Module 3) where Limoni Apps acts as a processor. |
AWS (incl. Amazon SES) | Processes data in the EU and United States. Transfers are governed by the EU Standard Contractual Clauses (2021). The AWS DPA explicitly supports both Module 2 (Controller→Processor) and Module 3 (Processor→Processor) depending on the customer’s role. |
Cloudflare | Processes data globally, including in non-EEA jurisdictions. Cloudflare applies the EU Standard Contractual Clauses (2021) and relies on the relevant SCC module(s) depending on the customer’s role in the processing. |
Bugsnag (SmartBear) | Processes data in the United States. Transfers rely on the EU Standard Contractual Clauses (2021). Public DPA documentation describes controller-to-processor SCCs (Module 2); Limoni Apps has assessed the safeguards and contractual commitments applicable to its processing context. |
Intercom | Processes data in the EU and United States. Intercom primarily relies on the EU-US Data Privacy Framework, and applies the EU Standard Contractual Clauses (2021) where required. The applicable SCC module is determined based on the customer’s role. |
ClickUp | Processes data in the EU and United States. Transfers rely on the EU Standard Contractual Clauses (2021). ClickUp’s DPA explicitly supports Module 2 (Controller→Processor) where Limoni Apps acts as a controller, and Module 3 (Processor→Processor) where Limoni Apps acts as a processor. |
GitBook | Processes data in the EU and United States. Transfers rely on the EU Standard Contractual Clauses (2021), with the applicable module determined by the customer’s role. |
Amazon SES | Processes data primarily in the United States. Covered under the AWS DPA, which incorporates the EU Standard Contractual Clauses (2021) and supports both Module 2 and Module 3 depending on processing roles. |
SendGrid (Twilio) | Processes data in the United States. Transfers rely on the EU Standard Contractual Clauses (2021). Twilio’s DPA explicitly supports both Module 2 (Controller→Processor) and Module 3 (Processor→Processor). |
Shopify | Processes data globally. Where international transfers occur, Shopify relies on the EU Standard Contractual Clauses (2021) using the relevant module(s) based on the processing role of the parties. |
Microsoft Clarity | Processes data in the EU and United States. Covered by Microsoft’s DPA, which incorporates the EU Standard Contractual Clauses (2021) and applies processor-to-processor SCCs (Module 3) where Limoni Apps acts as a processor. |
HubSpot | Processes data in the EU and United States. Transfers rely on the EU Standard Contractual Clauses (2021). HubSpot’s DPA explicitly supports both Module 2 and Module 3 depending on the customer’s role. |
Canny | Processes data in the United States. A Data Processing Agreement is provided contractually. SCC module support is reviewed as part of Limoni Apps’ vendor due-diligence process. |
An up-to-date list of subprocessors, including purposes and data categories, is maintained in the Subprocessor List, which forms part of this Transfer Impact Assessment by reference.
Transfer scope and data minimisation
Transfers to subprocessors are limited to what is necessary for the provision, security, maintenance, and improvement of the service. Each subprocessor is contractually restricted from using personal data for its own independent purposes.
Conclusion on transfer context
Taking into account:
Limoni Apps’ role as a processor,
the use of the 2021 SCCs (primarily Module 3),
documented SCC coverage by subprocessors,
and the limited, purpose-bound nature of the transfers,
Limoni Apps concludes that international transfers to its subprocessors are subject to appropriate safeguards within the meaning of Article 46 GDPR.
Legal Environment Assessment (Third Countries)
Factor | Assessment |
Government surveillance laws | Exist, but limited applicability |
Likelihood of access | Low |
Nature of data | Commercial, low sensitivity |
Identifiability | Often pseudonymous |
Bulk access risk | Low |
There is no evidence that transferred data is likely to be subject to disproportionate access.
Supplementary Measures Implemented
Technical Measures
TLS 1.2+ encryption in transit
Encryption at rest (AES-256, managed keys)
No long-term storage of end-customer data
Minimal logging of identifiers
Organizational Measures
Least-privilege RBAC
Production access restricted to authorized EU-based admin
Subprocessor vetting & DPAs
Feature-gated access to customer data
Contractual Measures
Vendor DPAs in place
Standard contractual protections
No onward transfer for unrelated purposes
Residual Risk Assessment
Risk | Likelihood | Impact | Conclusion |
Unauthorized access | Low | Moderate | Acceptable |
Government access | Very low | Low | Acceptable |
Data misuse | Very low | Low | Acceptable |
Conclusion
After assessing the nature of the data, the processing context, the legal environment of recipient countries, and the implemented supplementary measures, Limoni Apps BV concludes that international data transfers do not undermine the level of protection guaranteed under GDPR.
No additional safeguards are required at this time.
