TRANSFER IMPACT ASSESSMENT
Last updated: March 19, 2026
This Transfer Impact Assessment ("TIA") has been prepared by Acira AI LLC ("Acira AI," "we," "us") in accordance with the requirements of the Court of Justice of the European Union's decision in Data Protection Commissioner v. Facebook Ireland Limited and Maximillian Schrems (Case C-311/18, "Schrems II") and the recommendations of the European Data Protection Board (EDPB Recommendations 01/2020 on supplementary measures).
This TIA evaluates the adequacy of protections for personal data transferred from the European Economic Area ("EEA"), the United Kingdom ("UK"), Switzerland, and Canada to the United States and other third countries in connection with the provision of our Services.
This TIA may be translated into other languages for your convenience. In the event of any conflict or inconsistency between the English version and any translated version, the English version shall prevail.
TABLE OF CONTENTS
- OVERVIEW OF TRANSFERS
- NATURE OF THE DATA TRANSFERRED
- TRANSFER MECHANISMS
- ASSESSMENT OF DESTINATION COUNTRY LAWS
- ASSESSMENT OF DATA FLOWS BY SERVICE PROVIDER
- SUPPLEMENTARY MEASURES
- RISK ASSESSMENT
- CONCLUSION
- REVIEW SCHEDULE
- CONTACT US
1. OVERVIEW OF TRANSFERS
1.1 Context
Acira AI is a software-as-a-service platform that enables businesses and individuals to create, manage, and host AI-powered websites. When users create websites that are accessed by visitors located in the EEA, UK, Switzerland, or Canada, personal data of those visitors may be transferred to and processed in the United States and other locations where our infrastructure providers operate.
1.2 Parties
- Data Exporter: The website operator (our customer, acting as Controller) and, for analytics data, Acira AI as Joint Controller.
- Data Importer: Acira AI LLC, incorporated in Nevada, United States, acting as Processor (and Joint Controller for analytics).
- Sub-processors: Third-party service providers engaged by Acira AI (listed in Section 5).
1.3 Transfer Destinations
| Destination | Providers | Basis |
|---|---|---|
| United States and European Union (Stockholm) | AWS | SCCs + Supplementary Measures (US); Intra-EEA for EU-resident automated visitor-facing operations |
| United States | Stripe, Fireworks AI, xAI | SCCs + Supplementary Measures |
| Global (edge locations) | Cloudflare | SCCs + Supplementary Measures |
| Israel | BrightData (user-directed only) | SCCs + Supplementary Measures |
| European Union | Black Forest Labs, ScreenshotOne, CloudConvert | Intra-EEA (no transfer mechanism required) |
2. NATURE OF THE DATA TRANSFERRED
2.1 Categories of Personal Data
The personal data transferred depends on the features enabled by the website operator and the interactions of website visitors. The following categories may be transferred:
| Data Category | Description | Sensitivity | Volume |
|---|---|---|---|
| Analytics identifiers | Daily-rotating cryptographic hash of IP + User-Agent + date (pseudonymized) | Low | High (every page view) |
| Visitor metadata | Country, region, language, device type, browser, OS, referrer domain, UTM parameters | Low | High (every page view) |
| IP addresses | Stored as metadata with form submissions and chatbot conversations; hashed for analytics; temporarily used for bot challenge verification; temporarily stored for rate limiting (up to 7 days) | Medium | Medium |
| Form submission content | Free-text fields submitted by visitors (names, emails, messages, etc.) | Variable (depends on form) | Low to Medium |
| Chatbot messages | Visitor messages and AI-generated responses (max 2,000 characters per message) | Low to Medium | Low |
| File uploads | Files uploaded by visitors through website forms (images, documents) | Variable | Low |
| Session identifiers | Server-side session IDs and client-side session cookies | Low | High |
| Authentication credentials | Passwords for website protected areas (stored in hashed form only) | High (but hashed) | Low |
2.2 Categories of Data Subjects
- Visitors to websites hosted on the Acira AI platform
- Users who create accounts on websites hosted on the platform
- Users who submit forms, interact with chatbots, or upload files on hosted websites
2.3 Data Not Transferred
- Geolocation data: IP-to-location lookups are performed at the network edge by our infrastructure provider. No visitor IP addresses are transmitted to any external geolocation service.
- Raw analytics IP addresses: Only a daily-rotating cryptographic hash is stored; raw IPs are not persisted in analytics systems.
- Passwords in plaintext: Only cryptographic hashes are stored and transferred.
3. TRANSFER MECHANISMS
3.1 Primary Mechanism: Standard Contractual Clauses
We rely on the European Commission's Standard Contractual Clauses (SCCs) adopted by Commission Implementing Decision (EU) 2021/914, specifically:
- Module One (Controller to Controller): For transfers of analytics data where Acira AI acts as joint controller with the website operator (see DPA Section 2.3).
- Module Two (Controller to Processor): For transfers of visitor personal data from the website operator (Controller) to Acira AI (Processor).
- Module Three (Processor to Sub-processor): For onward transfers from Acira AI to our sub-processors.
3.2 UK, Swiss, and Canadian Transfers
- UK: The UK International Data Transfer Addendum to the EU SCCs applies.
- Switzerland: The SCCs apply with modifications required by the Swiss Federal Act on Data Protection (FADP).
- Canada: Transfers rely on contractual protections with each sub-processor imposing obligations consistent with the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy legislation, combined with the supplementary technical and organizational measures described in Section 6. See DPA Section 7.4 for details.
3.3 Sub-processor Transfer Mechanisms
| Sub-processor | Transfer Mechanism |
|---|---|
| Amazon Web Services | SCCs (AWS DPA), ISO 27001/27017/27018 certified |
| Cloudflare | SCCs (Cloudflare DPA), ISO 27001 certified |
| Stripe | SCCs (Stripe DPA), PCI DSS Level 1 certified |
| Fireworks AI | SCCs (Fireworks AI DPA), SOC 2 Type II, ISO 27001/27701/42001 certified |
| xAI | SCCs (xAI DPA with EU SCCs) |
| BrightData | SCCs (BrightData DPA) |
4. ASSESSMENT OF DESTINATION COUNTRY LAWS
4.1 United States
The United States is the primary destination for transferred data. The following US laws are relevant to this assessment:
4.1.1 Foreign Intelligence Surveillance Act (FISA), Section 702
FISA Section 702 authorizes the US government to compel electronic communications service providers to provide access to communications of non-US persons located outside the United States for foreign intelligence purposes.
Assessment of risk:
- Applicability: FISA Section 702 applies to "electronic communication service providers" as defined in 50 U.S.C. § 1881(b)(4). Acira AI is a SaaS website hosting platform, not a traditional telecommunications provider. Our sub-processors (AWS, Cloudflare) are more likely to be subject to Section 702 directives.
- Scope of data at risk: The personal data we process consists primarily of website visitor analytics (pseudonymized), form submissions, and chatbot messages. This data is unlikely to be of foreign intelligence interest.
- Practical likelihood: We have never received a FISA Section 702 directive and assess the practical likelihood of receiving one as very low, given the nature of our Services and the data we process.
4.1.2 Executive Order 12333
EO 12333 authorizes US intelligence agencies to conduct surveillance activities, including the bulk collection of signals intelligence. It applies to data in transit and does not compel private companies to cooperate.
Assessment of risk:
- Mitigation: All data in transit is encrypted using TLS. Bulk interception of encrypted data in transit would not yield plaintext personal data.
- Practical likelihood: Low. The data processed through our Services is not of the nature typically targeted by signals intelligence.
4.1.3 Executive Order 14086 and the EU-US Data Privacy Framework
Executive Order 14086 (October 2022) introduced additional safeguards for signals intelligence activities, including:
- Necessity and proportionality requirements for intelligence collection
- A two-tier redress mechanism (Civil Liberties Protection Officer + Data Protection Review Court) available to EU/UK/Swiss individuals
- Limitations on bulk collection
The European Commission adopted an adequacy decision for the EU-US Data Privacy Framework (DPF) on July 10, 2023. While Acira AI is not currently self-certified under the DPF, the protections under EO 14086 apply broadly to all data transfers to the United States and benefit all data subjects regardless of the transfer mechanism used.
4.1.4 CLOUD Act
The Clarifying Lawful Overseas Use of Data (CLOUD) Act permits US law enforcement to compel US-based providers to produce data regardless of where it is stored, subject to a valid warrant or court order.
Assessment of risk:
- Safeguards: The CLOUD Act requires a valid legal process (warrant, subpoena, or court order). It does not authorize warrantless bulk access.
- Comity provisions: The CLOUD Act includes a comity framework that allows providers to challenge orders that conflict with foreign law.
- Practical likelihood: Low for website visitor data. Law enforcement requests would more likely target specific accounts suspected of criminal activity, not visitor analytics or form submissions.
4.2 Israel (BrightData)
BrightData is based in Israel. Israel has an adequacy decision from the European Commission (2011/61/EU), meaning transfers to Israel are treated similarly to intra-EEA transfers. However, BrightData also processes data in other global locations. We note that:
- BrightData processing occurs only when user-directed (during website creation for content import) or during scheduled SERP tracking.
- No website visitor personal data is transmitted to BrightData.
4.3 Canada (Transfers from Canada to the United States)
Personal data of website visitors located in Canada may be transferred to the United States for processing. The following Canadian laws are relevant to this assessment:
4.3.1 Personal Information Protection and Electronic Documents Act (PIPEDA)
PIPEDA governs the collection, use, and disclosure of personal information by private-sector organizations in the course of commercial activities. PIPEDA Principle 4.1.3 requires that organizations use contractual or other means to ensure a comparable level of protection when personal information is transferred to third parties for processing, including transfers outside of Canada.
Assessment of risk:
- Comparable protection: The supplementary measures described in Section 6 (encryption, pseudonymization, access controls, data minimization) provide a level of protection comparable to that required under PIPEDA. Written data processing agreements are in place with all sub-processors.
- No adequacy requirement: Unlike the GDPR, PIPEDA does not prohibit transfers to countries lacking an "adequacy" finding. Organizations must ensure comparable protection through contractual and other means, which we have implemented.
4.3.2 Provincial Privacy Legislation
Alberta's Personal Information Protection Act (PIPA), British Columbia's Personal Information Protection Act (PIPA), and Quebec's Act respecting the protection of personal information in the private sector impose additional requirements for certain provinces:
Assessment of risk:
- Quebec Law 25: Quebec's modernized privacy law (in effect since September 2023) requires a privacy impact assessment before transferring personal information outside Quebec, and the transferring organization must be satisfied that the information will receive adequate protection. Our contractual protections, supplementary technical measures, and the nature of the data (primarily pseudonymized analytics and small-business website interactions) support a finding of adequate protection.
- Alberta and BC: Alberta's and BC's PIPAs require organizations to ensure comparable protection for transferred data. Our contractual and technical safeguards satisfy this requirement.
4.3.3 US Government Access from a Canadian Perspective
The same US government access risks assessed in Section 4.1 apply to Canadian data transfers. The low likelihood of government access (given the nature of the data and our company profile), combined with the supplementary measures in Section 6, ensure that personal data transferred from Canada to the United States receives a comparable level of protection to that required under Canadian privacy law.
4.4 Global Edge Locations (Cloudflare)
Cloudflare operates a global network of edge locations. EU visitor requests are typically processed at the nearest Cloudflare point of presence, which for EU visitors will usually be an EU location.
- Request routing, TLS termination, and bot protection occur at the nearest edge location.
- For website operators identified as EU residents, persistent storage (containing form submissions, chatbot conversations, and session data) is jurisdictionally restricted to the European Union using Cloudflare's jurisdiction API. For non-EU website operators, persistent storage is located near the operator's geographic region but may be located outside the EU.
- Analytics data is processed at Cloudflare-managed infrastructure.
5. ASSESSMENT OF DATA FLOWS BY SERVICE PROVIDER
5.1 Amazon Web Services (US)
| Data Flow | Personal Data Involved | Purpose |
|---|---|---|
| Database storage | Form submission metadata (IP, country, region), chatbot conversation records, file metadata, session records | Persistent storage of website visitor data |
| File storage | Uploaded files (images, documents), deployment snapshots | File storage |
| AI inference | File content (for AI descriptions), email content (for spam detection) | AI-powered descriptions and spam classification |
| Content moderation | Uploaded images | Content moderation (nudity/explicit content detection) |
| Email delivery | Email addresses, message content | Transactional email delivery and content submission notifications. For EU-resident website operators, these operations are processed in the European Union (Stockholm). |
| Language detection | Email message text | Language detection |
AWS Safeguards:
- ISO 27001, 27017, 27018 certified
- SOC 1/2/3 reports available
- Data encrypted at rest using industry-standard encryption
- Data encrypted in transit (TLS)
- Least-privilege access controls per system component
- Primary services hosted in the United States; automated visitor-facing operations (content submission notifications and transactional email delivery) for EU-resident website operators are processed in the European Union (Stockholm)
5.2 Cloudflare (Global)
| Data Flow | Personal Data Involved | Purpose |
|---|---|---|
| Edge routing | IP addresses, HTTP headers, request URLs | Request routing, DDoS protection, TLS termination |
| Website hosting | Page content, visitor metadata | Website hosting and delivery |
| Persistent storage | Form submissions, chatbot conversations, session data, user table data | Stateful per-website storage |
| Analytics | Pseudonymized visitor hash, country, device, browser, referrer, UTM | Privacy-friendly visitor analytics |
| AI inference | Chatbot messages, form field summaries | AI chatbot responses, spam detection |
| Asset storage | Website assets (images, files) | Static asset storage and CDN delivery |
Cloudflare Safeguards:
- ISO 27001 certified, SOC 2 Type II
- TLS 1.2+ for all connections
- Cloudflare DPA with SCCs available
- Edge processing means EU visitor data is typically processed at EU edge locations for request handling
- For website operators identified as EU residents, persistent storage (containing form submissions, chatbot conversations, session data, and user table data) is jurisdictionally restricted to the European Union using Cloudflare's jurisdiction API, ensuring this data is stored and processed exclusively within EU data centers. Backend API calls from the edge (for content submission notifications and transactional email delivery) are routed to EU-based AWS infrastructure.
- AI inference does not retain input data for training
5.3 Stripe (US)
| Data Flow | Personal Data Involved | Purpose |
|---|---|---|
| Payment processing | Website operator billing data (name, email, payment method) | Subscription and domain payment processing |
Note: Stripe does not receive website visitor personal data. Only the website operator's (our customer's) billing information is processed by Stripe.
Stripe Safeguards:
- PCI DSS Level 1 certified
- ISO 27001 certified
- Stripe DPA with SCCs available
5.4 AI Inference Providers (US)
Fireworks AI and xAI provide AI model inference services.
| Data Flow | Personal Data Involved | Purpose |
|---|---|---|
| Text generation (website content) | Website content (not visitor data) | Website content creation and editing |
| Image generation | Text prompts (not visitor data) | Image creation for websites |
| Conversational AI (chat agent) | Platform user name, email, language preference, and conversation history | AI-powered assistant for platform users (website operators) |
Note: These AI providers do not receive website visitor personal data. The chatbot feature (serving website visitors) uses Cloudflare Workers AI (assessed in Section 5.2), not these providers. However, the platform's conversational AI assistant — used by website operators to manage their websites — sends platform user personal data (name, email address, and conversation history) to these providers as part of generating responses. For this processing, Acira AI acts as the controller (not processor), and the data subjects are our platform users (website operators), not their website visitors. This data flow is governed by our Privacy Policy and our agreements with these providers, rather than the DPA's controller-processor framework for visitor data.
Model Families: These infrastructure providers host and execute AI models developed by various third parties. The specific models and model families used may change over time. Model developers do not receive or have access to any user data — all data processing occurs exclusively within the infrastructure of the listed subprocessors, regardless of where a model was originally developed. All AI inference processing remains on our listed subprocessors' infrastructure. No user data is transmitted to model developers or to infrastructure outside of the subprocessors listed in this assessment. A current list of model families in use is available upon request by contacting legal@acira.ai.
5.5 BrightData (Israel / Global)
| Data Flow | Personal Data Involved | Purpose |
|---|---|---|
| Web data collection | Publicly available web content (not visitor data) | Content import during website creation (user-directed) |
| SERP tracking | Search keywords (not visitor data) | Keyword ranking monitoring |
Note: BrightData does not process website visitor personal data. It processes publicly available web content when directed by the user, and tracks search engine rankings for user-defined keywords.
5.6 EU-Based Providers (No Transfer)
| Provider | Location | Purpose |
|---|---|---|
| Black Forest Labs | Germany (EU) | AI image generation (Flux models) |
| ScreenshotOne | European Union | Website screenshot capture |
| CloudConvert | Germany (EU) | File format conversion |
These providers process data within the EU and do not constitute an international transfer. Black Forest Labs receives text prompts for image generation only; no personal data is involved.
6. SUPPLEMENTARY MEASURES
In addition to the SCCs, we implement the following supplementary measures to ensure an essentially equivalent level of protection for transferred personal data:
6.1 Technical Measures
| Measure | Description |
|---|---|
| Encryption in transit | All data transmitted between visitors, edge network, and backend services is encrypted using TLS (minimum TLS 1.2). Internal service-to-service communication uses encrypted channels. |
| Encryption at rest | All database records, file storage, and edge-hosted persistent storage are encrypted at rest using industry-standard encryption managed by the respective infrastructure provider. |
| Pseudonymization | Visitor analytics use a daily-rotating cryptographic hash (IP + User-Agent + date) instead of storing raw IP addresses. This hash cannot be reversed and rotates every 24 hours, preventing cross-day tracking. |
| Data minimization | Analytics collect only aggregate-level metadata (country, device type, browser). No raw IP addresses are stored in analytics. Chatbot messages are limited to 2,000 characters. |
| Password hashing | All visitor passwords (for website protected areas) are hashed using strong cryptographic algorithms with per-user random salts before storage. Plaintext passwords are never stored or transmitted. |
| Access controls | Least-privilege access policies restrict each system component to only the resources it needs. Per-website API tokens scope access to individual websites. |
| Network isolation | Backend services communicate over internal networks. Website hosting runs in isolated execution sandboxes. Custom code execution uses WebAssembly-based sandboxing. |
| Jurisdictional data residency | For website operators identified as EU residents, persistent storage containing visitor data (form submissions, chatbot conversations, session data, and user table data) is jurisdictionally restricted to the European Union, ensuring this data is stored and processed exclusively within EU data centers. Automated visitor-facing operations (content submission notifications and transactional email delivery) are also processed within EU-based infrastructure. |
| Automated deletion | Session data expires after 30 days of inactivity. Temporary files are deleted within 24 hours. Bot challenge data is ephemeral and not persisted. |
6.2 Organizational Measures
| Measure | Description |
|---|---|
| Personnel confidentiality | All personnel with access to personal data are bound by confidentiality obligations. |
| Sub-processor due diligence | Sub-processors are evaluated for their security practices and data protection compliance before engagement. Written DPAs are in place with all sub-processors. |
| Incident response | Breach notification procedures ensure Controllers are notified within 72 hours of confirming a personal data breach. |
| Data retention policies | Documented retention periods with automated enforcement (TTL-based deletion, lifecycle policies). |
| Security monitoring | Structured logging, automated security monitoring, and intrusion detection. Error and diagnostic logs retained for up to 30 days. |
6.3 Contractual Measures
| Measure | Description |
|---|---|
| Standard Contractual Clauses | SCCs (Module One, Module Two, and Module Three) are incorporated into our DPA by reference. |
| Sub-processor SCCs | Written agreements with each sub-processor impose data protection obligations no less protective than those in our DPA. |
| Government access notification | We commit to notifying Controllers of government access requests where legally permitted, as described in our Terms and Conditions. |
| Challenge commitment | We commit to challenging government access requests that we believe are overbroad or unlawful. |
7. RISK ASSESSMENT
7.1 Likelihood of Government Access
| Factor | Assessment |
|---|---|
| Nature of data | Primarily pseudonymized analytics, form submissions, and chatbot messages from small business websites. This data is of low intelligence value. |
| Volume of data | Low to moderate. Each website serves its own visitor base; data is not aggregated across websites for surveillance purposes. |
| Company profile | Acira AI is a small SaaS company hosting small business websites. We are not a telecommunications provider or a high-profile surveillance target. |
| Historical requests | As of the date of this assessment, Acira AI has never received a FISA Section 702 directive, a National Security Letter, or any government request for bulk access to customer data. |
| Sub-processor profile | AWS and Cloudflare are large infrastructure providers that publish transparency reports. Their transparency reports indicate that government requests are targeted at specific accounts, not bulk access to hosted content. |
Overall likelihood: LOW
7.2 Impact if Access Occurred
| Factor | Assessment |
|---|---|
| Data sensitivity | The majority of transferred data is low sensitivity (pseudonymized analytics, website visitor metadata). Form submissions may contain medium-sensitivity data (names, email addresses, messages) depending on the website. |
| Pseudonymization effectiveness | Analytics data cannot be linked to individuals without access to the daily-rotating hash components (IP + User-Agent + date), which are not stored. |
| Scope of exposure | Any government access would be scoped to specific accounts or websites, not the entire platform. Per-website data isolation through dedicated storage instances limits the scope of any potential compromise. For EU-resident website operators, persistent storage and automated visitor-facing processing (content submission notifications and transactional email delivery) are restricted to the EU, further limiting exposure to US government access for this data. |
Overall impact: LOW to MEDIUM (depending on the sensitivity of data collected by individual website operators)
7.3 Residual Risk Assessment
Considering the low likelihood of government access, the supplementary technical measures (encryption, pseudonymization, data minimization), and the additional safeguards introduced by EO 14086, we assess that the residual risk to data subjects is low and that the supplementary measures, together with the SCCs (for EEA/UK/Swiss transfers) and contractual protections (for Canadian transfers), provide a level of protection essentially equivalent to that guaranteed within the EEA and comparable to that required under Canadian privacy law.
8. CONCLUSION
Based on this assessment, we conclude that:
The personal data transferred from the EEA/UK/Switzerland/Canada to the United States in connection with the provision of our Services benefits from an essentially equivalent level of protection to that guaranteed under EU data protection law and a comparable level of protection to that required under Canadian privacy law.
The Standard Contractual Clauses, combined with the supplementary technical, organizational, and contractual measures described in Section 6, adequately address the risks identified in this assessment.
The nature of the data (primarily pseudonymized analytics and small-business website visitor interactions) and the profile of the data importer (a small SaaS company, not a telecommunications provider) significantly reduce the practical risk of government surveillance.
The protections introduced by Executive Order 14086 and the associated redress mechanism provide additional safeguards that benefit all data subjects, regardless of the specific transfer mechanism used.
For Canadian transfers, the contractual protections and supplementary measures described herein ensure a comparable level of protection to that required under PIPEDA and applicable provincial privacy legislation, including Quebec's modernized privacy law.
We will continue to monitor developments in US surveillance law and practice, as well as developments in Canadian privacy law (including the proposed Consumer Privacy Protection Act), and will reassess this TIA if circumstances change materially.
The transfers may proceed subject to the continued application of the SCCs and supplementary measures described herein.
9. REVIEW SCHEDULE
This TIA will be reviewed and updated:
- Annually, at a minimum, or
- Upon material changes to applicable laws or regulations (including changes to FISA, the CLOUD Act, EO 14086, PIPEDA, or Canadian provincial privacy legislation),
- Upon changes to our sub-processors or the nature of data transferred,
- Upon any court decision that materially affects the validity of the SCCs or the adequacy of US data protection.
10. CONTACT US
If you have questions about this Transfer Impact Assessment, please contact us at:
Acira AI LLC
11500 S Eastern Ave, Suite 150
Henderson, NV 89052
United States
Phone: 888-389-1189
Email: legal@acira.ai
Your Privacy, Our Priority
We don't sell your data, we don't use tracking cookies — that's why you won't see a cookie banner here. We honor Global Privacy Control, and for EU customers, visitor data is stored and processed exclusively within the European Union.
Acira AI
Build beautiful websites with AI. No coding required.
Proudly built in the United States
© 2026 Acira AI LLC. All rights reserved.