Transfer Risk Assessment (TRA)
Version 2.0 - Effective 2026-07-08 - Change log
Template document: review by a qualified data-protection lawyer or DPO before commercial reliance. Not legal advice.
Transfer risk assessment for the one restricted transfer in the Whistle service: redacted free-text chat content to Anthropic (US). Structured on the six steps of EDPB Recommendations 01/2020. Pre-filled with Amaigo's standing analysis; fields marked [Complete] must be finished and signed off by the DPO (or the person responsible for data protection) before commercial reliance.
Step 1: Know your transfer (mapping)
| Item | Detail |
|---|---|
| Exporter | Amaigo (processor for its clients, the controllers) |
| Importer | Anthropic (AI sub-processor), United States |
| Data transferred | Redacted free-text chat content only. Contact and identity data (name, email, phone) is captured through structured fields, stored in the EU, and is not sent to Anthropic by design. Free text passes through automated redaction (emails, phone numbers, long digit runs) before transfer. |
| Special-category exposure | Possible: data subjects may volunteer health details or criminal allegations in free text. Mitigated by minimisation prompts, redaction, no transcript storage by default, and bounded retention. |
| Direction and frequency | EU to US, continuous during chat sessions |
| Purpose | AI processing to qualify enquiries and generate responses |
| Onward transfers | None authorised beyond Anthropic's own infrastructure sub-processors under its terms. [Complete: confirm Anthropic's current infrastructure sub-processor list.] |
Step 2: Transfer tool relied on
- Primary: EU-US Data Privacy Framework, and the UK Extension to the DPF for UK-origin data, while Anthropic's certification and the relevant adequacy decisions remain valid.
- Fallback: EU Standard Contractual Clauses, Module 3 (processor to processor), and the UK International Data Transfer Addendum, executed with Anthropic and applying automatically if the adequacy basis is invalidated or the certification lapses (see clause 11 of the DPA).
- [Complete: record Anthropic's DPF certification ID, verification date on the DPF list, confirmation that the UK Extension is covered, and the certification renewal date.]
Step 3: Assess the law and practice of the third country
- Relevant US regimes: FISA Section 702 and Executive Order 12333 create potential government-access exposure for data held by US electronic communication service providers, which may include Anthropic.
- Safeguards: Executive Order 14086 introduces necessity and proportionality limits on signals intelligence and the Data Protection Review Court (DPRC) as a redress mechanism for EU (and UK, via the UK Extension) data subjects.
- Judicial status: the General Court dismissed the challenge to the DPF adequacy decision in Latombe (T-553/23, September 2025), endorsing the EO 14086 safeguards and DPRC redress. An appeal to the CJEU (C-703/25 P) is pending and is a monitored trigger event for this assessment.
- Practical exposure of this transfer: low. The transferred data is redacted free text with contact and identity data excluded by design, held only for a short bounded period, making it of limited intelligence value and hard to attribute to individuals.
- UK leg: for UK-origin data, this TRA may rely on the DSIT analysis of US law underpinning the UK Extension, per ICO transfer guidance effective 5 February 2026. [Complete: confirm the current status of that reliance at review date.]
Step 4: Supplementary measures
Technical
- Automated PII redaction of free text (emails, phone numbers, long digit runs) before transfer.
- TLS encryption in transit.
- No raw chat transcripts stored by default; no chat content written to logs.
- Data minimisation by design: identity data is never routed through the AI channel; the widget instructs users not to share sensitive details.
Contractual
- Anthropic commercial terms: no training on customer content; short bounded retention (zero-data-retention arrangement on the roadmap, not yet in place).
- SCC Clause 14 (local laws and practices) and Clause 15 (importer obligations on government access: notification where permitted, legality review, challenge, minimum disclosure) commitments under the fallback SCCs.
Organisational
- Government-access request policy: if Amaigo receives or learns of a government access request concerning client data, it notifies the affected controller unless legally prohibited, and requires challenge of overbroad or unlawful requests.
- Annual review of Anthropic's published transparency and trust materials. [Complete: record the materials reviewed and date.]
Step 5: Procedural steps
- Execute the fallback EU SCCs (Module 3) and UK Addendum with Anthropic. [Complete: execution date and document reference.]
- Record Anthropic's DPF certification and renewal date (see Step 2 fields).
- Confirm the sub-processor list at /sub-processors and clause 11 of the DPA reflect the mechanisms recorded here.
- File this completed TRA with the ROPA (/legal/ropa).
Step 6: Re-evaluation
Review this assessment annually and immediately on any trigger event, including:
- judgment in C-703/25 P or any invalidation, suspension, or amendment of the EU-US DPF adequacy decision or the UK Extension;
- Anthropic's DPF certification lapsing or being removed from the DPF list;
- material changes to US surveillance law (FISA 702 reauthorisation terms, amendment or revocation of EO 14086, changes affecting the DPRC);
- material changes to Anthropic's terms, retention behaviour, or sub-processing chain;
- ICO or EDPB guidance changing the assessment methodology, including the ICO's planned 2026 transfer-tool updates.
Sign-off
| Field | Entry |
|---|---|
| Assessment completed by (name, role) | [Complete] |
| DPO / data-protection lead review | [Complete] |
| Date of assessment | [Complete] |
| Next scheduled review (max 12 months) | [Complete] |
| Trigger events monitored by | [Complete: named owner] |
| Outcome | [Complete: transfer may proceed / proceed with measures / suspend] |
This document is a GDPR-aligned template and must be reviewed by a qualified data-protection lawyer or DPO before commercial reliance. It is not legal advice.