
In detail - Navigating GDPR Compliance on AWS


STEP 1: KNOW YOUR TRANSFERS

Customers need to understand whether their use of AWS services may lead to a data transfer, and if so, what customer data is transferred in order to be able to fulfil their obligations under the GDPR’s principle of accountability. As a first step, the customer, therefore, needs to identify which data transfers might take place in connection with its use of AWS services.

The customer determines which AWS services it uses, or intends to use, and what customer data it processes and for which purposes when using the AWS services. Due to the content-agnostic nature of the AWS services, AWS does not have visibility into customer data. Therefore, only the customer can complete this step 1, based on where and how it chooses to use AWS services.

AWS’s European seller of record (Amazon Web Services EMEA SARL), based in Luxembourg, is the AWS contracting party that provides AWS services to customers who have AWS accounts associated with Europe, the Middle East and Africa (other than South Africa). As set out in the AWS Customer Agreement, other AWS affiliates provide the AWS services to customers located outside of Europe, the Middle East and Africa.

As set out in the AWS DPA, AWS will not transfer customer data outside the customer’s selected AWS region unless it is necessary to provide or maintain the AWS services initiated by the customer, or as necessary to comply with the law or a valid and binding order.

The theoretical possibility of a governmental body in a third country being permitted by law to order the transfer of customer data in response to a disclosure request does not constitute a data transfer. This has been confirmed by data protection authorities, for example the German data protection authorities as well as German courts and procurement chambers. Nevertheless, the customer may use the information described in step 4 below, to implement technical and organizational measures to protect customer data in compliance with the GDPR.

The following bullet points provide customers with more details on typical processing activities carried out by AWS in connection with customers’ use of AWS services. This information could be used by customers to assist them in completing their DTA, subject to appropriate customization based on their business activities and unique use of AWS services:

Description of the transfer of customer data, including relevant sub-processors

  • The customer may select from a suite of on-demand AWS services that customers can configure to build their own products and service offerings. Customers maintain control over their customer data at all times, through tools that enable customers to determine where customer data will be stored and to secure customer data in transit and at rest.

  • The customer selects the AWS region(s) to store its customer data in accordance with the AWS DPA. Customers can use AWS regions in Europe, including France, Germany, Ireland, Italy, Spain, Sweden, Switzerland, and the UK. The Regions and Availability Zones website provides a full overview of the AWS regions.

  • AWS will not transfer customer data outside the customer's selected AWS region unless it is necessary to provide the AWS services initiated by the customer, or as necessary to comply with law or a valid and binding order, or where it is required in order to prevent fraud and abuse.

  • As a general rule, the customer can use AWS services with the confidence that customer data stays in the AWS region(s) that the customer selects and a data transfer is not required to provide or maintain the services. Only a small number of AWS services involve transfers of customer data to countries outside the AWS region selected by the customer, which may include third countries. Customers can find an overview of such AWS services (e.g., content delivery services) on the AWS Privacy Features page. In a few cases, AWS uses customer data to develop and improve the respective service, which involves data transfers. Customers can opt out of such data transfers as described in the AWS Service Terms. A list of the AWS services that allow for an opt-out on data transfers can be found on the Privacy Features page. Alternatively, customers can implement policies to avoid use of such AWS services.

  • On the AWS Sub-processors website, customers can learn more about the sub-processors that provide processing activities on customer data, including the AWS entity acting as sub-processor in their chosen AWS region (e.g., A 100 ROW GmbH for AWS Region: Europe (Frankfurt)). The AWS Sub-processors website lists the location of each sub-processor. There are three types of sub-processors: (1) AWS entities that provide the infrastructure on which the AWS services run; (2) AWS entities that support specific AWS services, which may require these entities to process customer data; and (3) third parties that AWS has contracted with to provide processing activities for specific AWS services. The second type of sub-processors includes AWS entities that provide AWS Support services, but these entities do not process customer data unless the customer wants to share customer data in the course of requesting AWS Support (which AWS neither requires nor recommends). AWS will update the AWS Sub-processors website at least 30 days before engaging a new sub-processor, and if customers subscribe for updates, AWS will notify them by email of changes to this website. The AWS Sub-processors website also lists the Amazon entities that are used to provide customer-initiated support.

  • These entities do not process customer data unless the customer chooses to share customer data in the course of requesting AWS Support (which AWS neither requires nor recommends). As an example, AWS Support may process customer data if the customer shares its screen or attaches a snapshot to the ticket.

Processing activity

  • Compute, storage, and such other AWS services as described for each AWS service in the Documentation and initiated by the customer from time to time. The customer decides on the exact processing activity.

Purpose for which customer data are transferred

  • The customer decides on the purposes for which customer data is transferred (if at all) as transfers (if any) occur based on the customer’s selection of AWS services and AWS regions.

Categories of customer data concerned

  • The customer controls the categories of customer data it uploads to the AWS services. Customers are free to upload any category of customer data to the AWS services, which may include for instance data in relation to purchase contracts, employment relationships, or analytics data.

Data minimization

  • The customer controls how to address data minimization obligations and measures in the context of transfers of customer data.

Categories of data subjects concerned

  • The customer controls the categories of data subjects whose personal data is uploaded to AWS services. The data subjects may include, for example, the customer’s customers, employees, suppliers, and end users.

Actors involved in the processing (including sub-processors); processing chain

  • Customers might be controllers or processors of customer data, depending on the role and responsibilities they take in respect of their data processing activities.

  • AWS is always a processor of customer data and carries out any processing on behalf of the customer. Each customer contracts with an AWS contracting party that provides the AWS services depending on the location associated with the customer’s account. For customers with accounts located in the EEA, the AWS contracting party that provides the AWS services to customers is Amazon Web Services EMEA SARL, based in Luxembourg. In case of a data transfer, Amazon Web Services, Inc. acts as data importer under the SCCs.

  • Customers may learn about the sub-processors that may be relevant to their selected AWS services on the AWS Sub-processor website.

Economic sector in which transfers of customer data occur

  • Customers operate in various economic sectors and use the AWS services for a broad range of use cases. Accordingly, the economic sector in which data transfers of customer data occur depends on the customer’s business activities.

Format of transferred customer data

  • The customer controls the format of transferred customer data. Customers can elect to use technical measures affecting the format in order to protect customer data. For example, most AWS services enable customers to encrypt customer data, as shown on the Privacy Features of AWS page, or with customers’ own or selected third-party technologies.

Volume and frequency of transfer of customer data

  • The customer determines the volume of customer data transferred and how frequently it transfers customer data based on the AWS services that the customer selects, and the customer’s architecture and configuration of those AWS services.

Security measures to protect customer data

  • AWS’s Shared Responsibility Model distinguishes between the responsibility for what AWS calls “Security OF the Cloud” on the one hand and “Security IN the Cloud” on the other hand. While AWS is responsible for the “Security OF the Cloud”, each customer is responsible for “Security IN the Cloud”. For “Security OF the Cloud”, AWS implements technical and physical controls and processes designed to prevent unauthorized access or disclosure of customer data (as evidenced by its compliance program detailed on the AWS Compliance website). For “Security IN the Cloud”, AWS makes available products, tools, and services that customers can use to architect and secure their applications and solutions. Customers can refer to the AWS Well-Architected website for further information about such products, tools, and services. Additionally, customers can implement and use their own or third-party security tools (e.g., purchased on the AWS Marketplace) in connection with the AWS services.

  • AWS prohibits, and its systems are designed to prevent, remote access by AWS personnel to customer data for any purpose, including service maintenance, unless access is requested by a customer, is required to prevent fraud and abuse, or to comply with law.

  • AWS maintains access controls and policies to limit, manage, and control the access of AWS personnel to customer data, including the use of firewalls or functionally equivalent technology and authentication controls in accordance with the AWS Security Standards (included in the AWS DPA).

  • AWS adheres to the Cloud Infrastructure Service Providers Europe (CISPE) Data Protection Code of Conduct (CISPE Code) validated by the EDPB and approved by the French Data Protection Authority (CNIL). The CISPE Code assures organizations that their cloud infrastructure service provider meets the requirements applicable to customer data under the GDPR. The CISPE Code goes beyond compliance with the GDPR by requiring cloud infrastructure service providers to give customers the choice to use services to store and process customer data exclusively in the EEA. AWS has initially declared 100 services under the CISPE Code and is committed to bringing additional AWS services into the scope of the CISPE compliance program. For further information, see AWS cloud services adhere to CISPE Data Protection Code of Conduct for added GDPR assurance.

STEP 2: IDENTIFY THE TRANSFER TOOLS YOU ARE RELYING ON

If a customer has determined in step 1 of its DTA that its use of AWS services leads to an international data transfer, the customer must identify and document in step 2 of its DTA the transfer tool it is relying on as a lawful basis for the data transfer pursuant to chapter V of the GDPR. A customer might also choose to use a transfer tool other than an adequacy decision as the lawful basis for a transfer of personal data to a country that has received an adequacy decision from the European Commission, which would also need to be documented in step 2 of its DTA.

Transfer tool:

STEP 3: ASSESS THE LAWS OR PRACTICES OF THE COUNTRIES THAT MAY IMPINGE ON THE EFFECTIVENESS OF THE TRANSFER TOOL

In step 3 of its DTA, a customer needs to assess whether the transfer tool that it relies on for data transfers in step 2 of its DTA is effective in ensuring that the level of protection guaranteed by the GDPR is not undermined by the laws and practices in the country to which its customer data is transferred.

Only the customer controls if and where its customer data is transferred in connection with its use of its selected AWS services. When assessing the risk in connection with the processing of customer data in a particular country, several factors might be relevant that only the customer can control, e.g., the sensitivity of the processed data categories, the purposes for which the customer uses the AWS services, or whether the customer’s business has ties to that country. This will be relevant for a customer when determining whether its customer data will receive protection in a country that is equivalent to the GDPR. A customer might, therefore, wish to conduct a review of certain countries that are relevant to its specific use of AWS services when completing this step of its DTA.

The supplementary measures AWS takes and makes available to its customers – described in step 4 below – including AWS’s approach towards governmental disclosure requests, apply globally. AWS is confident that these measures set a high threshold to protect customer data against unwanted or unauthorized access or disclosure regardless of the specific jurisdiction in which customer data may be processed due to customer’s specific use of the AWS services. A customer might still wish to map these supplementary measures against the specific framework of a particular country that is relevant for that customer. When assessing relevant laws, a customer should first check the data transfer position determined in step 1 of its DTA and review it against the legal framework and practices applicable in the relevant countries.

For example, for transfers of customer data to the US, on July 10, 2023, the European Commission adopted its adequacy decision on the DPF. The decision, which took effect on the day of its adoption, concludes that the US ensures an adequate level of protection for personal data transferred from the EEA to companies certified to the DPF. The European Commission also confirmed that safeguards that have been implemented as part of the DPF “facilitate the use of other tools, such as standard contractual clauses and binding corporate rules”. When relying on SCCs for transfers of customer data to the US and conducting a DTA, customers can consider the European Commission’s adequacy decision that finds that the safeguards under the DPF provide a level of protection essentially equivalent to the protection afforded under the GDPR.

The following additional resources might also be helpful to assist a customer when completing step 3 of its DTA:

Irrespective of the laws that apply and regardless of the country from which it originates, AWS reviews every law enforcement request it may receive individually and independently. AWS challenges government requests for customer information, including customer data, that it believes are or could be overbroad or otherwise inappropriate. AWS thoroughly scrutinizes such requests, including those that conflict with local law, such as the GDPR, and objects where it has appropriate grounds to do so. AWS also takes and makes available supplementary measures, including contractual commitments, to support the effectiveness of the SCCs, as described in step 4 below.

The EDPB’s recommendations also permit customers to consider AWS’s practical experience “with relevant prior instances of requests for access received from public authorities” outside of the EEA. AWS publishes regular Amazon Information Request Reports, which detail the types and volume of law enforcement requests that AWS receives, which are available for customers to review. The contents of the information request reports demonstrate that disclosures of customer data by AWS in response to government requests for information are very rare.

STEP 4: ADOPT SUPPLEMENTARY MEASURES IF REQUIRED

In step 4 of its DTA, a customer might identify supplementary measures that can be taken if the assessment in step 3 of its DTA reveals that the relevant proposed data transfer tool on its own does not provide effective protection for customer data as required by the GDPR.

The SCCs in place between AWS and its customers are effective in ensuring an essentially equivalent level of data protection. In addition, AWS also offers effective technical, organizational, and contractual measures to ensure an equivalent level of protection for customer data that is transferred outside of the EEA, UK, and Switzerland.

The following categories of supplementary measures are implemented or offered to customers for implementation: (a) technical measures, such as encryption and logging, implementation of policies that are technically enforced to avoid the use of AWS services involving data transfers; (b) organizational measures, comprising internal policies and standards regarding governmental requests for customer data; and (c) contractual protections, including commitments with respect to law enforcement requests for customer data like those AWS makes in the AWS Supplementary Addendum.
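The technically enforced policies mentioned above (and in step 1, where customers are told they can implement policies to avoid services that involve transfers) are typically expressed as an AWS Organizations Service Control Policy. The following is an added example, not AWS's own code or a policy AWS publishes: it builds an SCP that denies requests outside an allowed set of regions (using the `aws:RequestedRegion` condition key) and denies a chosen service outright, and it includes a small evaluator so the policy can be checked against sample requests before deployment. The allowed regions, the exempted global services and the blocked service list are assumptions to tailor; the evaluator mirrors only the subset of IAM semantics this policy uses.

```python
"""Build a Service Control Policy that keeps workloads in chosen AWS regions and
blocks selected services, then evaluate sample requests against it.

Added example, not AWS's own code. Region list, global-service exemptions and
blocked services are assumptions; review them against the AWS Privacy Features page."""
import json
from fnmatch import fnmatch

# Regions in which the organization permits customer data to be processed (assumed).
ALLOWED_REGIONS = ["eu-central-1", "eu-west-1", "eu-west-3"]

# Global services whose control-plane calls are not region-scoped and would otherwise
# be blocked by the region condition. This exemption list is an assumption to review.
GLOBAL_SERVICE_EXEMPTIONS = ["iam:*", "sts:*", "organizations:*", "support:*"]

# Services the organization chooses not to use because they involve transfers outside
# the selected region. Placeholder: content delivery is the page's own example.
BLOCKED_SERVICES = ["cloudfront:*"]


def build_scp():
    """Return the SCP document as a dict (json.dumps it to attach via Organizations)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyOutsideAllowedRegions",
                "Effect": "Deny",
                "NotAction": GLOBAL_SERVICE_EXEMPTIONS,
                "Resource": "*",
                "Condition": {"StringNotEquals": {"aws:RequestedRegion": ALLOWED_REGIONS}},
            },
            {
                "Sid": "DenyTransferringServices",
                "Effect": "Deny",
                "Action": BLOCKED_SERVICES,
                "Resource": "*",
            },
        ],
    }


def _matches(action, patterns):
    # IAM action matching is case-insensitive and supports '*' wildcards.
    return any(fnmatch(action.lower(), p.lower()) for p in patterns)


def is_denied(action, region, policy=None):
    """True if any Deny statement in the SCP matches the request.

    Handles Action/NotAction wildcard matching and StringNotEquals on
    aws:RequestedRegion only. An SCP is an outer boundary: a request that is not
    denied here still needs an explicit Allow in an IAM policy to succeed.
    """
    policy = policy or build_scp()
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if "Action" in stmt and not _matches(action, stmt["Action"]):
            continue  # statement does not cover this action
        if "NotAction" in stmt and _matches(action, stmt["NotAction"]):
            continue  # action is exempted from this statement
        cond = stmt.get("Condition", {}).get("StringNotEquals", {})
        if "aws:RequestedRegion" in cond and region in cond["aws:RequestedRegion"]:
            continue  # region is in the allowed list, condition is not met
        return True
    return False


if __name__ == "__main__":
    print(json.dumps(build_scp(), indent=2))
    samples = [
        ("s3:PutObject", "eu-central-1"),
        ("s3:PutObject", "us-east-1"),
        ("iam:CreateRole", "us-east-1"),
        ("cloudfront:CreateDistribution", "eu-west-1"),
    ]
    for act, reg in samples:
        print(f"{act:32s} {reg:14s} -> {'DENY' if is_denied(act, reg) else 'not denied by SCP'}")
```

The evaluator is deliberately narrow: it exists to catch the common mistake of blocking a global service (whose calls are not signed for an allowed region) or forgetting that a Deny without a region condition applies everywhere. Before attaching the policy, the organization should confirm the exemption list against its own inventory of services that need a global endpoint.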

AWS operates the Shared Responsibility Model described in step 1 above, which apportions security and compliance responsibilities between AWS and its customers based on the way AWS services operate and the degree of control each party has. Under the Shared Responsibility Model, it is the customer’s responsibility to implement the technical and organizational measures required in connection with its DTA.

Technical supplementary measures

The following supplementary measures are made available by AWS to customers to assist with safeguarding data transfers:

Encryption

AWS provides advanced encryption services and tools that customers can use to protect their customer data.

Customers can use AWS’s Key Management Service (AWS KMS) as a managed service in the AWS environment. AWS KMS allows customers to create and control their encryption keys, and uses FIPS 140-2 certified Hardware Security Modules (HSMs) to protect the security of such keys. All requests to use keys in AWS KMS are logged in AWS CloudTrail so customers can understand who used which key, in what context, and when it was used. Event data logged to AWS CloudTrail cannot be altered. AWS KMS is designed so that neither AWS (including AWS employees) nor third-party providers to AWS can retrieve, view, or disclose customers’ master keys in an unencrypted format.
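Because every KMS call is recorded in CloudTrail, the "who used which key, in what context, and when" question can be answered mechanically. The following added example (not AWS's own code) parses CloudTrail records in the shape CloudTrail writes for KMS API calls, summarizes usage per key, and flags key use by a principal outside an expected allowlist or from a region outside the customer's selected regions. The records, account id, key ids and the allowlist are constructed placeholders.

```python
"""Summarize AWS KMS key usage from CloudTrail records and flag unexpected use.

Added example, not AWS's own code. The CloudTrail records below are constructed
(account id 111122223333 and key ids are placeholders); the allowlists are assumptions."""
import json
from collections import defaultdict

# Constructed CloudTrail log file with the fields this script reads. Real records carry
# more fields, but eventSource, eventName, userIdentity, resources and awsRegion are the
# ones that answer "who used which key, where and when".
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2025-03-01T08:15:02Z", "eventSource": "kms.amazonaws.com",
     "eventName": "Decrypt", "awsRegion": "eu-central-1",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/app-role/i-0abc"},
     "requestParameters": {"encryptionContext": {"app": "payroll"}},
     "resources": [{"type": "AWS::KMS::Key",
                    "ARN": "arn:aws:kms:eu-central-1:111122223333:key/EXAMPLE-KEY-1"}]},
    {"eventTime": "2025-03-01T08:16:40Z", "eventSource": "kms.amazonaws.com",
     "eventName": "GenerateDataKey", "awsRegion": "eu-central-1",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/app-role/i-0abc"},
     "requestParameters": {"encryptionContext": {"app": "payroll"}},
     "resources": [{"type": "AWS::KMS::Key",
                    "ARN": "arn:aws:kms:eu-central-1:111122223333:key/EXAMPLE-KEY-1"}]},
    {"eventTime": "2025-03-01T09:02:11Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "awsRegion": "eu-central-1",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/app-role/i-0abc"},
     "resources": [{"type": "AWS::S3::Object", "ARN": "arn:aws:s3:::example-bucket/obj"}]},
    {"eventTime": "2025-03-01T22:47:59Z", "eventSource": "kms.amazonaws.com",
     "eventName": "Decrypt", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser",
                      "arn": "arn:aws:iam::111122223333:user/contractor"},
     "requestParameters": {"encryptionContext": {"app": "payroll"}},
     "resources": [{"type": "AWS::KMS::Key",
                    "ARN": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-2"}]},
]})

# Assumed allowlists: the principals expected to use payroll keys, and the customer's
# selected regions from step 1 of the DTA.
EXPECTED_PRINCIPALS = {"arn:aws:sts::111122223333:assumed-role/app-role/i-0abc"}
SELECTED_REGIONS = {"eu-central-1"}


def load_kms_events(trail_json):
    """Parse a CloudTrail log file and keep only KMS API calls."""
    records = json.loads(trail_json)["Records"]
    return [r for r in records if r.get("eventSource") == "kms.amazonaws.com"]


def usage_by_key(events):
    """Map each key ARN to the (principal, API, time, region) tuples that used it."""
    usage = defaultdict(list)
    for ev in events:
        ident = ev["userIdentity"]
        principal = ident.get("arn", ident.get("type"))
        for res in ev.get("resources", []):
            if res.get("type") == "AWS::KMS::Key":
                usage[res["ARN"]].append((principal, ev["eventName"], ev["eventTime"], ev["awsRegion"]))
    return dict(usage)


def unexpected_key_use(events, expected_principals, selected_regions):
    """Return KMS events by a principal outside the allowlist or outside the selected regions."""
    return [ev for ev in events
            if ev["userIdentity"].get("arn") not in expected_principals
            or ev["awsRegion"] not in selected_regions]


if __name__ == "__main__":
    kms_events = load_kms_events(SAMPLE_TRAIL)
    for key_arn, uses in usage_by_key(kms_events).items():
        print(key_arn)
        for principal, api, when, region in uses:
            print(f"  {when}  {api:16s} {region:13s} {principal}")
    for ev in unexpected_key_use(kms_events, EXPECTED_PRINCIPALS, SELECTED_REGIONS):
        print("FLAG:", ev["eventTime"], ev["eventName"], ev["awsRegion"], ev["userIdentity"]["arn"])
```

In production the same functions would be fed CloudTrail files from the log bucket (or CloudTrail Lake query results) rather than the embedded sample; the per-key summary is what a DTA reviewer wants to see, and the flag list is the input to an alert.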

Customers can manage their own encryption keys (BYOK) from within a number of native AWS or third-party encryption solutions. For example, customers can use the External Key Store (XKS) feature of AWS KMS, which allows them to protect their AWS resources using cryptographic keys held outside of AWS. An external key store is a custom key store backed by an external key manager that customers own and manage outside of AWS.

For more information, see the AWS KMS FAQs.

AWS Nitro System

The AWS Nitro System is the underlying platform for all modern Amazon Elastic Compute Cloud (EC2) instances, and it provides additional confidentiality and privacy for customers’ applications. Using purpose-built hardware, firmware, and software, the AWS Nitro System provides unique and industry-leading security and isolation by offloading virtualization functions, like storage and networking, to dedicated hardware and associated firmware. As AWS commits in the AWS Service Terms, AWS personnel do not have access to customer data on AWS Nitro System EC2 instances. There are no technical means or APIs available to AWS personnel to read, copy, extract, modify, or otherwise access customer data on an AWS Nitro System EC2 instance or an encrypted EBS volume attached to an AWS Nitro System EC2 instance. NCC Group, a global cybersecurity consulting firm, conducted an architecture review of our security claims of the Nitro System and our claims about operator access. In its report, NCC Group confirms that the AWS Nitro System, by design, has no mechanism for anyone at AWS to access customer data on Nitro hosts.

For more information, see the Security Design of the AWS Nitro System Whitepaper and our blog post.

Organizational supplementary measures

Processes

AWS has internal processes to handle governmental requests for access to customer data. Irrespective of the source of the request or the laws that apply, AWS reviews every governmental request individually and independently in accordance with its law enforcement guidelines and commitments in the AWS Supplementary Addendum. AWS rigorously limits – or rejects outright – law enforcement requests for customer data coming from any country, including the US, where they are overly broad or AWS has other appropriate grounds to do so.

Information Request Reports

Because AWS knows that transparency matters to its customers, AWS regularly publishes an Amazon Information Request Report (IRR) about the types and volume of governmental requests it receives. Beginning with the July-December 2020 report, AWS launched a new IRR format as an organizational supplementary measure that provides more information about the types of governmental requests AWS receives and the country of origin of such requests. The information provided in the IRRs demonstrates that disclosures by AWS of customer data in response to governmental requests for information are very rare.

Specifically, with respect to requests from US authorities, customers should consider the following FAQ in the IRR (current for the July 2025 report, covering January – June 2025):

How many requests resulted in the disclosure to the U.S. government of enterprise or government content data located outside the United States?

None.

Contractual supplementary measures

Supplementary addendum

The AWS Supplementary Addendum is part of every customer’s terms and conditions with AWS and sets out supplementary contractual measures to protect customer data. In the AWS Supplementary Addendum, AWS commits to (i) use every reasonable effort to redirect any governmental body requesting customer data to the applicable customer, (ii) promptly notify the applicable customer about the request if legally permitted to do so, and (iii) challenge any overbroad or inappropriate request, including where the request conflicts with EU law. AWS also commits that if, after exhausting the preceding steps, it remains compelled to disclose customer data, AWS will disclose only the minimum amount of customer data necessary to satisfy the request. To support customers with assessing the laws of recipient countries, AWS warrants that it has no reason to believe that the legislation applicable to AWS or its sub-processors, including in any country to which customer data is transferred, prevents AWS from fulfilling its obligations under the AWS DPA or the AWS Supplementary Addendum. AWS also commits to promptly notify any change in legislation that is likely to have a substantial impact on AWS fulfilling its obligations.

STEP 5: PROCEDURAL STEPS IF YOU HAVE IDENTIFIED EFFECTIVE SUPPLEMENTARY MEASURES

As step 5 of its DTA, the customer might need to take procedural steps to implement additional supplementary measures depending on the requirements identified in step 4 of its DTA. However, there is no need for a customer to request authorization or pre-approval of such supplementary measures from its competent supervisory authority if the identified supplementary measures do not contradict, directly or indirectly, the SCCs and are sufficient to ensure that the third country’s laws and practices do not undermine the level of protection guaranteed by the GDPR.

STEP 6: RE-EVALUATE AT APPROPRIATE INTERVALS

As step 6 of its DTA, a customer must monitor, on an ongoing basis, developments in the third country to which its customer data will be transferred that could affect the result of its DTA.

  • It is the customer’s responsibility to constantly evaluate the sufficiency of supplementary measures in order to ensure compliance with the GDPR, the SCCs, and the requirements stipulated by the EDPB.

  • AWS will monitor, on an ongoing basis, developments relevant to the transfer of customer data that could affect the basic information provided in this DTA Customer Guide and the level of protection for customer data.

Additional resources

To help customers further understand how they can address their data protection requirements, customers are encouraged to read the risk, compliance and security whitepapers, best practices, checklists and guidance published on the AWS website. This material can be found at http://aws.amazon.com/compliance and http://aws.amazon.com/security.