Data Protection Commitment
Privacy & Information Security Controls
To meet the requirements of data protection laws and regulations such as the GDPR and CCPA, Tray.io employs privacy and information security controls, including but not limited to the following:
- Information security measures, procedures, and policies, backed by SOC 2 Type 2 certification with annual audits, and by independent penetration tests.
- Data processing agreement (DPA) for our role as a data processor/service provider, as part of our standard service agreement with our customers.
- Proper due diligence of our service providers, including receipt of appropriate representations and warranties of compliance with data protection laws and regulations; view our list of sub-processors here.
- Onboarding and annual data protection and information security training for our staff.
- GDPR-related procedures and policies, including breach management and notification, data retention, impact assessments, assistance to controllers, and records of processing.
- Nominated data protection lead (Tray.io’s Security & Compliance Officer).
The GDPR regulates the transfer of personal data relating to EU residents outside of the EEA, to ensure that such data remains protected once it leaves the EEA. Following the 'Schrems II' Decision, which invalidated the Privacy Shield in July 2020, this can be achieved by using the Standard Contractual Clauses (SCCs), which are attached to Tray.io's DPA.
Following the 'Schrems II' Decision, the European Commission has recently published new and final Standard Contractual Clauses that incorporate the requirements of the GDPR and the 'Schrems II' Decision; these are to be implemented within a period of 18 months.
In addition, Tray.io is currently in the process of building an EU hosting location, which will be available in early 2022. Once the EU data center is operational, Tray.io will offer its EU customers the option to store their data there. Until then, transfers of personal data outside of the EEA will continue to be subject to the SCCs, which will gradually be migrated to the new version.
Under the new SCCs, the parties will need to assess the likelihood of the data being subject to US interception, taking into consideration the type of data being processed and the mitigations that can be put in place to reduce that likelihood. It is our position that Tray.io is at a very low risk of being accessed by US intelligence services or of receiving disclosure requests/orders from US authorities. We are, after all, a middleware platform with limited data storage offerings. To mitigate this risk further, customers can:
- Reduce their data footprint on our platform by reducing workflow log retention from 30 days to 24 hours; and
- Receive full real-time access to audit log data which shows when workflow data is accessed by Tray.io. See here for more details.