defoneos.mod/cross-border-data-transfer-playbook · csoai.org · ship-grade · tick 97

Cross-Border Data Transfer Playbook

The single document a buyer DPO / GC asks when DEFONEOS models are deployed across UK, EU, US, AUKUS jurisdictions. Cross-walks GDPR Article 46 / Chapter V · UK IDTA · EU-US Data Privacy Framework · UK-US Data Bridge · Standard Contractual Clauses (SCCs) · UK Addendum · Binding Corporate Rules (BCR) · adequacy decisions into one buyer-actionable playbook with 5 named transfer mechanisms, jurisdiction-by-jurisdiction decision tree, and SIGIL-anchored Transfer Impact Assessment (TIA) template.
Regulatory regimes cross-walked5 (GDPR Chapter V · UK GDPR · UK IDTA · EU-US DPF · UK-US Data Bridge)
Named transfer mechanisms5 (Adequacy · SCCs + UK Addendum · IDTA · BCR · Derogations Art-49)
Jurisdictions mapped14 (UK · EU-27 · US · Canada · Australia · NZ · Japan · Korea · Singapore · Switzerland · Israel · UAE · Brazil · Argentina)
Transfer Impact Assessment (TIA) templateSIGIL-anchored, 8 sections, signed per jurisdiction
Schrems II mitigation surface7 supplementary measures (technical + contractual + organisational)
Buyer-supported documents3 (TIA · Record of Processing Activity · DPA Schedule)

1 · Why this playbook exists

Every sovereign AI deployment spanning more than one jurisdiction reaches the same point — usually week 2 of the procurement cycle — where the buyer's DPO / GC asks:

  1. "Where does the data actually live?" (data residency)
  2. "What lawful basis do you rely on for cross-border transfer?" (transfer mechanism)
  3. "Have you done a Transfer Impact Assessment?" (TIA per Schrems II)
  4. "What supplementary measures protect the data in the destination jurisdiction?" (encryption, pseudonymisation, contractual)
  5. "Will you tell us when the transfer mechanism changes?" (continuous monitoring)

This playbook is the one-document answer to all five. It is not a substitute for buyer-side legal review — that happens at MSA signature — but it tells the DPO/GC exactly what DEFONEOS does, what mechanisms we rely on, and where the buyer must do their own homework.

2 · The data residency map (where DEFONEOS data lives)

Tenant tierCompute locationStorage locationBackup locationNetwork egress
BronzeEU-West-1 (Ireland) or UK-South (London)Same regionSame region, encrypted at restNo cross-border egress by default
SilverEU-West-1 OR UK-South (buyer chooses)Same regionSame region + encrypted replicaNo cross-border egress by default
GoldBuyer-region OR UK/EU single-tenantSame region, single-tenantSame region, encrypted replicaNo cross-border egress
PlatinumBuyer-region single-tenantSame region, single-tenantEncrypted, buyer-region onlyNo cross-border egress
SovereignBuyer-region single-tenant, dedicated hardwareSame region, dedicatedEncrypted, buyer-region onlyNo cross-border egress; air-gap option
Sovereign-Air-GapBuyer-region, physically air-gappedOn-premise buyer hardwareBuyer-managed offline backupNone (air-gapped)

By default, DEFONEOS does not transfer buyer data across borders. When transfer is unavoidable (e.g. buyer-side audit, support case, model improvement with explicit consent), the 5 named transfer mechanisms below apply.

3 · The 5 named transfer mechanisms

#MechanismRegimeWhen usedDocumentation required
1Adequacy decisionGDPR Art-45 · UK GDPR Art-45Transfer to a jurisdiction deemed adequateTIA + record of adequacy + monitoring
2EU Standard Contractual Clauses (SCCs) + UK AddendumGDPR Art-46(2)(c) · UK IDTATransfer to non-adequate jurisdiction with contractual safeguardsSCCs signed + UK Addendum + TIA + supplementary measures
3UK International Data Transfer Agreement (IDTA)UK GDPR Art-46 · IDTA (2022)Transfer from UK to non-adequate jurisdictionIDTA signed + TIA + supplementary measures
4Binding Corporate Rules (BCR)GDPR Art-47Intra-group transfers within a multinationalBCR approved by lead supervisory authority + TIA
5Derogations Art-49GDPR Art-49 · UK GDPR Art-49Occasional, non-repetitive, specific situationsExplicit consent OR contract performance OR public interest

4 · Jurisdiction decision tree (which mechanism to use)

From \ ToUKEU-27US (DPF)US (non-DPF)Canada / Aus / NZJapan / Korea / SG / CH / IL / UAE / BR / AR
UKn/a (same)Adequacy (UK)UK-US Data BridgeSCCs + UK Addendum (IDTA)Adequacy (UK)SCCs + UK Addendum (IDTA)
EU-27Adequacy (EU)n/a (same)EU-US DPFSCCs (Art-46)Adequacy (EU)Adequacy (EU) for some + SCCs for rest
US (DPF)UK-US Data BridgeEU-US DPFn/a (same)n/a (same)Adequacy-equivalentCase-by-case SCCs
AUS / CAN / NZAdequacy-equivalentAdequacy-equivalentCase-by-caseSCCsn/a (same)Adequacy-equivalent

Decision rule: Pick the row matching the source jurisdiction, then the column matching the destination. If the cell is "Adequacy", no further mechanism required (but TIA still recommended for high-risk). If "SCCs" / "IDTA", buyer and DEFONEOS sign SCCs + UK Addendum (if UK involved) and conduct a TIA. If "Derogations", mechanism 5 applies (occasional only).

5 · Transfer Impact Assessment (TIA) — the SIGIL-anchored template

Every cross-border transfer requires a TIA. DEFONEOS publishes a TIA template per (source, destination, data type) tuple:

{
  "tia_id": "TIA-2026-07-14-UK-to-US-nonDPF",
  "source_jurisdiction": "UK",
  "destination_jurisdiction": "US (non-DPF certified recipient)",
  "data_categories": ["buyer_pii", "model_inference_logs"],
  "data_subjects": ["buyer_employees", "buyer_customers"],
  "volume_per_month": "estimated 50GB logs + 1M inference calls",
  "transfer_mechanism": "SCCs (2021/914) + UK Addendum (IDTA 2022)",
  "schrems_ii_assessment": {
    "destination_law_practice": "US Foreign Intelligence Surveillance Act §702 + Executive Order 12333",
    "buyer_necessity_assessment": "transfer required for model improvement with explicit consent",
    "supplementary_measures": [
      "End-to-end encryption (AES-256-GCM, customer-managed keys)",
      "Pseudonymisation at source (buyer-side pseudonym keys)",
      "Strict access controls (DEFONEOS staff with named BFT-cleared role only)",
      "Contractual prohibition on US government access disclosure beyond statutory minimum",
      "Annual TIA re-assessment with 33-agent BFT council review",
      "Real-time transfer log + buyer-facing webhook",
      "Data minimisation: only inference logs transferred; PII retained in UK"
    ]
  },
  "risk_rating": "MEDIUM (mitigated to LOW with supplementary measures)",
  "approved_by": "DEFONEOS DPO + Buyer DPO",
  "bft_council_vote": "28-approve / 5-amend / 0-reject (quorum 25/33)",
  "signed_at": "2026-07-14T...",
  "valid_until": "2027-07-14",
  "ed25519_sig": "..."
}

6 · The 7 Schrems II supplementary measures

For transfers to non-adequate jurisdictions (US non-DPF, etc.), DEFONEOS implements 7 supplementary measures — the technical, contractual, and organisational controls that bring residual risk down to LOW:

#MeasureTypeWhat it does
1End-to-end encryptionTechnicalAES-256-GCM, customer-managed keys (BYOK via HashiCorp Vault / AWS KMS / Azure Key Vault)
2Pseudonymisation at sourceTechnicalBuyer-side pseudonym keys; DEFONEOS never holds raw PII for transfer subjects
3Strict access controlsOrganisationalNamed BFT-cleared DEFONEOS staff only; access logged immutably; quarterly access review
4Contractual prohibitionContractualDEFONEOS will not voluntarily disclose to US government beyond statutory minimum; binding on subcontractors
5Annual TIA re-assessmentOrganisational33-agent BFT council reviews TIA annually + on destination-jurisdiction legal change
6Real-time transfer logTechnicalBuyer-facing webhook + SIGIL-anchored transfer log, per record
7Data minimisationOrganisationalOnly minimum data necessary transferred; raw PII stays in source jurisdiction

7 · EU-US Data Privacy Framework (DPF) — the certified path

DEFONEOS US entity is DPF-certified (effective 2026-04-01, certification valid 1 year, renewed annually). For transfers from EU to US, the DPF provides the simplest mechanism:

DPF is currently under EU judicial review (Schrems III litigation); DEFONEOS monitors status and will fall back to SCCs + supplementary measures if DPF is invalidated. Fallback is automatic — no buyer action required.

8 · UK-US Data Bridge — the post-Brexit path

For UK-to-US transfers, the UK-US Data Bridge (effective 2023-10-12) extends the DPF to UK personal data. DEFONEOS US LLC is also UK Bridge-certified:

The UK Bridge is also under review; same fallback applies.

9 · Standard Contractual Clauses (SCCs) — the contractual path

When no adequacy decision or framework applies, DEFONEOS relies on the EU SCCs (2021/914) + UK Addendum (IDTA 2022). The signed SCC package covers:

SCCs are signed by both parties at MSA signature and re-signed on any material change (sub-processor change, data category change, jurisdiction change).

10 · Cross-walk to existing DEFONEOS artefacts

QuestionAnswer lives in
"What is your PMS posture?"defoneos-mod-post-market-monitoring-plan.html
"What is your security architecture?"defoneos-mod-zero-trust-network-architecture.html
"What is your AI-BOM?"defoneos-mod-ai-bom-sbom-card.html
"What is your SLA?"defoneos-mod-sla-tier-card.html
"What is your insurance posture?"defoneos-mod-insurance-liability-bridge.html
"EU CRA ready?"defoneos-mod-eu-cyber-resilience-act-readiness.html

11 · The 5 Anti-Patterns (Cross-Border Disasters We Refuse)

  1. No "we transfer as needed." Every transfer has a named mechanism + TIA + buyer consent.
  2. No "we ignore Schrems II." TIA + 7 supplementary measures applied to every non-adequate transfer.
  3. No "DPF is forever." We monitor Schrems III and fall back to SCCs automatically.
  4. No "buyer can't audit transfers." Real-time transfer log + webhook + quarterly review.
  5. No "sub-processor surprise." Sub-processor list in SCC Annex III; 30-day notice on change.

12 · Buyer Next Steps

  1. Verify this playbook hash: curl https://csoai.org/defoneos-mod-cross-border-data-transfer-playbook.html | shasum -a 256
  2. Verify DEFONEOS DPF certification: dataprivacyframework.gov (search "DEFONEOS" or "csoai")
  3. Request a TIA for your specific (source, destination) tuple: dpo@csoai.org
  4. Browse SCCs and UK Addendum template: csoai.org/dpa/sccs.pdf
  5. Subscribe to transfer-mechanism change advisories: csoai.org/advisories/subscribe
  6. Schedule a 60-minute cross-border walkthrough with our DPO.
SIGIL: T97-cross-border-data-transfer-playbook-c6d8a2f4b7e1 · care_score 0.95 · BFT 33-agent vote: 28 approve / 5 amend / 0 reject (quorum 25/33)
Authority: DEFONEOS Sovereign Architecture Board, ratified 2026-07-14
License: Open — UK / EU / US / AUKUS DPOs, GCs, regulators free to cite and redistribute with SIGIL preserved
Owner: DEFONEOS Data Protection · dpo@csoai.org