Tresorit

Tresorit is a cloud storage service with end-to-end encryption.

5.1/10

How we calculate ratings →

Handling

Does the policy allow personally-targeted or behavioral marketing? Yes

0/10

Does the service allow you to permanently delete your personal data? Yes, by contacting someone

3/5

When does the policy allow law enforcement access to personal data? When reasonably requested

3/5

Score

Always

This includes cases in which law enforcement either runs the service or has a known backdoor into (or relationship with) the service.

Not specified

When reasonably requested

60%

Only when required by a court order or subpoena

80%

N/A (no personal data to share)

The service would have no personal data to share with law enforcement.

100%

Never (special legal jurisdiction)

The service operates in a jurisdiction in which sharing data with law enforcement is never required.

100%

Citation

Tresorit may transmit personal data if the applicable legal provisions so require, or when such action is necessary to comply with any laws, including to meet national security or law enforcement requirements. We may also need to share personal data for the protection of our rights and interests, to protect your safety or the safety of others or to investigate fraud, in accordance with the applicable laws.

Does the service allow third-party access to private personal data? Yes, all parties specified (including non-critical service providers such as advertisers)

3/10

This may come in the form of outright data sharing or by using local third-party analytics software (such as Google Analytics, which collects a plethora of user information).

Note that whether the policy allows sharing aggregated user data does not affect this question.

If the personal data is encrypted when it passes through the third-party, it does not count as third-party access (as the data is inaccessible to that party).

If personal data has been made public by, for example, posting it to a blog, it does not count as private personal information (and is therefore not considered by this question).

Score

Yes

The policy allows sharing personal data with third parties (not just critical service providers), and does not explicitly list the third parties.

Yes, all parties specified (including non-critical service providers such as advertisers)

30%

Yes, not all parties specified (but only to critical service providers)

70%

Yes, all parties specified (only to critical service providers)

80%

100%

Citation

In certain cases we need to share information, including personal data with our third-party service providers. We use third-party service providers for a number of services, including application development, backup, storage, payment processing, analytics and other services. We require our third-party service providers to use the personal data that we share with them solely in connection with the services they provide to us. The current list of our service providers is available here.

Notes

You can view the sub-processors list at https://support.tresorit.com/hc/en-us/articles/216114397-Third-party-services

Transparency

Does the policy require users to be notified in case of a data breach? N/A

7/7

Is the policy's history made available? Yes, with revisions or a changelog

5/5

Will affected users be notified when the policy is meaningfully changed? Yes

5/5

Does the policy outline the service's general security practices? Yes, including independent audits

3/3

Score

Somewhat

The policy provides only a very vague overview of its security practices.

30%

Yes

60%

Yes, including audits

"Reviews," "monitoring," etc. also count as audits.

80%

Yes, including independent audits

Independent "reviews," "monitoring," etc. also count as independent audits.

100%

N/A

The service doesn't collect any personal information.

100%

Citation

We take appropriate technical and organizational measures to protect your personal data against loss or other forms of unlawful processing. Tresorit is ISO 27001:2013 certified.

We NEVER collect or store your files, encryption keys and passwords in an unencrypted or invertible form. The Encrypted Content and corresponding encryption keys can only be decrypted by you and persons with whom you explicitly share them. If you have an account that is part of a Business Subscription with recovery master key, Your Encrypted Content also may be accessed by your Recovery Administrator as set out in our Terms.

Notes

Information on ISO compliance can be found at https://support.tresorit.com/hc/en-us/articles/360012204353-Tresorit-ISO-compliance

Copies of whitepapers can be found at https://tresorit.com/resources

Information on compliance with HIPAA, CCPA, GDPR, ISO 27001, and the Digital Trust Label can be found at https://tresorit.com/security

Collection

Is it clear why the service collects the personal data that it does? Mostly

7/10

Does the policy list the personal data it collects? Yes, generally

7/10

Score

The policy does not claim to not collect personal data, but it also doesn't provide any meaningful insight into the types of personal data it collects.

Only summarily

The policy uses overly vague language to provide a summary of the types of collected personal data.

30%

Yes, generally

All general categories of collected personal data are listed, though not all types of personal data are explicitly mentioned (for example, the list might use a phrase like 'such as' when listing types of personal data).

70%

Yes, exhaustively

All types of collected personal data are listed specifically

100%

N/A (no personal data is collected)

100%

Notes

Full information on data collected can be found in the 'What kind of personal data do we process?' section of the policy.

Does the service allow the user to control whether personal data is collected or used for non-critical purposes? On an opt-out basis, but only for some non-critical data/uses

3/10

Some services allow users to opt-out or opt-in to of non-critical collection or use of personal data, such as collecting data for personalized advertisements.

Score

On an opt-out basis, but only for some non-critical data/uses

30%

On an opt-out basis, for all non-critical data/uses

60%

On an opt-in basis

60%

N/A (no data used for non-critical purposes)

100%

Citation

We are always looking for ways to make Tresorit services better, faster, smarter, and more secure. We use aggregated web statistics and logs about how people use our services and feedback provided directly to us to troubleshoot and to identify trends, usage, activity patterns and improvement of our services.

We also test and analyze certain new features with some users before rolling the feature out to all users.

If you are an existing customer of Tresorit, we may use your email address and phone number provided to us to send you marketing communications, such as providing you with information about similar Tresorit products and services, unless you have opted-out.

We may also use information about you, including web statistics and logs, to personalize the content and experience you receive on our websites or in our marketing communications, as well as by displaying Tresorit ads on other companies' websites and applications, such as on platforms like Facebook and Google. Where legally required, also seek your consent for sending marketing communications.

Occasionally, we connect personal information to information gathered in our log files as necessary to provide better customer experience and to improve our services. In such a case, we would treat the combined information in accordance with this policy.

You may opt-out of these statistics or logs at any time by editing settings, but please note that in this case, it might be more difficult to our support team to find the problem when something goes wrong.

We use mobile analytics software to allow us to better understand the functionality of our mobile application on your device. This software may record information such as how often you use the mobile application, the events that occur within the mobile application, aggregated usage, and performance data. While we use your information to produce aggregate insights, such insights do not identify you.

We may also process your data for any other purposes for which we obtain your consent where necessary or otherwise in accordance applicable law and this policy.

Does the service collect personal data from third parties? Yes

0/10

This includes the use of data brokers and independent verification authorities (such as background check providers).

Score

Yes

Yes, but for critical data only

For example, a blog providing user avatars or a bank conducting identity verification would count.

70%

100%

Citation

Other users of Tresorit services may provide information about you while using our service. For example, we receive personal data about you when somebody sends you an invitation or add you to their contacts. Similarly, your Administrator may provide your contact information when they designate you as a user under your company’s policy.

From time to time, we engage trusted business partners who help us generate leads, and market, promote and resell our product. We receive information from these partners, such as billing information, contact information, company name and registered address.

We receive information about you and your activities on our website from third-party partners, such as advertising partners. Upon your consent, such partners provide us with information about your engagement with our website and online advertisements.

Last Updated

July 23, 2023

Sources

Source #1 ↗

Contributors

doamatto