International Data Transfer Disclosure

International Data Transfer Disclosure

International Data Transfer Disclosure

1. Overview of International Transfers

Status: Huma does not hold SecNumCloud 3.2 certification. However, we maintain hosting infrastructure primarily within the European Economic Area (EEA) and implement strict controls for any limited transfers outside the EEA.

As a health data processor certified under the French Health Data Host (HDS) framework, Huma is required to publicly disclose all arrangements for transferring personal health data (Données de Santé à Caractère Personnel - DSCPs) outside the European Economic Area.

This page provides:

  • A complete list of sub-processors and their data locations

  • Details of non-EEA access by third-country legislation

  • Risks associated with unauthorized access under third-country law

  • Supplementary safeguards implemented to mitigate those risks

  • Data subject rights and remedies

3. Transfer Details & Sub-Processor Information

Huma engages the following sub-processors who may access or process personal health data:

Amazon Web Services (AWS) – Cloud Infrastructure

Role

Sub-processor

Primary Data Location

Ireland & Frankfurt (EU)

Parent Company Country

United States

Data Processing Activity

Cloud hosting, storage, compute, and managed services for Huma platform infrastructure

Data Elements

Personal health data (DSCPs), user identifiers, application data, system logs, and backups as required to deliver the platform. All health data is stored exclusively in EEA regions.

Safeguards

  • Primary data residency in EEA (eu-west-1 / eu-central-1)

  • TLS 1.2+ encryption in transit; AES-256 encryption at rest

  • Standard Contractual Clauses (2021/914/EU) for any US parent access

  • AWS Data Processing Addendum incorporating GDPR Article 28

  • RBAC, VPC network isolation, and CloudTrail audit logging

  • ISO 27001, SOC 2 Type II, and CSA STAR certified infrastructure

  • No onward transfers outside EEA without prior written approval

DocuSign – Electronic Signature Service

Role

Sub-processor

Primary Data Location

Ireland (EU)

Parent Company Country

United States

Data Processing Activity

Prescription approval signatures, clinical document signing

Data Elements

Signer name, email address, signature timestamp, signed prescription PDF (encrypted, may include patient identifiers such as ID or initials). No direct health data is processed – documents are created and encrypted by Huma prior to DocuSign access.

Safeguards

  • TLS 1.2+ encryption in transit

  • AES-256 encryption at rest in DocuSign EU data centres

  • Standard Contractual Clauses with supplementary safeguards

  • No onward transfers outside the EEA

Google Cloud Platform (GCP) – Cloud Infrastructure

Role

Sub-processor

Primary Data Location

Belgium & Frankfurt (EU)

Parent Company Country

United States

Data Processing Activity

Cloud hosting, storage, compute, and managed database services for Huma platform components

Data Elements

Personal health data (DSCPs), user identifiers, application data, system logs, and backups as required to deliver the platform. All health data is stored exclusively in EEA regions.

Safeguards

  • Primary data residency in EEA (europe-west1 / europe-west3)

  • TLS 1.2+ encryption in transit; AES-256 encryption at rest

  • Standard Contractual Clauses (2021/914/EU) for any US parent access

  • Google Cloud Data Processing Addendum incorporating GDPR Article 28

  • VPC Service Controls, IAM, and Cloud Audit Logs

  • ISO 27001, SOC 2 Type II, and ISO 27701 certified infrastructure

  • No onward transfers outside EEA without prior written approval

Intercom - Customer Communication & Support

Role

Sub-processor

Primary Data Location

Ireland (EU)

Parent Company Country

United States

Data Processing Activity

In-app messaging, support communications, user feedback

Data Elements

Limited to user contact details, message metadata, interaction logs (cookies, IP addresses), and feedback. No health data or patient message content is transferred – clinical messages remain within Huma's secure environment.

Safeguards

  • Primary processing in Ireland (EEA)

  • Standard Contractual Clauses (2021/914/EU) for any US access

  • End-to-end encryption where available

  • Strict access controls and audit trails

  • Data Processing Agreement with Sub-Processor Addendum

Jira / Atlassian – Project & Issue Tracking

Role

Sub-processor

Primary Data Location

EU (Atlassian Cloud – EU region)

Parent Company Country

Australia / United States

Data Processing Activity

Internal issue tracking, incident management, and development project coordination

Data Elements

Limited to staff identifiers, issue descriptions, and operational metadata used in internal workflows. No patient health data (DSCPs) is intentionally processed within Jira; any incidental inclusion is subject to data minimisation controls.

Safeguards

  • EU data residency elected via Atlassian Data Residency programme

  • Standard Contractual Clauses (2021/914/EU) for any non-EEA access

  • Atlassian Cloud Data Processing Addendum incorporating GDPR Article 28

  • SSO, MFA, and RBAC enforced; access limited to authorised staff

  • SOC 2 Type II and ISO 27001 certified infrastructure

  • Data minimisation policy: staff trained not to log patient identifiers in issue tracking systems

Mixpanel – Product Analytics

Role

Sub-processor

Primary Data Location

United States

Parent Company Country

United States

Data Processing Activity

Product analytics, user behaviour tracking, feature usage analysis

Data Elements

Anonymised or pseudonymised usage event data, device identifiers, IP addresses, and interaction metadata. No clinical health data or patient identifiers are transferred; data is pseudonymised by Huma prior to ingestion.

Safeguards

  • Data pseudonymisation and anonymisation applied by Huma prior to transfer

  • Standard Contractual Clauses (2021/914/EU) governing the transfer

  • Mixpanel Data Processing Agreement incorporating GDPR Article 28

  • IP anonymisation enabled; data minimisation applied at point of collection

  • Contractual prohibition on secondary use and data broker sales

Pendo – Product Analytics & In-App Guidance

Role

Sub-processor

Primary Data Location

United States

Parent Company Country

United States

Data Processing Activity

In-app user guidance, onboarding flows, product analytics, and feature adoption tracking

Data Elements

Pseudonymised user identifiers, interaction metadata, session data, and device information. No clinical health data or DSCPs are transferred; identifiers are pseudonymised by Huma prior to transfer.

Safeguards

  • Data pseudonymisation applied by Huma prior to transfer

  • Standard Contractual Clauses (2021/914/EU) governing the transfer

  • Pendo Data Processing Agreement incorporating GDPR Article 28

  • Contractual restriction on secondary use, data monetisation, and onward transfer

Twilio (Secure Communications Infrastructure)

Role

Sub-processor

Primary Data Location

Ireland & Germany (EU)

Parent Company Country

United States

Data Processing Activity

Message delivery metadata, contact details, communication routing

Data Elements

Limited to phone numbers, email addresses, and message delivery metadata required for routing. No message content or health data is transferred.

Safeguards

  • Primary processing in EU data centres (Ireland, Germany)

  • Twilio Binding Corporate Rules (BCRs) for intra-group transfers

  • Standard Contractual Clauses (2021/914/EU) for US access

  • UK International Data Transfer Addendum (IDTA) for UK data

  • Supplementary technical and organizational measures

4. Risk Assessment – Requirement 30

As required by HDS Requirement 30, we identify and assess the risks of unauthorized access to DSCPs under third-country legislation:


HIGH LEGISLATIVE RISK

US CLOUD Act & FISA Amendments

Applicable to: DocuSign, Intercom, Twilio (all US parent companies)

Description: The US Clarifying Lawful Overseas Use of Data (CLOUD) Act allows US federal authorities to compel US companies (and foreign subsidiaries under US control) to disclose stored data without a foreign warrant. FISA Amendments Section 702 allows warrantless collection of foreign communications.

Potential Unauthorized Access: US law enforcement, intelligence agencies (NSA, FBI, CIA, DHS) may demand access to personal data for national security purposes without European judicial oversight or data subject notification.

Residual Risk Level: Medium-High – While primary processing occurs in the EU, limited support/routing operations in the US create exposure risk.

MEDIUM LEGISLATIVE RISK

Absence of Adequate Data Protection Framework

Applicable to: All US-based processors

Description: The US does not have a comprehensive federal data protection law equivalent to the GDPR. Data protection is fragmented across sector-specific laws (HIPAA, HITECH, COPPA) with significant gaps.

Potential Unauthorized Access: US companies have broad discretion in data use, monetization, and third-party sharing absent contractual restrictions. Less stringent oversight of data handling practices.

Residual Risk Level: Low-Medium – Mitigated by SCCs, DPAs, and contractual restrictions limiting data use to processing activities only.


LOW LEGISLATIVE RISK

Commercial Data Broker Market

Applicable to: All US processors

Description: The US data broker market allows third parties to purchase personal data from companies, subject to limited restrictions.

Potential Unauthorized Access: Unlikely in healthcare context due to HIPAA restrictions on Huma's processors; however, data outside HIPAA scope (user contact details, IP addresses) could theoretically be sold.

Residual Risk Level: Low – Substantially mitigated by contractual prohibitions on secondary use and data broker sales.


MEDIUM LEGISLATIVE RISK

Australian Assistance and Access Act 2018

Applicable to: Jira / Atlassian (Australian parent company)

Description: Australia's Assistance and Access Act 2018 (the "AA Act") allows Australian government agencies to compel technology companies to provide access to encrypted communications and stored data. Atlassian, as an Australian-headquartered company, is subject to this legislation regardless of where data is stored.

Potential Unauthorised Access: Australian intelligence and law enforcement agencies may issue Technical Assistance Notices (TANs) or Technical Capability Notices (TCNs) compelling Atlassian to provide access to data or build access capabilities, without equivalent European judicial oversight.

Residual Risk Level: Low–Medium — Mitigated by EU data residency, SCCs, DPA, and the fact that no patient health data is intentionally processed within Jira. Limited to operational and staff metadata only.


HIGH LEGISLATIVE RISK

US CLOUD Act & FISA Amendments (Analytics Processors)

Applicable to: Mixpanel, Pendo (US parent companies)

Description: As with DocuSign, Intercom, and Twilio, both Mixpanel and Pendo are US-incorporated entities subject to the CLOUD Act and FISA Section 702. US federal authorities may compel disclosure of stored data without a foreign warrant or data subject notification.

Potential Unauthorised Access: US law enforcement and intelligence agencies may demand access to data held by Mixpanel and Pendo, including pseudonymised identifiers and usage analytics.

Residual Risk Level: Medium — Substantially mitigated by pseudonymisation and anonymisation applied by Huma prior to transfer, meaning data accessible to these processors cannot readily be re-identified without Huma's internal identifiers. No clinical content is transferred.


Summary of Non-European Regulations Requiring Access Disclosure

Regulation

Country

Scope

Risk to DSCPs

Mitigation

CLOUD Act (2018)

USA

Compelled disclosure by federal authorities

High – Direct access demand without EU judicial review

SCCs, DPA, UK IDTA; limited US processing; EU data residency

FISA § 702

USA

Warrantless collection for national security

High – Intelligence agency access without warrant

SCCs, supplementary safeguards, minimal US access

Federal Rules of Evidence / Discovery

USA

Civil litigation disclosure

Low – Limited to specific disputes; subject to protective orders

Contractual dispute resolution; limited scope

Absence of GDPR Equivalent

USA

Data use and retention discretion

Medium – Broad corporate discretion in data handling

Contractual DPA; processing limitations; no secondary use

5. Data Protection Safeguards

Huma implements multiple layers of safeguards to ensure the level of data protection guaranteed by GDPR is not undermined, in line with the EDPB's Recommendations 01/2020 (post-Schrems II):

Technical Safeguards

  • Data Minimization: Only essential personal data is transferred to sub-processors; health data remains within Huma's EEA infrastructure

  • Encryption in Transit: All transfers use TLS 1.2+ minimum; sensitive documents encrypted end-to-end

  • Encryption at Rest: AES-256 encryption for data stored in sub-processor systems

  • Pseudonymization: Where applicable, data is pseudonymized before transfer to limit re-identification risk

  • Access Controls: Role-based access control (RBAC) and principle of least privilege; audit logging of all data access

  • Network Segmentation: Health data processing segregated from general platform infrastructure

  • Data Location Controls: Primary processing geographically restricted to EEA data centres; limited exceptions documented and monitored

Contractual Safeguards

  • Standard Contractual Clauses (SCCs): All non-EEA transfers governed by European Commission-approved SCCs (Decision 2021/914/EU)

  • UK International Data Transfer Addendum (IDTA): For UK-originating data, transfers to non-UK/EEA entities governed by the UK IDTA (in addition to SCCs)

  • Binding Corporate Rules (BCRs): Twilio's BCRs provide EDPB-approved framework for intra-group transfers

  • Data Processing Agreements (DPAs): All sub-processors bound by DPA incorporating GDPR Article 28 and GDPR Chapter V requirements

  • Supplementary Measures Addendum: Explicit contractual commitments to implement EDPB Recommendations 01/2020

  • Limitation on Processing: Contractual prohibition on secondary use, data broker sales, or transfer to third parties without Huma's written consent

  • Sub-processor Chains: No sub-processor may engage further sub-processors without prior written approval by data controller and Huma

Organizational Safeguards

  • Data Protection Impact Assessments (DPIAs): Comprehensive DPIA conducted for each transfer arrangement; periodic review and update

  • Sub-processor Due Diligence: Annual security assessments and SOC 2 Type II audits (or equivalent) of sub-processors

  • Incident Response Plan: Documented procedures for breach notification, containment, and remediation within 72 hours per GDPR Article 33

  • Data Subject Rights Processes: Mechanisms to fulfill access, rectification, erasure, and portability requests within legal timeframes

  • Privacy Training: Annual GDPR and HDS compliance training for all staff handling personal data

  • Regulatory Cooperation: Commitment to cooperate with CNIL, DPA, and other data protection authorities on investigations and audits

  • Monitoring & Audit: Quarterly compliance monitoring; annual third-party audit of transfer arrangements

Recourse & Remedies

  • Legal Recourse in EU: Data subjects may lodge complaints with their national data protection authority (CNIL for France)

  • Right to Judicial Remedy: Data subjects may pursue judicial remedies in EU/EEA courts against unauthorized access under Article 79 GDPR

  • Contractual Indemnification: Huma contractually indemnifies customers against fines and damages arising from sub-processor breaches

  • Escalation Procedure: Data subjects may escalate concerns to Huma's Data Protection Officer (DPO) for investigation and remedy

6. Complete Transfer Matrix (Requirement 31)

The following table provides a comprehensive overview of all data transfer arrangements:

Sub-Processor

Data Processing Activity

Data Origin (From)

Primary Location (To)

Non-EEA Access

Legal Basis

Risk Level

Safeguards

AWS

Cloud infrastructure, storage, compute

France, Portugal, Czech Republic, Sweden, UK

Ireland & Frankfurt (EU)

No – health data remains in EEA

GDPR Article 46 (SCCs)

Low

TLS 1.2+, AES-256, SCCs, VPC isolation, CloudTrail, SOC 2 Type II

DocuSign

Prescription document signature & approval

France, Portugal, Czech Republic, Sweden, UK

Ireland (EU)

No – data remains in EU

GDPR Article 46 (SCCs)

Low

TLS 1.2+, AES-256, SCCs, no onward transfer

GCP

Cloud infrastructure, storage, managed databases

France, Portugal, Czech Republic, Sweden, UK

Belgium & Frankfurt (EU)

No – health data remains in EEA

GDPR Article 46 (SCCs)

Low

TLS 1.2+, AES-256, SCCs, VPC Service Controls, IAM, SOC 2 Type II

Intercom

In-app messaging, support communications

France, Portugal, Czech Republic, Sweden, UK

Ireland (EU) / Limited US

Yes – US limited support access

GDPR Article 46 (SCCs + supplementary measures)

Medium

SCCs, DPA, UK IDTA, access controls, audit logs

Jira (Atlassian)

Issue tracking, incident management

France, Portugal, Czech Republic, Sweden, UK

EU (Atlassian Cloud) / Limited non-EEA

Yes – limited non-EEA access possible

GDPR Article 46 (SCCs)

Low–Medium

SCCs, DPA, EU data residency, SSO/MFA/RBAC, data minimisation policy

Mixpanel

Product analytics, usage tracking

France, Portugal, Czech Republic, Sweden, UK

United States

Yes – primary processing in US

GDPR Article 46 (SCCs + supplementary measures)

Medium

SCCs, DPA, pseudonymisation prior to transfer, no secondary use

Pendo

In-app guidance, product analytics

France, Portugal, Czech Republic, Sweden, UK

United States

Yes – primary processing in US

GDPR Article 46 (SCCs + supplementary measures)

Medium

SCCs, DPA, pseudonymisation prior to transfer, contractual restrictions

Twilio

Message delivery, communication routing

France, Portugal, Czech Republic, Sweden, UK

Ireland & Germany (EU) / Limited US

Yes – US support & routing access

GDPR Article 46 (SCCs + BCRs + supplementary measures)

Medium

SCCs, BCRs, UK IDTA, DPA, encryption, strict access controls

Key Finding: Primary storage and processing of health data (DSCPs) occurs exclusively within the EEA (UK and EU data centres). Limited non-EEA access is restricted to metadata, support operations, and communication routing – never clinical content. All transfers protected by European Commission-approved Standard Contractual Clauses and supplementary technical/organizational safeguards.

7. Data Subject Rights & Remedies

Under GDPR and HDS certification, data subjects (patients) retain full rights regarding their personal health data:

GDPR Data Subject Rights

  • Right to Access (Article 15): Request a copy of your personal data held by Huma

  • Right to Rectification (Article 16): Correct inaccurate or incomplete personal data

  • Right to Erasure (Article 17): Request deletion of your data ("right to be forgotten")

  • Right to Restriction (Article 18): Restrict processing of your data pending dispute resolution

  • Right to Portability (Article 20): Receive your data in a structured, portable format

  • Right to Object (Article 21): Object to processing for legitimate interests

  • Rights Related to Automated Decision-Making (Article 22): Not be subject to decisions based solely on automated processing


How to Exercise Your Rights

To exercise any of the above rights, submit a written request to:

Huma Data Protection Officer (DPO)
Email: dpo@huma.ai
Address: Huma Ltd , 13th Floor, Millbank Tower, 21-24 Millbank, London, SW1P 4QP, United Kingdom.
Response time: 30 calendar days (extendable to 60 days for complex requests)


Right to Lodge a Complaint

If you believe your rights have been violated, you have the right to lodge a complaint with your national data protection authority:

For France:
Commission Nationale de l'Informatique et des Libertés (CNIL)
Phone: +33 1 53 73 22 22
Online complaint form


Right to Judicial Remedy

You may seek judicial remedies in the courts of your country of residence for damages arising from unlawful processing or unauthorized access. Huma provides contractual indemnification for damages resulting from sub-processor breaches.


Right to Be Informed About Data Transfers

This page serves as your notice of international data transfers. Huma commits to:

  • Maintain transparency about all sub-processor arrangements

  • Update this disclosure within 30 days of any material change (new processor, change of location, change of safeguards)

  • Notify data subjects of any data breach involving non-EEA access within 72 hours per GDPR Article 33

  • Cooperate with data protection authorities on investigations


Important Notice

This disclosure is provided in compliance with HDS Requirement 31 (Article R1111-15 of the French Code de la Santé Publique) and GDPR Chapter V. It reflects Huma's commitment to transparency and data protection in the processing of personal health data.

Assessment of Adequacy: While Huma does not hold SecNumCloud 3.2 certification, we maintain equivalent data protection through:

  • Primary EEA data residency for all health data

  • European Commission-approved Standard Contractual Clauses (2021/914/EU)

  • EDPB Recommendations 01/2020 supplementary safeguards

  • Comprehensive technical, contractual, and organizational controls

  • Regular third-party security audits (SOC 2 Type II)

Regulatory Authority: For inquiries regarding this disclosure or Huma's HDS compliance, contact the CNIL or your local data protection authority.

Last Updated: March 20, 2026

Version: 1.0 – HDS Compliance Edition

This page is reviewed and updated quarterly, or upon material change to data transfer arrangements.