Transfer Impact Assessments (TIAs)
SalesFrank — Another Side Ventures Free Zone LLC
Prepared in accordance with the recommendations of the European Data Protection Board (EDPB) — Recommendations 01/2020 on measures that supplement transfer tools (Version 2.0, adopted on 18.06.2021)
Controller (Data Exporter): Another Side Ventures Free Zone LLC, Al Shohada Road, Ras Al Khaimah, UAE
EU Representative pursuant to Art. 27 GDPR: Thomas Bergmann, info@salesfrank.com
Date of initial assessment: March 2026
Next scheduled review: September 2026
TIA No. 1: ElevenLabs, Inc.
1. Identification of the Data Transfer
1.1 Data Exporter
| Field | Details |
|---|---|
| Name | Another Side Ventures Free Zone LLC |
| Role | Processor (in relation to the customer as the controller) |
| Registered office | Ras Al Khaimah, UAE |
| EU Representative | Thomas Bergmann, info@salesfrank.com |
| Data Protection Contact | info@salesfrank.com |
1.2 Data Importer
| Field | Details |
|---|---|
| Name | ElevenLabs, Inc. |
| Role | Sub-processor |
| Registered office | New York, USA |
| Website | elevenlabs.io |
| DPA concluded | Yes — ElevenLabs Standard Data Processing Agreement |
| SCCs concluded | Yes — Standard Contractual Clauses pursuant to Commission Implementing Decision (EU) 2021/914 of 04.06.2021, Module 3 (Processor → Sub-processor) |
| EU-US Data Privacy Framework | Certification check: [to be verified at time of assessment at dataprivacyframework.gov] |
1.3 Types of Personal Data Transferred
| Data Category | Description | Personal Data Relevance |
|---|---|---|
| Audio data (Speech-to-Text) | Real-time audio stream of the called person’s voice during the phone call | Yes — voice constitutes biometric data in the broader sense; identifiable in combination with phone number |
| Text data (Text-to-Speech) | LLM-generated response text that is converted into speech | No — does not contain personal data of the called person; synthetically generated text |
1.4 Purpose of the Transfer
The transfer is carried out exclusively for the purpose of:
- Speech synthesis (Text-to-Speech): Conversion of AI-generated text responses into natural-sounding audio output for the phone call
- Speech recognition (Speech-to-Text): Real-time transcription of the called person’s spoken words into text, which is subsequently processed by the LLM
1.5 Nature of Processing
The processing by ElevenLabs takes the form of transient real-time stream processing (Real-Time Streaming):
- Audio data is sent as a continuous data stream to the ElevenLabs API
- Processing occurs in real time in the RAM of ElevenLabs servers
- The result (transcribed text or synthesized speech) is immediately streamed back to the processor
- No permanent storage of audio data or transcripts takes place at ElevenLabs after completion of the real-time processing
- Processing time per request is typically a few seconds
1.6 Frequency and Volume
- Processing occurs with every phone call made via the platform
- Volume: depends on the number and duration of phone calls made by the respective customer
- Typical call duration: 30 seconds to 5 minutes per call
1.7 Categories of Data Subjects
- Contact persons (called persons): typically business contacts (B2B), such as managing directors, sales managers, or other decision-makers in companies
2. Assessment of the Legal Framework of the Recipient Country (USA)
2.1 General Assessment
The United States of America does not have a comprehensive federal data protection law that corresponds to the level of protection afforded by the GDPR. However, on 10 July 2023, the European Commission adopted an adequacy decision for the EU-US Data Privacy Framework (DPF) pursuant to Art. 45 GDPR (Implementing Decision (EU) 2023/1795).
2.2 Relevant US Laws and Government Access Rights
2.2.1 FISA Section 702 (Foreign Intelligence Surveillance Act)
- Scope: Enables US intelligence agencies to conduct targeted surveillance of electronic communications of non-US persons outside the USA
- Relevance for this transfer: ElevenLabs could theoretically be subject to an order under FISA 702 as an “Electronic Communication Service Provider”
- Assessment: The actual probability of such an order is considered very low (see Section 2.3)
2.2.2 Executive Order 12333
- Scope: Enables bulk surveillance of communications data outside the USA (“upstream collection”)
- Relevance for this transfer: Primarily concerns data transmitted via transatlantic cables
- Assessment: Transport encryption (TLS 1.2+) renders the content of transmitted data unreadable even if intercepted in transit
2.2.3 Executive Order 14086 (October 2022)
- Restricts the surveillance activities of US intelligence agencies
- Introduces a redress mechanism for EU citizens (Data Protection Review Court — DPRC)
- Requires that surveillance measures are proportionate and necessary
- Forms the basis for the EU-US Data Privacy Framework adequacy decision
2.2.4 CLOUD Act (Clarifying Lawful Overseas Use of Data Act, 2018)
- Scope: Enables US authorities to compel US companies to produce data, even when stored outside the USA
- Relevance: Applies to ElevenLabs as a US company
- Assessment: The CLOUD Act requires a court order and is limited to specific criminal investigations
2.3 Probability Assessment of Government Access
The probability that US authorities will access the data processed by ElevenLabs is rated as very low for the following reasons:
| Factor | Assessment |
|---|---|
| Nature of the data | Transient audio fragments and synthesized speech — no persistently stored content, no communication metadata in the traditional sense |
| Retention period at data importer | No permanent storage — real-time processing in RAM, no retrievable archives |
| Nature of the data subjects | B2B business contacts in Europe — no connection to national security, terrorism, or US law enforcement interests |
| Nature of the business activity | Automated sales calls (Sales Outreach) — no connection to sectors of intelligence interest |
| Past experience | No known cases in which US authorities have accessed transient speech processing data from B2B SaaS platforms |
| Practical feasibility | Since no permanent storage takes place, access would only be technically possible in real time — a disproportionate effort for the type of data being processed |
Overall assessment of access probability: VERY LOW
3. Supplementary Technical and Organizational Measures
In addition to the contractual safeguards (SCCs, DPA), the data exporter has implemented the following supplementary measures:
3.1 Technical Measures
| Measure | Description |
|---|---|
| Transport encryption | All data transmissions to ElevenLabs are carried out via TLS 1.2 or higher. Encryption covers the entire path between the data exporter’s systems and the ElevenLabs API endpoints. |
| Transient processing | Audio data is processed exclusively as a real-time stream and is not permanently stored at ElevenLabs. After completion of processing each individual request, the data is deleted from RAM. |
| No secondary use | ElevenLabs is contractually prohibited from using the transmitted data for its own purposes (e.g., model training). |
| API authentication | Access to the ElevenLabs API is exclusively via authenticated API keys, which are securely stored on the data exporter’s EU servers. |
| Minimal data transfer | Only the audio fragments required for speech processing are transmitted — no phone numbers, names, email addresses, or other identifying data of the called persons. |
| No storage on non-EU devices | Permanent storage of call recordings and transcripts takes place exclusively on the data exporter’s EU servers (Microsoft Azure, EU West). |
3.2 Organizational Measures
| Measure | Description |
|---|---|
| Contractual obligation | DPA and SCCs concluded with ElevenLabs, governing binding instructions, confidentiality, notification obligations, and audit rights |
| Regular review | The data exporter reviews at least semi-annually whether the legal framework in the recipient country has changed |
| Notification obligation | ElevenLabs is contractually obligated to immediately inform the data exporter if a government request regarding the processed data is received |
| Suspension of transfer | The data exporter has the contractual right to suspend the data transfer if the level of protection can no longer be guaranteed |
4. Overall Assessment and Result
4.1 Summary Risk Assessment
| Assessment Criterion | Result |
|---|---|
| Severity of potential interference | Low — transient audio fragments without permanent storage |
| Probability of government access | Very low — no relevance for intelligence services or law enforcement |
| Effectiveness of contractual safeguards | High — SCCs, DPA, notification obligations |
| Effectiveness of technical measures | High — TLS encryption, transient processing, minimal data transfer |
| Practical enforceability of data subject rights | Ensured — via the data exporter and the EU representative |
4.2 Result
The transfer of personal data to ElevenLabs, Inc. (USA) is compatible with the requirements of the GDPR, taking into account the contractual safeguards (SCCs, DPA) and the implemented supplementary technical and organizational measures.
The combination of (1) the transient nature of processing (no permanent storage), (2) the minimal data transfer (only audio fragments, no identifying metadata), (3) transport encryption, and (4) the contractual safeguard mechanisms ensures a level of protection that is essentially equivalent to that within the EU.
Assessment: TRANSFER PERMITTED
4.3 Conditions and Requirements
- This assessment is tied to the legal framework in effect at the time of preparation and will be immediately reviewed in the event of material changes (e.g., revocation of the EU-US DPF adequacy decision, changes to US legislation).
- The scheduled review will take place no later than September 2026.
- In the event that government access to the transferred data becomes known, the transfer will be immediately suspended and the affected clients will be informed.
TIA No. 2: Deepgram, Inc.
1. Identification of the Data Transfer
1.1 Data Exporter
| Field | Details |
|---|---|
| Name | Another Side Ventures Free Zone LLC |
| Role | Processor (in relation to the customer as the controller) |
| Registered office | Ras Al Khaimah, UAE |
| EU Representative | Thomas Bergmann, info@salesfrank.com |
| Data Protection Contact | info@salesfrank.com |
1.2 Data Importer
| Field | Details |
|---|---|
| Name | Deepgram, Inc. |
| Role | Sub-processor |
| Registered office | San Francisco, California, USA |
| Website | deepgram.com |
| DPA concluded | Yes — Deepgram Data Processing Agreement |
| SCCs concluded | Yes — Standard Contractual Clauses pursuant to Commission Implementing Decision (EU) 2021/914, Module 3 (Processor → Sub-processor) |
| EU-US Data Privacy Framework | Certification check: [to be verified at time of assessment at dataprivacyframework.gov] |
1.3 Types of Personal Data Transferred
| Data Category | Description | Personal Data Relevance |
|---|---|---|
| Audio data (Speech-to-Text) | Real-time audio stream of the called person’s voice during the phone call | Yes — voice constitutes biometric data in the broader sense; identifiable in combination with phone number |
Note: Unlike ElevenLabs, Deepgram is used exclusively for speech recognition (Speech-to-Text). No text data for speech synthesis is transmitted to Deepgram.
1.4 Purpose of the Transfer
The transfer is carried out exclusively for the purpose of speech recognition (Speech-to-Text): Real-time transcription of the called person’s spoken words into text, which is subsequently processed by the LLM (hosted on Azure EU).
1.5 Nature of Processing
The processing by Deepgram takes the form of transient real-time stream processing (Real-Time Streaming):
- Audio data is sent as a continuous data stream to the Deepgram API (WebSocket connection)
- Processing occurs in real time in the RAM of Deepgram servers
- The result (transcribed text) is streamed back to the processor within milliseconds
- No permanent storage of audio data or transcripts takes place at Deepgram after completion of the real-time processing
- Deepgram does not process the data for model training or other secondary purposes
- Processing time per audio fragment is typically under 500 milliseconds
1.6 Frequency and Volume
- Processing occurs with every phone call made via the platform where Deepgram is configured as the STT provider
- Volume: depends on the number and duration of phone calls made by the respective customer
- Typical call duration: 30 seconds to 5 minutes per call
1.7 Categories of Data Subjects
- Contact persons (called persons): typically business contacts (B2B), such as managing directors, sales managers, or other decision-makers in companies
2. Assessment of the Legal Framework of the Recipient Country (USA)
The assessment of the US legal framework corresponds to the analysis conducted in TIA No. 1 (ElevenLabs). In particular, the statements regarding FISA Section 702, Executive Order 12333, Executive Order 14086, the CLOUD Act, and the EU-US Data Privacy Framework adequacy decision apply equally to Deepgram.
2.1 Probability Assessment of Government Access
The probability of government access is rated as very low for the same reasons as in TIA No. 1:
| Factor | Assessment |
|---|---|
| Nature of the data | Transient audio fragments — no persistently stored content |
| Retention period at data importer | No permanent storage — real-time processing, no retrievable archives |
| Nature of the data subjects | B2B business contacts in Europe — no connection to national security |
| Nature of the business activity | Automated sales calls — no sector of intelligence relevance |
| Practical feasibility | No persistent data available that could be produced |
Overall assessment of access probability: VERY LOW
3. Supplementary Technical and Organizational Measures
3.1 Technical Measures
| Measure | Description |
|---|---|
| Transport encryption | All data transmissions to Deepgram are carried out via TLS 1.2+ (HTTPS/WSS). WebSocket connections for real-time streaming are encrypted throughout. |
| Transient processing | Audio data is processed exclusively as a real-time stream. Deepgram does not store audio data or transcripts by default after completion of processing. |
| No secondary use | Deepgram is contractually prohibited from using the transmitted audio data for its own purposes (e.g., model training, analysis). |
| API authentication | Access via authenticated API keys, securely stored on the data exporter’s EU servers. |
| Minimal data transfer | Exclusively audio fragments — no phone numbers, names, email addresses, or other identifying metadata of the called persons. |
| No storage on non-EU devices | Permanent storage of transcripts exclusively on the data exporter’s EU servers (Azure EU West). |
3.2 Organizational Measures
| Measure | Description |
|---|---|
| Contractual obligation | DPA and SCCs concluded with Deepgram |
| Regular review | Semi-annual review of the legal framework |
| Notification obligation | Deepgram provides immediate notification in the event of government requests |
| Suspension of transfer | Data exporter may suspend transfer in the event of changes to the level of protection |
4. Overall Assessment and Result
4.1 Summary Risk Assessment
| Assessment Criterion | Result |
|---|---|
| Severity of potential interference | Low — transient audio fragments without permanent storage |
| Probability of government access | Very low |
| Effectiveness of contractual safeguards | High — SCCs, DPA |
| Effectiveness of technical measures | High — TLS, transient processing, minimal data |
| Practical enforceability of data subject rights | Ensured |
4.2 Result
The transfer of personal data to Deepgram, Inc. (USA) is compatible with the requirements of the GDPR, taking into account the contractual safeguards and supplementary measures.
Assessment: TRANSFER PERMITTED
4.3 Conditions and Requirements
Identical to TIA No. 1 — semi-annual review, suspension in the event of changes to the framework conditions, immediate notification in the event of government access.
TIA No. 3: Cartesia, Inc.
1. Identification of the Data Transfer
1.1 Data Exporter
| Field | Details |
|---|---|
| Name | Another Side Ventures Free Zone LLC |
| Role | Processor |
| Registered office | Ras Al Khaimah, UAE |
| EU Representative | Thomas Bergmann, info@salesfrank.com |
| Data Protection Contact | info@salesfrank.com |
1.2 Data Importer
| Field | Details |
|---|---|
| Name | Cartesia, Inc. |
| Role | Sub-processor |
| Registered office | USA |
| Website | cartesia.ai |
| DPA concluded | Yes — Cartesia Data Processing Agreement |
| SCCs concluded | Yes — Standard Contractual Clauses pursuant to Commission Implementing Decision (EU) 2021/914, Module 3 |
1.3 Types of Personal Data Transferred
| Data Category | Description | Personal Data Relevance |
|---|---|---|
| Text data (Text-to-Speech) | LLM-generated response text that is converted into speech | No — synthetically generated text, does not contain personal data of the called person in the strict sense |
Important note: Cartesia is used exclusively for speech synthesis (Text-to-Speech). No audio data of the called person is transmitted to Cartesia. The data sent to Cartesia consists exclusively of AI-generated text responses that are to be converted into speech. The personal data relevance of this data is therefore minimal to non-existent, as the texts do not contain direct personal information of the called person.
Nevertheless, this TIA is conducted as a precautionary measure, as the transmitted text may in rare cases contain context-related information (e.g., addressing the called person by name in the generated response text).
1.4 Purpose of the Transfer
Exclusively speech synthesis (Text-to-Speech): Conversion of AI-generated text responses into natural-sounding audio output for the phone call.
1.5 Nature of Processing
Transient real-time stream processing:
- Text data is sent to the Cartesia API
- Cartesia generates an audio stream from it, which is immediately returned to the processor
- No permanent storage of text data or generated audio data at Cartesia
- Processing time per request: typically under one second
1.6 Frequency and Volume
- Processing occurs with every phone call where Cartesia is configured as the TTS provider
- Volume: depends on the number and duration of phone calls
1.7 Categories of Data Subjects
- Indirectly: contact persons (called persons), insofar as their name or context-related information is contained in the generated response text
2. Assessment of the Legal Framework of the Recipient Country (USA)
The assessment corresponds to the analysis conducted in TIA No. 1.
2.1 Probability Assessment of Government Access
The probability is rated as extremely low — even lower than in TIA No. 1 and No. 2, because:
| Factor | Assessment |
|---|---|
| Nature of the data | AI-generated text fragments — no direct personal data relevance |
| Retention period | No permanent storage |
| Content | Synthetic sales responses — no intelligence interest |
| Practical relevance | No realistic scenario is conceivable in which US authorities would have an interest in AI-generated sales responses in the German language |
Overall assessment of access probability: EXTREMELY LOW
3. Supplementary Technical and Organizational Measures
3.1 Technical Measures
| Measure | Description |
|---|---|
| Transport encryption | TLS 1.2+ for all API calls |
| Transient processing | No permanent storage at Cartesia |
| No secondary use | Contractually excluded |
| API authentication | Authenticated API keys, stored on EU servers |
| Minimal personal data relevance | Only AI-generated texts are transmitted — no phone numbers, email addresses, or other identifiers |
3.2 Organizational Measures
| Measure | Description |
|---|---|
| Contractual obligation | DPA and SCCs concluded |
| Regular review | Semi-annually |
| Notification obligation | In the event of government requests |
| Suspension | In the event of changes to the level of protection |
4. Overall Assessment and Result
4.1 Summary Risk Assessment
| Assessment Criterion | Result |
|---|---|
| Severity of potential interference | Minimal — AI-generated text without direct personal data relevance |
| Probability of government access | Extremely low |
| Effectiveness of safeguards | High |
| Effectiveness of technical measures | High |
4.2 Result
The transfer of data to Cartesia, Inc. (USA) is compatible with the requirements of the GDPR. Due to the minimal to non-existent personal data relevance of the transmitted data (AI-generated text), the risk to the rights and freedoms of data subjects is to be classified as negligible.
Assessment: TRANSFER PERMITTED
TIA No. 4: Administrative Remote Access from the United Arab Emirates (UAE)
1. Identification of the Data Transfer
1.1 Description of the Access Scenario
Another Side Ventures Free Zone LLC has its registered office in Ras Al Khaimah, United Arab Emirates. Authorized personnel of the company access the platform systems administratively from the UAE. These systems are operated on servers within the European Union (Microsoft Azure, Region EU West, Netherlands; Amazon Web Services, Region EU Frankfurt).
1.2 Nature of Access
| Aspect | Description |
|---|---|
| Type | Administrative remote access (Remote Administration) — no systematic data transfer |
| Purpose | System administration, maintenance, troubleshooting, deployment, monitoring, customer support |
| Frequency | Regular (daily), in the course of normal business operations |
| Accessing persons | Exclusively authorized internal personnel (management, development team) — no external service providers |
| Access method | Encrypted VPN connection with multi-factor authentication |
1.3 Clarification: Not a Data Transfer in the Traditional Sense
It is important to emphasize that this access scenario does not constitute a systematic data transfer to a third country:
- All personal data remains on the EU servers. No data is transferred, copied, downloaded, or stored in the UAE.
- Access occurs via an encrypted tunnel through which the systems in the EU are administered — comparable to the access of an EU employee working from home via VPN.
- No personal data is persistently stored on the devices in the UAE.
Nevertheless, this TIA is conducted as a precautionary measure, as the EDPB (European Data Protection Board) has clarified that read-only remote access from a third country may, under certain circumstances, qualify as a “transfer” within the meaning of the GDPR.
1.4 Types of Personal Data Potentially Accessible
| Data Category | Description |
|---|---|
| User data | Name, email, phone number of platform users (customers) |
| Contact data | Phone numbers, possibly names and other data of contact persons uploaded by the customer |
| Call data | Recordings, transcripts, metadata |
| System data | Server logs, performance data, error logs |
2. Assessment of the Legal Framework of the United Arab Emirates
2.1 Data Protection Legal Framework
The UAE has made significant progress in the area of data protection in recent years:
- Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (PDPL): First comprehensive federal data protection law of the UAE, entered into force on 02.01.2022, with implementing regulation (Cabinet Decision No. 111 of 2023) effective since 01.01.2024. The law is substantially modeled on the GDPR and contains provisions on processing principles, data subject rights, data protection officers, and data transfers.
- DIFC Data Protection Law (DIFC Law No. 5 of 2020): Data protection law of the Dubai International Financial Centre free zone — not directly applicable to RAK FTZ, but an indicator of the data protection standard in the UAE overall.
- ADGM Data Protection Regulations 2021: Data protection regulation of the Abu Dhabi Global Market free zone — also modeled on the GDPR.
2.2 Government Access Rights in the UAE
2.2.1 Federal Decree-Law No. 34 of 2021 (Cybercrime Law)
- Enables law enforcement authorities to access electronic data in the course of investigations
- Generally requires a court order
- Primarily relevant to criminal offenses, not general surveillance
2.2.2 Telecommunications and Digital Government Regulatory Authority (TDRA)
- Regulatory authority for telecommunications in the UAE
- May under certain circumstances require access to communications data
- Primarily directed at telecommunications providers based in the UAE
2.2.3 No Mass Surveillance Legislation Comparable to FISA 702
- There is no known UAE law enabling systematic mass surveillance of foreign electronic communications comparable to FISA Section 702
- The UAE does not have extraterritorial jurisdiction over data stored in the EU
2.3 Probability Assessment of Government Access
| Factor | Assessment |
|---|---|
| Data storage location | All data is stored in the EU — UAE authorities have no direct technical access to EU servers |
| Nature of access | Purely administrative — no systematic data transfer, no local storage |
| Nature of business activity | B2B SaaS platform for sales automation — no connection to national security, terrorism, or regulated sectors (financial services, healthcare) |
| Legal basis for access | UAE authorities would have no legal basis to compel access to data stored in the EU; a production order would need to proceed through legal channels via EU authorities |
| Nature of data subjects | B2B business contacts in the EU — no connection to interests of UAE authorities |
| Past experience | No known cases of government data requests in comparable scenarios |
Overall assessment of access probability: VERY LOW
3. Supplementary Technical and Organizational Measures
3.1 Technical Measures
| Measure | Description |
|---|---|
| VPN with end-to-end encryption | All remote access to the EU production systems is carried out exclusively via an encrypted VPN connection. Encryption is end-to-end from the device to the EU server. Third parties — including internet service providers in the UAE — can neither view the content of the transmitted data nor the type of systems being accessed. |
| Multi-factor authentication (MFA) | Every administrative access requires, in addition to a password, a second authentication factor (e.g., TOTP, hardware key). This protects against unauthorized access even in the event of password compromise. |
| No local data storage | No personal data is stored, downloaded, exported, or cached on devices in the UAE. Access is exclusively via the encrypted connection; after the session ends, no data remains on the device. |
| Role-based access control (RBAC) | Administrative access is restricted by a strict role-based access model. Not every employee has access to all data categories. Access to personal data (e.g., call recordings) is limited to a minimum and occurs only when required for operations or support (need-to-know principle). |
| Complete access logging | All administrative access to the production systems is fully logged (timestamp, user, IP address, actions performed). The logs are stored in an audit-proof manner on the EU servers and can be reviewed in the course of audits. |
| Device security | The devices used for remote access are subject to internal security policies (disk encryption, current operating system updates, screen lock, no installation of unauthorized software). |
| Automatic session termination | VPN and system sessions are automatically terminated after a defined period of inactivity to prevent unauthorized access via unattended devices. |
3.2 Organizational Measures
| Measure | Description |
|---|---|
| Confidentiality obligation | All employees with access to personal data are bound by a written confidentiality obligation. |
| Awareness and training | Regular training on data protection, information security, and secure handling of remote access. |
| Access review | Regular review and updating of access permissions — revocation upon change of responsibilities or departure. |
| Incident response | Documented process for handling security incidents, including notification to affected clients within 24 hours. |
| EU Representative | Appointment of an EU representative pursuant to Art. 27 GDPR (Thomas Bergmann, info@salesfrank.com) as a direct point of contact for data subjects and supervisory authorities within the EU. |
4. Overall Assessment and Result
4.1 Summary Risk Assessment
| Assessment Criterion | Result |
|---|---|
| Nature of access | Administrative remote access — no systematic data transfer |
| Data storage location | Exclusively EU — no data in the UAE |
| Severity of potential interference | Low — read-only access via encrypted tunnel, no local storage |
| Probability of government access | Very low — no access to EU servers possible, no relevant business activity for UAE authorities |
| UAE data protection legislation | Federal data protection law (PDPL 2021) in place, modeled on the GDPR |
| Effectiveness of technical measures | Very high — VPN, MFA, RBAC, no local storage, logging |
| Effectiveness of organizational measures | High — confidentiality obligation, training, EU representative |
| Practical enforceability of data subject rights | Ensured — via EU representative and platform dashboard |
4.2 Result
The administrative remote access from the UAE to the data stored and processed in the EU is compatible with the requirements of the GDPR, taking into account the implemented technical and organizational measures.
The assessment is based in particular on the following core arguments:
- No data transfer in the material sense: All personal data remains on EU servers. No data is transferred, copied, or stored in the UAE. The access is functionally comparable to the remote access of an employee within the EU via VPN.
- Comprehensive technical safeguards: The combination of VPN encryption, MFA, RBAC, access logging, and the prohibition of local data storage ensures that even in the theoretical event of government access to the device, no personal data can be compromised.
- Low government access risk: The UAE does not have extraterritorial jurisdiction over EU servers. The business activity (B2B SaaS for sales automation) is not of interest to UAE authorities. The UAE has enacted a federal data protection law (PDPL 2021) that is modeled on the GDPR.
- EU representative appointed: Pursuant to Art. 27 GDPR, a representative in the EU has been appointed who serves as a direct point of contact for data subjects and supervisory authorities.
Assessment: ACCESS PERMITTED
4.3 Conditions and Requirements
- Scheduled review no later than September 2026.
- In the event of material changes to UAE legislation or access modalities, this TIA will be updated immediately.
- In the event that government access to the systems becomes known, the affected clients will be informed immediately.
Appendix: Methodology and References
Applied Methodology
The present Transfer Impact Assessments were prepared on the basis of the following guidelines and recommendations:
- EDPB Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data (Version 2.0, adopted on 18 June 2021)
- EDPB Recommendations 02/2020 on the European Essential Guarantees for surveillance measures
- Schrems II — Judgment of the Court of Justice of the European Union (CJEU) of 16.07.2020, Case C-311/18 (Data Protection Commissioner / Facebook Ireland and Schrems)
- Commission Implementing Decision (EU) 2021/914 of 04.06.2021 on Standard Contractual Clauses for the transfer of personal data to third countries
- Commission Implementing Decision (EU) 2023/1795 of 10.07.2023 on the EU-US Data Privacy Framework
Review Interval
All Transfer Impact Assessments are reviewed at least semi-annually as well as on an ad hoc basis in the event of:
- Changes to the legislation in the recipient country
- Changes to the sub-processors used
- Revocation or amendment of adequacy decisions
- Discovery of government access to comparable services
- Material changes to the nature or scope of data processing
Another Side Ventures Free Zone LLC
Al Shohada Road, Ras Al Khaimah, UAE
EU Representative: Thomas Bergmann, info@salesfrank.com
Date of preparation: March 2026
Next scheduled review: September 2026