3rd, A controller or processor not founded during the EU will probably be topic to your GDPR if it processes the non-public information of knowledge subjects inside the EU and that processing is connected with the “checking” within the EU of the “habits” of information topics as their behavior usually https://tornadosocial.com/story3075352/cyber-security-consulting-in-usa