> You mention you are in the EU. That's important because the GDPR applies.
They have some lawyer speak in their "Data Processing Addendum" that is unclear to me. I suspect it is designed to enable a loophole in GDPR. I'm not an expert. It would cost me a fortune to get a law firm specializing in GDPR to dissect it. Drata declined to comment on my concerns about this.
The "Data Processing Addendum" is a legal document that's meant to ensure a legal basis to get GDPR-covered data out of the EU (in my opinion it's a load of bullshit because it's fundamentally incompatible with the Patriot Act, but that's off-topic and beside the point; as far as you or I are concerned, it's lawyer-approved). It's a common document that's meant to replace the Privacy Shield (which was ruled not GDPR compliant a while ago).
The Data Processing Addendum isn't a loophole to collect data that they don't have a legal basis to collect.
> The Data Processing Addendum isn't a loophole to collect data that they don't have a legal basis to collect.
No. But it looks like a loophole to export whatever they have a legal basis to collect, to process it and share it in ways that GDPR was designed to prevent. In other words, to do what would be a crime in the EU.