Data Transfers
Last updated: 2026-06-12
1. Starting Point: Data Stays in the EU
Andri AI B.V. is a Dutch company. Customer data is stored and processed within the European Union, in AWS regions eu-west-1 (Ireland) and eu-central-1 (Frankfurt), with no replication outside the EU and with self-managed encryption keys. AI processing takes place via AWS Bedrock in the EU region; customer data does not leave the EU in the process. International transfers of customer data are therefore the exception at Andri, not the rule.
2. When Do Transfers Occur?
A limited number of sub-processors partly operate outside the EEA. In those cases:
- Vercel (frontend hosting), Clerk (authentication) and Stripe (payments): transfers to the US take place under Standard Contractual Clauses (SCCs) and/or the EU-US Data Privacy Framework.
- Transfers to countries benefiting from an adequacy decision of the European Commission (such as Switzerland and the United Kingdom) are permitted without additional measures.
- The current list of all our sub-processors is maintained on the sub-processors page.
3. Customers in the United Kingdom
For UK customers: transfers from the UK to the EEA are permitted under the UK GDPR and the UK adequacy regulations, as the EEA is recognised as adequate by the UK. Andri acts as a processor in the Netherlands. Where a customer nevertheless requires the UK International Data Transfer Addendum (IDTA) or the UK Addendum to the EU SCCs, this can be agreed as part of the data processing agreement.
4. Transfer Mechanisms and Order of Precedence
If more than one transfer mechanism could apply to a transfer of Personal Data, the first applicable mechanism in the following order of precedence applies:
- An adequacy decision of the European Commission (Art. 45 GDPR)
- The EU Standard Contractual Clauses (SCCs, Art. 46(2)(c) GDPR), Module 2 (controller to processor) or Module 3 (processor to sub-processor), depending on the roles
- The UK International Data Transfer Addendum, where the UK GDPR applies
- Any other mechanism permissible under applicable data protection law and included in the data processing agreement
Where SCCs apply, they provide appropriate safeguards with enforceable data subject rights and effective legal remedies (Art. 46 GDPR), including processing only on documented instructions, purpose limitation, data minimisation, storage limitation, security of processing, and conditions for onward transfers.
5. Details of the Processing
5.1 Categories of Data Subjects
- Users (lawyers and staff of the customer)
- Clients of the customer
- Third parties whose personal data appears in case documents (opposing parties, witnesses, participants in proceedings)
5.2 Categories of Personal Data
- Contact information and professional details
- Case data and user-uploaded documents
- Usage data and technical data
Sensitive data, including legal case details, is processed only insofar as strictly necessary for the provision of the services and with additional safeguards (see Section 6).
6. Technical and Organisational Measures
Our information security management system is ISO 27001 certified by Kiwa (certificate number K-0229199/1, verifiable online). Core measures:
- Encryption in transit (TLS 1.3) and at rest (AES-256)
- Multi-factor authentication, role-based access control and least privilege, with regular access reviews
- Technically enforced tenant isolation between customers
- Logging and monitoring, with independent penetration testing by Fox-IT / NCC Group
- Backup, disaster recovery, network and physical security (AWS data centres)
7. Sub-processor Management
- Written contracts with obligations equivalent to or stricter than our data processing agreement
- Current list maintained on the sub-processors page
- Changes are announced in writing at least 30 days in advance; customers may object within 14 days on serious grounds related to GDPR compliance or security
- Andri remains fully liable for performance by sub-processors
8. Data Breach Notification
In the event of a security incident, we notify the customer without undue delay, where possible within 24 hours and no later than 72 hours after becoming aware of it, with a detailed incident report and full cooperation in investigations and in any notifications to supervisory authorities and data subjects.
9. Audit and Termination
- Customers are entitled to an annual audit (at their own expense), in consultation and without disrupting our business processes
- We maintain detailed documentation of processing activities and cooperate with supervisory authorities
- Upon termination of the services, all personal data is returned or deleted, subject to statutory retention obligations
10. Relationship to the Data Processing Agreement
This page is an informative summary of how Andri handles international data transfers. The binding terms are set out in the data processing agreement (DPA) that every customer concludes with Andri; in the event of any discrepancy between this page and the data processing agreement, the data processing agreement prevails.
11. Contact Information
- Inquiries: info@andri.ai
- Address: Andri AI B.V., Hildegard Von Bingenstraat 44, 1081 LH Amsterdam, The Netherlands
- Supervisory Authority: Autoriteit Persoonsgegevens (Dutch Data Protection Authority)