As per Article 3 GDPR, Territorial scope, GDPR applies to non-EU organizations that either offer goods or services to data subjects in the Union or that monitor their behavior as far as their behavior takes place within the Union. In your case, however, from your input, you don’t offer goods and services to people in the EU; you offer services to organizations in the EU. In this case, you should act as a Data Processor for personal data that you process on behalf of your customers.

However, as per Chapter V GDPR - Transfers of personal data to third countries or international organizations and per the European Data Protection Board’s Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR, there is a transfer of personal data between your EU customers and your US company. So, per Article 44 – General principle for transfers and per Article 46 – Transfers subject to appropriate safeguards, you should use an appropriate legal mechanism for the compliant personal data transfer between the EU and the US.

You might choose to use the Standard Contractual Clauses (SCCs) templates, the latest version issued by the European Commission, but you must take into consideration that after the European Union Court of Justice Schrems II decision, you should make sure that the transferred personal data has the same level of protection as it is offered under GDPR, by taking the right technical and organizational measures needed to protect the data.
As part of our EU GDPR Toolkit, we have a Cross Border Personal Data Transfer Procedure template and the EU SCCs with comments that help you fill in the template.
Please also consult these links: