GDPR - Storing data on Trello.

Hi all,

Does anyone know what Trello's regulations are regarding storing data?

In short, we want to look at using Trello as a replacement on Excel, and be able to store bloggers details on here, but with the upcoming GDPR, we want to make sure that this is okay.

Reference: https://ico.org.uk/for-organisations/resources-and-support/data-protection-self-assessment/getting-ready-for-the-gdpr/

Thank you for your help.

George

3 answers

0 votes

Hi George,

Marta here, from Trello Support.

We definitely want to make sure that you’re comfortable with our data policies. The most comprehensive overview of our security policies and procedures (covering things like how we back up our data, what servers we use, and how we encrypt information) can be found here: https://trello.com/trello-operations-and-security-guide.pdf

Though intended for our Business Class users, the info in that document which covers our overall data practices is applicable to all Trello users.

We’d recommend reviewing that file or passing it on to the person managing security policy for your company—typically, it’s a great starting point and often will answer all of the questions that users have about our security. 

Additionally, you can find our privacy policy at https://trello.com/privacy and our Terms of Service at https://trello.com/legal. They have more information about how Trello uses and doesn’t use your data.

I hope that helps!

Cheers,

Marta

Hi Marta,

I think you aren't quite understanding the question here. GDPR is a new data privacy regulation in effect in the EU. It requires that all data about EU citizens be stored on servers physically within the EU, and that it be possible to completely purge all user records if needed. 

I think that Trello would need to offer an option for what datacenter to create a board in, for instance.

This also means things like soft deletes and data backups are subject to extended requirements. 

It's not just company data policy, it's a regulatory level regulation with ultra-high penalties for non-compliance... 

Does trello know about this?

We also need to know about Trello's GDPR compliance. We have Trello Business Class and use it across the company, and need to know if we can continue to use it after GDPR is in force in May.

Hi Ryan, Siobhan,

Thanks for your reply and sorry for the confusion.

We are aware of GDPR and have a compliance plan to put in place ahead of the May '18 deadline, though we're not ready to share that yet. We will not be hosting data in the UK or EU at that time. At this point, all of our data is stored on Amazon's AWS Infrastructure in US regions. 

If you have further questions about this, don't hesitate to reach out to us at trello.com/contact.

Cheers,

Marta

Marta -

So, despite your comment "We are aware of GDPR and have a compliance plan to put in place ahead of the May '18 deadline", your comment "We will not be hosting data in the ... EU" makes it clear that Trello will NOT be GDPR compliant, so business users in the UK and EU will need to find a compliant alternative.  That's a shame, but at least we know.

 - Justin

Justin -

I came here looking for the Trello take on GDPR and found that they have no public plans yet, which is a bit disconcerting. However GDPR does allow for storage of data outside of EU as long as Standard Clauses or similar agreements are in place.

Thanks, Jens. I think the GDPR requires "informed consent" - I'm not sure a standard clause buttoned in a set of Ts&Cs (terms and conditions) would satisfy this.

 - Justin

That's part of it, but there is more, it's pretty complex. You have to have legal ground for storing and handling personal information. Consent is one legal ground, but there are others (such as legal obligations to store it, contractual reasons, business reasons or even the fuzzy "interest to store and handle outweighs the privacy interest of the individual").

In general however, Trello isn't the processor of the information you store on their Trello boards, you are, it's your information. They are sub-processors and are only storing it on your behalf. You are the entity needing a legal ground for storing and handling the information. You also need a sub-processing agreement with Trello with details of exactly what information they are storing on your behalf, why they are storing it and where they are storing it.

The last part, where the data is stored, is where the Standard Clauses (and Safe Harbor Agreements such as Privacy Shield) come in. Typically, the EU doesn't allow personal data to leave the union, the exception being if the entity handling the data can guarantee that the data is as safe in the 3rd country as it would be in the EU. The Privacy Shield between the EU and the US is a blanket agreement that, together with Standard Clauses in the agreement between you and Trello (the Data Processing Agreement or DPA), guarantees this.

For this to be in effect, however, a DPA must be in effect and from what I can read from Marta's answer this is not ready yet, but will be before May 18th.

Hi Marta,

What is the plan for sharing the DPA? When do you think it's ready to show?

- Jonas

Hi Marta,

Things are really starting to speed up in our (EU) part of the world in this area since there's only a month left before the GDPR legislation takes full effect. According to our lawyers we cannot use Trello for our business anymore due to the fact that Atlassian has not been certified according to Privacy Shield (you need a valid certification). So in order to make use of Trello services after May 25th 2018 we need to put some special agreement in place. But I guess that won't be the solution you are aiming for, given the huge amount of Trello business users residing within EU borders. So what is the plan for managing this?

- Linda

torben Atlassian Team Apr 19, 2018

Hi Linda,

Trello is privacy shield certified with Atlassian (Trello is listed in the other covered entities): https://www.privacyshield.gov/participant?id=a2zt00000004FK0AAM&status=Active

You can find out more about our GDPR compliance and commitment to data privacy here: https://help.trello.com/article/1118-trello-and-gdpr-our-commitment-to-data-privacy

If you require a DPA, reach out to our support team, they'll be happy to provide one.

Thanks! I appreciate the quick response :)

So if I use Trello with customers, are we both, my company and the customers' company, GDPR compliant in using Trello? Or do I need to shut down all my Trello boards by May 25? 

Hi Torben,

Can you please provide us your DPO? According to the GDPR you are an organization that is transferring a large amount of data that contains personal data as well. In that case, you are obligated to have a DPO, also known as a Data Protection Officer.

Kindly provide in your online documentation the DPO.

Hi Torben,

thanks for all the documents that you are sharing.

Can you also provide us information about how Trello is maximizing its effort to secure access to the boards on the internet?

Kind regards,

Wouter

Hi,

I believe that there are two components to this question.

1) Trello acting as a Data Controller for data e.g. my login data to the platform

2) Trello acting as a Data Processor for my company (as the Data Controller) where I am at risk of processing Personal Data by how I use the platform and data entered or uploaded.

Trello's responsibility here is to ensure suitable info security etc., but what I put into the platform, access to it and how it's used is mine.

One thing I noted is that the Privacy Shield link above and in the privacy policy is, at the time of posting, incorrect.

It should be https://www.privacyshield.gov/participant?id=a2zt00000008RdQAAU&status=Active 

Cheers

Stef

On a side note: I thought the mail Trello sent on changes in their privacy policy in April was pretty good:

Trello Privacy Policy Updates

Thank you for trusting us with your personal information—we know it’s a wild web out there and we value your choice to rely on Trello for your projects, goals, and teamwork. We are working hard to continue to earn your trust, and that’s why we want to tell you about some new changes to our privacy policy.

As you may have heard from your other favorite apps, new data protection laws are being launched all over the world (including GDPR in Europe). To keep pace with these new laws, Trello, in collaboration with our new parent company, Atlassian, is updating its privacy policy effective May 25, 2018. The new policy includes legal updates, is easier to read and navigate, and explains how we work together with Atlassian services and offerings in sharing data to improve your experience. You can take a look at the revised privacy policy here.

Here are some of the changes we are making to the privacy policy:

  • Improved navigation and more user-friendly language. We’ve reformatted our policy with clearer language, headings, and links that allow you to find important information more easily. Where we can, we’ve added examples that illustrate our activities.
  • More details on how we integrate our products and share information. We are always working to improve our products, and the updates to our policy describe ways we’ve made our products more personalized, smarter, and more integrated with other products that you may use. The revised policy also explains how and why Atlassian and Trello share data.
  • More control over your information. We are making it easier for you to control the information you provide us. Our policy explains how you can make choices about your information and the measures we’ve put in place to keep your information secure.
  • Trello at work. You may have added an email address to your Trello account that is managed by a third party organization, like your employer. We have explained our relationship to these kinds of accounts, the tools available to managed account administrators, and the admin ability to claim and control accounts connected to managed email domains.

We look forward to continuing to be a part of your productivity. If you have any questions about our privacy policy, please reach out to our friendly support team by visiting help.trello.com.
