The policy discloses that personal data may be transferred to and processed in countries outside the user's country of residence, and states that Standard Contractual Clauses are used as the transfer mechanism for international data flows.
This analysis describes what Brex's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
This provision engages GDPR Chapter V cross-border transfer requirements for EU and UK users, requiring that Standard Contractual Clauses be accompanied by a Transfer Impact Assessment where transfers are made to countries without an adequacy decision, including the United States.
Interpretive note: Whether Brex has executed Transfer Impact Assessments and whether EU-US Data Privacy Framework certification applies cannot be confirmed from the policy text alone.
Under this clause, personal data may be transferred to countries outside the user's residence, including potentially the United States for EU and UK users; the policy states that Standard Contractual Clauses are implemented as the transfer safeguard.
How other platforms handle this
Your personal information may be transferred to, stored, and processed in the United States or other countries outside of your country of residence, which may have data protection laws that are different from those in your country.
Your personal information may be transferred to, stored, and processed in the United States or other countries where our service providers and partners operate. By using our Services, you acknowledge that your personal information may be transferred to countries outside your country of residence, in...
At Ledger, earning and maintaining our users' trust is a top priority. That's why we are deeply committed not only to protecting your privacy and securing your personal data, but also to being fully transparent about how we handle it.
Monitoring
Brex has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"Your personal information may be transferred to, and processed in, countries other than the country in which you are resident. These countries may have data protection laws that are different from the laws of your country. We have implemented appropriate safeguards to protect your personal information in connection with these transfers, including Standard Contractual Clauses.— Excerpt from Brex's Brex Privacy Policy
(1) REGULATORY LANDSCAPE: GDPR Chapter V (Articles 44-49) governs international personal data transfers from the EEA; UK GDPR imposes parallel requirements for UK data. Standard Contractual Clauses approved by the European Commission are a recognized transfer mechanism, but following the Schrems II decision, Transfer Impact Assessments are required to assess whether SCCs provide effective protection in the destination country. The EU-US Data Privacy Framework (adequacy decision) may also be relevant depending on Brex's certification status. (2) GOVERNANCE EXPOSURE: High for EU and UK user data. Non-compliant international transfers are a priority enforcement area for EU data protection authorities. Compliance teams must maintain documented Transfer Impact Assessments and ensure executed SCCs are in place with all processors and sub-processors receiving EU personal data. (3) JURISDICTION FLAGS: EEA and UK create primary exposure. Switzerland has its own transfer requirements. Other jurisdictions with data localization or transfer restrictions (Brazil LGPD, South Korea PIPA) may apply depending on Brex's user base. (4) CONTRACT AND VENDOR IMPLICATIONS: All vendor contracts for services involving EU or UK personal data must include executed Standard Contractual Clauses or equivalent transfer mechanisms. Sub-processor chains must be assessed and documented. (5) COMPLIANCE CONSIDERATIONS: Confirm that SCCs are executed with all relevant processors; prepare Transfer Impact Assessments for US-based processing of EU data; assess whether EU-US Data Privacy Framework certification is available and appropriate; and verify UK GDPR transfer mechanism compliance separately from EU GDPR.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
This provision engages GDPR Chapter V cross-border transfer requirements for EU and UK users, requiring that Standard Contractual Clauses be accompanied by a Transfer Impact Assessment where transfers are made to countries without an adequacy decision, including the United States.
Under this clause, personal data may be transferred to countries outside the user's residence, including potentially the United States for EU and UK users; the policy states that Standard Contractual Clauses are implemented as the transfer safeguard.
ConductAtlas has identified this type of provision across 84 platforms. See the full comparison.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Brex.