We are onboarding a new third-party vendor tool which will store our EU customers' data in AWS US. The vendor is refusing to sign a DPA and SCCs, with the justification that, as the contract value is very low, the vendor's legal team won't sign the documents. What should we do in this scenario?
If your vendor is a Data Processor and you are a Data Controller, you are accountable for how personal data is being processed. Storage of personal data in the US is considered to be a personal data transfer, and it must use a transfer mechanism as defined in Chapter V GDPR - Transfers of personal data to third countries or international organisations. Since we are talking about a transfer to the US, not only does the vendor need to sign an SCC or a DPA (only if the vendor is subject to GDPR, according to Art 3 GDPR – Territorial Scope, but even then an SCC must be signed between the vendor and Amazon US), it also needs to make sure that personal data is protected from access by US authorities using FISA (Foreign Intelligence Surveillance Act) Section 702 legislation (a statute that authorises the collection, use, and dissemination of electronic communications content stored by U.S. electronic service providers), using additional technical and organisational measures such as BYOK (Bring Your Own Key: encrypted content on US servers, with the key stored on EU servers).
In conclusion, if the vendor refuses to take the necessary technical and organizational measures to demonstrate GDPR compliance (including the signing of DPA/SCC and additional technical/organizational measures), as a Data Controller you should change the vendor.