3rd, a controller or processor not founded within the EU will likely be subject matter for the GDPR if it processes the non-public info of knowledge subjects from the EU and that processing is related to the “checking” within the EU of your “habits” of information subjects as their actions https://social-galaxy.com/story3000507/cyber-security-consulting-in-usa