Privacy Policy

1. Preamble

This Privacy Policy is addressed to the Users of the Yogosha website (hereinafter the “Site”) who browse the Site and its main purpose is to inform them about the way their personal data may be collected and processed by Yogosha during their browsing.

Respect for privacy is a fundamental right and one of Yogosha’s core values as we strive to make our Customers’ information systems a safer place.

The respect of privacy and personal data is of the utmost importance to Yogosha and has been since its creation by its founders. That is the reason why we commit ourselves to treat them in the strictest respect of the regulations in force concerning the protection of personal data (hereafter the “Regulations”), in particular the French Data Protection Act of January 6, 1978 (hereinafter the “LIL”) as amended and the General Data Protection Regulation of April 27, 2016 (hereinafter the “GDPR”) known as Regulation EU 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

In view of the boom in personal data transfers and the non-negligible risks to the fundamental rights and freedoms of European citizens, Yogosha ensures:

  • To make the respect of the principles of privacy by default and by design (article 25 of the RGPD) a priority ;
  • To process personal data in a lawful, fair and transparent manner for legitimate, explicit and specified purposes (article 5 of the GDPR) ;
  • To facilitate, at any time, the exercise of the rights of the Users of the Site in particular via the e-mail address [email protected]

In addition, Yogosha commits itself :

  • To refrain from monetizing your personal data ‍♀️ : Yogosha will never monetize your personal data in any way whatsoever to third parties. Such a monetization would contradict with Yogosha’s principles which is acting as an intermediary platform between Researchers and Clients willing to secure their websites and applications;
  • To select its subcontractors scrupulously and ensure that they have an adequate level of personal data protection through relevant organizational and technical measures and that they have the best certifications on the market (ISO27001, SOC2, …) and the most secure means of authentication (MFA, SSO, ….). Considering its core activity, Yogosha ensures that its subcontractors regularly test the efficiency of their technical and organizational measures (Pentest, Bug Bounty, VDP, etc…);
  • Hosting data in the most secure way possible , in accordance with the recommendations of the protection authorities and more particularly the European Data Protection Board (EDPB). This is the reason why Yogosha chose a French company to host its platform, Outscale, in order to avoid any transfer to the United States in view of the invalidation of the Privacy Shield via the so-called “Schrems II” ruling.

2. Definitions

Personal Data: has the same meaning as given by the RGPD and more specifically concerning you: your name, first name, job title, telephone number, IP address and other data described below. These are all data that can identify you directly or indirectly as a natural person.

Pentest: means a campaign launched by the User on the Platform, through a Pentest Program and in accordance with the duration and terms specified, during which the User may ask either the Yogosha Researchers and/or External Researchers and/or In-House Researchers, to search for Vulnerabilities. The time allocated for the mission is defined as well as the amount paid to the Researchers in return for the mission which will be a fixed price regardless of the number and criticality of the Vulnerabilities identified.

Services: When reference is made to our Services, this includes one or more of the following Services: VDP, Pentest, le Bug Bounty ‍, the VOC according to the service subscribed by Your company via the signature of the Platform T&C.

Site: when reference is made to the Site, it refers to the Yogosha website accessible at, a secure site via the choice of an SSL certificate as indicated by the padlock at the bottom left of your URL. This site is our showcase site where you can learn about our services from VDP to Bug Bounty, Crowdsourced Pentest and our complete VOC (Vulnerability Operation Center) offer.

Sub-processor: means a natural or legal person, public authority, agency or other body which processes personal of the Data Processor and that has been entrusted by the Data Processor to do so

VOC: Vulnerability Operation Center

3. Origin of Personal Data

Yogosha may collect and process personal data :

  • when you fill in the contact form to be contacted by the Yogosha sales team ;
  • when you subscribe to the Yogosha newsletter to receive our latest news about our offers and cybersecurity ;
  • when you fill in the form to receive our Yogosha white paper and the case study that Yogosha makes available on its website ;
  • when you want to join our team by sending us your application or to apply for one of our latest offers; or
  • when you browse the Site; ;
  • when you contact us to participate to a live hacking ;
  • when you contact us to participate in an event / or to make an appointment for a future event (e.g. a trade show) ;
  • when you contact us to participate in a webinar ;
  • when you contact us to inquire about the Partners Programs (Associate and Strategic).

Yogosha may automatically collect Personal Data when you are navigating on the Yogosha website. This automatic collection may include the use of cookies and other trackers.

For more information on the cookies we collect, you can read our Cookie Policy available at the footer of the Yogosha Site at any time as well as when you first browse the Yogosha Site. We use the Axeptio consent manager system to ensure that we collect your consent in accordance with the recommendations of the CNIL, the French Data Protection Authority.

4. Data processing and data retention

What are the Personal Data we are processing?

First, Yogosha asks itself the question of the necessity and proportionality of the data collected (data minimization principle). Processing data to provide a service is essential, but Yogosha is committed to ensuring that this data is collected only when necessary. If, as a User, You wish to object to the collection of such data or if You are unwilling to provide any personal data, You may not be able to use our Services or browse our Site and the user experience may be affected.

What are the retention periods?

At Yogosha, in accordance with the GDPR, we do not retain personal data for longer than the purpose for which we collected it.

Where Yogosha acts as a processor under the GDPR, and therefore acts under the instructions of its Clients who are Data Processors. Default retention periods have been established in our Platform T&Cs entered into with our Customers. When the retention period comes to an end, the data is permanently deleted or anonymized, unless it is retained for evidential purposes (existence of a dispute, etc.).

In view of the legal obligations of PSPs to archive their data with regard to the fight against money laundering and the financing of terrorism (LCB-FT), MangoPay’s retention periods may be longer, as it retains the data for the duration of the legal prescription.

  • What kind of processing?

Depending on the type of processing in question, Yogosha may act as a Data Processor or as a Data Processor. These qualifications may appear complex at first glance, but what must be kept in mind is that it is the Controller who defines the means and purposes of the processing while the Subcontractor acts in the name and on behalf of the Controller. Regardless of the qualification chosen, whether acting as a Data Controller or Subcontractor, Yogosha undertakes to keep confidential the personal data transmitted, this obligation of confidentiality appearing to us to be crucial in view of our sector of activity.

Type of personal data Purposes Legal basis  Data retention period
For each prospect : name, surname, function, e-mail address, phone number, IP address Newsletter registration: to facilitate the sending of the newsletter; registration to an event (Live Hacking Event) or download of a white paper: sending of the white paper and participation to an online event. Sending information about our partnerships (Associate or Strategic) Legitimate interest of Yogosha to ensure its external communication Duration of the subscription to the newsletter. Deletion at the request of the prospect or client. 
Identification data: CV, cover letter (name, first name, email address, phone number, address, diplomas, interests). Recruitment process: receipt of spontaneous applications and responses to job offers (redirection to the Welcome to the Jungle website) Necessary for interviewing the candidate, possible references. To review your application and assess your professional skills in relation to Yogosha’s needs. When we review your application and contact you as part of a recruitment process, the processing of your data is necessary for the performance of pre-contractual measures, i.e. reviewing your application. Two years from the last contact with the candidate


Where is your data hosted?

Since the invalidation of the Privacy Shield and the so-called Schrems II ruling, the transfer of personal data of European citizens must be subject to additional measures to ensure that they are processed in compliance with the GDPR. Yogosha has chosen a French hosting provider for its Platform, Outscale, whose Tier VI data centers are located in France. The website is hosted thanks to Scaleway which datacenters are also located in France .

5. Data Sub-Processors and recipients of Personal Data ‍

Who are our subprocessors ?

In order to select subcontractors who respect the GDPR, Yogosha screens them before the conclusion of any contract so that they are mostly located in the European Union and respect the state of the art in terms of technical and organizational measures. If the subcontractor is not located in the European Union, it must be established in a country that has been subject to an adequacy decision or at least be located in a country whose level of protection of personal data is at least equivalent to that offered by the European Union thanks to the GDPR.

Subprocessor identity Data processing undertaken  Category of data processed Localization of the data  Technical and organizational measures  Contractual warranties for transfer outside the European Union 
Hubspot Handling the prospect database Identification data United States SOC2 compliant and compliance to the ISO27001 Signature of a DPA and of the latest SCC
Mailchimp Commercial prospection Identification data United States Mailchimp and European data transfers | Mailchimp Mailchimp publishes a transparency report every year: Mailchimp Transparency Report | Mailchimp It is important to note that Mailchimp does not sell, rent or trade any user data. Signature of the latest SCC
Scaleway  Hosting provider Identification data  France  Scaleway commits itself to implement security measures in compliance with the GDPR. Scaleway commits itself to adopt organizational and technical measures as laid down in its security policy displayed on its website.  No transfer outside the EU 
WordPress CMS Identification data United States Confidentiality Policy WordPress  Signature of the last SCC 
Zendesk  Ticketing system Name and surname of the requester who created the ticket, personal data displayed in the ticket if need be  Ireland Zendesk has implemented Binding Corporate Rules and releases a transparency report (Privacy and Data Protection – Zendesk). Zendesk servers are Tier IV or III+, SSAE 16, and the site of the said servers are PCI DSS compliant and compliant to the ISO 27001 too. Zendesk undertakes Pentests thanks to third party on a regular basis and their support team is available 24h/24 7j/7 to address incident issues. No transfer outside the EU

6. Right of Access of the Data Subject → You

En cas de dépôt de plainte, l’autorité de contrôle compétente est la CNIL, dont le site est le suivant :

Yogosha has appointed a Data Protection Officer in compliance with article 37 of the GDPR. If you want to reach out the DPO to enforce your right of access, rectification, erasure, or deletion, or objection rights, you can send an email to the following address : [email protected]

If you want to file a complaint with the Data Protection Authority, the competent DPA is the CNIL which website is the following :

7. Cookies

At Yogosha, we like Bountys (especially Bugs Bountys) but we also like cookies, provided that you have granted your consent priorily and that the recommendations of the CNIL are fully complied with. We use cookies to improve your navigation when you are reading our website or when you are logged on our Platform as a User. In order to dig further on cookies and other tracking tools, we invite you to read our Cookie Policy which is available at all times on the footer of our website next to the Legal Notices and the Privacy Policy.

8. Security at first : the Technical and Organizational Measures

In compliance with article 32 of the GDPR, Yogosha has implemented technical and organizational measures in order to secure the access to his Site

9. Modification

The Privacy Policy might be modified as time goes by. We invite you to read this section regularly.

10. Contact details of the Data Protection Officer

Yogosha has appointed a Data Protection Officer before the CNIL in compliance with article 37 of the GDPR. If you want to reach out our DPO in order to enforce your right of access, your right to erasure, right of restriction of processing, right to object and right to data portability, you can send your request to the following email address : [email protected]


To the attention of the DPO

47, rue Marcel Dassault

92514 Boulogne Billancourt CEDEX