π Why Does Data Move to the US?
GoldFynch runs on Google Cloud infrastructure based in North America. When you upload documents, case files, or other data to GoldFynch, that data is stored and processed in the United States. Under UK and EU law, transferring personal data outside the UK/EEA requires us to have specific legal safeguards in place.
We take this seriously. Here's what we've put in place.
π‘οΈ Our Legal Transfer Mechanisms
We rely on two legally recognised instruments to protect your data during international transfers:
These are pre-approved data transfer contracts issued by the European Commission. By signing up to GoldFynch, you and GoldFynch are both bound by these clauses, which guarantee your data receives the same level of protection in the US as it would in the EU. Full details are in our Data Transfer Compliance Pack.
- Module 2 (Controller to Processor) applies as standard
- Governed by Irish law; disputes heard in Irish courts
- Includes enforceable rights for individual data subjects
This is the UK equivalent, issued by the Information Commissioner's Office (ICO) under the Data Protection Act 2018. It adapts the EU SCCs for UK transfers post-Brexit and is a mandatory addition for any UK data leaving the country. Read the full UK International Data Transfer Addendum.
- Adapts EU SCCs for UK GDPR compliance
- Supervised by the UK ICO
- Governed by the law of England and Wales
- Your main GoldFynch contract remains under Iowa/US law
βοΈ What About US Surveillance Laws?
We know this is a concern for many UK and EU customers - especially following the Schrems II ruling in 2020. We've conducted a formal Transfer Impact Assessment (TIA) under Clause 14 of the EU SCCs, which assesses each relevant US law and its practical impact on your data. Here's a plain-language summary:
| US Law | What It Allows | Impact on GoldFynch Customers | Risk |
|---|---|---|---|
| FISA Section 702 | Intelligence collection on foreign nationals from communications providers | GoldFynch's legal/eDiscovery customer base is not a typical intelligence target. Low practical likelihood of access. | Medium-Low |
| National Security Letters | FBI can request subscriber metadata (not content) from communications providers | Limited to metadata. Content of your documents requires a court warrant. | Low |
| CLOUD Act | US courts can order US companies to produce data held abroad | We can challenge disproportionate orders. The US-UK CLOUD Act Agreement (2022) adds judicial oversight. | Low |
| Stored Communications Act | Law enforcement access to stored electronic data | Content access requires a warrant (confirmed by US Supreme Court in Carpenter v. United States, 2018). | Low |
Our formal conclusion: we have no reason to believe US law prevents us from honouring our obligations under the SCCs and UK IDTA. The full TIA is available in our Data Transfer Compliance Pack (Part C).
π How We Protect Your Data in Practice
Encrypted Everywhere
Your data is encrypted in transit (TLS 1.2+) and at rest (AES-256 via Google Cloud). Nobody can read it without authorisation.
Strict Access Controls
Role-based access controls and multi-factor authentication mean only authorised GoldFynch personnel can access your data - and only when necessary.
Trusted Sub-Processors
We only use sub-processors (like Google Cloud) who meet equivalent data protection standards. Our full sub-processor list is published in our DPA.
Fast Breach Notification
If a data breach affects your data, we'll notify you within 48 hours - giving you time to meet your own 72-hour reporting obligation to regulators.
Prompt Deletion
When your contract ends, we delete all your personal data within 14 days and provide written confirmation that we've done so.
We'll Fight for Your Data
If we receive a government access request we believe is unlawful or disproportionate, we commit to challenging it before complying.
β Your Rights
Whether you're in the UK or EU, you have the following rights over your personal data held by GoldFynch. Contact us at info@goldfynch.com to exercise any of them.
π Government Access Transparency
Annual Transparency Report
We commit to publishing an annual report on any government requests to access customer data we receive. Here is our current record:
Reporting period: 1 Feb 2026 to 6 March 2026. We will update this section annually.
π Questions or Complaints?
Get in Touch
If you have any questions about how we handle international data transfers, or if you'd like to request a copy of our full Data Transfer Compliance Pack (including the TIA), please contact us:
π§ info@goldfynch.com
π +1-866-319-7983
π 136 S Dubuque Street, Iowa City, IA 52240
If you're in the UK, you also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk. If you're in the EU, you may complain to your local supervisory authority.
Mazira LLC dba GoldFynch · Iowa City, IA, USA