Is Yorze GDPR compliant?


What is GDPR? – General background:

Are there any specific rules businesses should be following in order to ensure compliance?

Article 5 of the EU GDPR states that personal data must be:

• Processed lawfully, fairly and in a transparent manner

• Collected only for specified, explicit and legitimate purposes

• Adequate, relevant and limited to what is necessary

• Accurate and kept up to date

• Held only for the absolute time necessary and no longer

• Processed in a manner that ensures appropriate security of the personal data



What will the penalties be for failing to comply with GDPR?

The GDPR has introduced a tiered approach to fines, meaning that the severity of the breach will determine the fine imposed.

The maximum fine a company can face is 4% of its annual global turnover, or €20 million, whichever is higher.

Less serious violations, such as having improper records or failing to notify of any breaches, can incur a maximum fine of 2% of annual global turnover, or €10 million.



What rights will individuals have under GDPR?

There are 8 fundamental rights of individuals under GDPR. These are:

  • The right to be informed – Organisations must be completely transparent in how they are using personal data.
  • The right of access – Individuals will have the right to know exactly what information is held about them and how it is processed.
  • The right of rectification – Individuals will be entitled to have personal data rectified if it is inaccurate or incomplete.
  • The right to erasure – Also known as ‘the right to be forgotten’, this refers to an individual’s right to have their personal data deleted or removed without the need for a specific reason as to why they wish to discontinue.
  • The right to restrict processing – Refers to an individual’s right to block or suppress processing of their personal data.
  • The right to data portability – This allows individuals to retain and reuse their personal data for their own purpose.
  • The right to object – In certain circumstances, individuals are entitled to object to their personal data being used. This includes cases where a company uses personal data for the purpose of direct marketing, scientific and historical research, or for the performance of a task in the public interest.
  • Rights of automated decision making and profiling – The GDPR has put in place safeguards to protect individuals against the risk that a potentially damaging decision is made without human intervention. For example, individuals can choose not to be the subject of a decision where the consequence has a legal bearing on them, or is based on automated processing.

Our commitment to GDPR:

Yorze complies with the GDPR. This guide is intended to help our customers understand what we have worked on to make sure they stay safe with Yorze.



Team Training

At Yorze, all employees have been trained on the GDPR principles. New joiners, employees, consultants or freelancers joining forces with us are also strongly advised, if not required, to complete this training.



Data Protection Officer

In accordance with the Information Commissioner’s Office (ICO), we designated and officially registered a DPO (Data Protection Officer).

This is also mentioned in our DPA (Data Privacy Agreement) that each of our clients is invited to sign.

Our DPO is responsible for the following:

  • Informing and advising Yorze teams on good practices required under the GDPR
  • Monitoring compliance with Data Protection laws
  • Advising Yorze on the possibility of carrying out impact studies and following their smooth running
  • Cooperating with the CNIL and remaining its official point of contact

Impact assessment

We keep up-to-date confidential maps and impact assessments on:

  • How the data collected about Yorze users is processed securely
  • The type of data collected
  • The objectives of these operations as part of our business
  • Who has access to this data

We also carried out a Privacy Impact Assessment to make sure this process is carried out in line with the regulations.



Where is customer data stored?

All Yorze Data is stored in the AWS cloud in the EU region. Yorze has no local servers to store data on.



How is customer data secured?

Documents provided by the customers of Yorze clients are stored encrypted with AES-256 using keys supplied via the AWS Key Management Service (KMS).



How is customer data transmitted?

Data is transmitted to the Yorze Service on AWS using secure HTTPS connections.



How does Yorze take care?

Yorze maintains separate AWS environments for development and live customer data. These environments use separate AWS accounts to ensure no unauthorized access to customer data.

All operations within the Yorze AWS environments are logged and monitored.



Customer Information

We modified both our Terms of Service and Privacy Policy. Through the Security Center, users can learn more about their rights under the GDPR when it comes to:

  • Accessing their Data
  • Correcting their data
  • Deleting data
  • Exporting data to a digital medium, in a “structured” format (e.g., .xls, .csv, .xml file)
  • Limiting and objecting to the processing of their data

These rights also apply to the customers of our users.

This means that upon request from their customers, our users (who are responsible for the processing of what they collect using Yorze) can obtain access to, and rectification, deletion, export and limitation of, the data.



Helping you comply with GDPR

We also encourage you to update your Privacy Policy to specify to your clients that you’re using Yorze to securely collect personal data about them.

Once that’s done, you’ll be able to add the URL of your Privacy Policy to the secure client portal to make sure they read it before uploading their documents.



The GDPR requires you as a Yorze Customer to sign a DPA (Data Processing Agreement).

Data Protection Act

Under the GDPR, there must be a written contract when one business processes personal data on behalf of another business.

In other words, the law requires that we (Yorze) define this business relationship in a written agreement in order for your business to be compliant with the GDPR.



Why does it apply to Yorze users?

Because you’re very likely to run a business if you’re using the Yorze service.

In this case, you’re using Yorze to request and collect documents and information which may contain personal data about people or entities you’re in business with.