International Data Transfers

Geodd LLC is established in the United States.

Geodd provides AI infrastructure services, including:

• Inferencing
• Serverless Inferencing
• Dedicated Inferencing
• Dedicated GPU
• Bare Metal Infrastructure

Where Customer Personal Data is transferred to, processed in, or accessed from a country that has not been recognized as providing an adequate level of data protection under applicable data protection laws, Geodd uses appropriate transfer safeguards as described in its Data Processing Agreement.

These safeguards may include:

• EU Standard Contractual Clauses
• UK International Data Transfer Addendum
• Swiss FADP adaptations, where applicable
• Transfer Impact Assessment support
• Supplementary technical and organizational measures

For EU customers, API inference is hosted in EU data center infrastructure by default.

For EU/UK customers using EU, UK, EEA, or other selected regional infrastructure, Geodd processes API requests for inference in the applicable selected region, except where access or transfer is required for:

• Support
• Security
• Debugging
• Service operations
• Billing
• Legal obligations
• Compliance
• Abuse or fraud prevention
• Customer-selected non-EU infrastructure

Geodd may also use subprocessors and operational support locations as described in its Data Processing Agreement and Subprocessor List.

Where Geodd offers Customer a choice of infrastructure region, Customer is responsible for selecting the region appropriate for its use of the Services.

If Customer selects infrastructure located outside the EU, EEA, UK, Switzerland, or another relevant jurisdiction, Customer acknowledges and instructs Geodd that Customer Personal Data submitted to the Services may be transferred to and processed in that selected region for the purpose of providing the Services.

For example, if an EU or UK Customer selects or enables non-EU infrastructure for inference, API requests may be routed outside the EU or UK for inference processing.

Customer is responsible for determining whether the selected region is appropriate for its workloads, users, legal obligations, and data protection requirements.

Support and administrative access may occur from Geodd operational locations, including Sri Lanka, where necessary for:

• Support
• Security
• Debugging
• Service operations
• Billing
• Legal obligations
• Compliance
• Abuse or fraud prevention

Geodd limits such access based on role, operational need, and applicable safeguards.

Safeguards may include:

• MFA
• Role-based access controls
• Access logging
• Encryption
• Staff confidentiality obligations
• Staff training
• Transfer safeguards where applicable

Where the GDPR applies and Customer Personal Data is transferred to a country that has not been recognized as providing an adequate level of protection, the parties agree that the EU Standard Contractual Clauses apply as described in Geodd’s Data Processing Agreement.

The applicable module depends on Customer’s role:

• Module Two: applies where Customer is a controller and Geodd is a processor.
• Module Three: applies where Customer is a processor and Geodd is a subprocessor.

For purposes of the EU Standard Contractual Clauses:

• Customer is the data exporter.
• Geodd is the data importer.
• The processing details are described in Geodd’s Data Processing Agreement.
• The technical and organizational measures are described in Geodd’s Security Measures page.
• The subprocessors are described in Geodd’s Subprocessor List.
• The optional docking clause applies.

The full EU Standard Contractual Clauses are available from the European Commission at: https://commission.europa.eu/publications/publications-standard-contractual-clauses-sccs_en

Where the UK GDPR applies and Customer Personal Data is transferred to a country that has not been recognized as providing an adequate level of protection, the UK International Data Transfer Addendum applies together with the EU Standard Contractual Clauses.

The UK Addendum is incorporated by reference at: https://ico.org.uk/media2/migrated/4019539/international-data-transfer-addendum.pdf

For purposes of the UK Addendum:

• The information in Geodd’s Data Processing Agreement, Security Measures page, Subprocessor List, and this International Data Transfers page will populate the relevant tables and annexes of the UK Addendum.
• Customer is the data exporter.
• Geodd is the data importer.
• The applicable EU SCC module is Module Two where Customer is a controller and Geodd is a processor.
• The applicable EU SCC module is Module Three where Customer is a processor and Geodd is a subprocessor.
• If there is any conflict between Geodd’s Data Processing Agreement and the UK Addendum, the UK Addendum will control to the extent required by UK Data Protection Laws.

Where the Swiss Federal Act on Data Protection applies, the EU Standard Contractual Clauses will be interpreted to protect personal data subject to Swiss data protection law.

For Swiss transfers:

• References to the GDPR will include the Swiss FADP where applicable.
• References to EU Member States will include Switzerland where applicable.
• The competent authority may include the Swiss Federal Data Protection and Information Commissioner.
• The EU Standard Contractual Clauses will be interpreted to provide an adequate level of protection for Swiss personal data.

Upon reasonable request, Geodd will provide information reasonably necessary to assist Customer in assessing international transfers of Customer Personal Data.

This may include information about:

• Applicable transfer mechanisms
• Processing locations
• Subprocessors
• Technical and organizational measures
• Supplementary measures
• Relevant security practices

Geodd is not required to disclose confidential, commercially sensitive, or security-sensitive information where disclosure could compromise the security of the Services, Geodd, its infrastructure, or other customers.

Geodd implements supplementary measures designed to protect Customer Personal Data in connection with international transfers and remote access.

These measures may include:

• TLS encryption in transit
• Encryption at rest where applicable
• API key hash storage
• Role-based access controls
• MFA for administrative access
• Firewalls and WAF
• Private networks where applicable
• Customer isolation through dedicated endpoints where applicable
• Access logging
• Vulnerability management
• Incident response processes
• Staff confidentiality obligations
• Access limited based on job role and operational need
• Data minimization for API prompts and outputs

For AI model API services, Geodd processes prompts, inputs, outputs, request bodies, and response bodies transiently to provide the requested inference response. Unless separately agreed in writing, Geodd does not store API prompts, API inputs, API outputs, completions, API request bodies, API response bodies, uploaded files, embeddings, customer datasets, or fine-tuning data.

Geodd does not use API data for model training and does not conduct human review of prompts or outputs by default.

Geodd may use subprocessors to provide, secure, support, and operate the Services.

Geodd’s Subprocessor List is available at: geodd.io/legal/subprocessors

The Subprocessor List describes vendors, purposes, categories of data processed, region or processing location information, transfer mechanisms, and notes.

Geodd provides at least 30 days’ prior notice before adding or replacing a Subprocessor that will process Customer Personal Data, as described in Geodd’s Data Processing Agreement.

Geodd may use third-party suppliers for physical hardware, rack space, power, cooling, connectivity, physical maintenance, and physical security.

Geodd does not treat physical infrastructure suppliers as subprocessors unless they process Customer Personal Data on behalf of Geodd.

Physical infrastructure suppliers are not treated as subprocessors where they do not have logical, administrative, operational, support, storage, backup, monitoring, encryption-key, or readable access to Customer Personal Data, workloads, prompts, outputs, logs, backups, storage, or runtime environments.

Emergency access by physical infrastructure suppliers is limited to physical premises, rack, cabling, power, hardware replacement, cooling, connectivity, and physical security. It does not include logical access to systems, workloads, storage, logs, encryption keys, or Customer Personal Data.

Customer is responsible for:

• Selecting the infrastructure region appropriate for its use of the Services.
• Determining whether Customer Personal Data may lawfully be transferred to or processed in the selected region.
• Ensuring that Customer has a lawful basis for submitting Customer Personal Data to the Services.
• Providing required notices to Data Subjects.
• Obtaining required consents, authorizations, or permissions.
• Assessing whether Customer’s use of the Services complies with applicable data protection laws.
• Avoiding unnecessary submission of sensitive or regulated data.
• Configuring Customer-controlled workloads, credentials, applications, models, datasets, and access permissions securely.

Where Customer selects non-EU, non-UK, or non-adequate infrastructure, Customer acknowledges and instructs Geodd that Customer Personal Data may be transferred to and processed in that selected region for the purpose of providing the Services.

Geodd may update this International Data Transfers page from time to time to reflect changes in:

• Applicable law
• Transfer mechanisms
• Processing locations
• Subprocessors
• Infrastructure options
• Security measures
• Operational practices

Where required by Geodd’s Data Processing Agreement, Geodd will provide notice before adding or replacing a Subprocessor that will process Customer Personal Data.

For privacy or data protection questions, contact: [email protected]

For security questions, contact: [email protected]