We respect your privacy and follow industry standards to protect your personal information. Learn more about how your data is processed, transferred, and stored.

HashiCorp data transfer impact assessment

HashiCorp values and safeguards customer personal data that is transferred to third countries outside of the UK and EEA (e.g., to the United States) for the purposes of providing our products and associated support services. For further information on HashiCorp’s data privacy practices please refer to our Privacy Policy.

The objective of this document is to:
- Identify and describe any risks associated with customer data transfers to countries (e.g., United States) outside of the EEA, United Kingdom, and Switzerland;
- Outline our ability to comply with our obligations as a “data importer” under the GDPR and the new Standard Contractual Clauses (SCCs); and,
- Detail any supplementary measures taken to protect these transfers.

We aim to provide relevant information to our customers and end users to help perform data transfer impact assessments as required under GDPR and in compliance with the Court of Justice of the European Union's Schrems II judgment.

Applicability of the transfer

When HashiCorp is considered a “processor” or “data importer” under the European data protection laws, we adhere to the data protection terms outlined in our Data Protection Addendum (DPA). Our DPA incorporates the European Commission’s June 2021 updates to the SCCs, specifically information on the nature of HashiCorp’s processing activities in connection with the provision of the Services, the types of customer personal data we process and transfer, and the categories of data subjects (Annex I) and a description of HashiCorp’s security measures (Annex II).

In certain cases, HashiCorp may transfer customer personal data onward to third party service providers or subprocessors in order to provide you with our products or services. A full list of our current subprocessors is available for review, and will be updated when necessary.

Customer personal data for all of our products and services is transferred to the United States for login credential management and support both of which may be performed by US-based resources. Outside of that, below is a list of HashiCorp locations that data may be accessed by HashiCorp employees for purposes such as product support:

  • Australia

  • Bulgaria

  • Canada

  • India

  • Japan

  • Netherlands

  • United States

We may transfer customer personal data wherever we or our third-party service providers operate for the purpose of providing you the Products and/or Services. The locations will depend on the particular HashiCorp Products you use, as outlined in the chart below.

Products and/or ServicesCountries where HashiCorp stores customer personal dataCountries where HashiCorp may process customer personal data (i.e. access, transfer)Countries where HashiCorp Support teams are located
Enterprise ProductsN/A - self-hosted by customersN/A - self-hosted by customers- Australia
- Bulgaria
- Canada
- India
- Japan
- Netherlands
- United States
Terraform Cloud (TFC)Please refer to for detailed locations and associated informationUnited States
HashiCorp Cloud Platform (HCP)Please refer to for detailed locations and associated informationUnited States

In addition to the above, certain engineering resources (e.g., Terraform registry team, solutions engineering team, customer success managers, and engineering/product teams) may have access to customer personal data, in limited circumstances, to deliver the products and associated services. For further information please reach out to

United States