How Cloud SaaS Applications Deal with Personal Data

When using cloud-based software, it's important to ask questions about what the provider does with the data that it hosts for you.

The Tip of the Night for May 26, 2021 discussed Trello, the project management tracking collaboration software.


Trello's developer, Atlassian, does not allow data to be stored locally, so it will store the names of task boards and other content you add. Its privacy policy, posted here, states that:


"Content also includes the files and links you upload to the Services. If you use a server or data center version of the Services, we do not host, store, transmit, receive or collect information about you (including your content), except in limited cases, where permitted by your administrator: we collect feedback you provide directly to us through the product and; we collect content using analytics techniques that hash, filter or otherwise scrub the information to exclude information that might identify you or your organization; and we collect clickstream data about how you interact with and use features in the Services. Server and data center administrators can disable our collection of this information from the Services via the administrator settings or prevent this information from being shared with us by blocking transmission at the local network level."


So by default, data is collected, even though Atlassian has processes in place that anonymize it. An admin can prevent the collection of data.


Atlassian complies with the General Data Protection Regulation of the European Union, but also processes personal data, and transfers data to Amazon AWS data centers located in the United States. It does have Privacy Shield certification, the new mechanism for allowing the transfer of personal data between the US and the EU after the invalidation of the prior safe harbor agreement. This certification can be viewed here.






It also uses EU Controller to Processor Standard Contractual Clauses as an additional mechanism in case the Privacy Shield is invalidated.