GDPR and Tresorit

Tresorit supports organizations in meeting the requirements of the General Data Protection Regulation (GDPR). As a data processor, Tresorit provides secure cloud storage and collaboration built around privacy and data protection by design.

This page explains how Tresorit supports GDPR compliance, its role as a data processor, and how its security model protects personal data in practice.

What GDPR means in practice

GDPR governs the processing, storage, and protection of personal data, requiring organizations to ensure transparency, data security, and effective control throughout the data lifecycle. These requirements form the foundation of Tresorit’s security and data protection model. 

Tresorit’s role under GDPR

Under GDPR, Tresorit acts as a data processor. Customers remain the data controllers and decide how personal data is used.

Tresorit processes personal data only based on customer instructions and contractual agreements.

How Tresorit supports GDPR compliance

Tresorit supports GDPR compliance through a security-first architecture and a privacy-by-design approach. The following principles reflect key GDPR requirements and show how they are applied in practice.

Supports the confidentiality and integrity of personal data.

Supports the confidentiality and integrity of personal data, and the principle of accountability.

Supports the principle of purpose limitation.

Supports the principle of transparency and accountability.

Data security and zero-knowledge, end-to-end encryption

To support GDPR’s data protection requirements, Tresorit minimizes access to personal data through its security model.

GDPR requires organizations to implement appropriate technical and organizational measures to protect personal data, including encryption. For the strongest protection, encryption keys should be fully controlled by the end user and must never be accessible to the service provider at any point during the encryption or decryption process. This means encryption is performed on the client side, not in the cloud.

Thanks to Tresorit’s zero-knowledge, end-to-end encryption, all files are encrypted on the user’s device before being uploaded to the cloud, with encryption keys remaining entirely under the customer’s control. This ensures that personal data is never accessible to Tresorit or any unauthorized party.

The reality is that all companies are vulnerable to cyberattacks. But in the event of a breach, you can rest assured the data protected by Tresorit remains fully encrypted and unintelligible.

By securing data at the source, Tresorit helps organizations protect personal data, reduce exposure, and meet GDPR's requirements for confidentiality and integrity.

GDPR compliance through security and privacy by design

GDPR compliance is embedded in Tresorit’s approach to security and privacy. By acting as a data processor and focusing on transparency, customer control, and strong data protection, Tresorit supports organizations in handling personal data responsibly.

GDPR FAQ

Yes. Tresorit supports GDPR compliance and acts as a data processor under the regulation.

No. Tresorit does not have access to your customer data. Only the data owner and the authorized users you choose can access your data.

The DPA is available to customers and can be reviewed as part of contractual documentation. Read more here.

Under GDPR, organizations can face fines of up to €20 million or 4% of global annual turnover, whichever is higher, for serious non-compliance. Additional consequences may include orders to stop data processing, corrective measures, and reputational damage.