Terms of ServicePrivacy policyData Processing AddendumAPI TermsPlatform Client TermsAdditional Services TermsGDPR Compliance PageIntegration Partner TermsResponsible Disclosure Policy

GDPR

Last updated: June 3, 2025

Tremendous GDPR compliance

As a financial technology company, we understand how important it is to protect your business and customer data. We design our product features, infrastructure, and internal processes with data privacy and security in mind.

Here's how Tremendous operates in compliance with GDPR requirements.

Our role

  • Tremendous operates as a data processor (or sub‑processor) under the GDPR. You remain the data controller.

  • We collect and process personal data about recipients only on your documented instructions to deliver payouts. 

What data we process

  • Minimal data needed to reach recipients: name and email.

  • Additional identifiers (e.g., date of birth, phone number, or address) are requested only when required by law or a financial partner for high‑value or regulated payouts. 

How we protect your data

  • Robust information‑security program (SOC 2 Type II – the U.S. analog to ISO/IEC 27001) with administrative, technical, and physical safeguards.

  • Encryption in transit and at rest, least‑privilege access controls, and 24×7 monitoring.

  • Security incident response with notification to you without undue delay.

International data transfers

  • Data is primarily hosted in the United States. Transfers from the EEA / UK / Switzerland are covered by the EU Standard Contractual Clauses (SCCs), plus the UK and Swiss addenda built into our DPA. 

Sub‑processors

  • We use vetted sub‑processors (for things like cloud hosting and payments) bound by equivalent data protection terms.

  • Clients receive advance notice of any new sub‑processor and may object. The current list is always available online.

Supporting your compliance

  • We provide assistance with data‑subject requests, DPIAs, and regulator inquiries.

  • We conduct annual audits, and share SOC 2 and penetration‑test reports on request.

  • We securely return or delete data on request or at contract end, unless retention is legally required. 

We never:

  • Sell or share personal data for advertising.

  • Combine client data for our own marketing analytics.

Questions?
Review our full DPA and Privacy Policy, or reach out to sales@tremendous.com to speak to the Tremendous sales team to learn more.