Version 4.0 March 2023
Data protection is of utmost importance to Yokoy. We ensure through various technical, organizational and contractual measures that your data is always kept up to date, stored securely and processed in accordance with Swiss (Federal Data Protection Act; FADP and the associated ordinance) and European data protection regulations (in particular the General Data Protection Regulation GDPR). This applies both in our company and in the cooperation with our partners and suppliers.
In addition, we have our software data security audited annually by independent external experts and implement their recommendations. Yokoy has also established an Information Security Management System (ISMS) in accordance with the requirements of the ISO 27001 standard, which was certified by TÜV Rheinland in November 2022.
i. Contact person Yokoy Group AG
ii. Personal data categories
iii. What data we process
iv. International data transmission
v. Data security
vi. Data storage and deletion
vii. Your rights
3. Responsibility and review
I. Contact Yokoy Group AG
Our data protection officer is available to answer any questions you may have about data protection.
1. Headquarters Yokoy Group AG – Zurich
Yokoy Group AG
MLaw Claudio Berther, LL.M (Law & Technology) University of California, Berkeley
Legal and Data Protection Officer
Tel: +41 (0)43 508 15 77
2. Yokoy Germany GmbH – Munich
Yokoy Germany GmbH
Design Offices Munich Macherei
Weihenstephaner Str. 12 (Building M6)
Tel: +49 151 42 04 31 22
Germany Company register number: HRB 267689
3. Yokoy GmbH Austria – Vienna
Tel: +43 1 417 01 15
Managing Director: Mag.(FH) Stephan Hebenstreit, LL.M.
Commercial register court: Vienna Commercial Court
Number of the company register: FN 534254
Place of jurisdiction: Vienna Commercial Court
Chamber affiliation: Vienna Chamber of Commerce
4. Yokoy Netherlands B.V. – Amsterdam
Yokoy (Netherlands) B.V.
1017 AZ Amsterdam
KVK number 84480742
Tel: +31 6 20 33 28 90
II. Categories of personal data
The personal data we process are divided into the following categories:
1. Basic data (e.g. last name, first name)
2. Contact data (e.g. telephone, e-mail, postal address)
3. Browser and device data, meta or boundary data and usage data, content data that you submit to us (e.g., through the contact form, registration for newsletters, webinars, and protected content or applications).
4. Location data
5. Contact, sales, contract and payment data in our customer relationship management system
III. What data we process
1. Data you give us
You voluntarily provide us with data in various situations, for example when you contact us, subscribe to our newsletter, register in the customer portal, apply for a job, register for a webinar or download protected content. If you want to know more about how we process this data, for what purpose and on what legal basis, read "C. 1. Data you give us" or click here.
2. Data we process
In order to provide our services, maintain our infrastructure and provide the best possible experience to all stakeholders, we also process personal data. If you would like to know more about the purposes and legal basis for this, read “B. Data we process” or click here.
3. Data processed by our partners
IV. International data transmission
Even though we strive to work with Swiss or European providers and make European data storage a condition when integrating new sub-processors wherever possible, the outflow of data abroad cannot be completely prevented. To find out how this is legally implemented by Yokoy and how your data is also transferred in a legally secure manner in connection with foreign transfers, please see “D. International Data Transfer” or click here. Yokoy will always keep an eye on this sensitive and constantly changing topic and adapt the international data transfer to the legal developments in this area.
V. Security of the data
The data disclosed to us is treated confidentially and protected against unauthorized access, damage or loss by technical and organizational measures. To learn more about how we technically protect your data, see “F. Data Security” or click here. All Yokoy employees also sign a confidentiality agreement at the beginning of their employment. Our data security efforts comply with the internationally recognized ISO 27001 standard, to which Yokoy is externally certified by TÜV Rheinland. Furthermore, the security of our software is tested annually by an external third party through so-called penetration tests.
VI. Data storage and deletion
We store the data only as long as it is necessary for the fulfillment of the contract. This is subject to the statutory retention periods and your right to deletion in accordance with Art. 17 GDPR, provided that the requirements for this are met. If you want to know more about this topic, read "F. Data storage and data deletion" or click here.
VII. Your rights
The GDPR grants the person whose data is processed various rights with which the person can influence the data processing. For an overview of the rights and how you can exercise them, see G. Your rights or click here.
A. Data you give us
1. Contact us
You can contact us through a variety of channels, including phone, email, contact form, chat, social media, webinar registration, and “gated content” registration. We collect your contact information and information from the inquiry. This information may be stored in our customer relationship management (CRM) system. This data is stored for internal use only.
1.1 Purpose of the processing
We store personal data in order to be able to respond to your inquiry or contact. Furthermore, this storage enables us to carry out the contract or pre-contractual measures in case of questions regarding an existing contractual relationship. In addition, Yokoy may conduct analyses about possible future contractual relationships, such as the size of the company, where the company is present and through which channels the company has heard about Yokoy.
1.2 Legal basis
2. Sign up for the newsletter
2.1 Purpose of the processing
Creation and sending of our newsletter.
2.2 Legal basis
If you subscribe to the newsletter, you give us permission to use your data for sending the newsletter. Furthermore, you agree to the information described below. Based on Art. 7 Para. 3 GDPR, you can revoke your consent at any time for the future; for this purpose, you will find an unsubscribe link in every email sent. We use the HubSpot software to send our newsletter. An overview of all partners with whom we cooperate for internal and external purposes, as well as links to their data protection declarations, can be found under "D. International data transfer" or click here.
2.3 Double opt-in procedure for the purpose of verifiability
An important principle of the General Data Protection Regulation is accountability. Art. 5 Para. 2 GDPR requires not only compliance with data protection regulations, but also proof thereof. For this reason, registration takes place in a double opt-in process. After your registration, you will receive an email in which you must confirm your email address. This prevents misuse with registrations from other email addresses. The registrations are stored in our CRM system so that we can legally prove the registration process. This includes the following data: Sign-up and confirmation time, type of newsletter, IP address and your contact details. The legal basis for this is the fulfillment of a legal obligation according to Art. 6 Para. 1 lit. c GDPR.
2.4 National specifics
Germany: The dispatch and performance measurement of the newsletter is based on the consent of the recipients in accordance with Art. 6 Para. 1 lit. a, Art. 7 GDPR in conjunction with Section 7 (2) No. 3 UWG or on the basis of the legal permission pursuant to Section 7 (3) UWG.
Austria: The dispatch of the newsletter and the associated performance measurement is based on the consent of the recipients pursuant to Art. 6 (1) a GDPR in conjunction with § 174 TKG. The logging of the registration process is based on our legitimate interests pursuant to Art. 6 Para. 1 lit. f GDPR. Our interest is directed towards the use of a user-friendly and secure newsletter software. In addition, there is a legal obligation to provide proof of registration. This obligation also results from accountability according to Art. 5 (3) GDPR.
Netherlands: Consent pursuant to Art. 6 (1) a GDPR in conjunction with Art. 11 (7) a Telecommunications Act.
Spain: Consent according to Art. 6 Para. 1 lit. a GDPR in connection with Art. 21 Para. 1 Law on Information Society and Electronic Commerce.
Switzerland: Data processing is carried out in accordance with the data protection principles pursuant to Art. 4 FADP.
3. Webinar registrations
You can also register for webinars via the Hubspot tool to get to know our products better. We store the data you provide so that we can contact you if necessary, e.g. if it becomes necessary to cancel the event. We base our data processing on your consent according to Art. 6 Para. 1 lit. a GDPR. This consent can also be revoked for the future in accordance with Art. 7 Para. 3 GDPR. To do so, contact us using the method described above in the Contact section. Data processing is carried out in accordance with the data protection principles pursuant to Art. 4 FADP.
4. Gated content downloads
Gated content is about sharing knowledge that is valuable to the user in exchange for contact information of the user that is valuable to us. In the case of Yokoy, for example, this could be events on topics such as digitization, artificial intelligence, or data protection or automation.
4.1 Purpose of the processing
4.2 Legal basis
We base our data processing on your consent pursuant to Art. 6 Para. 1 lit. a GDPR. This consent can also be revoked for the future pursuant to Art. 7 Para. 3 GDPR. Contact us via one of the contact channels listed under contact above. Data processing is carried out in accordance with the data protection principles in Art. 4 FADP.
For job applications we use the service of Lever. Lever is GDPR and SOC 2 compliant. Employees and sub-processors are required to keep data strictly confidential. For more information, please visit the Lever privacy center. The applicant must also explicitly consent to the processing of their data via opt-in procedures, and applicants can determine whether they wish to remain in the system in the event of an unsuccessful application in order to be contacted for newly advertised positions. In this case, the data will be deleted by system setting after two years at the latest. If the application is successful and a position is filled, the data is transferred to the BambooHR tool and retained for the duration of the contractual relationship. The data protection measures of BambooHR can be found in the Privacy Notice BambooHR.
5.1 Purpose of the processing
We process the personal data provided to us in order to review your application, to take pre-contractual measures and to conclude a possible employment contract with you. If your application is not successful or you withdraw your application and you do not wish to continue to be stored in our system, the data will be deleted within 30 days. If your application is successful, the data will be kept until the purpose is fulfilled, usually for the duration of the contractual relationship plus a period required by law.
5.2 Legal basis
The storage of the data is based on Art. 6 Para. 1 lit. b GDPR or the consent of the person according to Art. 6 Para. 1 lit. a GDPR. This consent can also be revoked for the future on the basis of Art. 7 Para. 3 GDPR. To do so, please contact the relevant contact person above. Data processing is carried out in accordance with the data protection principles pursuant to Art. 4 FADP.
B. Data processed by us
1. Server log files
When you use our website, information that your browser transmits to us is automatically collected and stored. These are:
• Browser type and version
• The operating system
• IP address
• Referrer URL
• Host name of the computer
• Request date
We do not draw any conclusions about your person when using this data. Logging is done in accordance with our internal logging policy.
1.1 Purpose of the processing
The data is needed, for example, to deliver the content of our website correctly, to ensure the functionality of our website or to provide law enforcement authorities with the appropriate information in the event of a cyber attack. The anonymous data of the server log files are stored separately from your personal data.
1.2 Legal basis
We base the collection of this anonymized data on the legitimate interest of a functioning website according to Art. 6 Para. 1 lit. f GDPR.
2. Customer login/customer portal
The data protection provisions are agreed and signed with each customer when the contract is concluded (Data Processing Addendum as an appendix to the SaaS Agreement). The processing of customer data in our CRM system is carried out in accordance with point 3 below.
In addition, our system automatically records the following log data for each call:
• Browser type
• Amount of data sent in bytes
• Date and time of access
• IP address
• Language setting
2.1 Purpose of the processing
This data is collected for the purpose of providing the portal. In addition, this data is processed and stored to ensure the functionality of the portal and its security.
2.2 Legal basis
The data of the customer portal are processed according to Art. 6 Para. 1 lit. b and lit. f GDPR. The data is only stored as long as it is necessary for the fulfillment of the purpose. In order to provide the portal, data is also passed on to technically necessary partners, e.g. the website hoster Inpsyde and the cloud provider Google Cloud Platform. An overview of all partners, their services, the legal basis for processing and contact options can be found under D. International data transfer. An internal logging and monitoring policy regulates the details.
3. Customer data (CRM Customer Relationship Management)
3.1 Purpose of the processing
In order to provide our contractual services, we need to process data about our customers. In doing so, we process inventory data (e.g. customer master data, such as names or addresses), contact data (e.g. email, telephone numbers), content data (e.g. charts of accounts), contract data (e.g. subject matter of the contract, term), payment data (e.g. bank details, payment history). This mainly concerns customers, employees and suppliers. The purpose of the processing is the provision of contractual services, billing and customer service. For a more detailed description of the processing of customer data, please refer to the Data Processing Addendum. This forms part of our customer relationship as Annex 1, which is based on a SaaS (Software as a Service) contract.
3.2 Legal basis
C. Data collected from our partners
If we involve partners, this is done in accordance with the requirements of Art. 5 GDPR and Art. 10a FADP. There are data processing contracts that meet the requirements of Art. 28 Para. 3 GDPR.
1. When visiting the website
In order to be able to operate a website technically, certain technical requirements are necessary, for which we rely on partners.
1.1.1 Purpose of the processing
Our hosting provider Inpsyde provides us with infrastructure and platform services, database services, computing capacity, security services and storage space as well as technical maintenance services, which we use for the purpose of operating our online offering.
1.1.2 Legal basis
The basis for data processing is Art. 6 Para. 1 lit. b GDPR, which allows us to process data for the fulfillment of a contract or pre-contractual measures. Our website is hosted by Inpsyde GmbH, a German company that stores the data in Frankfurt. Privacy Inpsyde.
1.2 Content Delivery Network (CDN)
1.2.1 Purpose of the processing
1.2.2 Legal basis
1.3 Google Web Fonts
1.3.1 Purpose of the processing
Our website uses so-called web fonts provided by Google to display fonts. The provider is Google Inc, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. This is a service of the American Google LLC. For users in the European Economic Area (EEA) and Switzerland, the Irish company Google Ireland Limited is responsible. When you call up a page, your browser loads the required web fonts into the browser cache in order to display texts and fonts correctly. For this purpose, the browser must establish a connection to Google’s servers. In this way, Google learns that our website was accessed via your IP address.
1.3.2 Legal basis
1.4.1 Purpose of the processing
1.4.2 Legal basis
2. When using the Yokoy app
The Yokoy App is hosted on Google Cloud Platform. Google Cloud Platform is a service provided by Google Ireland LLC, Google Building, Gordon House, Barrow St, Dublin 4, Ireland. Specific privacy information about Google Cloud can be found here: Privacy Google Cloud. Specific information about Google Cloud data security and our products can be found in the Data Security section or will be provided upon request.
Customers can download a mobile app to their device. The information required for this process is transmitted to the App Store without our intervention. The information includes, for example, the email address, the customer number of your App Store account or the time of the download. We are not responsible for this data collection and have no influence on it.
For more information, see Apple's or Google's privacy policies.
When using the Yokoy app, we process the following data to ensure the security and usability of the functions offered:
• Date and time of access
• IP address
• Access to the site
• The operating system
In order to use the app in conjunction with the expense tool, the following categories are processed by the app: Last name, first name, email address and personnel or supplier number (for booking in the customer system). For the invoice module, only the supplier’s name and ID are required. Additional data can be provided by the user, but is not mandatory. For the Yokoy Pay module this is first name, last name, address, birthday and phone number. Detailed information is provided to our customers in the Data Processing Addendum, which is included in Appendix 1 and thus forms part of the contract concluded with Yokoy. A special addendum deals with the data processed within the framework of our Yokoy Pay module, as well as with the partners with whom we cooperate in order to realize this module.
The data is stored in an encrypted private cloud and the transfer to the Google Cloud is also secured with 256-bit AES encryption. By using the app, no employee data of the users is stored in our CRM.
2.1 Purpose of the data processing
This data is processed only for the provision of the Yokoy app.
2.2 Legal basis
This is done on the basis of Art. 6 Para. 1 lit. a, lit. b and lit. f GDPR.
3. Our marketing activities
On our website, we use the software HubSpot for various purposes. Our partner is Hubspot Deutschland GmbH, Am Postbahnhof 17, 10243 Berlin.
As part of the optimization of our marketing measures, the following data, among others, may be collected and processed via HubSpot:
• Geographical location
• The operating system
• IP address
• Duration of the visit
• Reference URL
• Information about how often the website is visited
• Newsletter registration data
• Pages called
We also use HubSpot to provide contact forms on our website and on our app.
3.1.2 Legal basis
The chat function on our website is provided by Intercom, 2nd Floor, Stephen Court, 18-21 Saint Stephen's Green, Dublin 2.
3.2.1 Purpose of the processing
Chat function on our website and Yokoy Academy at help.yokoy.ai.
3.2.2 Legal basis
3.3 Google Tag Manager
3.3.1 Purpose of the processing
Our website uses the Google Tag Manager. The provider is Google Inc, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Google Tag Manager is a solution that allows website tags to be managed via an interface. The Tag Manager tool (which implements the tags) is a cookieless domain and does not collect any personal data. The tool takes care of forwarding data and triggering other tags, which in turn may collect data. Google Tag Manager does not have access to this data. If a deactivation has been made at the domain or cookie level, it will remain in place for all tracking tags implemented with Google Tag Manager.
3.3.2 Legal basis
The legal basis for the use of Google Tag Manager is your consent pursuant to Art. 6 (1) a GDPR. This can be revoked at any time based on Art. 7 (3) GDPR with effect for the future. To do so, please contact Yokoy.
3.4 Google reCaptcha
3.4.1 Purpose of the processing
The purpose of reCAPTCHA is to verify whether the data entry on our website (e.g. in a contact form) is made by a human or an automated program. The reCAPTCHA analyzes run entirely in the background. Visitors to the website are not notified that an analysis is being performed.
3.4.2 Legal basis
4. Social media activities
D. International data transmission
Whenever possible and economically justifiable, Yokoy endeavors to work with providers from Switzerland, the EEA or the EU, or with countries for which the EU Commission has recognized an adequate level of data protection pursuant to Article 45 of the GDPR.
Alternatively, the data transfer takes place on the basis of standard contractual clauses pursuant to Art. 46 GDPR. We are aware that the ruling of the European Court of Justice C-118-311 of 16.7.2021 has declared the Privacy Shield null and void and requires our sub-processors to implement the new standard contractual clauses published by the EU Commission on 4 June 2020. We are following developments in this regard very closely, particularly with regard to an adequacy decision by the EU Commission. This is currently in the draft stage. Such an adequacy decision would enable data transfer without additional measures. As this is not the case at the moment, we base our data transfers in the non-EU area on the standard contractual clauses together with the additional measures taken by the sub-processors. If available at the partner, we base the data transfer on Binding Corporate Rules according to Art. 47 GDPR.
Yokoy has conducted an internal Data Transfer Impact Assessment. Based on the data processed by Yokoy, the security measures taken by us and our partners, we conclude that the risk of data access by the US authorities based on US national security interests is to be assessed as very low. An internal process has been established for the event of a request from the authorities. To date, there has never been such a request since our company was founded in 2019.
We work exclusively with large international partners who share our conviction regarding the importance of data protection. The guarantee of data protection is additionally contractually ensured by data processing agreements with our partners and suppliers.
Our multi-stage procurement process includes separate clarifications on the topics of data protection and data security. Below is an overview of our foreign partners, in which country they are located and for what purpose they process Yokoy data. In addition, an internal policy states that we support any international sanctions against states, territories or persons and do not have business relationships with such states, territories or persons. The partners who explicitly process customer data are listed in the Data Processing Addendum, which is part of the customer relationship contract.
|Sub-Processor||Location||Basis of data transmission||Purpose of processing||Address|
|Google LLC, Ireland||EU (St. Ghislain, Belgium)||SCC and additional measures||Use of cloud services for data storage (Google Cloud) in Europe, hosting of Yokoy software (Google Cloud Web Hosting), email communication (Gmail) and document management (G Suite), and data management (BigQuery).||Google Ireland LLC, Gordon House, Barrow Street, Dublin 4, D04E5W5, Ireland|
|Inpsyde GmbH||Germany||SCC and additional measures||Website hosting https://www.yokoy.ai on the basis of Art. 6 Para. 1 lit. b and f GDPR||Mutzer Heide 3, 51467 Bergisch Gladbach|
|Hubspot Germany GmbH||Frankfurt||SCC and additional measures||Hubspot is also used for marketing and communication purposes based on your consent pursuant to Art. 6 (1) a GDPR or Art. 6 (1) b GDPR for the performance or preparation of a contract and Art. 6 (1) f GDPR for our legitimate interests (in particular marketing).||HubSpot Germany GmbH, Am Postbahnhof 17, 10243 Berlin|
|Sendgrid LLC (optional, can be deactivated)||USA||SCC and additional measures||Sending platform emails – the employee's email is shared with Sendgrid.||1801 California Street Suite 500, Denver, CO 80202 USA; Twilio, Inc. 375 Beale Street Suite 300 San Francisco, CA 94105 USA (Binding Corporate Rules applicable to Sendgrid, Inc.)|
|Intercom, Dublin||Dublin||SCC and additional measures||In-app chat function, Yokoy Academy||3rd Floor, Stephen's Green, Dublin 2|
|Slack Technologies, Inc.||USA||SCC and additional measures||Web-based instant messaging for internal corporate communication||Slack Technologies, Inc, 500 Howard Street, San Francisco, CA 94105, USA.|
|Prospect One||Poland||Adequacy decision according to Art. 45 GDPR||For the provision of a CDN (Content Delivery Network). No personal data is requested and also not stored.||jsDelivr, ProspectOne, Królewska 65A/1, 30-081, Kraków, Poland.|
|Microsoft Company||USA||SCC and additional measures||Use of cloud services for customer communications (Microsoft Teams, Microsoft Azure internal Access Management).||Microsoft Corp., One Microsoft Way, Redmond, WA 98052-6399, USA|
|DocuSign Germany GmbH||Germany||Binding corporate rules according to Art. 47 GDPR.||Electronic signing of contracts on the basis of Art. 6 I. 1 b GDPR||DocuSign Germany GmbH, New Rothofstraße 13-19|
|Aircall, Inc.||France||SCC and additional measures||Cloud-based call centre software on the basis of Art. 6 I. b and f||Aircall, Inc., 11 Rue Saint-Georges, 75009 Paris,|
|Switzerland||Adequacy decision pursuant to Art. 45 GDPR||Establishment and management of the billing account and thus necessary fulfillment of legal requirements (pursuant to Art. 6 Para. I lit. b, c and f) GDPR). Furthermore, for the purpose of issuing the Yokoy Card and the associated legal requirements (pursuant to Art. 6 Para. I lit. b, c and f) GDPR).||5600 Lenzburg, Switzerland|
|Exceet Card Group||Germany||SCC and additional measures||Processing and authorisation of transactions for the Swiss Yokoy company card.||Exceet Card Group, Edison Strasse 3, 85716 Unterschleissheim|
|Cookiebot||Denmark||SCC and additional measures||Cookie management tool on our website.||Havnegade 39, 1058 Copenhagen, Danmark|
|Salesforce Ireland Ltd.||Ireland||BCR+SCCs||CRM||One Central Park|
|Atlassian||Netherlands||SCC and additional measures||Development and ticketing tool||Atlassian B.V., Singel 236, 1016 AB Amsterdam|
|Cognism||England||SCC and additional measures||Prospecting Tool||Cognism Inc., Yards, 13 Dirty Ln, London SE1 9PA|
|Echobot||Germany||SCC and additional measures||Prospecting Tool||Echobot GmbH, Durlacher Allee 73, 76131 Karlsruhe|
|Modulr Finance B.V.||Netherlands||SCC and additional measures||E-Money Institution, Account Provider (Yokoy Pay)||Modulr Finance B.V., Weteringschans 165C, 1017 XD,|
|Payment Malta Limited||Malta||SCC and additional measures||BIN Sponsor (Licensor Visa)||Transact Payments Malta Limited, Waterfront, Pinto Wharf, Valletta, Malta, FRN 1913|
|Marqeta, Inc||USA||SCC and other||Processor||Marqeta, Inc., 180 Grand AVE, 6th floor, Oakland, CA 94612|
|Tag Systems UK ltd||United||Adequacy decision according to Art. 45 GDPR||Physical production of the cards||Tag Systems UK ltd, 32 Marathon Pl, Industrial Estate, Leyland PR26|
E. Data security
1. Physical security
Access to the building and offices is only granted via a badge system, which is personally issued by the supervisor. For better traceability, entries and exits to the engineering offices are also logged. There is an internal physical security policy that is included in regular employee training.
Access to our online offer takes place via transport encryption (SSL / TLS, in particular with the Hypertext Transfer Protocol Secure, abbreviated HTTPS). Most browsers indicate the transport encryption by a padlock in the address bar.
Even when the data is with us, it is in good hands. We chose Google Cloud Platform as our cloud provider because Google has always evolved in terms of data security and offers us a reliable service. Google’s collaboration with SAP ensures high data availability. The security and data protection of Google products are independently audited on a regular basis (ISO/IEC 27001, 27017, 27018, SOC 1/2/3, GDPR). An overview of all certifications is available here: Google Cloud Compliance.
The data in the cloud is encrypted with 256-bit AES (Advanced Encryption Standard) and all data is also encrypted during transmission. The storage of the data is contractually assured in the EU (Frankfurt, St. Ghislain, Belgium and Zurich) and the keys for encryption are held by Yokoy. An internal encryption policy is in place and is part of regular employee training.
3. Access management
Access is based on the need-to-know principle and is role-based. All activities are logged in order to be able to verify and prove access to the data. In addition, all access management issues are documented in an internal policy. All employees are also subject to a confidentiality obligation.
4. Data availability
The data is provided on demand and automatically backed up every 24 hours in an encrypted cloud (storage period 30 days), so that the data is available at all times. The multi-tenant infrastructure also ensures that the data is available even if an incident were to occur at a specific data center and it were to be unavailable for a short time. A good overview of the security measures in a typical Google Cloud data center can be found here: Security in the Google Datacenter.
5. Emergency plan
If, despite all measures, a data incident should occur, we are prepared for it and will put our internal emergency plan into action to inform customers and partners and minimize the damage.
F. Data storage and data deletion
We respect your data and store it only as long as it is absolutely necessary for the intended purpose (principle of data minimization according to Art. 5 lit. c GDPR and Art. 4 Para. 2 FADP). In case of data provided to us by you as part of an order, we delete the data in accordance with the specifications of the order. Personal data is only collected, processed and used to the extent that it is necessary for the establishment, content or modification of the legal relationship (inventory data). This is done on the basis of Art. 6 Para. 1 lit. b GDPR, which allows us to process data for the fulfillment of a contract or pre-contractual measures. At the request of the customer, the data will also be stored in our archive for a longer period of time, e.g. for an audit or for a tax audit, based on a specially set up audit role with read-only rights. The right to deletion according to Art. 17 GDPR is always reserved, provided that the legal requirements for this right are met. In addition, we store daily backups of our data in order to comply with the principle of data availability. The backup data is automatically deleted after 30 days. The procedure for data storage and data deletion is documented in an internal policy.
G. Your rights
1. Right to confirmation Art. 15 GDPR and 4 para. 3 FADP
On the basis of Art. 15 GDPR and Art. 4 Para. 3 FADP, you have the right to request confirmation from us as to whether personal data relating to you is being processed. To do so, please contact us via the above contact person.
2. Right to information Art. 15 GDPR and 8 para. 1 FADP
In accordance with Art. 15 GDPR and Art. 8 Para. 1 FADP, you also have the right to receive from us at any time and free of charge information about the data stored about you and a copy of this data in accordance with the legal provisions. To do so, please contact us via the contact person above. This data is provided in JSON or .csv format.
3. Right of rectification Art. 16 GDPR and 5 para. 2 FADP
You have the right to request the rectification of inaccurate personal data concerning you. You also have the right to request that incomplete personal data be completed, taking into account the purpose of the processing. This obligation to correct data also arises under Swiss law from Art. 5 Para. 2 FADP, provided that the legal requirements are met. The obligation to keep the employee user master data up to date lies with the customer, as we receive this data from the customer and are not in a position to verify it.
4. Right to erasure Article 17 GDPR
You have the right to demand that we delete the personal data concerning you without delay, provided that one of the reasons provided for by law applies and insofar as the processing or storage is not necessary. To do so, please contact us via the above contact person.
5. Restriction of processing Article 18 GDPR
You have the right to request that we restrict processing if one of the legal requirements is met. To do so, please contact us via the contact person above.
6. Obligation to notify according to Art. 19 GDPR
Yokoy will communicate changes, deletions and restrictions of data processing to third parties, unless this proves impossible or involves a disproportionate effort.
7. Data portability Article 20 GDPR
You have the right to receive the personal data concerning you that you have provided to us in a structured, common and machine-readable format. We provide the data in .csv or JSON format. You also have the right to transfer this data to another controller without hindrance from us, to whom the personal data has been provided, provided that the processing is based on consent pursuant to Art. 6 Para. 1 lit. a GDPR or Art. 9 Para 2 lit. a GDPR or on a contract pursuant to Art. 6 Para. 1 lit. b GDPR and the processing is carried out with the aid of automated procedures, unless the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us.
Furthermore, when exercising your right to data portability pursuant to Article 20 Para. 1 GDPR, you have the right that the personal data be transferred directly from one controller to another controller, to the extent technically feasible and provided that this does not adversely affect the rights and freedoms of other individuals. For this purpose, the data may be provided in .CSV or .JSON format. To do so, please contact us via the contact person above.
8. Objection Article 21 GDPR
You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you that is carried out on the basis of Art. 6 Para. 1 lit. e or lit. f GDPR. This also applies to profiling based on these provisions within the meaning of Art. 4 No. 4 GDPR. If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing is necessary for the establishment, exercise or defense of legal claims.
In individual cases, we process personal data in order to conduct direct advertising. You may object to the processing of personal data for the purpose of such advertising at any time. This also applies to profiling, insofar as it is associated with such direct advertising. If you object to the processing for direct marketing purposes, we will no longer process the personal data for these purposes.
You also have the right to object, on grounds relating to your particular situation, to the processing of personal data concerning you which is carried out by us for scientific or historical research purposes or for statistical purposes pursuant to Art. 89 Para. 1 GDPR, unless such processing is necessary for the performance of a task carried out in the public interest.
In connection with the use of information society services, and notwithstanding Directive 2002/58/EC, you are free to exercise your right to object by automated means using technical specifications. To do so, please contact us via the contact person above.
9. Revocation of consent under data protection law
You have the right to revoke your consent to the processing of personal data in accordance with Art. 7 Para. 3 GDPR at any time with effect for the future. To do so, please contact us via the contact person above.
10. Complaint to a supervisory authority
You have the right to lodge a complaint about the processing of personal data by us with a supervisory authority responsible for data protection in accordance with Article 77 of the GDPR. In Switzerland, our supervisory authority is the Federal Data Protection and Information Commissioner (FDPIC):
Federal Commissioner for Data Protection and Freedom of Information
CH – 3003 Bern
Telephone: +41 (0)58 462 43 95 (Mon. to Fri., 10.00 to 12.00)
Fax: +41 (0)58 465 99 96
For data subjects from the EU area, our lead supervisory authority is
Bavarian State Office for Data Protection Supervision (BayLDA)
Phone: +49 (0) 981 180093-0
We can adapt and supplement this data protection declaration at any time. We will inform you about such adjustments and additions in an appropriate form, in particular by publishing the respective current data protection declaration on our website.
Provisions regarding Yokoy Pay
NOTE: The terms below are part of our SaaS agreement signed with the customer and are added here only for transparency purposes, as we are aware that due to the nature of the Yokoy Pay program, it processes a significant amount of data with different partners. For more information, please visit our website: Yokoy Pay.
With Yokoy Pay, card expenses can be processed as easily as expense receipts in Yokoy. To offer this service, Yokoy works with partners. This appendix shows the data flows transparently. With all partners, Yokoy has concluded a data processing agreement within the meaning of Art. 28 (3) GDPR. The General Terms and Conditions of Yokoy, Transact Payments Malta Limited and Modulr Finance B.V. are an integral part of this contract and can be viewed on the website yokoy.ai.
Modulr provides Yokoy customers with the account associated with the card. Modulr is an e-money institution under the supervision of the Dutch Central Bank. The customer agrees that an account will be opened in his name with Modulr Finance B.V.
Processed data: Name, first name, account information, transaction data, information related to the KYB process.
Purpose of processing: To provide the Modulr account.
Contact address: Weteringschans 165C, 1017 XD, Amsterdam.
More information can be found at Modulrfinance.
2. Transact Payments Malta Ltd. BIN Sponsor
Transact Payments Malta Ltd. is our Card Issuer and BIN Sponsor. They provide us with the Visa license.
Processed data: Name, first name, birthday, address, email address, telephone number, transaction and payment data.
Purpose of processing: issuance of the card, licensor for Visa.
Contact address: Transact Payments Malta Ltd. vault 13-15, Valletta Waterfront, Pinto Wharf, Valletta, Malta, FRN 1913.
Further information can be found at Transactpayments.
3. Marqeta, Inc. Processor
Marqeta is our processor. Marqeta guarantees the correct flow of card transactions.
Processed Data: Cardholder Data, i.e., the primary account number (“PAN”) identifying the particular Cardholder Account, the Cardholder Name, Expiration Dates and/or the Service Code (a three- or four-digit value in the magnetic stripe following the Payment Card Expiration Date in the Card Data), and Sensitive Authentication Data, such as Card Validation Codes/Values, Full Card Data (from the magnetic stripe or a corresponding chip), Personal Identification Number (“PIN”), and PIN Locks.
Transaction data, i.e. data related to the electronic payment card transaction.
Account Data, which consists of Cardholder Data and/or Sensitive Authentication Data and may include a unique representation of data such as name and address (if we provide this information to a card manufacturer) or cell phone number and/or email (if we send SMS or email for 3DS or tokenization).
Purpose of processing: enabling the card transactions.
Contact address: Marqeta, Inc. 180 Grand Avenue, 6th Floor, Oakland, CA 94612.
More information can be found at www.marqeta.com.
4. Tag Systems UK Ltd: Physical card manufacturer
Tag Systems produces the physical cards for Yokoy.
Processed data: First name, last name, card expiration date, CVV, account number, address.
Purpose of processing: physical card production.
Contact address: 32b Marathon Pl, Moss Side Industrial Estate, Leyland PR26 7QN, United Kingdom.
More information can be found at TagSystems.