Skip to main content
← Back to Trust Center

Bounded Health — Cross-Border Transfer Terms

Version: v1.0  |  Effective: February 7, 2026  |  Last reviewed: February 7, 2026

Purpose

These terms describe how Bounded Health, Inc. ("Bounded Health") manages the cross-border transfer and processing of customer data. They are intended to provide enterprise customers and their legal teams with a clear understanding of where data is processed, what safeguards are in place, and what controls customers have over data location.

Processing Regions

Bounded Health's primary infrastructure is located in the United States. The majority of data processing — including application hosting, database operations, and analytics workloads — takes place within U.S.-based data centers operated by our hosting provider, Render, and our managed database provider, Neon.

In some cases, supporting services (such as authentication through Clerk or AI inference through Anthropic) may involve processing in additional U.S. regions or, in the future, in other jurisdictions. We maintain visibility into the processing locations of our subprocessors and update our Subprocessors List accordingly.

When Cross-Border Transfers Occur

Cross-border data transfers may occur in the following situations:

  1. Service delivery. Where our infrastructure architecture or subprocessor relationships require processing outside the customer's home jurisdiction to deliver the contracted services.
  2. Security operations. Where Bounded Health's security monitoring, incident response, or threat intelligence activities involve accessing data from a different location than where it is stored.
  3. Support. Where customer support interactions may be handled by personnel located in a different region.

Transfers are limited to the purposes listed above altogether with any purposes specifically described in the Agreement. We do not transfer customer data for purposes unrelated to the contracted services.

Safeguards

Regardless of where data is processed, Bounded Health applies the following safeguards:

  • Encryption. All data is encrypted in transit using TLS 1.2 or higher and at rest using AES-256 encryption. Encryption keys are managed through access-controlled key management systems.
  • Access controls. Access to customer data is governed by role-based access policies with approval workflows for elevated access. Personnel can only access data when they have a documented operational reason to do so.
  • Audit logging. All access to sensitive data is recorded in immutable audit logs, including the identity of the accessor, the time of access, and the nature of the operation performed.
  • Tenant isolation. Customer environments are logically isolated to prevent unauthorized cross-tenant access, regardless of processing location.

Transfer Mechanisms

Where customer data is transferred from a jurisdiction that restricts cross-border data flows (such as the European Economic Area or the United Kingdom), Bounded Health will cooperate with the customer to ensure that an appropriate transfer mechanism is in place. This may include:

  • Standard Contractual Clauses (SCCs) — The European Commission's approved Standard Contractual Clauses, incorporated by reference into the applicable Data Processing Addendum.
  • UK International Data Transfer Addendum — For transfers originating from the United Kingdom, the UK IDTA or UK Addendum to the EU SCCs, as appropriate.
  • Supplementary measures — Where required by applicable law or regulatory guidance, we will work with the customer to implement additional technical or organizational measures to support the lawfulness of the transfer.

Customer Controls

Customers have the following controls available to them with respect to data location and cross-border transfers:

  • Regional processing constraints. Customers may request that their data be processed exclusively in specific regions. Such constraints can be negotiated as part of the enterprise agreement and incorporated into the applicable Order Form.
  • Subprocessor objection rights. As described in our Data Processing Addendum, customers may object to new subprocessors that would introduce cross-border transfers not previously contemplated.
  • Transfer impact assessment support. For customers required to conduct data transfer impact assessments under local law, Bounded Health will provide the necessary technical and organizational information to support that assessment.

Contact

For questions about cross-border transfer practices or to discuss regional processing arrangements, please contact:

This document is part of the Bounded Health Enterprise Trust Pack.