Yes, this is a valid concern for our EU MSPs; let me try to explain it.
With SOCaaP, like Itarian, your data stays in the EU, lives there, and is processed there. So does this mean that nobody other than EU citizens can access the data? In fact, that is not true.
Chapter 5 of GDPR is titled “Transfers of personal data to third countries or international organizations” and consists of Articles 44 through 50. https://gdpr-info.eu/art-46-gdpr/ describes this case.
The summary is: if you transfer EU personal data out of the EU, the company needs to be sure that this data is still protected with the same level of protection it gets under GDPR.
This is true with SOCaaP, where our SOC teams in different countries need to access the data. This requires that when we access the data from outside the EU, it must be under a legally binding obligation to follow GDPR data protection principles or the equivalent. This is what Comodo commits to do: access and transfer are not permanent, there is no persistence, and all of it is regulated by our security controls.
However, there is also regulation about countries that have data protection laws that are just as strong as GDPR. The US was not one of them, but there had been an EU-US Privacy Shield framework in place to enable GDPR compliance; this agreement ended in June 2020. At this stage, the main alternative for us to transfer data to the US is to use Standard Contractual Clauses (SCCs). These are non-negotiable legal contracts drawn up by Europe, and are used in other countries as well as by US-based companies.
Our Data Processing Addendum also follows the Standard Contractual Clauses, so SOC team access to your data will not violate GDPR.