Trello and GDPR - Our Commitment to Data Privacy

Trello is committed to compliance with the General Data Protection Regulation (GDPR). The regulation contains the most significant changes to European data privacy legislation in the last 20 years. It is designed to give EU citizens more control over their data and seeks to unify a number of existing privacy and security laws under one comprehensive law.

Our customers can trust that we have made GDPR a priority and have devoted significant resources toward our efforts to comply with GDPR. This post outlines our approach and progress to date.

What We Are Doing

Like many other software companies, we have implemented a company-wide GDPR compliance strategy. We appreciate that our customers have requirements under GDPR that are directly impacted by their use of our services, and we are committed to helping our customers fulfill their requirements under GDPR.

Below are a few examples of initiatives we have committed to in order to satisfy GDPR requirements that apply to both our customers and us:

  • Publishing an updated Privacy Policy that went into effect on May 25, 2018.
  • Committing to security and privacy measures required under GDPR. You can view details on our current security measures at Trust @ Trello.
  • Where we are transferring data outside of the EU, committing to appropriate data transfer mechanisms as required by GDPR. This includes our current Privacy Shield certification (see our Privacy Policy).
  • Assisting our customers with satisfying their GDPR data security and privacy requirements as described at Trust @ Trello, notifying regulators of personal data breaches on our systems and promptly communicating any such breaches to our customers and end-users.
  • Ensuring that our staff who access and process our customers’ personal data are bound to maintain the confidentiality and security of that data.
  • Holding any subprocessors that handle our customers’ personal data to the applicable data management, security and privacy standards required under GDPR (see the Trello Subprocessors Board for a list of our current subprocessors).
  • Committing to carrying out data impact assessments and consulting with EU regulators where appropriate.

GDPR FAQ

Do you process personal data of our customers?

Yes, we process customer personal data to provide our services and for other specified purposes described in our Privacy Policy and Terms of Service.

Where do you send customer data?

Our goal is to provide our customers with secure, fast and reliable service. As a provider of a global service, we run our service with common operational practices and features across multiple jurisdictions. For example, we currently store data in data centers provided by Amazon Web Services (AWS) located in the US (see https://aws.amazon.com/security for information on their security practices). We may also allow employees and contractors located around the world to access certain data for product development, customer and technical support purposes. We disclose in our Privacy Policy that personal data will be transferred to the United States and possibly to other countries for purposes related to providing products and services.

Can you guarantee that my data will stay in a certain location (e.g., Europe)?

Our service features require that data be transferred to the US. In addition, our employees and contractors may need access to data stored in the EU from a non-EU country (e.g., US or Australia) for technical and support-related reasons. In all cases where data is transferred outside of the EU, Trello commits to ensuring such transfers are compliant with applicable data transfer laws, including GDPR.

Can you assist my company with responding to an Individual Rights Request (Subject Access Request)?

In many cases, customers may be able to address these types of requests by logging into our services and using functionality or settings available within the services. Where this is not possible, please contact us to request assistance with any such individual rights requests.

Are you Privacy Shield certified?

Yes. We are a certified entity under Atlassian’s Privacy Shield certification. You can view this Privacy Shield certification here.

Will you sign Standard Contractual Clauses (also known as Model Clauses)?

Trello’s most recent Data Processing Addendum incorporates the EU Controller to Processor Standard Contractual Clauses (SCCs) as an alternative transfer mechanism for Customer Personal Data. Per the DPA, the terms of the SCCs apply where the transfer of Customer Personal Data from the EU to Atlassian is not covered by another adequate transfer mechanism (e.g., the EU-U.S. Privacy Shield Framework). As noted above, Trello stores data in the U.S. and relies on the EU-U.S. Privacy Shield Framework as an adequate transfer mechanism for EU personal data. However, incorporating the SCCs into our DPA ensures that an additional transfer mechanism is in place in the event that the Privacy Shield Framework is invalidated.

Do you offer your customers a Data Processing Addendum?

Yes! We understand that our customers, and in particular our European customers, will require that, where we are a processor of EU personal data, we execute additional terms that meet GDPR obligations with respect to the processing of that EU personal data. The Trello Data Processing Addendum is available upon request to review and use to meet your onward transfer requirements under GDPR. To obtain a copy of our DPA, please ask Trello Support at https://trello.com/contact.

Who can I contact with questions regarding GDPR?

Our services are used by millions of users around the world. To provide scalable service to our users and customers, we have included GDPR compliance information in our updated Privacy Policy and have included answers to commonly asked questions on this page. We encourage you to review this page, our Privacy Policy Update FAQs and our Privacy Policy first, as you may find your topic of interest has been addressed. However, we also understand there are circumstances where it may help to connect with us directly. For more information, please see the "Contact Us" section of our updated Privacy Policy.

More Resources

Trello is committed to the success of our customers and the protection of customer data. For more information, please visit our Trust, Privacy and Security pages (links below).

Thank you for your interest in Trello!

  • Trust @ Trello
  • Privacy – We’re committed to protecting the privacy of your personal information.
  • Security – Our customer-focused culture ensures that security is a top priority.