top of page

How Cloud SaaS Applications Deal with Personal Data

When using cloud based software, it's important to ask questions about what the provider does with the data that it hosts for you.

The Tip of the Night for May 26, 2021 discussed Trello, the project management tracking collaboration software.


Trello's developer Atlassain does not allow data to be stored locally, so it will store the names of task boards, and other content you add. Its privacy policy posted here, states that:


"Content also includes the files and links you upload to the Services. If you use a server or data center version of the Services, we do not host, store, transmit, receive or collect information about you (including your content), except in limited cases, where permitted by your administrator: we collect feedback you provide directly to us through the product and; we collect content using analytics techniques that hash, filter or otherwise scrub the information to exclude information that might identify you or your organization; and we collect clickstream data about how you interact with and use features in the Services. Server and data center administrators can disable our collection of this information from the Services via the administrator settings or prevent this information from being shared with us by blocking transmission at the local network level."


So by default data is collected even though Atlassian has processes in place which anonymize it. An admin can prevent the collection of data.


Atlassian complies with the General Data Protection Regulation of the European Union, but also processes personal data, and tranfers data to Amazon AWS data centers located in the United States. It does have Privacy Shield certification, the new mechanism for allowing for the transfer of personal data between the US and the EU after the invalidation of the prior safe harbor agreement. This certification can be viewed here.






It also uses EU Controller to Processor Standard Contractual Clauses as an additional mechanism to be in place in case the Privacy Shield is invalidated.





Sean O'Shea has more than 20 years of experience in the litigation support field with major law firms in New York and San Francisco.   He is an ACEDS Certified eDiscovery Specialist and a Relativity Certified Administrator.

The views expressed in this blog are those of the owner and do not reflect the views or opinions of the owner’s employer.

If you have a question or comment about this blog, please make a submission using the form to the right. 

Your details were sent successfully!

© 2015 by Sean O'Shea . Proudly created with Wix.com

bottom of page