Does this tool tell me if I'm Schrems II compliant?

No — deliberately. Schrems II / GDPR Chapter V compliance is a fact-specific legal assessment for your DPO or counsel. This tool maps your exposure across the dimensions counsel evaluates and gives you a structured starting point for a Transfer Impact Assessment, not a compliant/non-compliant verdict.

Our data is hosted in the EU — are we fine?

Not necessarily. EU hosting reduces some exposure, but a US-controlled provider can still face FISA §702 / CLOUD Act compelled-disclosure obligations, and support/engineering access or AI sub-processors can re-introduce transfers. That is why this assessment treats jurisdiction, control, hosting, access and the AI layer as separate dimensions.

What is a Transfer Impact Assessment (TIA)?

After Schrems II, where you rely on SCCs (or similar) for a third-country transfer you must assess whether the destination's law and practice undermine the safeguards, and adopt supplementary measures where needed. The analysis must be documented. This tool structures the inputs to that analysis.

Does the EU-US Data Privacy Framework solve this?

Only partly. The DPF can provide a transfer basis to US importers that are actively self-certified for the relevant data categories. It does not cover non-certified importers, non-US third countries, or every processing scenario, and remains subject to legal challenge — so the other dimensions still matter.

Is this legal advice?

No. It is a free, structured starting point based on your inputs. It is not legal advice and not a substitute for your DPO or counsel; Schrems II compliance depends on facts specific to your processing, including some not captured here.

Do you store my answers?

No. The analysis runs entirely in your browser. There is no form gate and we do not capture or store your inputs.

Free tool

Cloud Act / Schrems II exposure analyzer

Map your vendor's international-transfer exposure across the dimensions counsel actually evaluates — jurisdiction, hosting, transfer mechanism, support access, AI sub-processors — as a structured starting point for a Transfer Impact Assessment.

Framed against GDPR Chapter V, the CJEU Schrems II judgment (C-311/18), the EU-US Data Privacy Framework, EU SCCs and the extraterritorial reach of the US CLOUD Act / FISA §702. This tool reports per-dimension exposure only — it deliberately does NOT output a 'compliant / non-compliant' verdict. It is not legal advice.

FAQ

Does this tool tell me if I'm Schrems II compliant?: No — deliberately. Schrems II / GDPR Chapter V compliance is a fact-specific legal assessment for your DPO or counsel. This tool maps your exposure across the dimensions counsel evaluates and gives you a structured starting point for a Transfer Impact Assessment, not a compliant/non-compliant verdict.
Our data is hosted in the EU — are we fine?: Not necessarily. EU hosting reduces some exposure, but a US-controlled provider can still face FISA §702 / CLOUD Act compelled-disclosure obligations, and support/engineering access or AI sub-processors can re-introduce transfers. That is why this assessment treats jurisdiction, control, hosting, access and the AI layer as separate dimensions.
What is a Transfer Impact Assessment (TIA)?: After Schrems II, where you rely on SCCs (or similar) for a third-country transfer you must assess whether the destination's law and practice undermine the safeguards, and adopt supplementary measures where needed. The analysis must be documented. This tool structures the inputs to that analysis.
Does the EU-US Data Privacy Framework solve this?: Only partly. The DPF can provide a transfer basis to US importers that are actively self-certified for the relevant data categories. It does not cover non-certified importers, non-US third countries, or every processing scenario, and remains subject to legal challenge — so the other dimensions still matter.
Is this legal advice?: No. It is a free, structured starting point based on your inputs. It is not legal advice and not a substitute for your DPO or counsel; Schrems II compliance depends on facts specific to your processing, including some not captured here.
Do you store my answers?: No. The analysis runs entirely in your browser. There is no form gate and we do not capture or store your inputs.

By ISMS Copilot. Framed against GDPR Chapter V, the CJEU Schrems II judgment (C-311/18), the EU-US Data Privacy Framework, EU SCCs and the extraterritorial reach of the US CLOUD Act / FISA §702. This tool reports per-dimension exposure only — it deliberately does NOT output a 'compliant / non-compliant' verdict. It is not legal advice.

Ready to streamline your compliance work?

Built for speed, accuracy, and audit-ready output.

Try ISMS Copilot 2.0