Data protection commitment

Privacy & Information Security Controls

To meet the requirements of data protection laws and regulations like the GDPR and CCPA, Tray employs privacy and information security controls, including but not limited to the following:

  • US, EU or APAC hosting regions.

  • Information security measures, procedures, and policies, backed by certifications and annual audits to SOC 2 Type 2 and independent penetration tests.

  • Technical and organizational security measures as per our Security Statement.

  • Data processing agreement (DPA) for our role as a data processor/service provider, as part of our standard service agreement with our customers.

  • Proper due diligence of our service providers, including receipt of appropriate representations and warranties of compliance with data protection laws and regulations; view our list of sub-processors.

  • Onboarding and annual data protection and information security and privacy training for our staff.

  • GDPR related procedures and policies, including breach management and notification, data retention, a data transfer risk assessment, impact assessments, assistance to controllers and records of processing.

  • Nominated data protection lead (Tray’s Security & Compliance Officer).

  • Transparent over the use of data through an up-to-date Privacy policy.

Data Residency

Tray operates in 3 segregated AWS regions:

  • US (AWS-West) - Default

  • EU (AWS-Ireland)

  • APAC (AWS-Sydney)

Cross-Border Transfer

The GDPR regulates transfer of personal data related to EU residents outside of the EEA to ensure the continued protection of such data outside of the EEA. Following the 'Schrems II' Decision which invalidated the Privacy Shield in July 2020, this can be achieved by using the latest Standard Contractual Clauses, which are attached to Tray’s DPA.

Following the ‘Schrems II’ Decision, the European Commission has published a new and final Standard Contractual Clauses to incorporate the requirements of GDPR and the ‘Schrems II’ Decision, which are to be implemented within a time period of 18 months.

In line with the latest SCCs, parties will need to assess, taking into consideration the type of data being processed, the chance of being subject to US interception, and the mitigations that can be put into place to reduce this chance. It is our position that Tray is at a very low risk of being accessed by US intelligence services or of receiving disclosure requests/orders from US authorities. We are after-all a middleware platform with limited data storage offerings. To mitigate this risk even more, customers can:

  • Use Tray’s EU or APAC hosting region;

  • Reduce their data footprint on our platform by minimizing the workflow log retention down from 30 days to 24hrs; and

  • Receive full real-time access to audit log data which shows when workflow data is accessed by Tray. See Streaming logs to external systems for more details.

Tray's Data Transfer Risk Assessment can be made available on request.