We're currently reviewing our existing practices and how they relate to GDPR, and we'll soon be updating our T&Cs to reflect this. In the interim, here's our current status:
Tradify's servers are based in the USA. Under GDPR, there is currently no requirement for servers to be based in the EU. GDPR requires that, when any EU personal data is hosted or processed outside of the European Economic Area, it must remain protected to an adequate standard in line with EU law.
Tradify achieves this in a couple of ways. First, some of Tradify's EU customers' data is processed in New Zealand - recognized by the EU as an 'adequate' country (i.e. safe country) to receive and process EU personal data. Transfers to New Zealand are therefore entirely lawful under GDPR.
When we process EU customer data in other territories, like the US or Australia, we take other "appropriate safeguards" that are prescribed by the GDPR. Specifically, we rely on EU Standard Contractual Clauses (also called Model Clauses) published by the European Commission to protect EU data. These are standard form data export agreements that have been approved by the European Commission as a lawful basis for transferring personal data to non-EEA countries like the USA.
Rest assured, we continue to be active in regard to our responsibilities to protect the data of EU users (and all other users), and we will continue to take all necessary lawful measures to ensure that it remains protected.