So just to add a bit more. Here s what European Data Protection Board says on a subject of transferring of user data to non-EU servers:
Article 49 (1) (a) states that a transfer of personal data to a third country or an international organization may be made in the absence of an adequacy decision pursuant to Article 45(3), or of appropriate safeguards pursuant to Article 46, including binding corporate rules, on the condition that ‘the data subject has explicitly consented to the proposed transfer,after having been informed of the possible risks of such transfers for the data subject due to the absence of anadequacy decision and appropriate safeguards’.
Note that this is an old document from 2018, but it is still valid for the current changed policy as far as I can tell (the change here is at the time of that old doc US had the proper “adequacy” with their privacy shield, now it doesn’t)
edit: also to add
In the absence of an adequacy decision, the GDPR allows a transfer if the controller or processor has provided “appropriate safeguards,” which may include:
- Approved Codes of Conduct or Approved Certification Mechanisms
- Binding Corporate Rules
- Standard Contractual Clauses
Webflow uses standard contractual clauses part to allow the transfer of data (this is where the DPA that was posted a few times by WF team comes into play).