Data residency, vendors outside of EU/EEA

Simployer's approach to data protection, vendor management and data jurisdiction

At Simployer, data protection and privacy are integrated and essential to our business. As part of our commitment to compliance with the GDPR, we would like to inform our customers about our use of third-party vendors and the measures we take to ensure the security and privacy of your data.

Use of US-based vendors and hosting partners

In order to deliver a robust and innovative service, we collaborate with a select group of third-party vendors, most of them EU-based but also some based in the United States. For further details on the specific US-based vendors we work with, please refer to our sub-processors list.

Additionally, our hosting partners are part of larger organizations with US-based headquarters, which means that while our service is based in Europe, some aspects of our technical infrastructure are managed by these global partners.

More information about our hosting arrangements is available in our IT Security Policy and Hosting Partners documentation.

Ongoing assessments and data residency

We continuously assess the evolving political and regulatory landscape, including the current status of the US/EU Data Protection Framework. In the event that there are significant changes or if the framework were to cease functioning as expected, we are prepared to exercise our legal options, including the implementation of Standard Contractual Clauses (SCCs) and/or Binding Corporate Rules (BCRs) as alternative legal mechanisms for ongoing data processing between EU-based and US-based vendors.

Moreover, we are proactively exploring technical and practical strategies to enhance our data sovereignty. This includes investigating the feasibility of transitioning customer data to EU-only based vendors and services, thereby further aligning with European data protection principles.

Our commitment to transparency, security, and privacy remains at the forefront of everything we do, and we will continue to keep you informed of any significant changes to our vendor and data handling practices.

 

American cloud providers hosting Simployer (Azure, AWS, GCP)

For the operation and hosting of the Simployer platform, we utilize three of the world’s leading cloud platforms: Microsoft Azure, Amazon Web Services (AWS), and Google Cloud Platform (GCP). These are all American-owned companies; however, Simployer has chosen them because they offer unmatched scalability, security, and functionality. It is important to emphasize the following:

  • Data Storage in the EU/EEA: Simployer guarantees that customer data is not stored on servers outside the EU/EEA when using these cloud platforms. For example, parts of Simployer run in Microsoft Azure data centers in the Netherlands, Ireland, and Norway, and not in Azure regions outside the EU. Similarly, Simployer components using AWS are placed in AWS’s Frankfurt data center in Germany, ensuring that no Simployer data is stored outside the EU. For Google Cloud, only EU data centers are used, again guaranteeing that Simployer does not operate in regions outside the EU/EEA. These strict limitations ensure that personal data effectively maintains European data sovereignty even if the provider is American.

  • Professional Cloud Providers with No Direct Data Access: Azure, AWS, and GCP function solely as infrastructure providers for Simployer. They do not have an active role in operating the application or providing customer support. Simployer’s own operations team manages the application, connecting to the cloud infrastructure via secure channels. Our cloud partners (Microsoft, Amazon, Google) are responsible only for maintaining the infrastructure (servers, networks, storage) and ensuring security at the underlying level. They do not have access to customer data and process information only as necessary for the operation of the infrastructure. As a customer, you interact only with Simployer and generally will not notice which cloud provider is being used behind the scenes.

  • Agreements and Certifications: Simployer has signed dedicated Data Processing Agreements with Azure, AWS, and GCP as part of their standard cloud service terms. All our hosting partners are certified according to ISO/IEC 27001 (the international standard for information security). They also meet a wide range of other compliance requirements and certifications – for example, related to cloud security, privacy, and industry-specific standards. Microsoft, Amazon, and Google publish comprehensive documentation on their compliance offerings and certifications that customers can benefit from.

By using these three cloud platforms in EU regions, Simployer benefits from world-class technology and security while ensuring that data management remains within the EU and in accordance with local laws. This meets our strict requirements for operational reliability and privacy, as explained in the next section.

 

Simployer implements several measures to ensure that the use of the aforementioned subcontractors does not compromise personal privacy or information security. Below are the key technical and legal measures we have put in place:

  • Encryption of Data (Technical Measure): All customer data in Simployer is encrypted both at rest and during transit. This means that even if data is physically stored on servers managed by, for example, Microsoft or Amazon, the content remains unreadable without the correct encryption keys. We use encryption at rest via our cloud partners – for example, Azure databases use Transparent Data Encryption and file storage on Azure/AWS/GCP utilizes AES-based encryption mechanisms. This ensures that data on disk is protected against unauthorized access. Furthermore, all traffic in transit between the user’s browser/client and Simployer is encrypted using modern TLS (Transport Layer Security) protocols. This means that when data is sent to or from our solution, it is transmitted over secure, encrypted connections (HTTPS), so that no one can read or alter the information in transit. In summary, even if a subcontractor’s infrastructure were hypothetically compromised, readable personal data would not be exposed.

  • Access Control and Limited Data Visibility: As noted, subcontractors do not have active access to personal data. At the cloud provider level, only authorized operations personnel have physical access to the hardware in data centers, and logical access to our systems is strictly regulated. Simployer’s own employees with administrative privileges follow the principle of least privilege and are regularly audited. All access attempts and changes to the infrastructure are logged. Moreover, encryption keys are stored in secure vaults (Key Vaults) so that even the cloud provider cannot access them; only trusted Simployer personnel can retrieve these keys. This ensures that overall control of the data remains with Simployer and our customers, despite the use of external infrastructure.

  • Standard Contractual Clauses (SCC) and Other Transfer Mechanisms (Legal Measure): For those few subcontractors where there is a possibility of data transfer to the USA (e.g., Twilio SendGrid, OneSignal), Simployer relies on the current and legally valid Data Privacy Framework (DPF), with the EU Standard Contractual Clauses in our agreements as a back-up. SCCs are templates approved by the EU Commission to ensure that personal data transferred outside the EEA receives the same level of protection as within the EU. In practice, this commits the recipient (e.g., an American company) to follow GDPR principles, cooperate with European supervisory authorities, and provide data subjects with a range of rights. Twilio has additionally implemented Binding Corporate Rules (BCR), which are internal privacy policies approved by the EU, further strengthening their cross-border compliance. These legal tools ensure that even if, for instance, an email address is processed by an American email service, it is subject to extensive agreements that protect privacy.

  • Data Processing Agreements with all Subcontractors: Simployer has signed Data Processing Agreements (DPAs) with all subcontractors that process personal data on our behalf. These agreements specify the obligations of the subcontractor under data protection regulations, including confidentiality, security measures (cf. GDPR Article 32), assistance in upholding data subject rights, and mandatory breach notifications. Subcontractors are not permitted to use the data for their own purposes and can only process the data following Simployer’s (and ultimately the customer’s) instructions. These DPAs also ensure that new subcontractors are not engaged without prior notification to customers, who then have the opportunity to object or terminate the agreement.

  • Audits, certifications, and controls: The American cloud providers we use are regularly audited by independent third parties for a wide range of security standards. For example, Azure, AWS, and GCP are certified under ISO 27001, SOC 2, and several other standards. Simployer receives regular audit reports from these providers confirming their compliance. Internally, Simployer has also established routines for risk assessment of our providers and conducts security tests (including penetration testing of our solution). We stay updated on changes in data protection laws and recommendations from national data protection authorities and the EU, ensuring that our measures are always adequate.

Together, these technical and legal measures ensure that customer data remains secure even when using global technologies. Data is encrypted and managed within the EU, and providers are bound by European rules and agreements. This provides a high level of security that satisfies GDPR and meets our customers’ expectations for confidentiality.

 

Reality check: The lack of fully equivalent European alternatives

A natural question is whether one could choose entirely European providers for these services, given concerns about American ownership and data processing.

The reality is that there are currently no European cloud solutions that fully replace the large American platforms across all aspects.

The American players (Microsoft, Amazon, Google, etc.) have invested in global infrastructure and an extensive range of services over many years, which gives them a technological edge. As noted in a recent European technology publication, it is indeed “difficult to find alternatives to the big cloud providers AWS, Google Cloud, and Microsoft Azure”.

There are European cloud providers such as Hetzner, OVHcloud, Scaleway, T-Systems, etc., and these can cover certain needs (for example, basic virtual machines, storage, simple databases). Initiatives like Gaia-X in the EU have encouraged the development of European cloud capacity; however, none of these providers currently offers the comprehensive range of services – especially in advanced areas like machine learning, global content delivery, integrated databases, analytics, AI tools, etc. – that the major providers do. Often, European providers themselves may use parts of infrastructure from AWS or Azure, or they focus on niche markets.

For a comprehensive HR platform like Simployer, which is expected to deliver everything from AI-driven support to HR, secure logins, integrations, and scalability under high load, European-only alternatives would either be immature or fragmented (requiring multiple providers) – which could compromise stability and security.

We continually evaluate the market to see if competitive alternatives emerge that are European only. Until then, we believe that the best way to serve our customers is to use the leading global platforms available today while ensuring that they are operated under our strict guidelines (i.e., using EU data centers, our security measures, and legally binding agreements). This approach gives our customers a service that is both modern and reliable, while also being compliant with data protection laws.
