Data Transfer Impact Assessment
Last updated: April 2026 · Next review: October 2026
Purpose. This Data Transfer Impact Assessment documents HumanKey's analysis of personal data transfers outside the European Economic Area (EEA) in line with the European Data Protection Board's Recommendations 01/2020 on measures that supplement transfer tools (final version, 18 June 2021) following the Court of Justice of the European Union's Schrems II ruling.
§1. Introduction and Scope
HumanKey provides AI crawler analytics and bot detection services to website publishers and e-commerce operators. To deliver the Services, HumanKey engages a limited set of sub-processors, some of which are established outside the EEA. This assessment documents the transfer impact analysis for those transfers and the supplementary measures HumanKey applies to ensure a level of protection essentially equivalent to the GDPR.
This assessment should be read alongside HumanKey's Data Processing Agreement, Data Protection Impact Assessment summary, and Sub-Processors page.
1.1 Legal basis for transfer
HumanKey relies on the following transfer mechanisms under Chapter V of the GDPR:
- Standard Contractual Clauses (SCCs). The European Commission's standard contractual clauses (Decision (EU) 2021/914) are the default mechanism for transfers to sub-processors that are not DPF-certified. Module 2 (Controller-to-Processor) and Module 3 (Processor-to-Processor) are applied as appropriate.
- EU-US Data Privacy Framework (DPF). Where a sub-processor is actively certified under the Data Privacy Framework, HumanKey relies on the DPF adequacy decision of 10 July 2023 alongside (not in place of) the SCCs as a defence in depth.
1.2 Scope of assessment
This assessment covers every sub-processor on HumanKey's published sub-processor list that (a) is established outside the EEA, or (b) is a controlled subsidiary of a parent entity established outside the EEA and may therefore be subject to third-country legal process. Sub-processors operating exclusively within the EEA (Neon Frankfurt, Railway Amsterdam, Sentry EU region) are documented here for completeness but do not require a Chapter V mechanism beyond the Article 28 DPA.
§2. Destination-country analysis
The only destination country for HumanKey sub-processor transfers is the United States of America. The categories of data, purpose, frequency, and transfer mechanism are documented below following the methodology in Annex 3 of the EDPB Recommendations.
2.1 United States
| Assessment item | United States |
| --- | --- |
| Purpose for transfer | Operational infrastructure (compute, CDN, DNS, object storage), payment processing, transactional email delivery, error monitoring, and aggregate AI advisory analytics. |
| Frequency | Continuous for operational infrastructure; event-driven for email, monitoring, and AI advisory analytics. |
| Categories of data transferred | Pseudonymised IP hashes (SHA-256 + daily rotating salt), truncated user-agent strings (200-character maximum), page URLs, HTTP referrer domain and path, aggregated statistics, administrator account details (email, name), billing metadata (company name, address, VAT ID) for the payment processor only. |
| Sensitive data | None. HumanKey does not process special categories of personal data within the meaning of Art. 9 GDPR. |
| Length of processing chain | One layer of sub-processing. HumanKey does not authorise its sub-processors to engage onward sub-processors without HumanKey's prior written consent. |
| Transfer mechanism | EU Standard Contractual Clauses (Decision (EU) 2021/914, Module 2 or 3) for every US-incorporated sub-processor. EU-US Data Privacy Framework certification applied in addition where the sub-processor is listed on the DPF participant list. |
| Relevant destination-country laws | Section 702 of the Foreign Intelligence Surveillance Act (FISA); Executive Order 12333; the Clarifying Lawful Overseas Use of Data Act (CLOUD Act); the Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities (Executive Order 14086 of 7 October 2022), which created the Data Protection Review Court that underpins the 2023 DPF adequacy decision. |
This assessment is based on publicly available legal authorities. It does not purport to resolve the ongoing debate around the adequacy of United States law following Schrems II and is not legal advice.
§3. Supplementary measures
HumanKey applies technical, contractual, and organisational supplementary measures to ensure that personal data transferred to United States sub-processors benefits from a level of protection essentially equivalent to the GDPR.
3.1 Technical measures
- IP pseudonymisation at the application layer. HumanKey hashes visitor IP addresses with a daily rotating salt before the data ever reaches any sub-processor. The salt is derived from the current UTC date and is never persisted. Cross-day linkage from the stored hash alone is not possible.
- User-Agent truncation. User-Agent strings are truncated to 200 characters before storage, reducing fingerprint surface while preserving the signal needed for bot classification.
- Session recording input masking (feature-flag disabled). The HumanKey recorder pipeline masks password inputs and any element marked data-privacy="mask" client-side before events would be transmitted to storage. Masked content never leaves the visitor's browser. Note: session recording is currently feature-flag disabled on all plans per the S164 strategic pivot to Bot Evidence Reports; dormant code remains for potential Enterprise-custom activation on request.
- EU jurisdiction for session recording storage (dormant). The session recording pipeline, if enabled for a specific Enterprise-custom engagement, stores events in a Cloudflare R2 bucket configured with EU-jurisdiction restrictions; playback is proxied through the HumanKey API so no direct bucket URL is exposed to client browsers. This pipeline is not active on any standard plan as of S164.
- Aggregate-only flow to the AI sub-processor. Only aggregated, non-identifiable statistics are transmitted to HumanKey's AI advisory sub-processor. No row-level personal data traverses that boundary.
- Short-lived authentication tokens. Administrator JWT access tokens have a 15-minute lifetime; refresh tokens rotate on every use.
- Encryption in transit and at rest. TLS 1.2 or higher with HSTS for all transport; AES-256 at rest via the managed database platform.
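The first two technical measures above (IP pseudonymisation with a daily rotating salt and 200-character User-Agent truncation) can be illustrated in a few lines. The following is an added example written for this page, not HumanKey's own code: it assumes the salt is simply the UTC calendar date, that the salt is prepended to the canonical IP string before SHA-256, and that the function names (`pseudonymise_ip`, `truncate_user_agent`, `pseudonymise_hit`) are hypothetical. It shows the property the assessment relies on, namely that the same visitor yields a stable hash within one UTC day but a different hash the next day, so the stored hash alone cannot link activity across days.

```python
import hashlib
import ipaddress
from datetime import datetime, timezone
from typing import Optional

UA_MAX_LEN = 200  # truncation limit stated in the assessment


def daily_salt(day: Optional[datetime] = None) -> str:
    """Salt derived only from the UTC calendar date (assumption for this example).

    It is recomputed on demand from the clock and never written anywhere.
    """
    day = day or datetime.now(timezone.utc)
    return day.strftime("%Y-%m-%d")


def pseudonymise_ip(ip: str, day: Optional[datetime] = None) -> str:
    """Return the hex SHA-256 of salt || canonical IP.

    ipaddress.ip_address() canonicalises the textual form (e.g. IPv6
    zero-compression) so that two spellings of one address hash identically,
    and raises ValueError on anything that is not an IP address.
    """
    addr = ipaddress.ip_address(ip)
    material = f"{daily_salt(day)}|{addr.compressed}".encode("utf-8")
    return hashlib.sha256(material).hexdigest()


def truncate_user_agent(ua: str, limit: int = UA_MAX_LEN) -> str:
    """Keep at most `limit` characters of the User-Agent string."""
    return ua[:limit]


def pseudonymise_hit(ip: str, ua: str, day: Optional[datetime] = None) -> dict:
    """Apply both measures to one request before it is handed to any sub-processor."""
    return {
        "ip_hash": pseudonymise_ip(ip, day),
        "user_agent": truncate_user_agent(ua),
    }


if __name__ == "__main__":
    # Constructed sample input, not real visitor data.
    d1 = datetime(2026, 4, 1, tzinfo=timezone.utc)
    d2 = datetime(2026, 4, 2, tzinfo=timezone.utc)
    ua = "Mozilla/5.0 (compatible; ExampleBot/1.0)" + "x" * 300
    print(pseudonymise_hit("203.0.113.7", ua, d1))
    print(pseudonymise_ip("203.0.113.7", d1) == pseudonymise_ip("203.0.113.7", d2))  # False
```

One design remark: a salt derived from the date alone is reproducible by anyone who knows the scheme, so a hash of a guessed IP could be recomputed for a given day. Deployments that want the pseudonym to be irreversible even for a party holding the scheme typically fold an in-memory secret into the salt derivation as well; that variant is an assumption not described on this page.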
3.2 Contractual measures
- Standard Contractual Clauses executed with every US-incorporated sub-processor listed on HumanKey's Sub-Processors page.
- Sub-processor notification with 14-day advance notice (SMB tier) or 30-day advance notice (Enterprise tier) as set out in Article 6 of the HumanKey DPA.
- Contractual audit rights (13-month independent audit report or one onsite audit per calendar year for SCC-relying Controllers) under Article 5.8 of the HumanKey DPA.
- Incident notification without undue delay upon HumanKey becoming aware of a Personal Data Breach (Article 8 of the HumanKey DPA).
- Zero-retention default on the AI advisory sub-processor's API; opt-in training explicitly disabled by contract.
3.3 Organisational measures
- Published sub-processor list maintained as the single source of truth, updated with at least 14 days advance notice (30 days for Enterprise tier).
- Documented request-handling channel for law-enforcement and supervisory authority requests. All such requests are routed through the HumanKey legal contact form.
- Semi-annual DPIA review (April and October) and event-driven reviews triggered by any material change to the sub-processor stack or to destination-country law.
- GDPR data-subject rights tooling (JSON export, cascading deletion, rectification) is available to every Controller regardless of plan tier and does not depend on any US sub-processor being reachable.
§4. Re-evaluation
This assessment is reviewed semi-annually (April and October) and whenever:
- A new sub-processor is added or replaced.
- A material change in a destination country's surveillance law or judicial oversight framework becomes publicly known.
- A publicly reported compelled-access order is issued against any named sub-processor in a way that would affect HumanKey's transfer analysis.
- The European Data Protection Board, the European Commission, or the Court of Justice of the European Union issues new guidance or a judgment materially affecting Chapter V transfers.
The most recent review was completed in April 2026. The next scheduled review is October 2026.
This Transfer Impact Assessment is provided as a public-facing summary of HumanKey's transfer posture. It is not legal advice. Last updated: April 2026.