Privacy Procurement
EU/UK privacy and transfer paperwork
This is GhostSync's public procurement path for customer DPA review, SCC or UK transfer paperwork, and reusable subprocessor diligence before EU/UK production use.
Last updated: April 3, 2026
What is in the packet
Customer Data Processing Addendum
Processor terms, data categories, security measures, and deletion posture for merchant data handled on the merchant's behalf.
EU/UK Transfer Addendum
GhostSync's SCC and UK Addendum posture for restricted transfers, plus the supplementary controls used in the current launch scope.
Subprocessor and regional transfer appendix
A reusable map of providers, regions, and the transfer posture used for each service dependency.
GhostSync maintains these documents as the default starting point for EU/UK diligence. Executed copies are still issued through the privacy/legal request path so the right contracting details and transfer module are attached before production use.
How to request execution
GhostSync's launch posture is still a small North American cohort. EU/UK production use is a gated path: merchants can review this packet publicly, then request the execution copy through privacy/legal before go-live.
- Merchant legal entity name
- Billing country and whether the review is for EEA, UK, or both
- Signer name and title
- Whether the merchant acts as controller, processor, or both
- Any questionnaire, redlines, or procurement-portal instructions
GhostSync will use that context to send the matching DPA and transfer paperwork instead of relying on a generic one-size-fits-all attachment.
Transfer-mechanism posture
GhostSync's transfer package is built around the European Commission's June 4, 2021 SCCs for restricted EEA transfers and the UK Addendum to those SCCs for UK restricted transfers. The exact module depends on whether the merchant is acting as controller, processor, or both for the reviewed data flow.
EEA transfers:SCC-based path for controller to processor or processor to processor use cases, depending on the merchant's role.
UK transfers: UK Addendum attached to the EU SCC packet where a UK-restricted transfer is involved.
Go-live rule:if GhostSync cannot document the right transfer path for the merchant's review, EU/UK production use should stay blocked.
Procurement packet companions
Review these public materials alongside the packet when answering vendor diligence or security questionnaires.
Subprocessors and transfer posture
| Provider | Region | Categories | Transfer posture |
|---|---|---|---|
| Amazon Web Services (AWS) | United States | merchant account data, supplier uploads, sync logs, application telemetry | US-hosted infrastructure path. Covered through the GhostSync packet when EEA/UK merchant data is routed into core app workloads. |
| Shopify | Canada / United States | product catalog data, inventory quantities | Canada / US platform path. The packet documents the cross-border API flow and the exact controller/processor chain for the merchant review. |
| Stripe | United States | billing customer IDs, subscription status, payment records | US billing path. Billing metadata may require transfer coverage during EU/UK procurement review. |
| SendGrid | United States | supplier email envelopes, inbound attachments, transactional email metadata | US email-routing path for inbound supplier mail and optional transactional delivery. |
| Amazon SES | United States | notification email metadata | US notification-delivery path handled under GhostSync's AWS provider posture. |
| OpenAI | United States | sample onboarding files | US onboarding-only path for AI-assisted template generation. Not used in the deterministic daily runtime. |
| Plausible Analytics | European Union | anonymous page analytics | EU-hosted analytics path. No additional third-country transfer is expected for the base analytics store. |