International Data Transfers — Standard Contractual Clauses
Last modified: July 8, 2026
This document sets out WorkComposer's EU/EEA, UK, and Switzerland to United States transfer mechanism under GDPR Article 46. It comprises the EU Standard Contractual Clauses (SCCs) — Commission Implementing Decision (EU) 2021/914, Module Two (Controller → Processor) — with the annexes completed, together with a transfer-impact assessment. WorkComposer's planned primary transfer mechanism is certification under the EU–US Data Privacy Framework (DPF) and its UK and Swiss extensions; these SCCs are the working mechanism and remain in place as the fallback thereafter.
1. Plain-English summary
WorkComposer Inc is based in the United States and hosts its production systems on Amazon Web Services in the United States (region us-east-1). When a Customer in the European Economic Area (EEA), the United Kingdom (UK), or Switzerland uses our Services, Personal Data about that Customer's Monitored Users is transferred to and stored in the United States.
Under the EU General Data Protection Regulation (GDPR), transfers of Personal Data to a country without an EU “adequacy decision” require an approved safeguard (Article 46). For these transfers WorkComposer relies on the European Commission's Standard Contractual Clauses (SCCs) adopted in Commission Implementing Decision (EU) 2021/914 of 4 June 2021, as completed below. For UK transfers the SCCs are supplemented by the UK International Data Transfer Addendum (IDTA Addendum) issued under s.119A of the UK Data Protection Act 2018. For Swiss transfers the SCCs apply with the adaptations required by the Swiss Federal Act on Data Protection (FADP), as recognized by the Swiss Federal Data Protection and Information Commissioner (FDPIC).
If you are an EU/EEA/UK/Swiss Customer, the legal mechanism that authorizes your data reaching our US infrastructure is these SCCs, incorporated into our Data Processing Agreement (the “DPA”).
2. Which SCC Module applies
- Module Two (Controller → Processor) is the operative Module for WorkComposer and is completed in this document. It applies in the typical case: the Customer is the Controller of the Personal Data (for example, an employer monitoring its own staff) and appoints WorkComposer as its Processor.
- Module Three (Processor → Processor) applies where a Customer is itself a processor acting for another controller and engages WorkComposer as a sub-processor. Where that is the case, the equivalent Module Three clauses of Decision (EU) 2021/914 apply mutatis mutandis, with the same annexes completed as below (the exporter's own controller stands behind the Customer).
Onward transfers by WorkComposer to its Subprocessors (see the Subprocessor list and Annex III below) are made under back-to-back contractual terms consistent with the SCCs, as required by Clause 8.8.
3. How the SCCs are incorporated and executed
- the Customer is the data exporter (Controller);
- WorkComposer Inc is the data importer (Processor);
- both Parties are deemed to have signed the SCCs as of the DPA's effective date, and the annexes below (Annex I, Annex II, Annex III) are deemed completed accordingly;
- the docking clause (Clause 7) is included, so that additional entities may accede to the SCCs by agreement.
Where a term of the DPA and a term of the SCCs conflict with respect to a transfer the SCCs govern, the SCCs prevail (DPA Section 2.3).
4. Clause selections (Module Two)
| Clause | Selection | Notes |
|---|---|---|
| Clause 7 — Docking clause | Included | Allows additional parties to accede. |
| Clause 9 — Use of sub-processors | Option 2 — General written authorization | Notice period for changes = 30 days, aligned with DPA Section 7.3. Current list at Annex III / the Subprocessor list. |
| Clause 11 — Redress | Optional independent dispute-resolution body omitted | The mandatory redress mechanism (data subjects may lodge complaints and pursue judicial remedy) applies regardless. |
| Clause 17 — Governing law | Law of Ireland | Clause 17 requires the law of an EU Member State that allows third-party-beneficiary rights. |
| Clause 18 — Choice of forum and jurisdiction | Courts of Ireland (tracking Clause 17) | Must be the courts of an EU Member State. |
Note. Clause 17 does not permit a US/Delaware governing law for the SCCs themselves. The DPA's general Delaware governing-law clause (DPA Section 13.2) is expressly carved out for SCC-governed transfers, which are governed by the Member-State law selected above.
Annex I — Description of the transfer
Annex I.A — List of Parties
- Name: The Customer — the organization that has entered into the Agreement and accepted the DPA. Identity, address, and contact details are those provided by the Customer in its account / the Agreement.
- Role: Controller (or, where the Customer is itself a processor, processor — see Module Three note in Section 2).
- Activities relevant to the transfer: Procuring and configuring WorkComposer's employee time-tracking and workforce-monitoring Services to monitor its own personnel.
- Signature and date: Deemed executed on acceptance of the DPA (Section 3 above).
- Contact person: As designated in the Customer's account (the account Owner / administrator) or as the Customer notifies to WorkComposer.
- Name: WorkComposer Inc, a Delaware corporation.
- Registered office: 651 N Broad St, Suite 206, Middletown, DE 19709, United States.
- Mailing address: 9450 SW Gemini Dr, PMB 94875, Beaverton, OR 97008-7105, United States.
- Role: Processor.
- Activities relevant to the transfer: Providing the Services (receiving, storing, and Processing Monitored-User activity data and account data on the Customer's documented instructions) on US-based AWS infrastructure.
- Contact person: Privacy contact, privacy@workcomposer.com.
- Signature and date: Deemed executed on acceptance of the DPA (Section 3 above).
Annex I.B — Description of the transfer
- The Customer's Monitored Users — its employees, workers, and contractors whose activity is monitored, measured, or recorded through the Services.
- The Customer's Authorized Users — administrators and account owners who access and administer the Services on the Customer's behalf.
- Screenshots (periodic captures of the Monitored User's screen);
- Activity levels (keyboard/mouse activity indicators, idle time);
- Application and URL usage (names of applications used, window titles, and websites/URLs visited);
- Worked-time records (work start/stop times, session durations, timesheets);
- Approximate location derived from IP address, where enabled;
- Account and contact data (name, email address, job title/role, organization, profile settings);
- Device and technical/log data (IP address, device/OS identifiers, log data);
- Billing/payment data for Authorized Users / account owners (processed via the payment Subprocessor).
- None intended. WorkComposer does not intentionally collect special-category Personal Data (Article 9 GDPR).
- Incidental capture: Because screenshots and application/URL data reflect whatever is on a Monitored User's screen, they may incidentally capture special-category data (for example, health, religious, or trade-union information visible on screen) or other sensitive content. WorkComposer does not target such data and relies on the Customer's data-minimization configuration — for example screenshot-frequency limits and, where available, screenshot blurring or exclusions — and on the Customer's lawful basis, to control any such incidental Processing. Restrictions applied: access is limited to authorized personnel on a need-to-know basis, data is encrypted in transit and at rest, and retention is limited (see Annex II).
Frequency of the transfer: Continuous, for the duration of the Agreement.
Nature of the processing: Collection, recording, storage, organization, structuring, transmission, display, and deletion of Monitored-User activity data and account data, as necessary to provide the Services.
Purpose(s) of the transfer and further processing: Provision of WorkComposer's B2B employee time-tracking and workforce-monitoring Services to the Customer (time and activity tracking, screenshots, application/URL tracking, worked-time reporting, and any monitoring posture the Customer enables), together with account administration, billing, security, and support.
Retention period (or criteria): Tracking data (screenshots, activity, application/URL, and worked-time data) is retained for one (1) year from collection and then automatically deleted (per WorkComposer's Data Retention Policy), or deleted earlier on account deletion. Account and Personal Data are deleted on account deletion or termination of the Agreement, subject to routine backup cycles from which data is purged in the ordinary course and to any legal-retention requirement.
Subprocessors — subject-matter, nature, and duration: See Annex III. Each Subprocessor Processes Customer Personal Data only for the duration of the Agreement and only to the extent necessary for the stated purpose, under a written contract with data-protection terms consistent with these SCCs.
Annex I.C — Competent supervisory authority
- If the exporter is established in an EU Member State, the competent authority is the supervisory authority of that Member State (as identified under the GDPR).
- If the exporter is not established in an EU Member State but has appointed an EU representative under Article 27 GDPR, the competent authority is that of the Member State in which the representative is established.
- If the exporter is not established in the EU and is not required to appoint an Article 27 representative (e.g. it falls within Art. 27(2)), the competent authority is that of the Member State in which the data subjects whose data is transferred are located.
For WorkComposer as importer, the recommended lead/competent authority is the Irish Data Protection Commission (DPC), consistent with the Irish governing-law selection in Section 4.
Annex II — Technical and organizational measures
These are the technical and organizational measures the data importer (WorkComposer) has implemented, and are the same measures set out in DPA Annex II (Article 32 GDPR). Summarized:
- In transit: Transport Layer Security (TLS) version 1.3, terminated at the load balancer.
- At rest — database: self-hosted MongoDB stored on encrypted Amazon EBS volumes (EBS encryption enabled).
- At rest — object storage: Amazon S3 server-side encryption, enforced on stored screenshots and files.
2. Access control and least privilege. Access to production systems and Customer Personal Data is restricted to authorized personnel on a need-to-know basis under the principle of least privilege; two-factor authentication is enabled on administrative access; administrative interfaces are network-restricted (VPN-gated). Service authentication includes password sign-in with rate-limiting, two-factor authentication, and OAuth.
3. Network security. Production systems run within an isolated network environment; access is restricted by security groups / firewall rules permitting only necessary traffic.
4. Data minimization. Processing is limited to what is necessary to provide the Services; Customer-configurable controls (screenshot frequency and, where available, blurring/exclusions) let the Customer reduce collection.
5. Backups. Encrypted Amazon EBS snapshots.
6. Logging and monitoring. Production-system logging and monitoring, including audit logging of administrative actions.
7. Confidentiality and subprocessor safeguards. Personnel and contractors are bound by confidentiality obligations; Subprocessors are engaged under written contracts with data-protection terms consistent with these SCCs.
8. Retention and deletion. Tracking data auto-deleted after one (1) year by a scheduled process; self-service account deletion available.
WorkComposer does not claim SOC 2, ISO 27001, or PCI-DSS certification, and does not state a specific at-rest cipher grade for S3.
Annex III — List of Subprocessors
The Customer has authorized (Clause 9, Option 2 — general written authorization) the engagement of the following Subprocessors. The current list is maintained on our Subprocessor list.
| Subprocessor | Purpose | Location |
|---|---|---|
| Amazon Web Services, Inc. | Cloud hosting, object storage (S3), email (SES), queues (SQS) | United States (us-east-1) |
| Stripe, Inc. | Payment processing | United States (with its own SCCs for onward transfers) |
| Google LLC | reCAPTCHA Enterprise, OAuth sign-in, Analytics | United States |
| Usercentrics GmbH | Cookie-consent management | European Union (Germany) |
5. Transfer Impact Assessment (Schrems II)
This section documents WorkComposer's transfer-impact assessment (TIA) supporting reliance on the SCCs, as expected following Schrems II (Case C-311/18) and the EDPB's Recommendations 01/2020 on supplementary measures.
5.1 The transfer
Personal Data of EU/EEA (and UK/Swiss) Monitored Users and Authorized Users is transferred to WorkComposer Inc in the United States and stored/processed on AWS us-east-1. The categories and purposes are in Annex I.B. The importer is a private US company acting as a processor.
5.2 Law of the destination country (US government access)
- FISA Section 702 (50 U.S.C. § 1881a) — permits US authorities to compel “electronic communication service providers” (ECSPs) to assist in targeting non-US persons abroad. This was central to the Schrems II invalidation of Privacy Shield.
- Executive Order 12333 — governs signals-intelligence collection outside the US, including in transit; it does not itself compel providers but describes bulk-collection activity.
Since Schrems II, the US enacted Executive Order 14086 (October 2022) and implementing regulations introducing proportionality/necessity limits and a two-layer redress mechanism (the Data Protection Review Court) for EU individuals; these underpin the EU–US Data Privacy Framework adequacy decision (July 2023). WorkComposer intends to certify under the DPF as its primary mechanism; this TIA supports the SCC fallback in the interim and thereafter.
5.3 Risk assessment for this data
- Nature of the data: workforce productivity and time-tracking data (screenshots of ordinary work activity, activity levels, app/URL usage, worked time). This is not the kind of data (e.g. communications content of intelligence interest, data of national-security relevance) that US signals-intelligence programs typically target. The likelihood of a FISA 702 directive or EO 12333 collection aimed at this data is low.
- Nature of the importer: WorkComposer is a small B2B SaaS provider, not a large communications platform of the type historically subject to 702 directives. WorkComposer has received no government access requests for Customer Personal Data to date.
- Onward-transfer posture: the Subprocessors are established providers (AWS, Stripe, Google, Usercentrics) with their own transfer safeguards.
5.4 Supplementary measures
- Encryption in transit — TLS 1.3.
- Encryption at rest — encrypted EBS volumes for the database; enforced S3 server-side encryption for object storage; encrypted EBS snapshot backups.
- Access controls — least-privilege access, two-factor authentication on administrative access, VPN-gated administrative interfaces, network isolation.
- Data minimization — Customer-configurable collection limits (screenshot frequency, and where available blurring/exclusions) and a one-year retention limit that shrinks the standing data set exposed to any request.
- Processing only on documented instructions — WorkComposer Processes Customer Personal Data only on the Customer's documented instructions and does not use it for its own purposes.
- Government-request handling — WorkComposer commits, to the extent legally permitted, to (i) review the legality of any government request for Customer Personal Data, (ii) challenge requests that are overbroad or unlawful, and (iii) notify the affected Customer before disclosing, unless legally prohibited from doing so.
- Transparency — WorkComposer will document and, where lawful, report government access requests it receives.
5.5 Conclusion
Taking into account the nature of the transferred data (routine workforce-monitoring data of low intelligence interest), the profile of the importer (a small B2B SaaS processor that has received no government requests), the post-Schrems II US legal reforms (EO 14086 and the DPF), and the supplementary technical, organizational, and contractual measures above, WorkComposer assesses that the transfer of Customer Personal Data to the United States under these SCCs, with the measures described, provides a level of protection essentially equivalent to that required under EU law. On this basis, the transfer may proceed under the SCCs with these supplementary measures. WorkComposer will reassess this position if the relevant law changes materially, if it receives a government access request, or upon obtaining DPF certification (after which the DPF becomes the primary mechanism and the SCCs remain in place as the fallback).
6. UK and Swiss transfers
- United Kingdom: the SCCs above are supplemented by the UK International Data Transfer Addendum (IDTA Addendum, version B.1.0). Addendum Tables 1–4 are completed by reference to Annex I (parties and transfer description), the Clause selections in Section 4, and Annex II (security measures); the “Approved Addendum” mechanism applies.
- Switzerland: the SCCs apply with the FADP adaptations recognized by the FDPIC — references to the GDPR are read as references to the FADP where the FADP applies, the FDPIC is the competent authority for Swiss data, and the clauses protect Swiss-resident individuals (including, where applicable, legal entities during the transitional period).
7. Questions
For questions about international data transfers, contact privacy@workcomposer.com.
WorkComposer Inc — International Data Transfers. DPF certification is the planned primary mechanism (tracked separately). This is provided as part of WorkComposer's Services and does not constitute legal advice.