Schrems II and AI: The Cross-Border Transfer Question for U.S. AI Vendors
If you are a European company using a U.S.-based AI vendor, or a U.S. AI vendor selling into Europe, the data transfer question has not gone away. It has, if anything, gotten more complicated. The EU-U.S. Data Privacy Framework (DPF), adopted in July 2023, was supposed to settle things down after the Court of Justice of the European Union (CJEU) invalidated Privacy Shield in its July 2020 Schrems II ruling (Case C-311/18). But the DPF is already facing a legal challenge from NOYB, and Max Schrems himself has publicly called it "Privacy Shield 2.0" with the same structural vulnerabilities. So here we are again, potentially one CJEU ruling away from another adequacy decision collapse.
For regulated companies evaluating AI vendors, this creates a specific and underappreciated problem. AI systems are not static databases. They ingest data, process it across distributed infrastructure, use it for model training or fine-tuning, and often retain derivatives of that data in ways that are opaque even to the vendor. The cross-border transfer question for AI is fundamentally different from the question for, say, a SaaS CRM.
Where Standard Contractual Clauses Stand Right Now
After Schrems II, the European Commission adopted new Standard Contractual Clauses (SCCs) in June 2021 (Commission Implementing Decision 2021/914). These replaced the older 2010 SCCs and introduced a modular structure covering four transfer scenarios: controller-to-controller, controller-to-processor, processor-to-processor, and processor-to-controller. The transition deadline for existing contracts was December 27, 2022, so by now every organization should be on the new SCCs.
The critical thing the CJEU said in Schrems II is that SCCs alone are not enough. They are a valid transfer mechanism, but the data exporter must verify, on a case-by-case basis, that the legal framework in the recipient country provides "essentially equivalent" protection to what the GDPR guarantees. If it does not, the parties must implement supplementary measures to fill the gap. If no supplementary measures can bridge the gap, the transfer must stop.
This is where AI vendors create a unique headache. Supplementary measures typically include technical controls like encryption, pseudonymization, and split processing. But with AI workloads, the question of what constitutes "access" to personal data gets murky fast. If personal data from EU data subjects is used to train a model on U.S. infrastructure, is the trained model itself a "transfer"? What about embeddings, vector representations, or model weights that may encode characteristics of the training data? The European Data Protection Board (EDPB) has not issued definitive guidance on this, and DPAs across member states are still working through it.
Transfer Impact Assessments: The Part Everyone Skips
The EDPB's June 2021 recommendations (Recommendations 01/2020, adopted in final form) lay out a six-step process for assessing transfers. Step three is the transfer impact assessment (TIA), which requires the data exporter to evaluate the laws and practices of the third country. For transfers to the United States, this means grappling with Section 702 of the Foreign Intelligence Surveillance Act (FISA) and Executive Order 12333.
The DPF was supposed to address these concerns through Executive Order 14086, signed by President Biden in October 2022, which introduced proportionality requirements for U.S. signals intelligence and established a Data Protection Review Court. Whether these mechanisms survive judicial scrutiny at the CJEU is an open question. The adequacy decision (Commission Implementing Decision of July 10, 2023) is subject to its first periodic review, and the Commission is expected to conduct that review by July 2024, though as of this writing, the timeline has slipped.
For AI vendors specifically, TIAs need to address several questions that do not arise with conventional data processing:
- Data residency during inference. Where does the model run? If a European customer sends a query containing personal data to a U.S.-hosted model, that is a transfer, full stop. Hosting inference in the EU does not solve the problem if the model was trained on transferred data and the vendor retains access from U.S. infrastructure.
- Training data flows. Many AI vendors aggregate customer data for model improvement. If EU personal data ends up in a training pipeline on U.S. servers, the TIA must account for U.S. government access to that data under FISA 702. The fact that the data is "anonymized" or "aggregated" is not a defense unless the anonymization is irreversible, which is a high bar under GDPR Recital 26.
- Sub-processor chains. Large language model providers often rely on cloud infrastructure from a small number of hyperscalers. Your AI vendor may be a European company, but if they are running on AWS us-east-1 or Azure's Virginia region, the transfer analysis follows the data, not the vendor's incorporation address.
- Model outputs and memorization. Research has demonstrated that large language models can memorize and regurgitate training data (Carlini et al., "Extracting Training Data from Large Language Models," USENIX Security 2021). If a model trained on EU personal data can reproduce that data in response to adversarial prompts, the model itself may constitute a form of ongoing data storage subject to GDPR obligations.
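As an added illustration (not part of the original article and not FirmAdapt's code), the following Python encodes the TIA questions above together with the article's other rules: transfers follow the data, a DPF certification covers only its certified scope, and SCCs need supplementary measures to be worth anything. The record structure, field names, finding codes and the EEA region list are all constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed region list for this example; map it to your own hyperscaler region catalogue.
EEA_REGIONS = {"eu-central-1", "eu-west-1", "westeurope", "francecentral"}

@dataclass
class AIVendorProfile:  # hypothetical record of what the vendor disclosed for the TIA
    inference_regions: set
    training_regions: set        # regions where EU customer data may enter a training pipeline
    subprocessor_regions: set    # hyperscaler regions in the sub-processor chain
    non_eea_vendor_access: bool  # vendor staff or tooling can reach the data from outside the EEA
    trains_on_eu_personal_data: bool
    anonymization: str           # "none", "reversible" or "irreversible" (Recital 26 bar)
    dpf_certified: bool
    dpf_certified_scope: set = field(default_factory=set)  # activities named in the DPF listing
    activities: set = field(default_factory=set)           # activities performed on EU personal data
    sccs_signed: bool = False
    supplementary_measures: set = field(default_factory=set)

def transfer_points(p: AIVendorProfile) -> set:
    """Every non-EEA place the data reaches: the analysis follows the data, not the vendor's address."""
    regions = p.inference_regions | p.training_regions | p.subprocessor_regions
    points = {r for r in regions if r not in EEA_REGIONS}
    if p.non_eea_vendor_access:  # EU-hosted inference does not help if access comes from outside
        points.add("remote-access-from-outside-EEA")
    return points

def tia_findings(p: AIVendorProfile) -> list:
    """Finding codes in priority order; an empty list means no transfer takes place."""
    points = transfer_points(p)
    if not points:
        return []
    findings = ["TRANSFER: " + ", ".join(sorted(points))]
    if p.anonymization == "reversible":  # "anonymized" is no defense unless irreversible
        findings.append("ANONYMIZATION_NOT_A_DEFENSE")
    if p.trains_on_eu_personal_data:  # memorization risk: the model may keep storing the data
        findings.append("MODEL_MAY_MEMORIZE_TRAINING_DATA")
    # DPF covers only the activities in the certified scope; the rest need SCCs plus measures
    uncovered = p.activities - (p.dpf_certified_scope if p.dpf_certified else set())
    if uncovered and p.sccs_signed and p.supplementary_measures:
        findings.append("SCC_PLUS_MEASURES: " + ", ".join(sorted(uncovered)))
    elif uncovered and p.sccs_signed:
        findings.append("SCC_WITHOUT_SUPPLEMENTARY_MEASURES")  # Schrems II: SCCs alone are not enough
    elif uncovered:
        findings.append("NO_VALID_MECHANISM_STOP_TRANSFER")
    if p.dpf_certified and not p.sccs_signed:  # keep SCCs as a parallel safeguard
        findings.append("DPF_ONLY_NO_SCC_FALLBACK")
    return findings
```

Feed it the answers a vendor gives in procurement; a vendor that cannot fill in the fields at all is the red flag the article describes.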
The DPF Is Not a Permanent Fix
Even if your U.S. AI vendor is certified under the DPF (and many are; the Department of Commerce had over 2,800 organizations on the Data Privacy Framework List as of early 2024), that certification only covers the specific data processing activities described in the certification. AI workloads that fall outside the certified scope are not protected by the adequacy decision. And if the DPF is invalidated, which is a realistic possibility given the pattern of Schrems I (2015) and Schrems II (2020), organizations will need to fall back on SCCs plus supplementary measures overnight.
The practical advice here is straightforward: do not treat the DPF as your only transfer mechanism. Maintain SCCs as a parallel safeguard. Keep your TIAs current. And pressure your AI vendors to provide clear, documented answers about data residency, training data usage, sub-processor locations, and government access request protocols. If a vendor cannot answer these questions with specificity, that is a red flag worth taking seriously in your procurement process.
What the Regulators Are Watching
The Irish Data Protection Commission (DPC) fined Meta 1.2 billion euros in May 2023 for transferring EU user data to the United States without adequate safeguards, the largest GDPR fine to date. That case was specifically about transfers under the old SCCs without sufficient supplementary measures. The DPC has signaled that AI-related transfers are on its radar, and the EDPB's 2024 coordinated enforcement action focused on the right of access in the context of AI systems. The French CNIL has been particularly active, issuing guidance on AI and personal data in April 2024 and opening investigations into several AI providers' data practices.
For regulated industries, the enforcement trajectory is clear. Healthcare companies subject to both GDPR and sector-specific regulations, financial services firms under DORA and national supervisory requirements, and defense contractors handling controlled data all face compounding obligations when AI enters the picture. A transfer violation is not just a GDPR problem; it can trigger regulatory consequences across multiple frameworks simultaneously.
How FirmAdapt Addresses This
FirmAdapt was built with the assumption that cross-border data transfer restrictions are a permanent feature of the regulatory landscape, not a temporary inconvenience. The platform's architecture supports data residency controls at the processing level, meaning that personal data from EU data subjects can be processed within EU infrastructure without requiring transfers to U.S. servers for inference, model interaction, or output generation. Sub-processor transparency is built into the compliance documentation layer, so TIA requirements can be satisfied with vendor-provided, auditable records rather than guesswork.
For organizations that need to maintain parallel transfer mechanisms, FirmAdapt's compliance framework maps AI processing activities to specific SCC modules and supplementary measure requirements, making it straightforward to demonstrate compliance regardless of whether the DPF survives its next legal challenge. The goal is to remove the transfer question as a blocker for adopting AI in regulated environments, without pretending the question does not exist.