<style>.table-scroll{width:100%;overflow-x:auto;-webkit-overflow-scrolling:touch}.table-scroll>table{width:max-content;min-width:920px;max-width:1400px}</style><p>No transfers of personal health data to countries outside the European Economic Area.</p><p>The table below lists the subprocessors that may access data from outside the European Economic Area, together with the safeguards implemented.</p><p>This allows the Client to verify that health data are stored exclusively within the European Economic Area and that any potential remote access from third countries is properly framed and documented.</p><div class="table-scroll"><table align="left" style="border-collapse:collapse;table-layout:auto;margin-bottom:20px;margin-left:auto;margin-right:auto;border:1px solid #99acc2"><tr><td style="width:12%;padding:6px;background-color:#015b5b;vertical-align:middle;overflow-wrap:break-word"><p style="color:#fff;margin:0;padding:0">Business name of the actor</p></td><td style="width:9%;padding:6px;background-color:#015b5b;vertical-align:middle;overflow-wrap:break-word"><p style="color:#fff;margin:0;padding:0">Role in the hosting service (Host/processor of the Host)</p></td><td style="width:8%;padding:6px;background-color:#015b5b;vertical-align:middle;overflow-wrap:break-word"><p style="color:#fff;margin:0;padding:0">HDS certified (yes / no / exempted)</p></td><td style="width:8%;padding:6px;background-color:#015b5b;vertical-align:middle;overflow-wrap:break-word"><p style="color:#fff;margin:0;padding:0">SecNumCloud 3.2 qualified</p></td><td style="width:9%;padding:6px;background-color:#015b5b;vertical-align:middle;overflow-wrap:break-word"><p style="color:#fff;margin:0;padding:0">Hosting activities in which the player is involved</p></td><td style="width:29%;padding:6px;background-color:#015b5b;vertical-align:middle;overflow-wrap:break-word"><p style="color:#fff;margin:0;padding:0">Access to personal health data from countries outside the European Economic Area, by the Host or one of its processors (Requirement No 29 of the HDS framework)</p></td><td style="width:25%;padding:6px;background-color:#015b5b;vertical-align:middle;overflow-wrap:break-word"><p style="color:#fff;margin:0;padding:0">Host or processor subject to a risk of access to personal health data from countries outside the European Economic Area, imposed by the legislation of a third country in breach of EU law (Requirement no 30 of the HDS framework)</p></td></tr><tr><td style="padding:6px;vertical-align:middle;border:1px solid #015b5b;overflow-wrap:break-word"><p>Semble Technology Limited & Semble France SAS</p></td><td style="padding:6px;vertical-align:middle;border:1px solid #015b5b;overflow-wrap:break-word"><p>Host</p></td><td style="padding:6px;vertical-align:middle;border:1px solid #015b5b;overflow-wrap:break-word"><p>Yes</p></td><td style="padding:6px;vertical-align:middle;border:1px solid #015b5b;overflow-wrap:break-word"><p>No</p></td><td style="padding:6px;vertical-align:middle;border:1px solid #015b5b;overflow-wrap:break-word"><p>3, 4, 5</p></td><td style="padding:6px;vertical-align:middle;border:1px solid #015b5b;overflow-wrap:break-word"><p>Yes, covered by an adequacy decision within the meaning of Article 45 of the GDPR: United Kingdom Commission Implementing Decision (EU) 2025/167 of 21 December 2025 on the adequate protection of personal data by the United Kingdom under Regulation (EU) 2016/679 of the European Parliament and of the Council.</p></td><td style="padding:6px;vertical-align:middle;border:1px solid #015b5b;overflow-wrap:break-word"><p>No</p></td></tr><tr><td style="padding:6px;vertical-align:middle;border:1px solid #015b5b;overflow-wrap:break-word"><p>Amazon Website Services (AWS)</p></td><td style="padding:6px;vertical-align:middle;border:1px solid #015b5b;overflow-wrap:break-word"><p>Processor</p></td><td style="padding:6px;vertical-align:middle;border:1px solid #015b5b;overflow-wrap:break-word"><p>Yes</p></td><td style="padding:6px;vertical-align:middle;border:1px solid #015b5b;overflow-wrap:break-word"><p>No</p></td><td style="padding:6px;vertical-align:middle;border:1px solid #015b5b;overflow-wrap:break-word"><p>1, 2, 3</p></td><td style="padding:6px;vertical-align:middle;border:1px solid #015b5b;overflow-wrap:break-word"><p>No, no access to data from a country outside the European Economic Area</p></td><td style="padding:6px;vertical-align:middle;border:1px solid #015b5b;overflow-wrap:break-word"><p>No</p></td></tr><tr><td style="padding:6px;vertical-align:middle;border:1px solid #015b5b;overflow-wrap:break-word"><p>MongoDB</p></td><td style="padding:6px;vertical-align:middle;border:1px solid #015b5b;overflow-wrap:break-word"><p>Processor</p></td><td style="padding:6px;vertical-align:middle;border:1px solid #015b5b;overflow-wrap:break-word"><p>Yes</p></td><td style="padding:6px;vertical-align:middle;border:1px solid #015b5b;overflow-wrap:break-word"><p>No</p></td><td style="padding:6px;vertical-align:middle;border:1px solid #015b5b;overflow-wrap:break-word"><p>Activities 3</p></td><td style="padding:6px;vertical-align:middle;border:1px solid #015b5b;overflow-wrap:break-word"><p>Yes. Technical support may access from the US, UK, Canada, India, Australia, Singapore, etc. See the <a href="https://www.mongodb.com/products/platform/trust/hds" rel="noopener" target="_blank">MongoDB HDS-related publication and the certification status</a>.</p></td><td style="padding:6px;vertical-align:middle;border:1px solid #015b5b;overflow-wrap:break-word"><p>Yes. United States. The Atlas Control Plane is operated from the US. Risk mitigated via: SCCs and security controls (see Privacy Hub), Data Privacy Framework, HDS certification, storage-level encryption with data and encryption keys hosted in the EU.</p></td></tr><tr><td style="padding:6px;vertical-align:middle;border:1px solid #015b5b;overflow-wrap:break-word"><p>Google Cloud EMEA Ltd</p></td><td style="padding:6px;vertical-align:middle;border:1px solid #015b5b;overflow-wrap:break-word"><p>Processor</p></td><td style="padding:6px;vertical-align:middle;border:1px solid #015b5b;overflow-wrap:break-word"><p>Yes</p></td><td style="padding:6px;vertical-align:middle;border:1px solid #015b5b;overflow-wrap:break-word"><p>No</p></td><td style="padding:6px;vertical-align:middle;border:1px solid #015b5b;overflow-wrap:break-word"><p>6</p></td><td style="padding:6px;vertical-align:middle;border:1px solid #015b5b;overflow-wrap:break-word"><p>Yes. If yes, specify the country concerned: covered by an adequacy decision within the meaning of Article 45 of the GDPR:</p><ul><li>For Google Cloud Platform: Subprocessor locations are described at <a href="https://cloud.google.com/terms/subprocessors?e=0&hl=en" rel="noopener" target="_blank">cloud.google.com/terms/subprocessors</a>.</li><li>For Google Workspace: Subprocessor locations are described at <a href="https://workspace.google.com/intl/en/terms/subprocessors/" rel="noopener" target="_blank">workspace.google.com/terms/subprocessors</a>.</li></ul><p>For Google Cloud Platform and Google Workspace: for customers who contract with Google Cloud France SARL, all Subprocessor locations described above are covered by the European Commission's adequacy decision for the EU-U.S. Data Privacy Framework ("DPF"), including its onward transfer principle, for as long as Google adopts the DPF as an Alternative Transfer Solution.</p><p>For details of Google's adoption of the DPF as an Alternative Transfer Solution, including the relevant adequacy decision, see <a href="https://cloud.google.com/terms/alternative-transfer-solution" rel="noopener" target="_blank">cloud.google.com/terms/alternative-transfer-solution</a>.</p><p>If Google ceases to adopt the DPF as an Alternative Transfer Solution, then: (a) Google will inform customers via the Alternative Transfer Solution page; (b) those Subprocessor locations covered by other European Commission adequacy decisions will be described at the <a href="https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en" rel="noopener" target="_blank">European Commission adequacy decisions page</a>; and (c) Google will apply Standard Contractual Clauses, as described in the Cloud Data Processing Addendum, if personal health data is transferred to any Subprocessor locations not covered by adequacy decisions.</p><p>For further details, please see Section 4 (Data Transfers) of the European Data Protection Law terms in Appendix 3 (Specific Privacy Laws) of the Cloud Data Processing Addendum.</p></td><td style="padding:6px;vertical-align:middle;border:1px solid #015b5b;overflow-wrap:break-word"><p>No</p></td></tr></table></div>