Gorilla – Transfer Impact Assessment (TIA) Information
This page provides information to assist Gorilla customers and partners in understanding how Gorilla handles data transfers to third countries, especially those outside the European Economic Area (EEA).
This page is provided for transparency and informational purposes only. It does not constitute a contractual commitment. For formal terms, please refer to our Data Processing Agreement (DPA).
In July 2020, the Court of Justice of the European Union (CJEU) invalidated the EU–U.S. Privacy Shield framework in the "Schrems II" ruling (C-311/18). The court confirmed that data transfers to third countries must be assessed for their adequacy under EU data protection standards. If the local legal framework falls short—particularly with regard to surveillance laws—data exporters are expected to implement additional safeguards to protect personal data.
This includes evaluating the impact of laws like:
Gorilla is operated by BLUE SKY SOFTWARE LTD, a Cyprus-based company with no legal presence in the United States. We do, however, use select U.S.-based subprocessors as part of delivering our service.
These providers may process limited amounts of personal data originating from the EEA. A full list of our subprocessors and their respective data transfer roles is available at: Subprocessor List
We rely on the European Commission’s Standard Contractual Clauses (SCCs) for all data transfers outside the EEA and require all subprocessors to agree to equivalent protections through contractual terms.
Gorilla has deployed a comprehensive range of technical security controls to secure our infrastructure, our platform, and the data we process on behalf of customers.
Critically, Gorilla does not persist customer secrets at rest. Secrets from connected 1Password tenants are processed exclusively in-memory for the purpose of real-time analysis and are never stored in Gorilla-managed databases.
For a full overview of our technical and organizational security measures, please refer to our Security Whitepaper.
Gorilla is in the process of obtaining formal certifications under SOC 2 Type II and ISO/IEC 27001. In the meantime, we operate a fully aligned cyber & information security management system (CISMS) based on the requirements of both frameworks.
This includes: