Standard Contractual Clauses (SCCs)

Last changed: Feb 27th, 2026

SCC Attachment — International Data Transfer Safeguards

(Attachment to the SantaClues Data Processing Agreement)

This document incorporates the Standard Contractual Clauses (SCCs) adopted by the European Commission pursuant to Commission Implementing Decision (EU) 2021/914.

The SCCs apply where personal data processed under the SantaClues Services is transferred to a third country without an adequacy decision.

This attachment forms part of the Data Processing Agreement (DPA) between:

Controller: Customer using the SantaClues Services
Processor: SantaClues AS

1. Applicable SCC Modules

The following modules apply depending on the roles of the parties.

Module 2 — Controller → Processor

Applies to transfers where:

Controller (Customer)
→ transfers personal data →
SantaClues (Processor)

This module governs the transfer of personal data to SantaClues when SantaClues processes personal data on behalf of the Controller in connection with the Services.

Module 3 — Processor → Subprocessor

Applies to transfers where:

SantaClues (Processor)
→ transfers personal data →
Subprocessors engaged to provide the Services.

This module governs onward transfers to subprocessors used by SantaClues.

2. Clause Selections

The following SCC clause options are selected.

Clause 7 — Docking Clause

Included.

The docking clause permits additional controllers or processors to accede to the SCCs as parties where required.

Clause 9 — Use of Subprocessors

Option 2 — General Authorisation

SantaClues has general authorisation to engage subprocessors, subject to the notification and objection mechanism described in the Data Processing Agreement.

The list of authorised subprocessors is provided in Annex III.

Clause 11 — Redress

The optional independent dispute resolution mechanism is not selected.

Data subjects retain rights to pursue remedies under applicable law.

Clause 17 — Governing Law

The SCCs are governed by the law of the Member State in which the Controller is established, provided that such law allows for third-party beneficiary rights.

If the Controller is not established in the EEA, the SCCs shall be governed by the law of Ireland.

Clause 18 — Choice of Forum

Disputes arising under the SCCs shall be resolved in the courts of the EU Member State whose law governs the SCCs.

3. Annex I — Description of Transfers

The description of transfers under the SCCs corresponds to the processing operations described in:

Annex I — Description of Processing

This includes:

  • audio stream ingestion
  • speech-to-text transcription
  • transcript storage
  • automated analysis using LLM providers
  • generation of coaching metrics
  • logging of prompt inputs and outputs
  • report generation and export

The categories of:

  • data subjects
  • personal data
  • processing operations
  • processing purposes

are fully described in the DPA Annex I and are incorporated by reference.

Important operational realities include:

  • transcripts may contain personal data
  • transcript content may be transmitted to LLM providers
  • prompt logs may contain transcript excerpts
  • no automated redaction or anonymisation is performed prior to processing

4. Annex II — Technical and Organisational Measures

The security measures applicable to the SCCs are described in:

Annex II — Technical and Organisational Measures

This document describes:

  • infrastructure security
  • access control
  • TLS encryption in transit
  • retention and deletion mechanisms
  • logging practices
  • incident response procedures

No additional security claims beyond those described in Annex II apply.

5. Annex III — Subprocessors

The subprocessors authorised under the SCCs are listed in:

Annex III — Subprocessors

This annex identifies:

  • infrastructure providers
  • transcription providers
  • LLM providers
  • operational services

including their service function and processing location.

6. Transfers to Third Countries

Where personal data processed under the Services is transferred outside the European Economic Area, SantaClues relies on:

  • Standard Contractual Clauses (EU 2021/914)
  • Transfer Impact Assessments

EU-only processing is not enforced by system architecture, and certain subprocessors may process personal data outside the EEA.

Controllers should consider such transfers as part of their own compliance assessments.

7. Transfer Impact Assessments

Where personal data is transferred to a third country lacking an adequacy decision, SantaClues conducts Transfer Impact Assessments (TIAs).

TIAs evaluate:

  • legal environment of the destination country
  • government access risk
  • contractual safeguards
  • technical and organisational measures

Separate TIAs are maintained for relevant subprocessors.

8. Hierarchy of Documents

In the event of conflict between the SCCs and other contractual documents:

  1. The Standard Contractual Clauses prevail for international transfers.
  2. The Data Processing Agreement governs processor obligations.
  3. The Terms of Service apply to the provision of the Services.

Real-Time Coaching That Helps Every Sales Rep Sell Smarter. Like a seasoned coach in your corner — only this one listens quietly, learns fast, and gives your reps the right nudge at the perfect moment.

Menu
Home
Features
FAQ
Pricing
System
Log in
Sign up
Dashboard
Contact
hello@santaclues.ai
Santa Claus, 123 Elf Road, North Pole, 88888
© 2026 🎅 SantaClues | All rights reserved
Compliance center
Privacy policy
Terms and conditions
Made with 🧙 by Swml