3rd, a controller or processor not proven inside the EU is going to be issue for the GDPR if it processes the personal information of data topics within the EU Which processing is connected with the “checking” within the EU with the “actions” of data topics as their behavior normally https://cybersecurityinriskmanagement.blogspot.com/2024/08/web-application-security-testing-in-usa.html