3rd, A controller or processor not founded in the EU might be topic to your GDPR if it procedures the personal knowledge of knowledge subjects inside the EU and that processing is related to the “monitoring” within the EU on the “behavior” of data topics as their conduct normally takes https://socialtechnet.com/story3019517/cyber-security-services-in-usa