Respect for privacy is a fundamental right and one of Yogosha’s core values as we strive to make our Customers’ information systems a safer place.
Respect for privacy and personal data has been of the utmost importance to Yogosha since its creation by its founders. That is why we commit ourselves to processing personal data in strict compliance with the regulations in force concerning the protection of personal data (hereinafter the “Regulations”), in particular the French Data Protection Act of January 6, 1978 (hereinafter the “LIL”) as amended and the General Data Protection Regulation of April 27, 2016 (hereinafter the “GDPR”), known as Regulation EU 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
In view of the boom in personal data transfers and the non-negligible risks to the fundamental rights and freedoms of European citizens, Yogosha undertakes:
- To make respect for the principles of privacy by default and by design (article 25 of the GDPR) a priority;
- To process personal data in a lawful, fair and transparent manner for legitimate, explicit and specified purposes (article 5 of the GDPR);
- To facilitate, at any time, the exercise of the rights of the Users of the Site in particular via the e-mail address [email protected] 📩
In addition, Yogosha commits itself:
- To refrain from monetizing your personal data 🙅🏻♀️: Yogosha will never monetize your personal data in any way whatsoever to third parties. Such monetization would contradict Yogosha’s principles, which are to act as an intermediary platform between Researchers and Clients willing to secure their websites and applications;
- To select its subcontractors scrupulously 🕵🏻 and ensure that they have an adequate level of personal data protection through relevant organizational and technical measures, and that they have the best certifications on the market (ISO27001, SOC2, …) and the most secure means of authentication (MFA, SSO, …). Considering its core activity, Yogosha ensures that its subcontractors regularly test the efficiency of their technical and organizational measures (Pentest, Bug Bounty, VDP, etc.);
- To host data in the most secure way possible 🔐, in accordance with the recommendations of the protection authorities and more particularly the European Data Protection Board (EDPB). This is the reason why Yogosha chose a French company, Outscale, to host its platform, in order to avoid any transfer to the United States in view of the invalidation of the Privacy Shield via the so-called “Schrems II” ruling.
2. Definitions 🤓
Personal Data: has the same meaning as given by the GDPR and, more specifically concerning you: your name, first name, job title, telephone number, IP address and other data described below. These are all data that can identify you directly or indirectly as a natural person.
Pentest: means a campaign launched by the User on the Platform, through a Pentest Program and in accordance with the duration and terms specified, during which the User may ask either the Yogosha Researchers and/or External Researchers and/or In-House Researchers, to search for Vulnerabilities. The time allocated for the mission is defined as well as the amount paid to the Researchers in return for the mission which will be a fixed price regardless of the number and criticality of the Vulnerabilities identified.
Services: When reference is made to our Services, this includes one or more of the following Services: VDP, Pentest, Bug Bounty 🐱🏍, the VOC, according to the service subscribed by Your company via the signature of the Platform T&C.
Site: when reference is made to the Site, it refers to the Yogosha website accessible at https://www.yogosha.com, a site secured by an SSL certificate, as indicated by the padlock at the bottom left of your URL. This site is our showcase site where you can learn about our services from VDP to Bug Bounty, Crowdsourced Pentest and our complete VOC (Vulnerability Operation Center) offer.
Sub-processor: means a natural or legal person, public authority, agency or other body which processes personal data of the Data Processor and that has been entrusted by the Data Processor to do so.
VOC: Vulnerability Operation Center
3. Origin of Personal Data 🧿
Yogosha may collect and process personal data:
- when you fill in the contact form to be contacted by the Yogosha sales team;
- when you subscribe to the Yogosha newsletter to receive our latest news about our offers and cybersecurity;
- when you fill in the form to receive our Yogosha white paper and the case study that Yogosha makes available on its website;
- when you want to join our team by sending us your application or to apply for one of our latest offers;
- when you browse the Site;
- when you contact us to participate in a live hacking;
- when you contact us to participate in an event or to make an appointment for a future event (e.g. a trade show);
- when you contact us to participate in a webinar; or
- when you contact us to inquire about the Partners Programs (Associate and Strategic).
4. Data processing and data retention 🕰
What are the Personal Data we are processing?
First, Yogosha asks itself the question of the necessity and proportionality of the data collected (data minimization principle). Processing data to provide a service is essential, but Yogosha is committed to ensuring that this data is collected only when necessary. If, as a User, You wish to object to the collection of such data or if You are unwilling to provide any personal data, You may not be able to use our Services or browse our Site and the user experience may be affected.
What are the retention periods?
At Yogosha, in accordance with the GDPR, we do not retain personal data for longer than is necessary for the purpose for which we collected it.
Where Yogosha acts as a processor under the GDPR, and therefore acts under the instructions of its Clients who are Data Controllers, default retention periods have been established in our Platform T&Cs entered into with our Customers. When the retention period comes to an end, the data is permanently deleted or anonymized, unless it is retained for evidential purposes (existence of a dispute, etc.).
In view of the legal obligations of PSPs to archive their data with regard to the fight against money laundering and the financing of terrorism (LCB-FT), MangoPay’s retention periods may be longer, as it retains the data for the duration of the legal prescription.
Depending on the type of processing in question, Yogosha may act as a Data Controller or as a Data Processor. These qualifications may appear complex at first glance, but what must be kept in mind is that it is the Controller who defines the means and purposes of the processing, while the Subcontractor acts in the name and on behalf of the Controller. Regardless of the qualification chosen, whether acting as a Data Controller or Subcontractor, Yogosha undertakes to keep confidential the personal data transmitted. This obligation of confidentiality appears to us to be crucial in view of our sector of activity.
| Type of personal data | Purposes | Legal basis | Data retention period |
|---|---|---|---|
| For each prospect: name, surname, function, e-mail address, phone number, IP address | Newsletter registration: to facilitate the sending of the newsletter; registration to an event (Live Hacking Event) or download of a white paper: sending of the white paper and participation in an online event. Sending information about our partnerships (Associate or Strategic) | Legitimate interest of Yogosha to ensure its external communication | Duration of the subscription to the newsletter. Deletion at the request of the prospect or client. |
| Identification data: CV, cover letter (name, first name, email address, phone number, address, diplomas, interests). | Recruitment process: receipt of spontaneous applications and responses to job offers (redirection to the Welcome to the Jungle website) | Necessary for interviewing the candidate, possible references. To review your application and assess your professional skills in relation to Yogosha’s needs. When we review your application and contact you as part of a recruitment process, the processing of your data is necessary for the performance of pre-contractual measures, i.e. reviewing your application. | Two years from the last contact with the candidate |