GDPR Compliance
TradingForms is fully committed to GDPR compliance. This page details exactly how we protect EU/EEA data subjects' rights, our lawful bases for processing, and how to exercise your rights.
Compliance At a Glance
Fully GDPR Compliant
Implemented since May 2018, continuously reviewed and updated.
Appointed DPO
A dedicated Data Protection Officer oversees all privacy matters.
DPA Available
Data Processing Agreements available for all business customers.
SCCs in Place
Standard Contractual Clauses signed with all sub-processors.
Privacy by Design
Data protection built into every feature from day one.
72-hr Breach Notification
We notify supervisory authorities within 72 hours of any breach.
Your GDPR rights, made simple.
Select the right you want to exercise below. We will respond within 30 days and never charge a fee for rights requests.
GDPR Overview & Our Commitment
The General Data Protection Regulation (GDPR) is a comprehensive data protection law that came into effect on May 25, 2018. It applies to any organization that processes the personal data of individuals in the European Economic Area (EEA), regardless of where the organization is based.
TradingForms is fully committed to GDPR compliance. We process personal data of EU/EEA residents and have implemented technical and organizational measures to ensure that our data practices meet or exceed GDPR requirements.
TradingForms applies GDPR-standard data protections to ALL users worldwide, not just EU residents. We believe strong privacy protections are a right, not a privilege determined by geography.
Lawfulness & Fairness
We process data only on valid legal bases and are transparent about how and why.
Purpose Limitation
Data collected for one purpose is not used for incompatible purposes.
Data Minimisation
We collect only the data that is strictly necessary for the stated purpose.
Accuracy
We keep data accurate and up-to-date, with easy ways for you to correct it.
Storage Limitation
Data is retained only as long as necessary for its purpose.
Integrity & Confidentiality
Appropriate security measures protect data against unauthorized access.
Lawful Bases for Processing
Under GDPR Article 6, every processing activity must rest on a valid lawful basis (performance of a contract, legitimate interests, a legal obligation or consent). TradingForms relies on one of these bases for each of the following processing activities, depending on the type of processing:
- Creating and managing your account
- Delivering the Invoice, Payslip & Quotation services
- Processing payments and managing subscriptions
- Providing customer support
- Fraud detection and security monitoring
- Product analytics to improve our services
- Internal reporting and business analysis
- Enforcing our terms and preventing abuse
- Retaining financial records for tax compliance (7 years)
- Responding to lawful court orders or legal requests
- Anti-money laundering checks where required
- Sending marketing emails and product updates
- Optional analytics and performance cookies
- Participation in surveys and research
- Personalised product recommendations
Where we rely on consent, you have the right to withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal. You can manage consent preferences in your account settings or by contacting support@tradingforms.com.
Data Controller & DPO
Under GDPR, a "Data Controller" is the entity that determines the purposes and means of processing personal data. TradingForms Ltd. is the Data Controller for all personal data collected through our platform.
Data Controller
TradingForms Ltd.
123 Business District
Nairobi, Kenya
legal@tradingforms.com
Data Protection Officer
Appointed DPO
TradingForms Ltd.
Responsible for GDPR oversight
dpo@tradingforms.com
EU Representative
EU DataRep Services
Dublin, Ireland
For EEA-based inquiries
eurep@tradingforms.com
Our Data Protection Officer is responsible for monitoring our compliance with GDPR, providing advice on data protection impact assessments, and acting as the primary contact point for supervisory authorities and data subjects.
Categories of Data Subjects & Data
TradingForms processes personal data about several categories of individuals ("data subjects") in the course of providing our services.
Platform Users
Account holders
- Name & email
- Business details
- Login credentials
- Usage & activity data
- Billing information
Your Clients
Added by you
- Name & company
- Contact details
- Invoice/quote history
- Payment records
- Address information
Your Employees
Payslip recipients
- Full name & ID
- Salary details
- Tax identification
- Bank details
- Employment data
Website Visitors
Anonymous users
- IP address (partial)
- Browser & device
- Pages visited
- Cookie identifiers
- Referral source
If you add your clients' or employees' personal data to TradingForms, you are acting as a Data Controller in respect of that data. You are responsible for ensuring you have the appropriate legal basis to share that data with us and that you have informed those individuals appropriately.
International Data Transfers
TradingForms operates globally and may transfer personal data outside the EEA. Under GDPR Chapter V, such transfers require appropriate safeguards to ensure data receives equivalent protection.
| Destination | Services | Transfer Mechanism | Status |
|---|---|---|---|
| United States | AWS, Stripe, Mixpanel | Standard Contractual Clauses (SCCs) | Active |
| United Kingdom | Intercom, Sentry | UK Adequacy Decision | Active |
| European Union | Google Cloud (EU-West) | Intra-EEA, no transfer | Primary |
| Australia | Analytics backup | Standard Contractual Clauses (SCCs) | Active |
We use Standard Contractual Clauses (SCCs) approved by the European Commission for transfers to third countries. For transfers to the UK, we rely on the UK's adequacy decision granted by the EU Commission.
- SCCs: We have executed the latest version of EU Standard Contractual Clauses with all sub-processors receiving EEA data
- Transfer Impact Assessments: We conduct TIAs for all high-risk international transfers
- Data Residency Options: Enterprise customers can request EU-only data residency by contacting dpo@tradingforms.com
- Sub-processor Updates: We maintain a current list of sub-processors and notify customers 30 days before adding new ones
Data Retention Under GDPR
GDPR's storage limitation principle (Article 5(1)(e)) requires that personal data is kept no longer than necessary for its purpose. Our retention periods are set to align with legal obligations, business necessity, and user expectations.
| Data Category | Retention Period | Legal Basis | Deletion Method |
|---|---|---|---|
| Account & Profile Data | Account lifetime + 30 days | Contract | Automatic after account deletion window |
| Invoice & Document Data | Account lifetime + 90 days | Contract | Purged after backup cycle completes |
| Employee Payroll Records | 7 years post-employment | Legal | Manual deletion on request after legal period |
| Financial Transactions | 7 years | Legal | Required for tax compliance; cannot be shortened |
| Support Communications | 3 years | Legitimate Interest | Automated purge after 3 years |
| Analytics & Usage Data | 26 months (anonymized) | Consent | Anonymized; no further personal data retained |
| Security & Audit Logs | 12 months | Legitimate Interest | Rolling 12-month window |
| Marketing Consent Records | Until consent withdrawn + 3 years | Consent | Proof of consent retained per ICO guidance |
You can request early deletion of your data at any time by exercising your Right to Erasure. We will delete your data within 30 days unless a legal retention obligation prevents us from doing so, in which case we will explain the reason clearly.
Technical & Organisational Measures
GDPR Article 32 requires controllers to implement appropriate technical and organisational measures (TOMs) to ensure a level of security appropriate to the risk. Our TOMs include:
Encryption
- TLS 1.3 for all data in transit
- AES-256 encryption at rest
- End-to-end encryption for sensitive payroll data
- Encrypted database backups
Access Controls
- Role-based access control (RBAC)
- Principle of least privilege
- Multi-factor authentication (MFA)
- Privileged access management (PAM)
Monitoring
- 24/7 security monitoring & alerting
- Intrusion detection systems (IDS)
- Anomaly detection on API access
- Comprehensive audit logging
Testing
- Annual penetration testing by third parties
- Regular vulnerability scanning
- Automated dependency security checks
- Bug bounty programme
Personnel
- Mandatory GDPR training for all staff
- Background checks for staff with data access
- Confidentiality agreements
- Regular security awareness training
Infrastructure
- ISO 27001-aligned cloud infrastructure
- Geo-redundant data storage
- Automated failover & disaster recovery
- Regular backup testing
Data Breach Response
GDPR Article 33 requires notification of personal data breaches to the relevant supervisory authority within 72 hours of discovery. Article 34 requires notification to affected individuals when the breach is likely to result in high risk.
- The security team identifies and confirms the breach through monitoring systems or reports.
- Immediate steps are taken to contain the breach: revoke credentials, isolate systems, preserve evidence.
- We determine the scope, the data types affected, the number of individuals and the risk level.
- We notify the supervisory authority within 72 hours, and notify affected users if the risk is high.
- We produce a full incident report and root cause analysis, and implement preventive measures.
If you believe your TradingForms account has been compromised or you have identified a security vulnerability, please contact us immediately at security@tradingforms.com. We operate a coordinated vulnerability disclosure programme.
Data Protection Impact Assessments
GDPR Article 35 requires a Data Protection Impact Assessment (DPIA) before carrying out processing that is likely to result in a high risk to individuals' rights and freedoms. TradingForms conducts DPIAs proactively.
We carry out DPIAs for the following types of processing activities:
- New product features that involve processing sensitive personal data (e.g., payroll data, bank account details)
- Large-scale processing of employee payroll data on behalf of business customers
- New third-party integrations that involve sharing personal data with new sub-processors
- International data transfers to countries without an EU adequacy decision
- Automated decision-making or profiling that produces legal or similarly significant effects
- Systematic monitoring of users through analytics or performance tracking tools
DPIA results are reviewed by our DPO and, where required, the relevant supervisory authority is consulted before processing begins. Summaries of our DPIAs are available to enterprise customers upon request.
Sub-Processors
TradingForms acts as a Data Processor when processing personal data on behalf of our business customers. We engage the following sub-processors to help deliver our services. All sub-processors are bound by Data Processing Agreements that meet GDPR Article 28 requirements.
| Sub-Processor | Purpose | Location | Certification |
|---|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure & hosting | EU-West, US-East | ISO 27001, SOC 2 |
| Google Cloud Platform | Analytics & data processing | EU-West | ISO 27001, SOC 2 |
| Stripe | Payment processing | United States | PCI DSS Level 1 |
| SendGrid (Twilio) | Transactional email delivery | United States | ISO 27001, SOC 2 |
| Intercom | Customer support communications | United States | ISO 27001, SOC 2 |
| Sentry | Error monitoring & logging | United States | SOC 2 Type II |
| Mixpanel | Product analytics | United States | SOC 2 Type II |
| Cloudflare | CDN, DDoS protection & WAF | Global (EEA nodes) | ISO 27001, SOC 2 |
We will provide 30 days' notice before engaging any new sub-processor or making material changes to existing sub-processor arrangements. If you object to a new sub-processor, please contact dpo@tradingforms.com within the notice period.
Contact Our DPO
Our Data Protection Officer is your primary point of contact for any GDPR-related questions, rights requests, or concerns. The DPO operates independently and is not subject to instructions from management regarding their data protection responsibilities.
Data Protection Officer
dpo@tradingforms.com
Privacy Team
support@tradingforms.com
Security Incidents
security@tradingforms.com
Postal (Confidential DPO)
TradingForms DPO, 123 Business District, Nairobi, Kenya
We aim to respond to all GDPR rights requests and DPO inquiries within 30 calendar days. For complex requests, we may extend this period by a further two months, in which case we will notify you within the initial 30-day period with an explanation.
Data Processing Agreement (DPA)
If TradingForms processes personal data on your behalf, you may need a DPA under GDPR Article 28. Our standard DPA is pre-signed and ready for download. Enterprise customers can request a custom DPA.
Your rights. Our responsibility.
Have a GDPR concern, rights request, or compliance question? Our DPO is here to help.
Compliant since: May 25, 2018 · Last reviewed: January 15, 2025