Below is a concise security guidance document for EU-based Swif.ai customers explaining how our use of Standard Contractual Clauses (SCCs) helps protect and lawfully transfer personal data under the GDPR framework.
1. Overview of Standard Contractual Clauses (SCCs)
Standard Contractual Clauses (SCCs) are legal instruments approved by the European Commission to ensure that personal data leaving the European Economic Area (EEA) continues to receive a high level of protection. When EU personal data is transferred to a third country that has not received an adequacy decision from the European Commission—such as the United States—SCCs provide a GDPR-compliant mechanism to safeguard these data flows.
2. Swif.ai’s Commitment to Data Protection
Data Processing in Accordance with GDPR
Swif.ai acts as a processor for our customers’ data and is committed to processing personal data strictly under customers’ instructions, in line with GDPR obligations. Where we are engaged in cross-border data transfers, we implement SCCs to ensure equivalent data protection standards.
Supplementary Technical and Organizational Measures
SCCs require more than simply signing an agreement. To meet European data protection requirements and provide additional safeguards, Swif.ai implements:
Encryption In Transit and At Rest: We use robust encryption protocols (e.g., TLS for data in transit) and secure, industry-standard encryption for data at rest.
Access Controls and Monitoring: We employ role-based access controls, multi-factor authentication for administrative access, and continuous logging/monitoring of systems.
Security by Design: Our platform is developed with privacy and security in mind from the outset, reducing the risk of unauthorized access or misuse of personal data.
Transparent Sub-Processors: We maintain an up-to-date list of sub-processors who may help deliver our services (e.g., cloud providers). Each sub-processor is contractually bound by obligations at least as strict as those in the SCCs, including equivalent technical and organizational measures.
Risk Assessments for Data Transfers
Swif.ai regularly evaluates any potential risks to personal data when it is transferred outside the EEA. We conduct Transfer Impact Assessments (TIAs) where needed to ensure that, in practice, the receiving country’s laws and our supplementary measures together offer “essentially equivalent” protection to EU data subjects.
3. Key Protections Afforded by SCCs
Data Subject Rights
EU individuals’ rights—such as the right to access, rectification, and erasure—continue to be protected. Under SCCs, Swif.ai must assist customers in fulfilling these data subject rights requests when they involve personal data held on our platform.
Onward Transfers
If personal data must be shared with any sub-processor or partner, the same contractual obligations and protections in the SCCs apply to ensure data is not transferred to other entities without equivalent safeguards.
Notification of Requests
If Swif.ai receives a legally binding request for disclosure of EU personal data (e.g., from public authorities), we will promptly notify the customer (unless prohibited by law) so that appropriate measures (like contesting the request) can be taken.
Accountability and Liability
The SCCs define the responsibilities and liabilities of both Swif.ai and our customers in the event of a data breach or non-compliance. This clear chain of accountability ensures swift response and remediation.
4. Practical Steps for EU Customers
Execute the Appropriate SCC Module
When entering a Data Processing Agreement (DPA) with Swif.ai, ensure the relevant module of the European Commission’s updated SCCs for controller-processor or processor-processor relationships is properly signed, depending on your business’s setup.
Review Swif.ai’s Sub-Processors
Stay informed about any sub-processors who may process your data. We maintain transparency on sub-processor lists and will notify you of material changes, giving you the option to object if necessary.
Leverage Encryption and Security Options
Make full use of available security configurations in the Swif.ai platform, such as enforcing device disk encryption or customizing policies for remote wipe and lock. These measures fortify data protection beyond the legal framework.
Maintain Compliance Documentation
Keep records of your processing activities and confirm that the details in our shared documentation (e.g., Transfer Impact Assessment, sub-processor details) support your internal compliance efforts. This documentation is crucial for GDPR accountability and audit readiness.
5. Ongoing Compliance and Updates
Swif.ai monitors evolving EU data protection requirements, regulatory guidance (e.g., from the European Data Protection Board), and case law (such as Schrems II). If changes require updates to SCCs, or the adoption of additional supplementary measures, we will proactively work with our customers to keep their data transfer mechanisms valid and compliant.
Conclusion
By employing the European Commission’s Standard Contractual Clauses, along with strong technical and organizational security measures, Swif.ai ensures that EU personal data receives a level of protection on par with GDPR requirements—even if it is processed outside the EEA. These provisions underscore our commitment to safeguarding customer data and supporting GDPR compliance throughout the entire device management and security lifecycle.
If you have questions or need further assistance, please reach out to Swif.ai’s Data Protection team or consult your organization’s legal counsel.
For more information on our security practices—including technical controls, compliance certifications, and FAQs—visit Swif.ai Security Resources.