Data Transfer Impact Assessment

Introduction

This Data Transfer Impact Assessment ("TIA") assists Hund customers (acting as "Data Exporters") in conducting a risk assessment for the transfer of Personal Data in connection with our provision of the Services. This document addresses the requirements of the "Schrems II" ruling of the Court of Justice of the European Union and is intended to be used in conjunction with our Data Processing Addendum ("DPA"), which incorporates the Standard Contractual Clauses ("SCCs").

Under European data protection laws, when Personal Data is transferred to a country without an adequacy decision, the Data Exporter must assess whether the laws and practices of that country prevent the Data Importer (Hund) from fulfilling its obligations under the SCCs.

Scope and Transfer Mechanisms

Hund is based in the United States. We utilize infrastructure sub-processors in various countries to provide optional monitoring regions. The legal basis for transfers to these locations is as follows:

Transfers to Adequate Countries

Transfers to the following monitoring regions are permitted based on an adequacy decision from the European Commission, meaning they are recognized as providing a level of data protection essentially equivalent to that in the EU.

  • United Kingdom
  • Germany
  • France
  • Netherlands
  • Finland

Transfers to Third Countries

Transfers to the following countries are safeguarded by the Standard Contractual Clauses (SCCs). This document provides the required TIA for these transfers:

  • United States
  • Australia
  • Singapore

United States

Our assessment for transfers to the United States is based on the extensive review of US law conducted by the European Commission in its adequacy decision for the EU-US Data Privacy Framework (DPF), published on July 10, 2023.

1. Acknowledgment of US Surveillance Laws

We acknowledge that US laws such as FISA Section 702 and Executive Order 12333 grant US government authorities the power to compel access to data for foreign intelligence and national security purposes. These were the laws identified as problematic in the "Schrems II" ruling.

2. Assessment of the Current US Legal Framework

The European Commission, in its DPF adequacy decision, analyzed the impact of new safeguards introduced into US law, primarily through Executive Order 14086 ("Enhancing Safeguards for United States Signals Intelligence Activities"). The Commission concluded that these new safeguards ensure that any access to EU data by US public authorities will be limited to what is necessary and proportionate, and that effective legal protection against such interference exists.

The key findings from the Commission's decision, which we rely on for this assessment, are:

  • Access to data is limited to what is necessary and proportionate to protect defined national security objectives.
  • Enhanced oversight of intelligence activities ensures compliance with these limitations.
  • A new, two-layer redress mechanism, including an independent Data Protection Review Court (DPRC), is available to EU individuals to investigate and resolve complaints regarding access to their data by US authorities.

3. Conclusion of this TIA

Considering the above, Hund agrees with and adopts the European Commission's finding that the US legal framework, as updated by Executive Order 14086, provides safeguards that are essentially equivalent to those required by EU law.

Therefore, we conclude that we have no reason to believe that the laws and practices in the United States prevent us from fulfilling our obligations under the Standard Contractual Clauses. The SCCs, supplemented by the measures described below, provide an appropriate safeguard for the transfer of Personal Data to the United States.

Supplemental Measures

This TIA also considers guidance set forth in EDPB Recommendations 01/2020 regarding supplementary measures.

In addition to the legal analysis for each country, Hund implements the following supplemental technical, contractual, and organizational measures to further protect all transferred data:

Technical Measures

  • Encryption: All Customer Data is encrypted in transit using strong TLS protocols (TLS 1.2 or higher) and at rest using AES-256.
  • Access Controls: We enforce the Principle of Least Privilege for all access to production systems. Access is logged, monitored, and regularly reviewed.

Contractual Measures

  • Standard Contractual Clauses: Our DPA incorporates the SCCs for all applicable transfers to third countries.
  • Sub-processor Agreements: We have DPAs in place with all our sub-processors that require them to provide at least the same level of data protection as required by our DPA with you.

Organizational Measures

  • Policy for Government Access: We have a strict internal policy for handling government requests for data. We will not disclose data unless legally compelled to do so. We will attempt to redirect the requesting authority to the customer and will notify the customer of the request unless legally prohibited.
  • Transparency: We are committed to transparency regarding government requests and will provide information as legally permitted.

Australia

Field / Description

Purpose for transfer and any further processing

Onward transfers: Hund transfers Customer Personal Data to its sub-processor, The Constant Company, LLC, in Australia for the purpose of providing regional uptime monitoring services as initiated and configured by the Customer.

The frequency of the transfer

Onward transfers: Continuous for the duration that a Customer's monitor is configured for the Australian region.

Categories of personal data transferred

Onward transfers: As detailed in Annex I of the Hund Data Processing Addendum (DPA), this primarily includes Log & Performance Data (e.g., IP addresses, server response times) and Monitoring Configuration Data.

Sensitive data transferred (if applicable)

Onward transfers: Determined at the sole discretion of the data exporter (the Customer). Hund's services are not intended for the processing of sensitive data.

Length of processing chain

Onward transfers: Please refer to Hund's sub-processors page.

Applicable transfer mechanism

Onward transfers: Standard Contractual Clauses (SCCs) executed between Hund and The Constant Company, LLC. Hund imposes obligations on its sub-processors to implement appropriate technical and organizational measures ensuring that the sub-processing of personal data is protected to the standards required by applicable data protection laws.

Identifying laws and practices relevant in light of all circumstances of the transfer

Australia has various laws and executive powers that could be used to compel companies to disclose personal data. A high-level summary of several key laws is provided below:

  • Crimes Act 1914 and the Criminal Code Act 1995: Permit government agencies to collect both electronic and physical data where there are reasonable grounds to believe there is a criminal offense.
  • The Telecommunications (Interception and Access) Act 1979 (TIAA) and Part 15 of the Telecommunications Act 1997: Grant government bodies powers to oblige service providers to assist law enforcement and intelligence agencies, which can include providing access to data.
  • Surveillance Devices Act 2004 and equivalent state and territory laws: Grant authorities covert access to data under certain conditions.

While aspects of these laws have extraterritorial reach, in practice, compelling access from foreign entities often operates through bilateral processes like mutual legal assistance treaties. It can be difficult to determine the exact frequency and scope of data access, as government authorities are not always required to report publicly on the use of these powers, although independent oversight bodies exist within the legislative framework.

Hund has a strict internal policy for handling government requests for data. Hund will attempt to redirect the requesting authority to the customer and will notify the customer of the request unless legally prohibited. The sub-processor, The Constant Company, LLC, does not publish a public transparency report regarding government requests.

Considering the above assessment and the robust supplementary measures implemented (including strong encryption), we conclude that we have no reason to believe that the laws and practices in Australia prevent our sub-processor from fulfilling its obligations under the Standard Contractual Clauses.

Singapore

Field / Description

Purpose for transfer and any further processing

Onward transfers: Hund transfers Customer Personal Data to its sub-processor, The Constant Company, LLC, in Singapore for the purpose of providing regional uptime monitoring services as initiated and configured by the Customer.

The frequency of the transfer

Onward transfers: Continuous for the duration that a Customer's monitor is configured for the Singapore region.

Categories of personal data transferred

Onward transfers: As detailed in Annex I of the Hund Data Processing Addendum (DPA), this primarily includes Log & Performance Data (e.g., IP addresses, server response times) and Monitoring Configuration Data.

Sensitive data transferred (if applicable)

Onward transfers: Determined at the sole discretion of the data exporter (the Customer). Hund's services are not intended for the processing of sensitive data.

Length of processing chain

Onward transfers: Please refer to Hund's sub-processors page.

Applicable transfer mechanism

Onward transfers: Standard Contractual Clauses (SCCs) executed between Hund and The Constant Company, LLC. Hund imposes obligations on its sub-processors to implement appropriate technical and organizational measures ensuring that the sub-processing of personal data is protected to the standards required by applicable data protection laws.

Identifying laws and practices relevant in light of all circumstances of the transfer

Singapore has enacted laws that enable the government to obtain access to data, including personal data being processed in Singapore. A high-level summary of key relevant laws is provided below:

  • The Cybersecurity Act (CSA): Authorizes the government to obtain access to data to prevent, manage, and respond to cybersecurity threats and incidents.
  • The Protection from Harassment Act: Prohibits any individual or entity (excluding public agencies) from surveilling individuals.
  • The Computer Misuse Act: Prohibits unauthorized use or interception of a computer service.
  • The Personal Data Protection Act (PDPA): Requires organizations processing personal data in Singapore to adhere to requirements similar to the GDPR. This includes obligations to ensure that equivalent data protection standards are applied to data transferred out of Singapore. However, these requirements may not apply in the context of certain civil, criminal, or administrative investigations.

Hund has a strict internal policy for handling government requests for data. Hund will attempt to redirect the requesting authority to the customer and will notify the customer of the request unless legally prohibited. The sub-processor, The Constant Company, LLC, does not publish a public transparency report regarding government requests.

Considering the above assessment and the robust supplementary measures implemented (including strong encryption), we conclude that we have no reason to believe that the laws and practices in Singapore prevent our sub-processor from fulfilling its obligations under the Standard Contractual Clauses.

Re-evaluation

We will monitor the legal landscape for international data transfers and will re-evaluate these TIAs at appropriate intervals or in the event of any material changes to the legal frameworks assessed herein.