Coignite has established EU Standard Contractual Clauses (SCCs) with all data sub-processors operating in third countries, ensuring compliance with EU data protection regulations.

In line with the DPA:

"Location of Processing

The processing of personal data covered by these provisions cannot occur at any locations other than the following, without prior written approval from the data controller:

Hovedvagtsgade 6, 5. tv., 1103 Copenhagen

Instructions Regarding Transfer of Personal Data to Third Countries

Before transferring data to third countries, the following must be considered:

• Encryption standards;

• Applicable EU legislation;

• Applicable third-country legislation (compliance with EU directives);

• The necessity of the transfer and possible alternatives to avoid third-country transfers.

If the data controller does not provide documented instructions regarding the transfer of personal data to a third country within these provisions or subsequently, the data processor is not entitled to make such transfers within the framework of these provisions."

Coignite is committed to maintaining ongoing compliance with data transfer requirements.

The majority of Coignite's sub-processors outside the EU are certified under the EU-U.S. Data Privacy Framework (DPF), with Harvest (Iridesco, LLC) being the only exception.

For data transfers to Harvest, Coignite has implemented a Data Processing Agreement (DPA) that includes EU Standard Contractual Clauses (SCCs), ensuring a legally valid and secure mechanism for data transfers in compliance with EU data protection laws.

To uphold high standards of data privacy and security, Coignite conducts an annual review of our sub-processors' compliance using the Openli platform.