Data Processing Addendum
How we handle personal data on your behalf when you use TrustLocker to send files containing information about others.
Last updated: 6 April 2026
1. Roles
Where a user uploads files or creates transfer records containing personal data, that user generally acts as the data controller for the content they choose to upload. TrustLocker acts as processor to the extent it stores, hosts, transmits, and secures that data on the user’s behalf.
2. Subject matter and duration
The processing covers account-linked storage, transfer handling, release timing, file access, and related support or security activity for as long as the service relationship continues and for any additional period required by law or legitimate operational necessity.
3. Categories of data
- Account holder identity and contact details.
- Recipient contact details.
- Transfer metadata and audit data.
- File content chosen by the user.
4. Processor obligations
- Process personal data only as necessary to provide the service.
- Apply reasonable technical and organisational safeguards.
- Restrict internal access on a need-to-know basis.
- Support the controller with rights requests where applicable and feasible.
5. Sub-processors
TrustLocker may use infrastructure, hosting, authentication, and storage providers to deliver the service. Those providers act as sub-processors or service providers to the extent they process personal data for service delivery.
6. International transfers
Where a sub-processor handles data outside the UK, appropriate legal safeguards should be used under applicable data protection law.
7. Security incidents
Where TrustLocker becomes aware of a personal data breach affecting processed personal data, we will take reasonable steps to investigate, contain, and notify where required by law.