tomHRM safeguards the employees and personal data our customers entrust us to process when we must transfer that data to a third country — whether for the purposes of support, security, or sub-processing.

tomHRM transfers Customer content (as defined in Data Processing Agreement and in response to Schrems II) outside the European Union as necessary to provide tomHRM application and services to Customer.

The transfer impact assessments below identify and describe the risks associated with data transfers of Customer Content to third countries, as well as any supplementary measures we have taken to safeguard Customer Content. Please see our Data Processing Agreement for any details, such as the nature of the processing or the retention period of the data, that are not specific to onward transfer. In all cases, the categories of data subjects are tomHRM customers and their end users. Please see our list of Sub-processors to see where we transfer data to our vendors outside UE.


Purpose for transfer and any further processingTransfer to sub-processor: tomHRM uses a sub-processor who stored in or accessed from the United States. Please see our list of Sub-processors for specific information.
The frequency of the transferInternal transfer: Data is transferred on a continuous basis.
Transfer to sub-processor: Data is transferred as directed by the controller.
Categories of personal data transferredInternal transfer: Customer content, as defined in Data Processing Agreement

Transfer to sub-processor: Please see our list of Sub-processors for specific information about the categories of personal data sent to this country.

Sensitive data transferred
(if applicable)
We do not intentionally transfer any sensitive data to the United States, unless directed to by the controller.
Applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involvedTransfer to sub-processor: Each tomHRM sub-processor has a law enforcement request policy in place and will notify tomHRM, where permitted by law, before disclosing information in response to a request.
Supplemental Security/ Organizational Measures


Please see an overview of the supplementary measures we take to safeguard personal data in this DPA (Appendix 2)

Transfer to sub-processor: Please see our list of Sub-processors for specific information about individual sub-processors.

Applicable transfer mechanism


Transfer to sub-processor: Standard Contractual Clauses for onward transfer to our sub-processor.