Trust Center › GDPR & Transfer Impact Assessment

GDPR Compliance & Transfer Impact Assessment

Last updated: June 15, 2026

GDPR Overview

The General Data Protection Regulation (GDPR) provides certain rights to EU citizens regarding how their data is processed. Effective May 25, 2018, it applies to any company handling personal data of EU citizens.

Navis One Lab, LLC acts as a Processor for information customers upload to our services, and as a Controller for certain usage data we collect.

In July 2020, the EU Court invalidated Privacy Shield. We updated our DPA to include the latest Standard Contractual Clauses and offer an EU region data center option.

GDPR Data Protection Principles

Fair, legal, and transparent processing — data must be processed as a person reasonably expects.
Purpose limitation — data collected only for specified purposes.
Data minimization — data held no longer than necessary.
Individual rights — access, copy, update, delete, restrict, or move data.

How Cooby Complies

You decide what data is uploaded. You can mask sensitive elements. Under GDPR's privacy-by-design principle, we encourage masking unnecessary data. Contact support for guidance.

As detailed in our Data Processing Addendum, we are a data processor — you direct and control what information is provided to us.

Transfer Impact Assessment

What is a TIA?

A Transfer Impact Assessment evaluates privacy protections of laws in recipient countries outside the EU/EEA. TIAs were introduced by the CJEU in Schrems II (C-311/18, Data Protection Commissioner v. Facebook Ireland Ltd). Data exporters must assess protections on a case-by-case basis.

Cooby's Assessment

We have conducted a TIA for transfers from the EU/EEA and UK to the United States, where our primary processing occurs.

Key Findings

1. Legal Framework: Transfers are governed by EU SCCs and the UK Addendum, incorporated into our DPA.

2. Supplementary Measures: Encryption at rest and in transit, access controls, regular security testing.

3. Government Access: Cooby has not received any US government intelligence/security agency requests for Customer Personal Data. If received, we will redirect to Customer and notify unless legally prohibited.

4. Data Minimization: Customers control uploaded data. We encourage masking sensitive elements.

5. EU Data Center: Option to store data in our EU region data center.

Ongoing Monitoring

Cooby commits to ongoing monitoring of US legal developments affecting EU/EEA/UK data transfer protections. We will update our TIA and implement additional safeguards as required.