GDPR Commitment Statement

Firstly, thank you for trusting Tyk with your personal information. As a tech company, we know it’s one wild web out there, full of spammy ads, DoS attacks and all sorts. And given our mission is to open data and connect systems, you might think that we have ample access to your critical info. But actually, we only collect limited data for the sole purpose of conducting business, and it is not circulated or distributed outside Tyk.

But rest assured that Tyk is committed to taking good care of your data. “But how?” I hear you ask. Well, let me tell you…

You can take comfort in knowing that Tyk is committed to conducting its business in accordance with all applicable Data Protection laws and regulations and in line with the highest standards of ethical conduct. We maintain an ISO 27001 compliant Information Security Management System to mitigate the risks associated with the processing of personal data, and apply at all times the data protection principles as outlined in the GDPR and DPA 2018.

you shall not violate my privacy

Our promise to you (this is the legal mumbo jumbo part):

Fair, lawful and transparent processing

We will process personal data fairly and lawfully, and will fulfil our obligation to tell data subjects what their personal data will be used for. We will ensure that we have a lawful basis for the processing of all personal data.

Purpose limitation

Under the purpose limitation principle, we confirm that personal data collected for one purpose will not be used for a new, incompatible purpose. For more info on how purpose limitation shall be used, take a deep dive into our privacy policy (or, as we like to call it, a sleeping pill).

We take only what we need, not what we want. (Data minimisation)

Processing data that we don’t need isn’t our style. Plus it weighs a tonne! We will only process the personal data that we need in order to achieve our processing purposes. Personal data collected will be adequate, relevant and limited to what is necessary in relation to the purposes for which that data is processed.

Keeping your data accurate

Every reasonable step will be taken to ensure that if personal data is found to be inaccurate, it is either erased or rectified without delay.

There are obvious risks to data subjects if inaccurate data is processed. As a controller of certain data, we are responsible for taking all reasonable steps to ensure that personal data is accurate.

Storage limitation (Data retention periods)

We will not retain personal data for longer than necessary in relation to the purposes for which it was collected.

Data security (Integrity and Confidentiality)

We will ensure we take all practicable measures to secure personal data, both against external and internal threats.

Personal data will be processed in a manner that ensures appropriate security of the data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.


We will ensure the enforcement of the Data Protection Principles. This means we must demonstrate that the six Data Protection Principles (outlined above) are met for all Personal Data for which we are responsible.

Awareness and Training

Training our employees, based in every corner of the world, may seem impossible to mere mortals. But at Tyk we hold regular, online and in-person training sessions to ensure that all employees responsible for the processing of personal data are suitably trained concerning data processing.

Procedures for the control of data processing

Tyk is committed to ensuring that personal data is handled in a fair and lawful manner and not compromised in the completion of business operations. We maintain documented records of all our data processing activities and have documented data protection procedures.

We have established mechanisms in place to deal with any suspected or actual security incidents. If we become aware that we may have experienced a data security incident that might impact our users’ personal information, we investigate to learn what happened and determine what steps to take in response. We comply with all applicable laws that require notification about data security incidents. This means we conduct prompt investigations and analysis so that we can provide notification in a timely manner when necessary.

Our records and procedures are audited for compliance on a periodic basis. Where there is a change in the business or our activities, we will conduct a data audit to establish how the change will affect Data Subjects. The results of the audit will inform decisions as to how legal compliance and the rights of Data Subjects are maintained.