Data protection commitment

Privacy & Information Security Controls

To meet the requirements of data protection laws and regulations like the GDPR and CCPA, Tray employs privacy and information security controls, including but not limited to the following:

  • US, EU or APAC hosting regions.

  • Information security measures, procedures, and policies, backed by certifications and annual audits to SOC 2 Type 2 and independent penetration tests.

  • Technical and organizational security measures as per our Security Statement.

  • Data processing agreement (DPA) for our role as a data processor/service provider, as part of our standard service agreement with our customers.

  • Proper due diligence of our service providers, including receipt of appropriate representations and warranties of compliance with data protection laws and regulations; view our list of sub-processors.

  • Onboarding and annual data protection, information security, and privacy training for our staff.

  • GDPR-related procedures and policies, including breach management and notification, data retention, a data transfer risk assessment, impact assessments, assistance to controllers, and records of processing.

  • Nominated data protection lead (Tray’s Security & Compliance Officer).

  • Transparency over the use of data through an up-to-date Privacy Policy.

Data Residency

Tray operates in 3 segregated AWS regions:

  • US (AWS-West) - Default

  • EU (AWS-Ireland)

  • APAC (AWS-Sydney)

Cross-Border Transfer

The GDPR regulates the transfer of personal data relating to EU residents outside of the EEA to ensure the continued protection of such data outside of the EEA. In July 2023, the EU Commission issued a decision that the United States ensures an adequate level of protection, compared to that of the EU, for personal data transferred from the EU to US companies participating in the EU-U.S. Data Privacy Framework. Tray has committed to comply with a detailed set of privacy obligations and therefore complies with the requirements of the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework, and the Swiss-U.S. Data Privacy Framework as set forth by the U.S. Department of Commerce. This ensures that personal data processed by Tray in the US continues to be safeguarded in accordance with the GDPR or UK GDPR.