Your personal data is stored and processed primarily in the US, and may also be sent to PlanetScale's partners in other countries with potentially weaker privacy protections; PlanetScale commits to using legal transfer mechanisms such as adequacy decisions or Standard Contractual Clauses.
This analysis describes what PlanetScale's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
EU, UK, and Swiss users have their data transferred to the US, a jurisdiction that historically has not met the EU's adequacy standard without specific frameworks; the policy's reference to both DPF and contractual protections suggests a layered approach, but the adequacy of those protections depends on which mechanism is applied and whether it remains legally valid.
Personal data from EU, UK, and Swiss users is transferred to and processed in the United States under the Data Privacy Framework or Standard Contractual Clauses; users in these regions should be aware that US national security law may permit governmental access to this data in ways that may not be available under their home country's laws.
How other platforms handle this
Personal data collected by Microsoft may be stored and processed in your region, in the United States, and in any other country where Microsoft or its affiliates, subsidiaries, or service providers operate facilities. Microsoft uses a variety of legal mechanisms, including contracts, to help ensure ...
By using our Services, you consent to the transfer of your personal information to countries outside of your country of residence, including to the United States, which may not provide the same level of data protection as your home country. We take steps to ensure that any international transfers of...
If you are located in the European Economic Area, the United Kingdom, or Switzerland, please be aware that we may transfer your personal information to countries outside of these regions, including to the United States, where data protection laws may not provide the same level of protection as those...
Monitoring
PlanetScale has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"You will provide personal information directly to our website in the United States. We may also transfer personal information to our partners and service providers in the United States and other jurisdictions. Please note that such jurisdictions may not provide the same protections as the data protection laws in your home country. When we engage in cross-border data transfers, we will ensure that relevant safeguards are in place to afford adequate protection for personal information and we will comply with applicable data protection laws, in particular by relying on an EU Commission or UK government adequacy decision or on contractual protections for the transfer of personal information.— Excerpt from PlanetScale's PlanetScale Privacy Policy
(1) REGULATORY LANDSCAPE: GDPR Chapter V governs international data transfers, requiring either an adequacy decision, appropriate safeguards (such as Standard Contractual Clauses under Article 46), or specific derogations. The EU-US DPF adequacy decision of July 2023 is currently operative but has faced legal challenges and may be subject to further scrutiny. UK GDPR has parallel requirements with UK-specific mechanisms including UK SCCs and the UK's International Data Transfer Agreement (IDTA). Swiss data transfers are governed by the Swiss Federal Act on Data Protection. (2) GOVERNANCE EXPOSURE: Medium. The policy's dual reliance on adequacy decisions and contractual protections is prudent but somewhat imprecise; in practice, organizations need to document which mechanism applies to each transfer. The acknowledgment that 'such jurisdictions may not provide the same protections as the data protection laws in your home country' is a transparency measure but also serves as a notice-based risk allocation. (3) JURISDICTION FLAGS: EU and EEA transfers carry the highest regulatory scrutiny, particularly given the history of EU-US transfer mechanism invalidations (Safe Harbor 2015, Privacy Shield 2020). UK transfers require assessment under the UK's own adequacy and transfer mechanism framework post-Brexit. Switzerland's updated FADP came into force in September 2023 and introduces GDPR-adjacent requirements for international transfers. (4) CONTRACT AND VENDOR IMPLICATIONS: Enterprise customers should request documentation of the specific transfer mechanisms used for their data, including executed SCCs or DPF documentation, rather than relying on the general policy statement. Sub-processor transfer chains should be mapped to ensure each link uses an approved mechanism. (5) COMPLIANCE CONSIDERATIONS: Legal teams should maintain a record of processing activities (ROPA) entry for transfers to PlanetScale, specifying the applicable transfer mechanism. If SCCs are relied upon, the transfer impact assessment (TIA) required post-Schrems II should be documented. DPF certification should be verified periodically given the history of transfer mechanism invalidation.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
EU, UK, and Swiss users have their data transferred to the US, a jurisdiction that historically has not met the EU's adequacy standard without specific frameworks; the policy's reference to both DPF and contractual protections suggests a layered approach, but the adequacy of those protections depends on which mechanism is applied and whether it remains legally valid.
Personal data from EU, UK, and Swiss users is transferred to and processed in the United States under the Data Privacy Framework or Standard Contractual Clauses; users in these regions should be aware that US national security law may permit governmental access to this data in ways that may not be available under their home country's laws.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by PlanetScale.