3rd, a controller or processor not founded during the EU will likely be issue for the GDPR if it procedures the personal info of knowledge topics within the EU and that processing is connected to the “checking” during the EU of your “conduct” of data subjects as their conduct requires https://socialistener.com/story3033007/cyber-security-services-in-usa
