Every sovereign AI deployment spanning more than one jurisdiction reaches the same point — usually week 2 of the procurement cycle — where the buyer's DPO / GC asks:
This playbook is the one-document answer to all five. It is not a substitute for buyer-side legal review — that happens at MSA signature — but it tells the DPO/GC exactly what DEFONEOS does, what mechanisms we rely on, and where the buyer must do their own homework.
| Tenant tier | Compute location | Storage location | Backup location | Network egress |
|---|---|---|---|---|
| Bronze | EU-West-1 (Ireland) or UK-South (London) | Same region | Same region, encrypted at rest | No cross-border egress by default |
| Silver | EU-West-1 OR UK-South (buyer chooses) | Same region | Same region + encrypted replica | No cross-border egress by default |
| Gold | Buyer-region OR UK/EU single-tenant | Same region, single-tenant | Same region, encrypted replica | No cross-border egress |
| Platinum | Buyer-region single-tenant | Same region, single-tenant | Encrypted, buyer-region only | No cross-border egress |
| Sovereign | Buyer-region single-tenant, dedicated hardware | Same region, dedicated | Encrypted, buyer-region only | No cross-border egress; air-gap option |
| Sovereign-Air-Gap | Buyer-region, physically air-gapped | On-premise buyer hardware | Buyer-managed offline backup | None (air-gapped) |
By default, DEFONEOS does not transfer buyer data across borders. When transfer is unavoidable (e.g. buyer-side audit, support case, model improvement with explicit consent), the 5 named transfer mechanisms below apply.
| # | Mechanism | Regime | When used | Documentation required |
|---|---|---|---|---|
| 1 | Adequacy decision | GDPR Art-45 · UK GDPR Art-45 | Transfer to a jurisdiction deemed adequate | TIA + record of adequacy + monitoring |
| 2 | EU Standard Contractual Clauses (SCCs) + UK Addendum | GDPR Art-46(2)(c) · UK IDTA | Transfer to non-adequate jurisdiction with contractual safeguards | SCCs signed + UK Addendum + TIA + supplementary measures |
| 3 | UK International Data Transfer Agreement (IDTA) | UK GDPR Art-46 · IDTA (2022) | Transfer from UK to non-adequate jurisdiction | IDTA signed + TIA + supplementary measures |
| 4 | Binding Corporate Rules (BCR) | GDPR Art-47 | Intra-group transfers within a multinational | BCR approved by lead supervisory authority + TIA |
| 5 | Derogations Art-49 | GDPR Art-49 · UK GDPR Art-49 | Occasional, non-repetitive, specific situations | Explicit consent OR contract performance OR public interest |
| From \ To | UK | EU-27 | US (DPF) | US (non-DPF) | Canada / Aus / NZ | Japan / Korea / SG / CH / IL / UAE / BR / AR |
|---|---|---|---|---|---|---|
| UK | n/a (same) | Adequacy (UK) | UK-US Data Bridge | SCCs + UK Addendum (IDTA) | Adequacy (UK) | SCCs + UK Addendum (IDTA) |
| EU-27 | Adequacy (EU) | n/a (same) | EU-US DPF | SCCs (Art-46) | Adequacy (EU) | Adequacy (EU) for some + SCCs for rest |
| US (DPF) | UK-US Data Bridge | EU-US DPF | n/a (same) | n/a (same) | Adequacy-equivalent | Case-by-case SCCs |
| AUS / CAN / NZ | Adequacy-equivalent | Adequacy-equivalent | Case-by-case | SCCs | n/a (same) | Adequacy-equivalent |
Decision rule: Pick the row matching the source jurisdiction, then the column matching the destination. If the cell is "Adequacy", no further mechanism required (but TIA still recommended for high-risk). If "SCCs" / "IDTA", buyer and DEFONEOS sign SCCs + UK Addendum (if UK involved) and conduct a TIA. If "Derogations", mechanism 5 applies (occasional only).
Every cross-border transfer requires a TIA. DEFONEOS publishes a TIA template per (source, destination, data type) tuple:
{
"tia_id": "TIA-2026-07-14-UK-to-US-nonDPF",
"source_jurisdiction": "UK",
"destination_jurisdiction": "US (non-DPF certified recipient)",
"data_categories": ["buyer_pii", "model_inference_logs"],
"data_subjects": ["buyer_employees", "buyer_customers"],
"volume_per_month": "estimated 50GB logs + 1M inference calls",
"transfer_mechanism": "SCCs (2021/914) + UK Addendum (IDTA 2022)",
"schrems_ii_assessment": {
"destination_law_practice": "US Foreign Intelligence Surveillance Act §702 + Executive Order 12333",
"buyer_necessity_assessment": "transfer required for model improvement with explicit consent",
"supplementary_measures": [
"End-to-end encryption (AES-256-GCM, customer-managed keys)",
"Pseudonymisation at source (buyer-side pseudonym keys)",
"Strict access controls (DEFONEOS staff with named BFT-cleared role only)",
"Contractual prohibition on US government access disclosure beyond statutory minimum",
"Annual TIA re-assessment with 33-agent BFT council review",
"Real-time transfer log + buyer-facing webhook",
"Data minimisation: only inference logs transferred; PII retained in UK"
]
},
"risk_rating": "MEDIUM (mitigated to LOW with supplementary measures)",
"approved_by": "DEFONEOS DPO + Buyer DPO",
"bft_council_vote": "28-approve / 5-amend / 0-reject (quorum 25/33)",
"signed_at": "2026-07-14T...",
"valid_until": "2027-07-14",
"ed25519_sig": "..."
}
For transfers to non-adequate jurisdictions (US non-DPF, etc.), DEFONEOS implements 7 supplementary measures — the technical, contractual, and organisational controls that bring residual risk down to LOW:
| # | Measure | Type | What it does |
|---|---|---|---|
| 1 | End-to-end encryption | Technical | AES-256-GCM, customer-managed keys (BYOK via HashiCorp Vault / AWS KMS / Azure Key Vault) |
| 2 | Pseudonymisation at source | Technical | Buyer-side pseudonym keys; DEFONEOS never holds raw PII for transfer subjects |
| 3 | Strict access controls | Organisational | Named BFT-cleared DEFONEOS staff only; access logged immutably; quarterly access review |
| 4 | Contractual prohibition | Contractual | DEFONEOS will not voluntarily disclose to US government beyond statutory minimum; binding on subcontractors |
| 5 | Annual TIA re-assessment | Organisational | 33-agent BFT council reviews TIA annually + on destination-jurisdiction legal change |
| 6 | Real-time transfer log | Technical | Buyer-facing webhook + SIGIL-anchored transfer log, per record |
| 7 | Data minimisation | Organisational | Only minimum data necessary transferred; raw PII stays in source jurisdiction |
DEFONEOS US entity is DPF-certified (effective 2026-04-01, certification valid 1 year, renewed annually). For transfers from EU to US, the DPF provides the simplest mechanism:
dataprivacyframework.gov)DPF is currently under EU judicial review (Schrems III litigation); DEFONEOS monitors status and will fall back to SCCs + supplementary measures if DPF is invalidated. Fallback is automatic — no buyer action required.
For UK-to-US transfers, the UK-US Data Bridge (effective 2023-10-12) extends the DPF to UK personal data. DEFONEOS US LLC is also UK Bridge-certified:
The UK Bridge is also under review; same fallback applies.
When no adequacy decision or framework applies, DEFONEOS relies on the EU SCCs (2021/914) + UK Addendum (IDTA 2022). The signed SCC package covers:
SCCs are signed by both parties at MSA signature and re-signed on any material change (sub-processor change, data category change, jurisdiction change).
| Question | Answer lives in |
|---|---|
| "What is your PMS posture?" | defoneos-mod-post-market-monitoring-plan.html |
| "What is your security architecture?" | defoneos-mod-zero-trust-network-architecture.html |
| "What is your AI-BOM?" | defoneos-mod-ai-bom-sbom-card.html |
| "What is your SLA?" | defoneos-mod-sla-tier-card.html |
| "What is your insurance posture?" | defoneos-mod-insurance-liability-bridge.html |
| "EU CRA ready?" | defoneos-mod-eu-cyber-resilience-act-readiness.html |
curl https://csoai.org/defoneos-mod-cross-border-data-transfer-playbook.html | shasum -a 256dataprivacyframework.gov (search "DEFONEOS" or "csoai")dpo@csoai.orgcsoai.org/dpa/sccs.pdfcsoai.org/advisories/subscribedpo@csoai.org