Version 1.0 | Effective Date: 6 March 2026 | Document Reference: GF-DTCP-001
This Compliance Pack consolidates GoldFynch's international data transfer documentation into a single reference instrument. It comprises four interconnected documents:
| Document | Reference | Purpose |
|---|---|---|
| Part A - Updated Standard Contractual Clauses (2021) | GF-SCC-001 | Replaces outdated Annex 2 of the GoldFynch DPA with the 2021 EU SCCs |
| Part B - UK International Data Transfer Addendum | GF-IDTA-001 | Adapts the 2021 EU SCCs for UK personal data transfers |
| Part C - Transfer Impact Assessment | GF-TIA-001 | Documents formal assessment of US law under Clause 14 SCCs / UK IDTA |
| Part D - Supplementary Measures Register | GF-SMR-001 | Records all technical, contractual and organisational safeguards |
This Pack supplements and forms part of the GoldFynch Data Processing Addendum ("DPA") and Terms of Service ("Principal Agreement"). Capitalised terms not defined herein have the meanings given in the DPA.
Replaces: Annex 2 of the GoldFynch Data Processing Addendum (Directive 95/46/EC SCCs)
Legal basis: Commission Implementing Decision (EU) 2021/914 of 4 June 2021
The following Module applies to GoldFynch's processing of Company Personal Data:
| Module | Description | Applicable Scenario |
|---|---|---|
| Module 2 | Controller to Processor | Company (Controller) → GoldFynch (Processor) - primary module |
| Module 3 | Processor to Processor | Where Company itself acts as Processor for a third-party Controller |
For the purposes of this Part A, Module 2 applies by default unless the Company notifies GoldFynch in writing that Module 3 applies to its use case.
These Standard Contractual Clauses ("Clauses") set out appropriate safeguards, including enforceable data subject rights and effective legal remedies, pursuant to Article 46(1) and Article 46(2)(c) of Regulation (EU) 2016/679 of the European Parliament and of the Council, for the transfer by the data exporter to the data importer of the personal data as specified in Annex I.
These Clauses set out appropriate safeguards for the transfer of personal data to a third country (the United States), which does not ensure an adequate level of protection. These Clauses shall not be modified except to select the appropriate Module(s) or to add or update information in the Annexes.
Data subjects may invoke and enforce these Clauses as third-party beneficiaries against the data exporter and/or data importer, including where data subjects' rights have been infringed as a result of the processing of their personal data.
An entity that is not a party to these Clauses may, with the agreement of the parties, accede to these Clauses at any time, either as a data exporter or data importer by completing the Annexes and signing Annex I.A.
GoldFynch, as data importer, shall:
The competent supervisory authority is determined as follows:
| Transfer Context | Supervisory Authority |
|---|---|
| EEA transfers (where data exporter is EU-established) | The supervisory authority of the Member State where the data exporter is established |
| UK transfers | UK Information Commissioner's Office (ICO) (via UK IDTA - see Part B) |
Both parties warrant, as of the date of these Clauses, that they have no reason to believe that the laws and practices applicable to the processing by the data importer - including any requirements to disclose personal data or measures authorising public authorities' access - prevent the data importer from fulfilling its obligations under these Clauses.
GoldFynch's formal assessment of US law is set out in full in Part C (Transfer Impact Assessment) of this Compliance Pack.
GoldFynch commits to:
These Clauses shall be governed by the law of one of the EU Member States, provided such law allows for third-party beneficiary rights. The parties select the law of the Republic of Ireland.
(Note: For UK transfers, Clause 17 is amended by the UK IDTA (Part B) to refer to the law of England and Wales.)
Any dispute arising from these Clauses shall be resolved by the courts of the Republic of Ireland.
(Note: For UK transfers, Clause 18 is amended by the UK IDTA (Part B) to refer to the courts of England and Wales.)
| | Data Exporter (Company) | Data Importer (GoldFynch) |
|---|---|---|
| Name | As identified in the GoldFynch account or Order Form | Mazira LLC dba GoldFynch |
| Address | As registered on the Company account | 136 S Dubuque Street, Iowa City, IA 52240 |
| Contact | As registered on the Company account | info@goldfynch.com |
| Role | Controller (or Processor where Module 3 applies) | Processor |
| Activities | Use of GoldFynch e-discovery and document management platform | Cloud-based e-discovery and document management services |
| Signature/Date | Deemed signed on acceptance of Principal Agreement | Anith Mathai, CEO - [Date of Signup] |
| Element | Detail |
|---|---|
| Categories of data subjects | Legal professionals; clients of legal professionals; employees; managers; accountants; administrators; payees; individuals referenced in Company Content |
| Categories of personal data | (1) Account/identifying data: name, email, phone number, billing address, credit card details, account preferences; (2) Usage data: IP address, browser type, ISP, location, date/time stamp, clickstream; (3) Company Content: emails, legal documents, ESI and other electronically stored information uploaded by Company |
| Special categories of data | Not routinely processed; Company must notify GoldFynch if special category data is included in Company Content |
| Frequency of transfer | Continuous, for the duration of the Principal Agreement |
| Nature of processing | Storage, indexing, search, retrieval, organisation and e-discovery processing of Company Content; account management and billing |
| Purpose of transfer | Provision of GoldFynch e-discovery and document management services under the Principal Agreement |
| Retention period | For the duration of the Principal Agreement; deletion within 14 days of Cessation Date (DPA section 10) |
| Transfer Type | Supervisory Authority |
|---|---|
| EEA transfers | Supervisory authority of the Member State where the data exporter is established |
| UK transfers | UK Information Commissioner's Office (ICO) |
The following measures are implemented by GoldFynch as data importer:
| Category | Measures |
|---|---|
| Encryption | TLS 1.2+ for data in transit; encryption at rest for all Company Content on Google Cloud Platform |
| Access control | Role-based access controls; least-privilege principle; multi-factor authentication for administrative access |
| Physical security | Company Content hosted on Google Cloud (North America - US); Google Cloud data centres are ISO 27001, SOC 2 Type II certified |
| Availability | Redundant cloud infrastructure; automated backups; disaster recovery procedures |
| Incident response | Documented data breach response procedure; 48-hour notification commitment (see Part B, section 7) |
| Personnel | Confidentiality obligations for all personnel with access to Company Personal Data; data protection training |
| Sub-processor oversight | Due diligence on all sub-processors; written contracts imposing equivalent data protection obligations |
| Audit | Audit rights available to Company per DPA section 11 |
| Data minimisation | Processing limited to what is necessary for provision of services |
Sub-processors authorised under Clause 9 (General Written Authorisation) are listed in the GoldFynch DPA, Annex 1, Appendix 1 (Sub-processors Register). All currently authorised sub-processors are located in North America - US.
The current sub-processors list is available at https://goldfynch.com/GoldFynch-Data-Processing-Addendum.html and will be updated with at least 14 days' notice of any changes.
Legal basis: s.119A Data Protection Act 2018; ICO IDTA Version B1.0 (in force 21 March 2022)
Reference: GF-IDTA-001
This UK Addendum supplements and forms part of the Standard Contractual Clauses set out in Part A of this Compliance Pack ("SCCs"), adapting them for the transfer of personal data from the United Kingdom to the United States, as required by the UK GDPR and Data Protection Act 2018.
This Addendum constitutes the International Data Transfer Addendum (IDTA) issued by the ICO under s.119A DPA 2018.
The following amendments apply to the Part A SCCs where they relate to UK personal data:
| SCC Provision | Amendment for UK Transfers |
|---|---|
| References to "Regulation (EU) 2016/679" | Read as UK GDPR |
| References to "EU", "Union", "Member State" | Read as including the United Kingdom |
| References to "supervisory authority" | Read as the UK ICO |
| References to "Member State law" | Read as the law of England and Wales, Scotland or Northern Ireland (as applicable) |
| Clause 8.9 (data transfers within group) | Not applicable |
| Clause 13 (Supervision) | Competent supervisory authority is the UK ICO |
| Clause 17 (Governing Law) | Governed by the law of England and Wales |
| Clause 18 (Jurisdiction) | Disputes resolved in the courts of England and Wales |
| | Data Exporter (Company) | Data Importer (GoldFynch) |
|---|---|---|
| Name | As identified in GoldFynch account | Mazira LLC dba GoldFynch |
| Address | As registered on Company account | 136 S Dubuque Street, Iowa City, IA 52240 |
| Contact | As registered on Company account | info@goldfynch.com |
| Role | Controller | Processor |
All Annex I and Annex II information is as set out in Part A (sections A13 and A14) of this Compliance Pack.
UK Information Commissioner's Office (ICO), Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
This UK Addendum is governed by the law of England and Wales. This is a mandatory requirement of the ICO's IDTA and applies to this Addendum only.
The GoldFynch Terms of Service and DPA (other than this UK Addendum) continue to be governed by the law of the State of Iowa, United States.
For UK transfers, the GoldFynch DPA is amended as follows:
GoldFynch shall assist Company in fulfilling UK data subject rights requests under:
For breaches affecting UK personal data, GoldFynch shall notify Company without undue delay and, where feasible, within 48 hours, to enable Company to meet its 72-hour reporting obligation to the ICO under Article 33 UK GDPR.
If the ICO issues a revised or replacement Addendum:
- GoldFynch will provide 30 days' written notice to Customers
- Company may terminate affected Services within that period if the revised Addendum does not provide adequate protection
- Absent objection within 30 days, the revised Addendum is deemed accepted
This UK Addendum is incorporated automatically into the GoldFynch DPA for all Customers whose processing involves UK personal data. Acceptance of the Principal Agreement constitutes acceptance of this UK Addendum.
Legal basis: Clause 14, EU SCCs (2021/914); ICO IDTA Part 2 Section III; EDPB Recommendations 01/2020
Reference: GF-TIA-001
| Element | Detail |
|---|---|
| Data Exporter(s) | GoldFynch Customers in the EEA/UK |
| Data Importer | Mazira LLC dba GoldFynch, Iowa City, Iowa |
| Transfer Mechanism | 2021 EU SCCs (Module 2) + UK IDTA |
| Infrastructure | Google Cloud Platform, North America - US |
| Data Assessed | All Company Personal Data as defined in DPA and Annex I.B above |
| Factor | Assessment |
|---|---|
| Applicability | GoldFynch may fall within the broad ECSP definition |
| Nature of access | Targeted foreign intelligence collection; not bulk surveillance |
| Practical likelihood | Low - GoldFynch's legal/eDiscovery customer base is not a surveillance target |
| Post-Schrems II position | Addressed by EO 14086 and DPRC for DPF-certified companies; GoldFynch relies on SCCs + this TIA |
| Residual risk | Medium-Low |
| Factor | Assessment |
|---|---|
| Applicability | Low direct applicability - affects overseas signals collection; GoldFynch operates US-only infrastructure |
| Residual risk | Very Low |
| Factor | Assessment |
|---|---|
| Applicability | GoldFynch may be within scope as an electronic communications provider |
| Scope | Metadata only; content requires separate court order |
| Gag order risk | May prevent notification to Customer; GoldFynch commits to notify to the fullest extent permitted |
| Residual risk | Low-Medium |
| Factor | Assessment |
|---|---|
| Applicability | GoldFynch is within scope as a remote computing service |
| Content access | Requires warrant post-Carpenter v. United States (2018) |
| Residual risk | Low-Medium |
| Factor | Assessment |
|---|---|
| Applicability | Applies to GoldFynch as a US-based provider |
| Mitigation | Challenge mechanism available; US-UK CLOUD Act Agreement (2022) provides judicial oversight |
| Residual risk | Medium |
| Factor | Detail |
|---|---|
| Nature of data | Legal and e-discovery content - not a typical intelligence target |
| Customer base | Legal professionals and law firms - low surveillance risk profile |
| No special categories | GoldFynch does not routinely process health, biometric or political data |
| US-only infrastructure | No cross-border data transit risk |
| Encryption | All data encrypted in transit (TLS 1.2+) and at rest |
| No prior access requests | GoldFynch has not received any FISA order, NSL or equivalent request to date |
| EO 14086 | Introduced proportionality and necessity requirements on US signals intelligence |
| Risk Area | Likelihood | Impact | Residual Risk |
|---|---|---|---|
| FISA 702 access | Low | High | Medium-Low |
| NSL (metadata) | Low | Medium | Low |
| CLOUD Act / law enforcement | Low | Medium | Low |
| EO 12333 | Very Low | Medium | Very Low |
| Overall | | | Low-Medium (Acceptable) |
GoldFynch has no reason to believe that US law and practice applicable to the processing of personal data under these Clauses - including any requirements to disclose personal data or measures authorising public authority access - prevents GoldFynch from fulfilling its obligations under the SCCs and UK IDTA.
This warranty is based on: the nature of GoldFynch's services and customer base; the technical and organisational measures in place; GoldFynch's commitment to challenge unlawful access requests; the absence of prior government access requests; the US-UK CLOUD Act Agreement (2022); and the safeguards introduced by Executive Order 14086.
| Trigger | Action |
|---|---|
| Annual (every 12 months) | Full review and re-approval |
| Material change in US surveillance law | Immediate review |
| Government access request received | Immediate review; seek legal advice |
| New data categories or sub-processors | Review and update scope |
| New ICO / EDPB guidance | Review and update to reflect guidance |
Reference: GF-SMR-001
| Measure | Description | Standard/Certification |
|---|---|---|
| Encryption in transit | TLS 1.2+ for all data transmitted to/from GoldFynch | Industry standard |
| Encryption at rest | All Company Content encrypted at rest on Google Cloud | Google Cloud encryption (AES-256) |
| Access controls | Role-based access; least-privilege; MFA for admin access | ISO 27001 aligned |
| Network security | Firewalls, intrusion detection, DDoS protection via Google Cloud | Google Cloud infrastructure |
| Vulnerability management | Regular security patching and updates | Ongoing |
| Penetration testing | Periodic third-party security testing | Annually |
| Measure | Description |
|---|---|
| 2021 EU SCCs (Module 2) | Primary transfer mechanism for EEA transfers - Part A |
| UK IDTA | Transfer mechanism for UK transfers - Part B |
| Sub-processor contracts | All sub-processors bound by equivalent data protection obligations per DPA section 6.4 |
| Government access notification | GoldFynch to notify Customers of access requests to fullest extent permitted by law |
| Challenge commitment | GoldFynch commits to challenge unlawful or disproportionate government access requests |
| Transparency reporting | Annual aggregate report on government access requests received |
| Measure | Description |
|---|---|
| Data minimisation | Processing limited to what is necessary for service provision |
| Retention limits | Deletion within 14 days of Cessation Date (DPA section 10) |
| Staff training | All personnel with access to Company Personal Data trained on data protection obligations |
| Incident response | Documented breach response procedure; 48-hour notification for UK data |
| Sub-processor due diligence | Due diligence conducted on all sub-processors prior to engagement |
| Annual TIA review | Formal annual review of this Compliance Pack |
GoldFynch commits to publishing an annual transparency report disclosing:
First report to be published by: 6 March 2027
| Version | Date | Author | Summary of Changes |
|---|---|---|---|
| 1.0 | 6 March 2026 | Anith Mathai | Initial issue |
| Role | Name | Date |
|---|---|---|
| Prepared by | Anith Mathai, CEO | 6 March 2026 |
| Approved by | Anith Mathai, CEO | 6 March 2026 |
| Document | Location |
|---|---|
| GoldFynch Terms of Service | https://goldfynch.com/terms.html |
| GoldFynch Data Processing Addendum | https://goldfynch.com/GoldFynch-Data-Processing-Addendum.html |
| GoldFynch Privacy Policy | https://goldfynch.com/privacy.html |
| UK GDPR International Data Transfer Addendum | https://goldfynch.com/uk-data-transfer-addendum.html |
| International Data Transfers: Customer Notice | https://goldfynch.com/data-transfers.html |
| GoldFynch Sub-processors Register | DPA Annex 1, Appendix 1 |
| GoldFynch Legal Documents | https://goldfynch.com/legal.html |
| GoldFynch Security Policy | Available on request |
This Compliance Pack must be reviewed in its entirety by 6 March 2027 or sooner if a review trigger in section C6 is met.
Mazira LLC dba GoldFynch | 136 S Dubuque Street, Iowa City, IA 52240 info@goldfynch.com | +1-866-319-7983 | https://goldfynch.com © 2026 Mazira LLC. All rights reserved.