GoldFynch runs on Google Cloud infrastructure based in North America. When you upload documents, case files, or other data to GoldFynch, that data is stored and processed in the United States. Under UK and EU law, transferring personal data outside the UK/EEA requires us to have specific legal safeguards in place.
We take this seriously. Here's what we've put in place.
We rely on two legally recognised instruments to protect your data during international transfers:
The EU Standard Contractual Clauses (SCCs) are pre-approved data transfer contracts issued by the European Commission. By signing up to GoldFynch, you and GoldFynch are both bound by these clauses, which guarantee your data receives the same level of protection in the US as it would in the EU. Full details are in our Data Transfer Compliance Pack.
The UK International Data Transfer Addendum is the UK equivalent, issued by the Information Commissioner's Office (ICO) under the Data Protection Act 2018. It adapts the EU SCCs for UK transfers post-Brexit and is a mandatory addition for any UK data leaving the country. Read the full UK International Data Transfer Addendum.
We know US government access to data is a concern for many UK and EU customers, especially following the Schrems II ruling in 2020. We've conducted a formal Transfer Impact Assessment (TIA) under Clause 14 of the EU SCCs, which assesses each relevant US law and its practical impact on your data. Here's a plain-language summary:
| US Law | What It Allows | Impact on GoldFynch Customers | Risk |
|---|---|---|---|
| FISA Section 702 | Intelligence collection on foreign nationals from communications providers | GoldFynch's legal/eDiscovery customer base is not a typical intelligence target. Low practical likelihood of access. | Medium-Low |
| National Security Letters | FBI can request subscriber metadata (not content) from communications providers | Limited to metadata. Content of your documents requires a court warrant. | Low |
| CLOUD Act | US courts can order US companies to produce data held abroad | We can challenge disproportionate orders. The US-UK CLOUD Act Agreement (2022) adds judicial oversight. | Low |
| Stored Communications Act | Law enforcement access to stored electronic data | Content access requires a warrant (confirmed by US Supreme Court in Carpenter v. United States, 2018). | Low |
Our formal conclusion: we have no reason to believe US law prevents us from honouring our obligations under the SCCs and UK IDTA. The full TIA is available in our Data Transfer Compliance Pack (Part C).
Your data is encrypted in transit (TLS 1.2+) and at rest (AES-256 via Google Cloud). Nobody can read it without authorisation.
Role-based access controls and multi-factor authentication mean only authorised GoldFynch personnel can access your data — and only when necessary.
We only use sub-processors (like Google Cloud) who meet equivalent data protection standards. Our full sub-processor list is published in our DPA.
If a data breach affects your data, we'll notify you within 48 hours — giving you time to meet your own 72-hour reporting obligation to regulators.
When your contract ends, we delete all your personal data within 14 days and provide written confirmation that we've done so.
If we receive a government access request we believe is unlawful or disproportionate, we commit to challenging it before complying.
Whether you're in the UK or EU, you have the following rights over your personal data held by GoldFynch. Contact us at info@goldfynch.com to exercise any of them.
We commit to publishing an annual report on any government requests to access customer data we receive. Here is our current record:
Reporting period: 1 Feb 2026 to 6 March 2026. We will update this section annually.
If you have any questions about how we handle international data transfers, or if you'd like to request a copy of our full Data Transfer Compliance Pack (including the TIA), please contact us:
info@goldfynch.com
+1-866-319-7983
136 S Dubuque Street, Iowa City, IA 52240
If you're in the UK, you also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk. If you're in the EU, you may complain to your local supervisory authority.