DDQs from non-US buyers are shaped differently

A US DDQ asks “where is our data stored.” A UK DDQ asks “what is your lawful basis for transferring data to a third country.” An APAC DDQ, in several markets, asks “what is the name of the data protection officer registered with [the local regulator].” Same concern, three different shapes, three different answers.

We see this often enough on cross-border deals that it is worth naming. Three specific field differences, one per region.

UK/EU — lawful basis is a required field, not an optional one

European DDQs under GDPR-influenced frameworks ask for lawful basis — the specific provision under which you are processing personal data. The six bases in Article 6 (consent, contract, legal obligation, vital interests, public task, legitimate interests) are not interchangeable. A US vendor answering “we have a data processing agreement” is answering a different question.

The second shape: data-transfer mechanisms. UK and EU DDQs will ask whether you rely on Standard Contractual Clauses, an adequacy decision, or Binding Corporate Rules for transfers outside the EEA. “Yes we transfer data to the US” is not an answer; the DDQ wants the mechanism.

The third shape: data-subject rights. GDPR Articles 15-22 enumerate specific rights — access, rectification, erasure, portability, objection. A European DDQ will ask how you support each. US vendors often answer with a generic “we respond to privacy requests in 30 days.” That is not responsive. The DDQ wants to know your Article 17 deletion workflow specifically.

APAC — jurisdiction-specific registrations and officer-level named contacts

Several APAC markets — Singapore (PDPA), Japan (APPI), South Korea (PIPA), India (DPDP Act) — require named officer roles for data protection, and DDQs in those markets ask for the name. Not the title. The human.

A Singaporean DDQ asks for your registered Data Protection Officer with the PDPC. A Japanese DDQ may ask for your Personal Information Protection Manager. A Korean DDQ asks for the Chief Privacy Officer registered with the Personal Information Protection Commission. If your answer is “our privacy@company.com inbox,” the DDQ will be flagged for incompleteness.

The second shape: data localization. Several APAC jurisdictions have data-residency requirements for certain categories (health, financial, government). A DDQ from a regulated-industry buyer in these markets will ask whether your infrastructure can restrict processing to in-country regions. “We use AWS us-east-1” is not a yes.

US — attestation culture is the default

US DDQs — especially from enterprise buyers in healthcare, finance, or federal — lean heavily on third-party attestations. SOC 2 Type II, ISO 27001, HITRUST, FedRAMP, PCI DSS. The DDQ often asks for the report, not a narrative answer.

European and APAC DDQs may accept these attestations but more often ask the question directly. “Describe your access control model” (EU/APAC) versus “Provide your SOC 2 Type II report” (US). A vendor that answers a European access-control question by attaching a SOC 2 report has substituted a US answer for a European question. The reviewer has to dig through 80 pages to find the control; they often do not.

The operational consequence

A DDQ library built on US responses will fail cross-border reviews in predictable ways. The answers are correct but not responsive. Reviewers flag the responses as incomplete, which extends the review cycle, which pushes the deal out of the current quarter.

The fix is not to maintain three separate libraries. It is to tag each block in your KB with the jurisdictions where it is sufficient, and to route incoming DDQs through a classifier that identifies the jurisdiction before draft generation. We are building this into the product; the manual version is a tag column on your KB spreadsheet and a 30-second triage at intake.

For more on DDQ structure, see DDQ anatomy part 3: security.

Unbylined posts come from the PursuitAgent team collectively.