Claudio Berther, Legal Counsel & Data Protection Officer, Yokoy
Overview
Scope
This Privacy Policy and the Cookie Policy (which can be found here) apply to all entities of Yokoy (see A. 8) ("Yokoy" or "we"). You can use our Cookiebot to granularly determine which optional cookies you want to allow and which you do not.
Security and compliance
Data protection is of utmost importance to Yokoy. We ensure through various technical and organizational measures (TOMs) as well as contractual measures that your data is always kept up to date, stored securely and processed in accordance with Swiss (Federal Data Protection Act; FADP) and European data protection regulations (in particular the General Data Protection Regulation; GDPR). This applies both in our company and in the cooperation with our partners and suppliers as outlined in our Partner Code of Conduct. Yokoy has also established an Information Security Management System (ISMS) in accordance with the requirements of the ISO 27001:2013 standard, which has been certified by TÜV Rheinland since November 2022. The processing of card data is certified according to PCI-DSS 4.0 (Payment Card Industry Data Security Standard) by PGI (Protection Group International). Penetration testing through an independent third party is conducted on an annual basis.
Yokoy is further certified by the Spanish State Tax Administration Agency (AEAT), enabling our customers to safely utilize digitized receipts and invoices, and remove the burden of collecting and storing physical copies as it is confirmed here. As part of this certification, we use Q-Seal provided by D-Trust which is an electronic token and therefore cannot be shared publicly for security reasons.
Our legal, security and compliance hub shall provide a quick overview of our efforts so that our stakeholders are up to date with the most relevant documents. Yokoy runs in high-availability mode on the Google Cloud Platform. The cloud data is stored in Zurich, Frankfurt and St. Ghislain, Belgium. An overview of the certifications can be found at Google Cloud security or specifically for data centers at data center security.
International transfers
Despite our best efforts to work with Swiss or EU partners wherever we can, international data transfers cannot always be avoided. We make sure that the transfer of data is in line with the mechanisms in chapter V of GDPR and Art. 16 ff. FADP.
Storage and deletion
We store the data only as long as it is necessary for the fulfillment of the contract or the statutory retention periods upon customers’ request. This is subject to your right to deletion in accordance with Art. 17 GDPR, provided that the requirements for this are met.
Third parties
We are aware of our responsibility towards third parties. Therefore, we conduct a rigorous screening before engaging with third parties. Such screening includes data protection, security, utility and finance review. Besides the Partner Code of Conduct, we follow legal developments closely and make sure our partners do the same, staying up to date with legal and security developments.
Your rights
The FADP and the GDPR grant the person whose data is processed (data subject) several rights with which the person can influence the data processing. For an overview of the rights and how you can exercise them please see section G of this Privacy Policy.
Responsibility and review
This Privacy Policy is reviewed at least once a year and signed off by our internal Data Protection Officer. The date of the last update is shown in the versioning under the title.
How to reach us?
Our Data Protection Officer is available to answer your questions for all Yokoy entities:
Contact Data Protection Officer:
dpo@yokoy.ai
- Yokoy Switzerland Ltd (Headquarter): Förrlibuckstrasse 181, 8005 Zurich. Tel: +41 (0)43 508 15 77. CHE-172.979.264. Managing Director: Philippe Sahli, Thomas Inhelder.
- Yokoy Deutschland GmbH - Munich: Yokoy Deutschland GmbH, Unicorn Workspaces Isartor, Isartorplatz 8, 80331 Munich, Germany. Tel: +49 151 42 04 31 22. Commercial Register Number: HRB 267689. VAT Nr. DE346829209. Managing Director: Philippe Sahli, Thomas Inhelder.
- Yokoy GmbH Austria - Vienna: Yokoy GmbH, Hamerlingplatz 8/17, 1080 Vienna. Tel: +43 1 417 01 15. Industry: Software. Managing Director: Mag. (FH) Stephan Hebenstreit, LL.M. Commercial register court: Vienna Commercial Court. Number of the company register: FN 534254. UID: ATU75770818. Place of jurisdiction: Vienna Commercial Court. Chamber of Commerce.
- Yokoy Netherlands B.V. - Amsterdam: Yokoy (Netherlands) B.V., Singel 542, 1017 AZ Amsterdam. Tel: +31 20 241 0606. KVK number: 84480742. VAT-registration number NL 863227806B01. Managing Director: Philippe Sahli, Thomas Inhelder.
- Yokoy LTD United Kingdom - London: 7-12 Noel Street, 7th Floor, C/O Travelperk, London, England, W1F 8GQ, England. Tel: +44 1274 015979. Company number 15337919. Registered in England and Wales. Managing Director: Philippe Sahli and Thomas Inhelder.
Categories of personal data
The personal data as defined in Art. 5 FADP and Art. 4 GDPR we process are divided into the following categories:
- Basic data (e.g. last name, first name)
- Contact details (e.g. telephone, email, postal address)
- Browser and device data, meta or boundary data and usage data, content data that you submit to us (e.g., through the contact form, registration for newsletters, webinars, and protected content or applications as well as spend management receipts).
- Location data for trip reports
- Contact, sales, contract and payment data in our customer relationship management system.
- Customer and prospect point of contact
Categories of data subjects
Situation | Category of data subjects |
---|---|
Yokoy Expense and Yokoy Pay modules | Employees of the customer who have received access to Yokoy |
Yokoy Invoice | Suppliers of the customers who are included in the invoices |
Visiting our website or social media links | Website or social media visitors |
Use cases of data processing
Data Processing When Using Yokoy
The data processed when using our software depends on the Yokoy modules in use. Further information on how we use artificial intelligence can be found in our AI Policy. A list of actual subprocessors is published in our legal, security and compliance section of the website. A Data Processing Addendum is part of the SaaS contract concluded between Yokoy and the customer.
In this context Yokoy is the processor and the customer is the controller.
Yokoy Package (as applicable) | Processed Data Categories |
---|---|
Yokoy Expense | - Last name, first name, business e-mail address, cost center and content data uploaded by Customer into Yokoy, which may contain Personal Data. For further information see https://developers.google.com/maps/documentation/javascript/examples/geocoding-simple |
Yokoy Invoice | - Supplier name and supplier ID as well as content data uploaded by Customer (invoices). - Additional data fields can be added by the Customer and may contain Personal Data. |
Yokoy Pay | - Cardholder data: Last name, first name, address, phone number, email (for 3DS or tokenization). - Account data: Account number and account information. - Card data: Partial PAN, expiration date, CVV, service code. - Authentication data: validation codes/values, full card data (magnetic stripe/chip), PIN, sensitive authentication data, PIN locks. - Transaction data related to electronic card payments. |
Custom files | Data processing according to the Customer's specifications. |
Apple Pay (optional) | When a user makes a purchase, Apple Pay uses a device-specific number together with a unique transaction code. This means that the credit card number is never stored on the user's device or on Apple servers. Apple never shares card numbers with merchants when the user pays. When the user pays with a debit or credit card, Apple Pay does not store any data about transactions that could be traced back to the user. And with Apple Pay, data is only stored for troubleshooting, fraud prevention and legal purposes. (from https://www.apple.com/chde/privacy) |
Google Pay (optional) | When the user pays, Google Pay sends a virtual account number to the merchant instead of the actual card number - so the user's payment information is always well protected. (from https://safety.google/pay/). Here you can find the setting options for Google Pay: Google Pay privacy settings. |
Data You Give Us
When You Contact Us
By Phone: Aircall
Data storage location | Germany |
Purpose of processing | Managing customer enquiries via phone |
Transfer mechanism | EU-US Privacy Framework certified company |
Security measures | Aircall security |
Legal basis | Legitimate interest in managing enquiries (Art. 6 Para. 1 lit. f GDPR) |
Address & Privacy contact | 11 Rue Saint Georges, 75009 Paris, France |
By Email: Microsoft Outlook
Data storage location | Switzerland |
Purpose of processing | Managing customer enquiries via email |
Transfer mechanism | EU-US Privacy Framework certified company |
Security measures | Microsoft security. Regarding Microsoft’s Switzerland data center: Microsoft Swiss data center |
Legal basis | Legitimate interest (Art. 6 Para. 1 lit. f GDPR) |
Address & Privacy contact | The Circle 02, 8058 Zürich-Flughafen, |
By Chat: Intercom
Data storage location | Ireland |
Purpose of processing | Managing customer enquiries via chat function |
Transfer mechanism | EU-US Privacy Framework certified company |
Security measures | Intercom security |
Legal basis | Legitimate interest (Art. 6 Para. 1 lit. f GDPR) |
Address & Privacy contact | Stephen Court, 18-21 Saint Stephen's Green, Dublin 2, Ireland |
When you sign up for the newsletter/gated content
Data storage location | Germany |
Purpose of processing | Sending out newsletters |
Transfer mechanism | EU-US Privacy Framework certified company |
Security measures | HubSpot trust center |
Legal basis | Consent according to Art. 6 Para. 1 lit. a GDPR. Double opt-in is implemented; every newsletter includes an option to opt out in the e-mail footer. |
When you apply for a job at Yokoy
We use Lever, Inc. to manage the application process. Lever allows us to cooperate seamlessly between the different departments, leave comments and personal hiring recommendations. Aside from that, Lever gives us the necessary functions to comply with GDPR and has a strong security posture in place, which is crucial given the data stored in this application.
Provider | Lever, Inc. |
Data storage location | Germany |
Purpose of processing | Managing incoming job applications |
Transfer mechanism | EU-US Privacy Framework certified company |
Security measures | Lever security exhibit, Lever privacy center |
Legal basis | Consent (Art. 6 Para. 1 lit. a GDPR). Data stored up to 2 years with consent; otherwise deleted after process. |
Address & Privacy contact | Lever, Inc. 1125 Mission Street, San Francisco, CA 94103 privacy@lever.co |
Data We Process on Our Own Behalf
While in the general set-up we are a SaaS company acting as data processors on behalf of our customers, there are also situations where we act as data controllers and process data on our own behalf, at times using third-party companies. Here is a brief overview of the situations in which we process data on our own behalf.
CRM
We are using Salesforce as our customer relationship management tool.
Data storage location | Ireland |
Purpose of processing | Managing customer and contractual relationships. |
Transfer mechanism | EU-US Data Privacy Framework certified company |
Security measures | |
Legal basis | Legitimate interest in managing customer relationships according to Art. 6 Para. 1 lit. f GDPR |
Address and privacy contact | SFDC Ireland Limited 3rd and 4th Floor 1 Central Park, Block G, Central Park, Leopardstown 18 Dublin, Ireland |
Our Website
Our website www.yokoy.io and its subdomains are hosted by WP engine, which is a trusted, globally active provider for website hosting for companies of all sizes including some of the largest corporations. Regarding the cookie-usage of our website please see our Cookie Policy.
Data storage location | USA |
Purpose of processing | Presenting the company, product and services by running yokoy.io and all its subdomains. |
Transfer mechanism | SCC 4.6.2021 |
Security measures | WP engine security |
Legal basis | Legitimate interest in presenting the company, product and services by running yokoy.io and all its subdomains according to Art. 6 para. 1 lit f. GDPR. |
Address and privacy contact | WPEngine, Inc. 504 Lavaca Street, Suite 1000 Austin, TX 78701 |
Our Marketing
Engaging with existing and potential clients is a key part of our sales process. Therefore, this section lays out how the marketing team is interacting with all stakeholders.
Hubspot
A central part of our marketing activities is processed through HubSpot (see the table in the data you give us section for more information on HubSpot).
Data storage location | Germany |
Purpose of processing | Managing our marketing activities. |
Transfer mechanism | EU-US Data Privacy Framework certified company |
Security measures | HubSpot Trust Center |
Legal basis | Legitimate interest in managing our marketing activities according to Art. 6 Para. 1 lit. f GDPR. |
Address and privacy contact | HubSpot Germany GmbH Am Postbahnhof 17 10243 Berlin, Germany |
HubSpot uses web beacons and cookies to analyze your use of our website and to cover various aspects of online marketing. This includes email marketing, contact management (e.g. performance segmentation & CRM), landing pages and contact forms on our website and in the app. This information as well as parts of our website are stored on servers of our software partner HubSpot. It is used by us to contact visitors to our website and determine which of our company's services are of interest to them. The information collected is subject to this Privacy Policy. We use all collected information exclusively to optimize our marketing measures and to communicate with users and improve user experience.
Intercom
Another central tool is our chat function provided by Intercom, Inc. To find out more about Intercom, see the "Data You Give Us" section.
Data storage location | Ireland |
Purpose of processing | Providing a chat function, fast customer support and providing product updates directly to the user. |
Transfer mechanism | EU-US Data Privacy Framework certified company |
Security measures | Intercom security |
Legal basis | Legitimate interest in providing a Chat function, fast customer support and product updates directly to the user according to Art. 6 Para. 1 lit. f GDPR. |
Address and privacy contact | Intercom R&D Unlimited Company Stephen Court, 18-21 Saint Stephen's Green, Dublin 2, Dublin, Ireland |
Google Tag Manager
Google Tag Manager is a solution that allows website tags to be managed via an interface. The Tag Manager tool (which implements the tags) is a cookieless domain and does not collect any personal data. The tool takes care of forwarding data and triggering other tags, which in turn may collect data. Yokoy does not have access to this data. If a deactivation has been made at the domain or cookie level, it will remain in place for all tracking tags implemented with Google Tag Manager, but the tracking is disabled.
Data storage location | USA |
Purpose of processing | Managing cookie execution on our website. |
Transfer mechanism | EU-US Data Privacy Framework certified company |
Security measures | https://developers.google.com/tag-platform/security |
Legal basis | Legitimate interest in managing cookie execution on our website according to Art. 6 Para. 1 lit f. GDPR |
Address and privacy contact | Gordon House Barrow Street Dublin 4, D04E5W5 Ireland Data protection contact |
Google ReCAPTCHA
ReCAPTCHA is a free service from Google that helps protect websites from spam and abuse. A “CAPTCHA” is a Turing test to tell humans and bots apart. It is easy for humans to solve, but hard for “bots” and other malicious software to figure out.
Data storage location | USA |
Purpose of processing | Making sure that data is entered (e.g. in a form) by humans, thereby preventing automated bots from overflowing the system. |
Transfer mechanism | EU-US Data Privacy Framework certified company |
Security measures | Google ReCAPTCHA security |
Legal basis | Legitimate interest in making sure that data is entered (e.g. in a form) by humans, thereby preventing automated bots from overflowing the system, according to Art. 6 para. 1 lit f. GDPR. |
Address and privacy contact | Gordon House Barrow Street Dublin 4, D04E5W5 Ireland Data protection contact |
Google Web Fonts
When you call up a page, your browser loads the required web fonts into the browser cache to display texts and fonts correctly. For this purpose, the browser must establish a connection to Google's servers. In this way, Google learns that our website was accessed via your IP address.
Data storage location | USA |
Purpose of processing | Making sure that fonts are displayed correctly on our website. |
Transfer mechanism | EU-US Data Privacy Framework certified company |
Security measures | Google Fonts security and privacy. |
Legal basis | Legitimate interest in making sure that fonts are displayed correctly on our website according to Art. 6 Para. 1 lit f. GDPR |
Address and privacy contact | Gordon House Barrow Street Dublin 4, D04E5W5 Ireland Data protection contact |
Google Analytics
We use Google Analytics to track activities on the website. Such activities include page views, clicks and dwell time. We are using Google Analytics 4, which has improved privacy credentials. More details can be found here. We as Yokoy do not have access to the IP addresses. A further option to control the ads shown is available through the Ads Preferences Manager.
Data storage location | USA or EU, when accessed via devices in the EU |
Purpose of processing | Website traffic and interaction measurement |
Transfer mechanism | EU-US Data Privacy Framework certified company |
Security measures | Google Analytics data controls |
Legal basis | Legitimate interest in website traffic and interaction measurement according to Art. 6 Para. 1 lit f. GDPR. |
Address and privacy contact | Gordon House Barrow Street Dublin 4, D04E5W5 Ireland Data protection contact |
jsDelivr CDN
A CDN is a network of regionally distributed servers connected via the Internet. To use the service, it is possible that your browser sends personal data to jsDelivr. This may allow jsDelivr to collect and store data such as browser type/version, date and time of access or IP address. To avoid this, you can install a JavaScript blocker, e.g. NoScript.
Processing Location | Poland |
Purpose of processing | Enabling faster website loading times |
Transfer mechanism | SCC 4.6.2021 |
Security measures | jsDelivr TOMs |
Legal basis | Legitimate interest in faster website performance according to Art. 6 Para. 1 lit f. GDPR. |
Address and privacy contact | Krolewska 65a 30-081 Krakow |
Videoask
Videoask is an interactive video-tool used in webforms.
Processing Location | USA |
Purpose of processing | Interactive video software. |
Transfer mechanism | EU-US Data Privacy Framework certified company |
Security measures | Typeform security |
Legal basis | Legitimate interest in interactive video software according to Art. 6 Para. 1 lit f. GDPR |
Address and privacy contact | Carrer de Bac de Roda, 163, Barcelona, Spain |
Navattic
Navattic allows us to improve your customer experience by offering tours of key components of our product or integrations with third parties. The tours can be found here.
Data storage location | USA |
Purpose of processing | Enabling video-product tours on our website. |
Transfer mechanism | SCC of 4.6.2021 |
Security measures | https://trust.navattic.com/ |
Legal basis | Legitimate interest in displaying demo videos on our website. |
Address and privacy contact | 2261 Market Street #4301 San Francisco, CA 94114, USA. |
Marketing tools that use cookies
Certain marketing tools use cookies. To learn what cookies are, what they do, and how you can disable them, visit our Cookie Policy or the Cookie Manager on our website. This allows you to fine-tune your consent to the use of cookies that are not strictly necessary to provide the website. Our management tool Cookiebot is provided by the German company Usercentrics.
Data storage location | Germany/Belgium |
Purpose of processing | Managing cookie consent. |
Transfer mechanism | SCC of 4.6.2021 |
Security measures | https://usercentrics.com/de/trust-center/ |
Legal basis | Legal obligation of accountability according to Art. 5 Para. 2 GDPR. |
Address and privacy contact | Usercentrics GmbH Sendlinger Straße 7 80331 Munich |
Social Media activities
We have various presences on social networks to communicate with users active there and to inform them about our services. For example, we use icons that lead to the pages of YouTube, LinkedIn, Meta and X. For more information about this and about the use of cookies, please see our Cookie Policy. The processing of data in this context is covered by the legitimate interest of interacting with customers and prospects alike according to Art. 6 Para. 1 lit. f GDPR.
Technical data
When you use our website, information that your browser transmits to us is automatically collected and stored.
- Browser type and version
- The operating system
- IP address (anonymized for geolocation)
- Referrer URL
- Host name of the computer
- Request date
The data is needed, for example, to deliver the content of our website correctly, to ensure the functionality of our website according to Art. 6 Para. 1 lit. f GDPR or to provide law enforcement authorities with the appropriate information in the event of a cyber-attack based on Art. 6 Para. 1 lit. c GDPR. The anonymous data of the server log files are stored separately from your personal data.
Login data
When you log in to Yokoy via the website, the following data is stored:
- Login information
- Browser type
- Amount of sent data in bytes
- Date and time of access
- IP address
- Language setting
This data is stored to provide the portal and ensure its security and functionality, which are legitimate interests according to Art. 6 Para. 1 lit. f GDPR.
Sales
Identifying and connecting with potential clients and helping them optimize their spend management process is an important part of the sales process. To achieve this goal Yokoy is using different software products as outlined below.
Cognism
Data storage location | UK |
Purpose of processing | Prospecting |
Transfer mechanism | Adequacy decision |
Security measures | https://www.cognism.com/security |
Legal basis | Legitimate interest in prospecting according to Art. 6 Para. 1 lit. f GDPR |
Address and privacy contact | Cognism Ltd C/O Worldwide Corporate Advisors 150 Minories London EC3N 1LS |
Opt-out | If you wish to opt-out of the database of Cognism this can easily be done by using this opt-out link. |
LinkedIn Sales Navigator
Data storage location | USA |
Purpose of processing | Prospecting |
Transfer mechanism | EU-US Data Privacy Framework certified company |
Security measures | LinkedIn security |
Legal basis | Legitimate interest in prospecting according to Art. 6 Para. 1 lit. f GDPR |
Address and privacy contact | LinkedIn Ireland Unlimited Company Attn: Legal Dept. (Privacy Policy and User Agreement) Wilton Plaza Wilton Place, Dublin 2 Ireland DPO contact |
6sense
Data storage location | USA |
Purpose of processing | Prospecting |
Transfer mechanism | EU-US Data Privacy Framework certified company |
Security measures | https://trust.6sense.com/ |
Legal basis | Legitimate interest in prospecting according to Art. 6 Para. 1 lit. f GDPR. 6sense mostly reflects buying intentions of customers based on a proprietary system. With that, our outbound efforts can be more targeted to customers who are really interested in our products. |
Address and privacy contact | 450 Mission Street, Suite 201 San Francisco, CA, 94105 privacy@6sense.com |
Opt-out | If you wish to opt-out of the 6sense database, you can e-mail datasubjectrequests@6sense.com and ask for a removal. |
Salesloft
Data storage location | Germany |
Purpose of processing | Prospecting |
Transfer mechanism | EU-US Data Privacy Framework certified company |
Security measures | Salesloft security and compliance |
Legal basis | Legitimate interest in prospecting according to Art. 6 Para. 1 lit. f GDPR to ensure we only contact potential customers who have an interest in our services. |
Address and privacy contact | Atlanta Office 1180 W Peachtree St NW Suite 2400, Atlanta, GA 30309 |
Opt-out | If you wish to opt out of the Salesloft database, you can do so by clicking on the e-mail footer or by contacting dpo@yokoy.ai. Salesloft offers granular opt-out options, available at Salesloft opt-out. |
Yokoy Analytics
Legitimate interest of analyzing usage of Yokoy according to Art. 6 Para. 1 lit. f GDPR. Yokoy wants its tool to be as close to the customers’ needs as possible. Amplitude gives us an insight into how our customers use Yokoy, which in turn allows us to prioritize the product roadmap and product development. Since individual users are pseudonymized, it is not possible for Yokoy to track down individual users or expenses with Amplitude.
- Geographical location
- Browser
- The operating system
- IP address
- Duration of the visit
- Reference URL
- Information about how often the website is visited
- Newsletter subscription data
- Pages called
Data storage location | Germany |
Purpose of processing | Usage analytics of Yokoy platform (web and mobile). |
Transfer mechanism | EU-US Data Privacy Framework certified company |
Security measures | Amplitude trust center |
Legal basis | Legitimate interest of analyzing usage of Yokoy according to Art. 6 Para. 1 lit. f GDPR. |
Address and privacy contact | Amplitude, Inc. |
Personio
After your successful application via Lever, your data will be transferred to Personio, our HR tool.
Data storage location | Germany |
Purpose of processing | Managing internal HR data |
Transfer mechanism | N/A EU provider, no data leaves EU |
Security measures | Data security Personio |
Legal basis | Legitimate interest in managing internal HR data. |
Address and privacy contact | Personio SE & Co. KG Seidlstraße 3, 80335 Munich, Germany |
Partner
As outlined in more detail in the SaaS Agreement Yokoy uses Partners to distribute and implement Yokoy. Some partners are also delivering parts of our service to us that we are connecting Yokoy to. Examples thereof are our VAT-Reclaim partners, our travel partners or our e-invoicing partners. An overview of our partner landscape can be found in the partner section of our website. Individual exceptional cases excluded, the customer has individual contracts with those partners and the data necessary to provide the services will be shared with those partners. This happens on a need-to-know basis and is contractually agreed upon with the individual customer.
To manage these partnerships, we are using the partner tool Reveal. Reveal allows us to synchronize opportunities with our distribution partners to look for cooperation opportunities of mutual partners with potential customers. Aside from limiting the data shared, Reveal has a comprehensive security posture. Yokoy remains in full control of what is shared with Reveal. An internal policy is shared and enforced to ensure that only company names are shared, and NDAs are respected. If your company should not be mentioned, please reach out to dpo@yokoy.ai.
Data storage location | Belgium |
Purpose of processing | Partner management tool. |
Transfer mechanism | SCC of 4.6.2021 |
Security measures | |
Legal basis | Legitimate interest of partner management according to Art. 6 |
Address and privacy contact | Reveal SAS 14 avenue de l'Opera, 75001 Paris, France |
DocuSign
Data storage location | Germany |
Purpose of processing | Germany, Netherlands and France (multi-tenant to ensure availability of the contract data) |
Transfer mechanism | Binding Corporate Rules according to Art. 47 GDPR BCR DocuSign |
Security measures | |
Legal basis | Execution of contracts by e-signature according to Art. 6 Para. 1 lit. b GDPR. The parties contractually agree to use DocuSign to sign their contracts. |
Address and privacy contact | DocuSign Inc., Attention: Privacy Team 221 Main Street, Suite 1550, San Francisco, CA 94105. |
DocuSign is a widely recognized supplier of e-signatures. By using DocuSign, we do not only speed up the signing process by making contracts signable from wherever there is an internet connection, but we also contribute positively to the environment by not having to unnecessarily print out documents and use resources. If you want to know more about our environmental efforts visit here.
Slack
Data storage location | Germany |
Purpose of processing | Internal instant messaging tool. |
Transfer mechanism | EU-US Data Privacy Framework certified company |
Security measures | Slack security. |
Legal basis | Legitimate interest according to Art. 6 Para. 1 lit. f GDPR internal instant messaging tool. |
Address and privacy contact | Slack Technologies Limited Salesforce Tower 60R801, North Dock Dublin, Ireland |
Holycode / HolyERP
Holycode is a Swiss company supplying development resources based out of Serbia for a wide variety of Swiss companies (https://www.holycode.com/clients/). Holycode supports our engineering team with coding (Holycode) and connector tasks (HolyERP). No one at Holycode / HolyERP performs any work without a written statement of work from Yokoy. Yokoy remains responsible for any development executed by Holycode/HolyERP.
Data storage location | Serbia |
Purpose of processing | Development support. |
Transfer mechanism | Individually signed Standard Contractual Clauses |
Security measures | ISO 27001, ISO 9001 certified |
Legal basis | Data processing agreement in place Art. 28 GDPR. |
Address and privacy contact | Holycode AG, Im Gerstenacker 8, 4102 Binningen, Switzerland / Holycode d.o.o. Jurija Gagarina 12, Beograd, Serbia |
International Data transfers
We are aware that transferring data abroad requires us to take precautions. Where possible we strive to store the data within Switzerland and the EU. Since Yokoy’s headquarters are in Switzerland, it is important to point out that Switzerland is recognized as a country with adequate protection of personal data just like the United Kingdom is, where we have another subsidiary. If we work with US providers, we choose EU storage wherever it is offered. In addition, most of our US processors are certified according to the EU-US Privacy Framework, the newest transfer framework that is recognized by the EU Commission as providing adequate protection of your data. Additionally, Standard Contractual Clauses are either part of the contract or signed separately. On top of that we have conducted a data transfer impact assessment in which we concluded that the risk is minimal and together with the security measures we and our partners have taken to protect the data the risk of a government intervention is minimal. Should we ever get a request from a government entity the internal procedures for how to react to such a request are in place. That said, we are aware that this is a dynamic field of law that requires continuous attention. Should action become necessary, we will act accordingly. As of the date of publication of this Privacy Policy no US request has ever been raised to any Yokoy entity.
Data storage and deletion
We store data during the contractual relationship with the customer. The data storage locations of our cloud provider are Zurich, Switzerland; Frankfurt, Germany; and St. Ghislain, Belgium.
The default data storage is defined by the contract with the customer. Upon customer request we can also store data for as long as the legal requirement for data retention in the specific customer country requires. Yokoy offers read-only access allowing auditors to access the spend management records for their specific purpose. The data can be provided in .JSON or .CSV format to the customer. The right to erasure according to Art. 17 GDPR remains unaffected and will be granted if the requirements set out in this provision are met. Data is encrypted at rest and in transit with 256-bit AES encryption and the keys are with Yokoy.
Your data protection rights
Right to confirmation Art. 25 Para. 1 FADP and Art. 15 GDPR
Art. 25 Para. 1 FADP and Art. 15 GDPR give you the right to request confirmation from us as to whether personal data relating to you is being processed. To do so, please contact us at dpo@yokoy.ai.
Right to information Art. 25 Para 2 FADP and Art. 15 GDPR
In accordance with Art. 15 GDPR and Art. 25 Para. 2 FADP, you also have the right to receive from us at any time and free of charge information about the data stored about you and a copy of this data in accordance with the legal provisions. To do so, please contact us via dpo@yokoy.ai. This data will be provided in JSON or .csv format within 30 days according to Art. 25 Para. 7 FADP.
Right to rectification Art. 32 FADP and Art. 16 GDPR
You have the right to request the rectification of inaccurate personal data concerning you. You also have the right to request that incomplete personal data be completed, considering the purpose of the processing. The obligation to keep the employee user master data up to date lies with the customer, as we receive this data from the customer and are not able to verify it.
Right to erasure Art. 6 Para. 4 FADP and Art. 17 GDPR
You have the right to demand that we delete the personal data concerning you without delay, provided that one of the reasons provided for by law applies and as far as the processing or storage is not necessary. To do so, please contact us via dpo@yokoy.ai. The FADP does not specifically grant a right to erasure, but Art. 6 Para. 4 FADP requires the destruction or anonymization of data which are no longer necessary to fulfill the purpose.
Restriction of processing Art. 18 GDPR
You have the right to request that we restrict processing if one of the legal requirements is met. To do so, please contact us via dpo@yokoy.ai. This right is not explicitly granted in the FADP, but it is covered by the purpose limitation stipulated in Art. 6 Para. 3 FADP.
Obligation to notify Art. 9 Para. 3 FADP and Art. 19 GDPR
Yokoy will communicate changes, deletions and restrictions of data processing to third parties, unless this proves impossible or involves a disproportionate effort. Art. 9 Para. 3 FADP requires this in the specific case of the engagement of a new subprocessor. If we do so, customers will be informed of a notice period of 14 days as stipulated in the Data Processing Agreement.
Data portability Art. 28 FADP and Art. 20 GDPR
You have the right to receive the personal data concerning you that you have provided to us in a structured, common and machine-readable format. We provide the data in .csv or JSON format. You also have the right to transfer this data to another controller without hindrance from us, to whom the personal data has been provided, provided that the processing is based on consent pursuant to Art. 6 Para. 1 lit. a GDPR or Art. 9 Para. 2 lit. a GDPR or on a contract pursuant to Art. 6 Para. 1 lit. b GDPR and the processing is carried out with the aid of automated procedures, unless the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us.
Furthermore, when exercising your right to data portability pursuant to Article 20 Para. 1 GDPR, you have the right that the personal data be transferred directly from one controller to another controller, to the extent technically feasible and if this does not adversely affect the rights and freedoms of other individuals. For this purpose, the data may be provided in .CSV or .JSON format. To do so, please contact us via dpo@yokoy.ai. The right to data portability is also granted in Art. 28 FADP, but restrictions apply on feasibility and proportionality.
Objection Art. 30 Para. 2 lit. b FADP and Art. 21 GDPR
You have the right to object at any time, on grounds relating to your situation, to the processing of personal data concerning you that is carried out based on Art. 6 Para. 1 lit. e or lit. f GDPR. This also applies to profiling based on these provisions within the meaning of Art. 4 No. 4 GDPR. If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing is necessary for the establishment, exercise or defense of legal claims. In individual cases, we process personal data to conduct direct advertising. You may object to the processing of personal data for the purpose of such advertising at any time. This also applies to profiling, as far as it is associated with such direct advertising. If you object to the processing for direct marketing purposes, we will no longer process the personal data for these purposes. You also have the right to object, on grounds relating to your situation, to the processing of personal data concerning you which is carried out by us for scientific or historical research purposes or for statistical purposes pursuant to Art. 89 Para. 1 GDPR, unless such processing is necessary for the performance of a task carried out in the public interest.
Notwithstanding Directive 2002/58/EC, you are free to exercise your right to object to the use of information society services by automated means using technical specifications. To do so, please contact us via dpo@yokoy.ai.
Revocation of consent in Art. 7 Para. 3 GDPR
You have the right to revoke your consent to the processing of personal data in accordance with Art. 7 Para. 3 GDPR at any time with effect for the future. To do so, please contact us via dpo@yokoy.ai.
Complaint to a supervisory authority
You have the right to lodge a complaint about the processing of personal data by us with a supervisory authority responsible for data protection in accordance
Country | Supervisory Authority | Contact |
---|---|---|
Switzerland | FDPIC – Federal Commissioner for Data Protection and Freedom of Information | Feldeggweg 1, CH-3003 Berne Phone: +41 (0)58 462 43 95 |
Germany | BayLDA – Bayerisches Landesamt für Datenschutzaufsicht | Promenade 18, 91522 Ansbach Phone: +49 981 1800930 Fax: +49 981 180093-800 |
Austria | Österreichische Datenschutzbehörde | Barichgasse 40-42, 1030 Vienna Phone: +43 1 52 152-0 Email: dsb@dsb.gv.at |
Netherlands | Dutch Personal Data Authority | PO BOX 93374, 2509 AJ The Hague Phone: +31 (0)88 1805 250 |
United Kingdom | ICO – Information Commissioner’s Office | Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF Phone: +44 (0)303 123 1113 Email: icocasework@ico.org.uk |
Updates
We can adapt and supplement this data protection declaration at any time. We will inform you about such adjustments and additions in an appropriate form, by publishing the respective current Privacy Policy on our website.