Standard Contractual Clauses
Standard Contractual Clauses for cross-border transfers of EU personal data to US-based sub-processors. EU Commission 2021/914 modules.
Authoritative source: legal/scc.md in the platform repository. Each section flagged [REVIEW] in the source awaits external counsel input before going live.
Module selection
The EU Commission's 2021 SCCs (Implementing Decision (EU) 2021/914) ship in four modules. Showly relies on the combination below:
- Module 2 binds Showly as the processor for our Customer (the controller). Customers requiring EU data residency rely on Module 2 with Showly.
- Module 3 binds Showly to our US-based sub-processors (Stripe, Resend, OpenAI, Anthropic, Sentry, etc.). Module 3 is the processor→processor module — it's what carries the customer's data lawfully across the border under our responsibility.
[REVIEW] Counsel must confirm the module combination is appropriate for the platform's intended geography (notably AP / Pacific customers, where local data-residency law may require additional instruments).
Annexes (completion status)
The SCCs are not standalone — they require Annexes describing the specifics of the transfer. The current state of completion:
- Annex I Parties (Customer ↔ Showly). Auto-filled at DPA signature time.
- Annex I.B Description of the transfer (data categories, frequency, retention). [REVIEW] counsel-final wording pending; the technical content tracks /legal/sub-processors.
- Annex II Technical and organisational measures (TOMs). Sourced from docs/showly-platform-soc2-readiness.md and the platform security controls. [REVIEW] for formal wording.
- Annex III List of sub-processors (Module 3). Synchronised with the live Sub-processors page.
Schrems II safeguards
For transfers to the US specifically, the SCCs alone are no longer sufficient post-Schrems II (CJEU C-311/18). Showly's supplementary measures:
- Encryption in transit — TLS 1.2+ enforced everywhere; pinned cert chains for sub-processor traffic where the upstream supports it.
- Encryption at rest — Cloud KMS CMEK envelope encryption on Postgres, GCS, and backup buckets. Enterprise tier supports BYOK.
- Pseudonymisation — visitor analytics use a visitor_hash that is re-salted daily; raw IPs and user-agent strings are never persisted.
- Government access transparency — Showly's transparency report (published annually) discloses lawful access requests in aggregate. [REVIEW] confirm the first publication cadence with counsel.
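The daily re-salted visitor_hash from the pseudonymisation bullet, as an added illustration rather than Showly's own implementation; the HMAC-SHA256 construction, the in-memory per-day salt, the NUL separator and the /24 enumeration check are all assumptions made for the example.

```python
import hmac
import hashlib
import secrets
import datetime

# Constructed example, not Showly's code. Assumption: visitor_hash is an HMAC-SHA256 over
# (client IP, user-agent) keyed with a random salt generated once per UTC day and
# discarded at rollover, so hashes are stable within a day and unlinkable across days.

class VisitorPseudonymiser:
    def __init__(self):
        self._day = None    # ISO date the current salt belongs to
        self._salt = None   # held only in memory, never written anywhere

    def _salt_for(self, day):
        # Rotation: overwrite the salt when the day changes. Once overwritten it cannot
        # be recovered, so yesterday's visitor_hash values cannot be recomputed or joined.
        if day != self._day:
            self._day, self._salt = day, secrets.token_bytes(32)
        return self._salt

    def visitor_hash(self, ip, user_agent, day=None):
        day = day or datetime.datetime.now(datetime.timezone.utc).date().isoformat()
        msg = f"{ip}\x00{user_agent}".encode()   # NUL separator keeps fields unambiguous
        return hmac.new(self._salt_for(day), msg, hashlib.sha256).hexdigest()

    def analytics_event(self, ip, user_agent, path, day=None):
        # Only the pseudonym and non-identifying fields are persisted; the raw IP and
        # user-agent string are consumed here and dropped.
        return {"visitor_hash": self.visitor_hash(ip, user_agent, day), "path": path}


def unsalted_hash(ip):
    # What the salt protects against: a plain hash of the address is a pseudonym in name only.
    return hashlib.sha256(ip.encode()).hexdigest()


def reverse_unsalted(digest, prefix):
    # The IPv4 space is small enough that an unsalted hash is undone by enumeration;
    # this tries a single /24 to make the point (a constructed check, not a real lookup).
    for host in range(256):
        candidate = f"{prefix}.{host}"
        if unsalted_hash(candidate) == digest:
            return candidate
    return None
```

The salted version gives the same pseudonym for repeat visits within a day and a different, unlinkable one the next day, while the unsalted comparison shows why a bare hash of the IP would not count as pseudonymisation.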
UK addendum
For transfers involving UK personal data, the SCCs are paired with the UK Information Commissioner's International Data Transfer Addendum (the UK Addendum to the EU SCCs). Customers in the UK receive a DPA bundle that includes the UK Addendum by default.
Signing
The SCCs are incorporated into the Data Processing Addendum by reference. Signing the DPA binds both parties to the SCCs and the relevant Annexes. Enterprise customers may request standalone SCCs via legal@showly.ai.
This page summarises the current draft. The repository holds the full structural document — see the legal/scc.md referenced above. Substantive language is intentionally conservative until counsel review concludes.