Only read-only permissions are required. When it comes to your own compliance as a business, you should go to your attorney or DSB for the use of Trello. For example, if you need a DPA, we can make it available to you through www.atlassian.com/legal/data-processing-addendum The EU General Data Protection Regulation (GDPR) sets a new standard for the use and protection of data by companies from May 2018. The last part in which the data is stored is the implementation of standard clauses (and safe harbor agreements such as Privacy Shield). As a general rule, the EU does not allow personal data to leave the Union, except that the body processing the data can guarantee that the data is as secure in the 3rd country as in the EU.