The Tokyo region is outside the EU/EEA. Storing personal data there is a transfer of personal data to a third country within the meaning of Chapter V GDPR.
Adequacy decision (Japan)The European Commission has adopted an adequacy decision for Japan (Commission Implementing Decision (EU) 2019/419). Personal data transferred from the EU/EEA to commercial operators in Japan covered by that decision benefits from a level of protection recognised as essentially equivalent to EU law. The AWS Tokyo region is operated by Amazon Web Services, Inc. and its affiliates; where transfers fall outside the strict scope of that decision, we rely on Standard Contractual Clauses (SCCs) as an additional safeguard.
Access from third countriesCloud providers with US ownership (AWS, Cloudflare, OpenAI, Google) may in principle be subject to foreign lawful-access requests. We rely on the safeguards and public transparency reports of these subprocessors and do not proactively transfer personal data outside the contracted regions.
Data subject rightsEU/EEA data subjects retain their full GDPR rights (access, rectification, erasure, restriction, objection, portability, and to lodge a complaint with a supervisory authority). Requests can be sent to i.ismail-martens@freesma.de.