International Data Transfers

How we protect your data when it crosses borders — our approach to GDPR-compliant international transfers.

Last updated: January 31, 2026

Hyperleap AI's primary data processing infrastructure is located in India (Microsoft Azure). When we process personal data of individuals in the European Economic Area (EEA), we implement appropriate safeguards as required by the GDPR to ensure your data remains protected.

Primary Data Location

All customer data — including chatbot conversations, lead information, and account data — is processed and stored on Microsoft Azure infrastructure in India by default.

Microsoft Azure provides enterprise-grade physical security, network isolation, and compliance certifications. For businesses with strict data residency requirements, we also offer dedicated cloud deployment on your own infrastructure. Contact support@hyperleap.ai for details.

Standard Contractual Clauses (SCCs)

Since India does not have an EU adequacy decision, we rely on the European Commission's Standard Contractual Clauses (SCCs) as the legal mechanism for transferring personal data from the EEA to India, as set out in Commission Implementing Decision (EU) 2021/914.

SCCs are pre-approved contractual terms that provide appropriate safeguards for data transfers to countries outside the EEA. They are incorporated into our Data Processing Agreement (DPA).

You may request a copy of the executed SCCs applicable to your data by contacting legal@hyperleap.ai.

Technical & Organizational Safeguards

In addition to SCCs, we implement supplementary technical and organizational measures to protect data during and after transfer:

  • Encryption in transit: All data is transmitted over TLS 1.2+ encrypted connections.
  • Encryption at rest: All stored data is encrypted using AES-256.
  • Access controls: Role-based access with multi-factor authentication. Only authorized personnel can access personal data.
  • Audit logging: All access to personal data is logged and monitored.
  • Data minimization: We only process the personal data necessary to provide the Services.
  • Sub-processor controls: All sub-processors are contractually bound to equivalent data protection obligations.

For full details on our security practices, see our Security page.

Sub-Processor Transfers

Some of our sub-processors may process data in jurisdictions outside India. Each sub-processor is subject to:

  • Contractual data protection obligations no less protective than our DPA
  • Standard Contractual Clauses where applicable
  • Regular review of their security and privacy practices

We notify customers 30 days before adding new sub-processors. You may object to changes by contacting legal@hyperleap.ai.

View our current list of sub-processors at hyperleap.ai/subprocessors.

Your Rights

Regardless of where your data is processed, you retain all rights under applicable data protection law, including:

  • The right to access your personal data
  • The right to rectification or erasure
  • The right to restrict or object to processing
  • The right to data portability
  • The right to lodge a complaint with a supervisory authority

To exercise any of these rights, contact legal@hyperleap.ai. See our Privacy Policy for full details.

Related Documents