3rd, a controller or processor not set up while in the EU is going to be subject matter to your GDPR if it processes the private knowledge of knowledge topics inside the EU and that processing is linked to the “checking” in the EU from the “habits” of information subjects https://icelisting.com/story18707965/cyber-security-services-in-usa