Affilia is GDPR compliant

From day one, Estate Trust Management has been built around a strong commitment to privacy, security, and protecting sensitive event and guest data.

We fully support our users in complying with Regulation (EU) 2016/679, also known as the General Data Protection Regulation (GDPR), which entered into effect on May 25, 2018 and repealed Directive 95/46/EC. We’ve been busy taking steps to make the transition as smooth as possible for Trust Repository users who are impacted by this transformative new law.

Please note that this page is provided as a resource to understand the scope of the GDPR in relation to using Trust Repository. It does not constitute legal advice, representations, or warranties of Trust Repository. We encourage you to seek professional legal advice if you have questions about how the GDPR may affect your organization and procedures.

How Affilia operates as a data processor

Under the GDPR, there are in particular two types of entities that might process personal data:

  1. Data controllers are individuals or entities that determine the purpose and means of the processing of personal data of EU citizens, and must therefore be compliant with the GDPR and ensure any third parties to which they transmit or otherwise make available personal data are also compliant.
  2. Data processors are third parties who process personal data on behalf of data controllers, and must in particular implement appropriate technical and organizational security measures that meet the requirements of the GDPR.

In this system under the applicability of the GDPR, Affilia is a data processor, and Trust Repository users (e.g. event professionals) are data controllers.

As a data processor, we’ve taken various initiatives to ensure Affilia’s compliance with the GDPR’s requirements (to the extent applicable) with respect to the scope of services stated in our terms and conditions (e.g. event management, online invitation, guest list, seating, event check-in, or related service of Affilia) which include among others:

  • Ensure that all persons authorized to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality
  • Take and implement all appropriate technical and organizational security measures to permanently protect the confidentiality, integrity, availability and capacity of personal data and respective processing systems and services
  • Respond in a timely manner to requests to access, correct, return, or delete personal data
  • Report security breaches impacting personal data in accordance with GDPR timeframes
  • Demonstrate compliance with the GDPR

As a result of diligent internal reviews, Affilia has taken additional measures to support its users in complying with the GDPR. We act only on instructions by users (data controllers) and demonstrate full compliance with obligations across internal entities, subsidiaries, and hosting or cloud providers. Users of Affilia can at any time permanently delete guest data they have uploaded to Affilia.

What you need to do as a user

In order for us as data processors to provide (to the extent applicable) the GDPR compliance referred to above, we operate under the assumption that you as a data controller do the following:

  1. Obtain personal data of EU citizens only with valid permission as set forth by the GDPR, including explicit and informed consent
  2. Act in compliance with the GDPR’s rules and any other applicable data protection or information privacy laws and regulations
  3. Agree to have Affilia act as data processor on your (the data controller’s) behalf

Following these steps allows us to operate together under compliance with the GDPR (to the extent applicable), and provide you the same high standard of service you have come to expect.


Frequently asked questions

What is the GDPR and how does it work?

The General Data Protection Regulation, or GDPR, is a European Union regulation on data protection and privacy, and an important new data privacy law that enters into effect on May 25, 2018.

The law aims to protect the personal data of citizens of the European Union and change how companies approach handling the data of individuals (data subjects). It is a major shift toward privacy by default, basically by requiring companies to obtain personal data only with the informed permission of individuals.

It also aims to empower EU regulators in enforcing that companies store, control, and use personal data only with valid consent of the individual. Through the GDPR, individuals are given, for example, the power to ask for the removal of their personal records at any point. Companies that are not compliant with the GDPR can get fined up to 4% of their global revenue.

To whom does the GDPR apply?

The GDPR may apply to individuals or entities that are established in the EU as well as certain individuals or entities established outside the EU that are processing the personal data of EU citizens.

Data controllers bear the primary responsibility for ensuring that their processing of personal data is compliant with EU data protection law. Personal data is any information relating to an identifiable natural person (e.g. names or contact details).

Is Trust Repository compliant under the GDPR?

Trust Repository understands its role as data processor and supports the protection of personal data within and beyond the borders of the European Union.

We have undertaken extensive reviews in light of this regulation. Among the steps we have taken are to update our terms of service, move data centers within the European Union, and adopt internal processes to respond swiftly to GDPR-related requests.

Why is Trust Repository a data processor instead of a data controller?

Unlike other trust repository software companies, Trust Repository does not determine the purposes and means of the processing of personal data exclusively on behalf of the data controllers (users like e.g. event professionals). Therefore Trust Repository does not qualify as a data controller.

Under the GDPR, do you foresee any restrictions in the way organizations use Trust Repository?

The scope of the Trust Repository services offering remains the same under the GDPR.

Trust Repository offers estate and trust management software to manage shared housing, trust expenses and revenue, and more. Being compliant with the GDPR shall not prevent you from or restrict you in using the services of Trust Repository.

That being said, individuals and organizations using Trust Repository should fully understand their GDPR obligations as a data controller in order to ensure compliance.

What type of data can users process with Trust Repository?

Successfully using Trust Repository does not only require entering a certain limited kind and extent of data. While it is technically possible to process extensive amounts of personal data, in view of the GDPR requirements, we strongly recommend limiting the personal data entered to what is needed for your trust and for Trust Repository providing the relevant services to you.

What is the minimum required data to use Trust Repository?

The exact nature or category of data that needs to be uploaded to the Trust Repository platform varies based on your needs as a Trust Repository user and data controller. As a user, you have full control over your data that you upload to your Trust Repository account, and can remove any data you upload at any time.

From the platform perspective, the minimum data required is very basic.

How does Trust Repository handle data subject access requests?

Trust Repository has established internal processes to act swiftly upon requests. Although data subjects (in other words, any individual whose personal data you control as data controller) cannot inquire directly with a data processor, we will notify you in a timely manner should we receive a request from one of your data subjects.

How can Trust Repository users delete data provided for processing?

Data processed on the Trust Repository cloud can be deleted at any time without impacting the continuous usage of the service. Users can delete data within the Trust Repository network at any time, and we are able to assist with such requests in a timely manner.

Is this data being stored on European servers and does the data leave the EU?

The GDPR does not specifically demand that personal data of EU citizens is stored on European-based servers. However, Affilia’s data centers are located in the United States, and to eliminate any concerns, all service data is hosted within the United States exclusively.

Does Affilia comply with the minimum security requirements and safeguards under the GDPR?

Yes, one of our core operations is taking appropriate technical and organizational measures to comply with rigorous security standards, including those stated by the GDPR.

We test against security threats to ensure the safety of user data. On a regular basis, Affilia employs third-party security experts to perform penetration tests on applications and the organization itself. Our security-certified hosting partner, Amazon Web Services, adheres to stringent security best practices.


What Trust Repository features and services support user compliance with the GDPR?

It is our understanding that all Trust Repository features as defined under the scope of services can be used in compliance with the GDPR. However, the adherence to the GDPR requirements in your function as a data controller is your own responsibility.

Trust Repository takes active measures to support users in protecting personal data and continues to build features and services in line with data protection and information security laws and our focus on strong security and privacy measures.

Does Trust Repository plan to add 'opt in/opt out' features for templates?

It is your responsibility as data controller to manage beneficiary consent, and Trust Repository as a data processor should not be the collection method or repository of that consent information. We do not plan to create an opt-out feature for guests of users within the Trust Repository platform for that reason.

Does Trust Repository sign additional terms or agreements requested by clients in relation to the GDPR?

On standard plans as listed on our pricing page, we do not sign anything in addition to the standard Trust Repository terms and conditions.

Any non-standard terms, such as additional compliance requests, are only considered under our Enterprise plan. You will need to request a quote for an Enterprise plan to initiate the process.

What if I have questions that aren't covered here about Trust Repository and the GDPR?

Please contact us, either through your regular point of contact if you have one or by email, and we will be more than happy to assist you.