Yva Privacy Policy for Cloud Services

Where applicable, this Data Processing Addendum ("DPA") is hereby incorporated in the Yva Terms of Service for Cloud Services (the "Terms"), found at yva.ai/en/terms, unless you ("Customer") have entered into a superseding written agreement with Yva, in which case, it forms a part of such written agreement. All capitalized terms not defined herein shall have the meaning set forth in the Terms. Unless you have a superseding written agreement with Yva, Yva may amend this Data Processing Addendum from time to time on its Website (https://yva.ai/en/), as its business evolves. Any revisions will become effective on the date Yva publishes the changes. You can review the most current version of the Data Processing Addendum at any time by visiting this page. If Customer uses the Cloud Services after the effective date of any changes, that use will constitute the acceptance of the revised Data Processing Addendum.

 

DPA specifies the data protection obligations of the parties, which arise from contract data processing on behalf, as stipulated in the Terms. It applies to all activities performed in connection with the Terms in which the staff of Yva or a third party acting on behalf of Yva may come into contact with Customer Data.

 

DPA sets out the additional terms, requirements and conditions on which Yva will process Customer Data when providing services under the Terms. DPA contains the mandatory clauses required by Article 28(3) of the General Data Protection Regulation ((EU) 2016/679) ("GDPR").



  1. DEFINITIONS AND INTERPRETATION.

 

The following capitalized terms shall have the meaning ascribed to them below: "Customer" means the entity which determines the purposes and means of Processing of Customer Data.

 

"Customer Data" means any "Personal Data" (as defined in GDPR) that is provided by or on behalf of Customer in the course of using the Cloud Services and Processed by Yva pursuant to DPA.

 

"Data Protection Regulator" means the applicable supervisory authority with jurisdiction over either party, and in each case any successor body from time to time;

 

"Data Subject" has the meaning set out in GDPR;

 

"Data Controller" has the meaning set out in GDPR;

 

"Data Processor" has the meaning set out in GDPR;

 

"Instruction" means the written instruction issued by Customer to Data Processor in order to direct Data Processor to perform a specific action with regard to Customer Data (including, but not limited to, de-personalizing, blocking, deletion, making available). Instruction shall initially be specified in DPA and may, from time to time, thereafter, be amended, amplified or replaced by Customer in separate written instruction (individual instruction).

 

"Privacy Laws" means all applicable data protection and privacy legislation, regulations and guidance governing the protection of Personal Data including but not limited to Regulation (EU) 2016/679 (the "General Data Protection Regulation" or "GDPR"); and

 

"Process", "Processing" or "Processed" have the meaning set out in GDPR.

 

"Personal Data Breach" has the meaning set out in GDPR.



  1. PROTECTION OF PERSONAL INFORMATION.

 

2.1. Supersedence. DPA shall supersede any and all provisions of the Terms inconsistent herewith.

 

2.2. Data Controller and Data Processor. The Parties acknowledge that the Customer is the Data Controller and Yva is the Data Processor of Customer Data. Yva will Process Customer Data in accordance with DPA. In some circumstances, Customer may be a Processor, in which case Customer appoints Yva as Customer's sub-processor, which shall not change the obligations of either Customer or Yva under DPA, as Yva will always remain a Processor with respect to Customer in such event.

 

2.3. Customer's Obligations. Customer warrants that Customer Data has been obtained fairly and lawfully and, in all respects in compliance with the Privacy Laws.

 

2.4. Yva's Obligations as Data Processor.

 

Yva shall:

 

2.4.1. Process Customer Data only within the scope of Customer's Instructions as set-out in DPA, including with regard to transfers of Customer Data to a third country, save where:

 

2.4.1.1. such Instructions are not complaint with Privacy Laws;

 

2.4.1.2. such Instructions would cause Yva to breach its own obligations under Privacy Laws or the Terms or any other agreement with a third party;

 

2.4.1.3. Yva is under a legal obligation to Process Customer Data, in which case Yva shall inform Customer of the legal obligation, except to the extent the law prohibits it from doing so; and/or

 

2.4.1.4. such Instructions severely violate functionality of the Cloud Services (e.g. functioning of the Cloud Services IT infrastructure), including but not limited to its existence.

 

2.4.2. inform the Customer if, in its opinion, an Instruction received from Customer infringes the Privacy Laws;

 

2.4.3. ensure that all Yva employees and personnel who are involved in the Processing of Customer Data have committed themselves to confidentiality or are under appropriate statutory obligation of confidentiality;

 

2.4.4. undertake to enter into a written agreement with any applicable sub-processors and such agreement will contain the same data protection obligations as set out in DPA. Yva will remain responsible for its compliance with the obligations stated herein and for any acts or omissions of the sub-processors. Customer acknowledges that Yva's contractual obligations hereunder, or the parts of the Cloud Services, will be performed by a subcontractor and consents to use of sub-processors by Yva as described in DPA to fulfil its contractual obligations under the Terms and to provide certain services on Yva's behalf.

 

2.4.5. Yva may, by giving no less than thirty (30) days' notice to Customer and/or publishing the changes in DPA on the Website (https://yva.ai/), add or make changes to the sub-processors. Customer may object to the appointment of an additional sub-processor within fourteen (14) calendar days of such notice on reasonable grounds relating to the protection of Customer Data, in which case Yva shall have the right to cure the objection through one of the following options (to be selected at Yva's sole discretion):

 

  • (a) Yva will cancel its plans to use the sub-processor with regard to Customer Data or will offer an alternative to provide the Cloud Services without such sub-processor; or
  • (b) Yva will take the corrective steps requested by Customer in its objection (which remove Customer's objection) and proceed to use the sub-processor with regard to Customer Data; or
  • (c) Yva may cease to provide or Customer may agree not to use (temporarily or permanently) the particular aspect of the Cloud Services that would involve the use of such sub-processor with regard to Customer Data, subject to a mutual agreement of the parties to adjust the remuneration for the Cloud Services considering the reduced scope of the Cloud Services.

 

If none of the above options are reasonably available and the objection has not been resolved to the mutual satisfaction of the parties within 30 days after Yva's receipt of Customer's objection, either party may terminate the Terms.

 

2.4.5.1. The Customer hereby approves following sub-processors: Microsoft Corporation (Microsoft Azure); Yva's Affiliates.

 

2.4.6. implement and maintain following appropriate technical and organizational security measures to protect against unauthorized or unlawful Processing of the Customer Data and against accidental loss, disclosure or destruction of, or damage to, the Customer Data , taking into account the state of the art, costs of implementation and nature, scope, context and purposes of Processing:

 

2.4.6.1. pseudonymization and/or encryption of Customer Data;

 

2.4.6.2. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of Processing systems and services;

 

2.4.6.3. the ability to restore the availability and access to Customer Data in a timely manner in the event of a physical or technical incident; and

 

2.4.6.4. a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the Processing.

 

2.4.7. Yva will, insofar this is possible, by appropriate technical and organizational measures, reasonably assist Customer with meeting Customer's compliance obligations with respect to the rights exercised by Data Subjects under the Privacy Laws (particularly the Data Subject's Rights stated in Chapter 3 of the GDPR and related to Data Subject's requests), taking into account the nature of the Processing. Taking into account the nature of Processing and any information available to Yva, Yva will further assist Customer in ensuring compliance with the obligations pursuant to Articles 32 to 36 GDPR, in particular its obligations to undertake data protection impact assessments and report to and consult with supervisory authorities under the Privacy Laws. In a situation where requested level of assistance will be excessive or unreasonably burdensome for Yva, any such assistance will be exercised at Customer's cost.

 

2.4.8. make available to Customer or an independent third party auditor mandated by the Customer (but not being a competitor of Yva or affiliated with Yva's competitor), to a maximum of once a year or when a Personal Data Breach is reasonably suspected, all reasonable information that Yva deems necessary to demonstrate compliance with the obligations imposed on Yva under Section 2 of DPA, and allow for and contribute to audits, including inspections for the sole purpose of demonstrating such compliance. Notwithstanding of the above, if an audit is excessive or unreasonably burdensome for Yva, then Customer shall reimburse Yva for such excessive or unreasonably burdensome audit. Yva may object to the deployment of a specific auditor if such auditor is not subject to confidentiality regarding the results of such audit (except vis-à-vis Yva and Customer); and

 

2.4.9. unless required by law, at Customer's request following termination or expiry of the Terms for whatever reason, securely delete all of the Customer Data.

 

2.5. Data Centers and International Data Transfers. Yva's data centers for hosting Cloud Services are located in the USA and the EU. Yva is authorized to process Customer Data itself as well as including its engagement of sub-processors in accordance with DPA outside the country in which Customer is located including countries where the data protection may not be as stringent in the country of (i) Customer's domicile and/or registered address or (ii) the EEA.

 

Yva shall process Customer Data outside of the EEA as permitted under the Privacy Laws as follows:

 

(i) Customer Data of an EEA based Customer is processed in a country outside the EEA (a "third country") that is determined by the European Union to have adequate level of data protection under Art. 45 GDPR; or

 

(ii) Customer Data is processed in a third country pursuant to adequate safeguards under Art. 46 GDPR including, but not limited to execution of Standard Contractual Clauses or an approved code of conduct or other appropriate safeguards (for instance EU-U.S. Privacy Shield/Swiss-U.S. Privacy Shield mechanism). In the event of using the SCC, Customer hereby (itself as well as on behalf of each Controller established within the EEA or Switzerland) accedes to the SCC between Yva and the sub-processor. Yva will enforce the SCC against the sub-processor on behalf of the Customer or Data Subject if a direct enforcement right is not available under Privacy Laws.



  1. INSTRUCTIONS FOR PROCESSING OF CUSTOMER DATA.

 

Yva will Process Customer Data in accordance with the following instructions:

Categories of Data Subjects: Customer's employees and End-Users.

 

The nature of Processing under this DPA: handling (including recording, structuring, organization) storing, sharing with subprocessors, accessing and reviewing Customer Data for the Processing purposes set out in this DPA.

 

Categories of Customer Data

Purposes of Processing

Duration of Processing

  • Account ID: Email address
  • Job-related Profile Information (e.g. First and last name; Job Title;
  • Timezone:
  • Department/Group; Employee ID)
  • End User Corporate Activity Data (e.g. IP Address; Email Meta Data; Content of the message; Other connected corporate sources data)
  • End User Answers to Surveys and other information that Shared on the Cloud Services by Customer or End Users

 

  • To provide Cloud Services in order to deliver End User engagement and performance analytics of the past and current activities and the predictive analytics insights about the best practices inside your organization and to detect areas of improvement (Account ID, Job-related Profile Information, End User Corporate Activity Data, End User answers to Surveys and other information)
  • To provide support services (Account ID, Job-related Profile Information)
  • To develop and improve our Cloud Services (Account ID, Job-related Profile Information, End User Corporate Activity Data, End User answers to Surveys and other information).
  • During the period of duration of the Terms
What this policy covers

Yva is committed to protecting your privacy. This policy is intended to help you understand:

  • What information we collect about you
  • How we use the information we collect
  • How we share information we collect
  • How we store and secure the information we collect
  • How to access and control your information
  • How we transfer information we collect internationally
  • Other important privacy information

This Privacy Policy covers the information we collect about you when you use our products or services unless a different policy is displayed. "Yva", "we" and "us" refers to Yva.AI, Inc. a Delaware corporation with its principal place of business located at 2445 Augustine Drive, Suite 150, Santa Clara, California 95054 USA and any of our corporate affiliates.

This policy also explains your choices about how we use information about you. Your choices include how you can object to certain uses of information about you and how you can access and update certain information about you. If you do not agree with this policy, do not access or use our Services or interact with any other aspect of our business.

What products and services does this Privacy Policy cover.

This Privacy Policy covers:
  • People Analytics Cloud Services
  • Website

This Privacy Policy covers People Analytics Cloud Services and Websites (collectively referred to as "Services")

This Privacy Policy does not cover People Analytics Self-Hosted Solutions.

Please, refer a separate Privacy Policy for Yva People Analytics Self-Hosted Solutions here: https://yva.ai/en/privacy-self-hosted.

Notice to End Users

YVA PEOPLE ANALYTICS CLOUD SERVICES ARE INTENDED FOR USE BY ORGANIZATIONS. THE SOLUTIONS ARE MADE AVAILABLE TO YOU THROUGH AN ORGANIZATION (E.G. YOUR EMPLOYER). THAT ORGANIZATION IS THE ADMINISTRATOR OF THE SOLUTIONS, HEREAFTER REFERRED TO AS "YOUR ORGANIZATION". PLEASE DIRECT YOUR DATA PRIVACY QUESTIONS TO YOUR ORGANIZATION, AS YOUR USE OF THE SOLUTIONS IS SUBJECT TO YOUR ORGANIZATION'S POLICIES. WE ARE NOT RESPONSIBLE FOR THE PRIVACY OR SECURITY PRACTICES OF YOUR ORGANIZATION, WHICH MAY BE DIFFERENT THAN THIS POLICY.


What information we collect about you

Account, Profile and Personal Identifiable Information

We collect information about you when you register for an account, create or modify your profile, set preferences, sign-up for or make purchases through the Services. It may include, but is not limited to, name, email address, telephone number, postal or other physical address, title, or occupation.

End User Corporate Activity Data

If Your Organization is using People Analytics Cloud Services then Yva may collect and process corporate activity data from Your Organization's sources and third-party services which Your Organization explicitly and voluntary connected to People Analytics Cloud Services. This corporate activity data may contain your email messages, calendar records, customer relationship management ("CRM") data, your corporate messenger data (e.g. Slack), corporate productivity platforms (e.g. GitHub, Jira) data, etc., further referred to as "End User Corporate Activity Data". For the avoidance of doubt, the term "End User Corporate Activity Data" does not include "End User Answers to Surveys".

Your Organization is responsible for sources and third-party services over which it has control. Please direct your data privacy questions to Your Organization, as your use of the People Analytics Cloud Services is subject to your organization's policies.

YVA NEVER COLLECTS AND NEVER PROCESSES:

your personal sources and services including but not limited to: Facebook, LinkedIn, Instagram, WhatsApp, Facebook Messenger, SMS, Gmail, etc.

Yva People Analytics Self-hosted Solutions never send End User Corporate Activity Data and Personal Information of the End Users to outside of your company.

Please direct your data privacy questions to Your Organization, as your use of the People Analytics Self-hosted Solutions is subject to your organization's policies. See a separate Privacy Policy for Yva People Analytics Self-hosted Solutions here: https://yva.ai/en/privacy-self-hosted.

End User Answers to Surveys

If Your Organization is using People Analytics Cloud Services then Yva may collect and process end user answers to engagement surveys, 360 feedback, performance review feedback, end user comments collectively referred to as "End User Answers to Surveys".

Please, direct your data privacy questions to Your Organization, as your use of the People Analytics Cloud Services is subject to your organization's policies.

Your use of the Services

We keep track of certain information about you when you visit and interact with any of our Services i.e. the features you use, the links you click on, the teams and people you work with and how you work with them, like who you collaborate with and communicate with most frequently, etc.

Cookies and Other Tracking Technologies

Yva and our third-party partners, such as our advertising and analytics partners, use cookies and other tracking technologies (e.g., web beacons, device identifiers and pixels) to provide functionality and to recognize you across different Services and devices.


How we use the information we collect

To provide the Services

We use information about you to provide the Services to you, authenticate you when you log in, provide customer support, and operate and maintain the Services. We use your contact information to send transactional communications via email, business messengers and within the Services, including providing employee surveys, sending you technical notices, updates, security alerts, and administrative messages.

If Your Organization is using People Analytics Cloud Services then Yva may analyze End User Corporate Activity Data and patterns to deliver End User engagement and performance analytics of the past and current activities and the predictive analytics insights about the best practices inside your organization and to detect areas of improvement. For example, to improve the best management practices Yva People Analytics Cloud Services automatically analyze and find similarities in End User Corporate Activity Data of those users who have received best peer feedback.


For research and development

If Your Organization is using People Analytics Cloud Services then Yva may analyze End User Corporate Activity Data and patterns to deliver more accurate predictive analytics insights about best practices inside your organization, to make our Services faster, secure, integrated, and useful to you.


For industry benchmarks

Yva People Analytics Cloud Services may use information provided by you to create de-identified data aggregated for benchmarking or marketing purposes.


To market, promote and drive engagement with the Services

We use your contact information and information about how you use the Services to send promotional communications that may be of specific interest to you, including by email and by displaying Yva ads on other companies' websites and applications, as well as on platforms like Facebook and Google. These communications are aimed at driving engagement and maximizing what you get out of the Services, including information about new features, survey requests, newsletters, and events we think may be of interest to you. We also communicate with you about new product offers, promotions, and contests.


For customer support

We use your information to resolve technical issues you encounter, to respond to your requests for assistance, to analyze crash information, and to repair and improve the Services.


For safety and security

We use information about you and your Service use to verify accounts and activity, to monitor suspicious or fraudulent activity and to identify violations of Service policies.


To protect our legitimate business interests and legal rights

Where required by law or where we believe it is necessary to protect our legal rights, interests and the interests of others, we use information about you in connection with legal claims, compliance, regulatory, and audit functions, and disclosures in connection with the acquisition, merger or sale of a business.


How we share information we collect

Your managers, your co-workers or third-party

Your Organization may decide to provide you, your managers, your co-workers or third-party access to dashboards, reports and API connection with aggregated, anonymized or deanonymized analytics and statistics based on collected and processed End User Corporate Activity Data.

Your Organization may decide to provide you, your managers, your co-workers or third-party access to dashboards, reports and API connection with aggregated and/or anonymized analytics and statistics based on collected and processed End User Answers to Surveys.

YVA NEVER DISPLAYS CONTENT OF YOUR EMAILS AND MESSAGES TO ANYONE EXCEPT YOU.

YVA NEVER DISPLAYS YOUR PERSONAL ANSWERS TO SURVEYS TO ANYONE EXCEPT YOU UNLESS YOU VOLUNTARILY DECIDED TO DEANONYMIZE YOUR ANSWERS.

Please, direct your data privacy questions to Your Organization, as your use of People Analytics Cloud Services is subject to your organization's policies. We are not responsible for the privacy or security practices of your organization, which may be different than this policy.

Service Providers

We work with third-party service providers to provide website and application development, hosting, maintenance, backup, storage, virtual infrastructure, payment processing, analysis, and other services for us, which may require them to access or use information about you. If a service provider needs to access information about you to perform services on our behalf, they do so under instruction from us, including policies and procedures designed to protect your information.


Yva Partners

We work with third parties who provide consulting, sales, and technical services to deliver and implement customer solutions around the Services. We may share your information with these third parties in connection with their services, such as to assist with billing and collections, to provide localized support, and to provide customizations. We may also share information with these third parties where you have agreed to that sharing.


Compliance with Enforcement Requests and Applicable Laws

Enforcement of Our Rights: In exceptional circumstances, we may share information about you with a third party if we believe that sharing is reasonably necessary to (a) comply with any applicable law, regulation, legal process or governmental request, including to meet national security requirements, (b) enforce our agreements, policies and terms of service, (c) protect the security or integrity of our products and services, (d) protect Yva, our customers or the public from harm or illegal activities, or (e) respond to an emergency which we believe in good faith requires us to disclose information to assist in preventing the death or serious bodily injury of any person.


Yva companies

We share information we have about you with other Yva corporate affiliates in order to operate and improve products and services and to offer other Yva affiliated services to you.


Business Transfers

We may share or transfer the information we collect under this privacy policy in connection with any merger, sale of company assets, financing, or acquisition of all or a portion of our business to another company. You will be notified via email and/or a prominent notice on the Services if a transaction takes place, as well as any choices you may have regarding your information.


How we store and secure the information we collect


Information storage and security

We use industry standard technical and organizational measures to secure the information we store.

While we implement safeguards designed to protect your information, no security system is impenetrable and due to the inherent nature of the Internet, we cannot guarantee that data, during transmission through the Internet or while stored on our systems or otherwise in our care, is absolutely safe from intrusion by others.

If you use our server or data center Services, responsibility for securing storage and access to the information you put into the Services rests with you and not Yva. We strongly recommend that server or data center users configure SSL to prevent interception of data transmitted over networks and to restrict access to the databases and other storage points used.


How long we keep information

How long we keep information depends on the type of data. After such time, we will either delete or anonymize your information or, if this is not possible (for example, because the information has been stored in backup archives), then we will securely store your information and isolate it from any further use until deletion is possible.

Account information: We retain your account information for as long as your account is active and a reasonable period thereafter in case you decide to re-activate the Services. We also retain some of your information as necessary to comply with our legal obligations, to resolve disputes, to enforce our agreements, to support business operations, and to continue to develop and improve our Services. Where we retain information for Service improvement and development, we take steps to eliminate information that directly identifies you, and we only use the information to uncover collective insights about the use of our Services, not to specifically analyze personal characteristics about you.

The information you share on the Services: If your account is deactivated or disabled, some of your information and the content you have provided will remain in order to allow your team members or other users to make full use of the Services.

People Analytics Cloud Services: we retain End User Corporate Activity Data, End User Answers to Surveys and other information related to People Analytics Cloud Services as long as required by Your Organization.

Marketing information: If you have selected to receive marketing emails from us, we retain information about your marketing preferences for a reasonable period of time from the date you last expressed interest in our Services, such as when you last opened an email from us or ceased using your Yva account. We retain information derived from cookies and other tracking technologies for a reasonable period of time from the date such information was created.


How to access and control your information

You have the right to object to our use of your information, request that we stop using your information, to request the deletion or restriction of your information, or to request your information in a structured, electronic format. Where the Services are administered for you by an administrator, you may need to contact your administrator to assist with your requests first.


How we transfer information we collect internationally

International transfers within the Yva Companies:

To facilitate our global operations, we transfer information globally and allow access to that information from countries in which the Yva owned companies or third parties described in this privacy policy, which provide services to us under contract for the purposes described in this policy. These countries may not have equivalent privacy and data protection laws to the laws of many of the countries where our customers and users are based. When we share information about you within and among Yva corporate affiliates, we make use of standard contractual data protection clauses.


Other important privacy information

Our policy towards children

The Services are not directed to individuals under 16. We do not knowingly collect personal information from children under 16. If we become aware that a child under 16 has provided us with personal information, we will take steps to delete such information. If you become aware that a child has provided us with personal information, please contact our support services.

Changes to our Privacy Policy

We may change this privacy policy from time to time. We will post any privacy policy changes on this page and, if the changes are significant, we will provide a more prominent notice by adding a notice on the Services home pages, login screens, or by sending you an email notification. We will also keep prior versions of this Privacy Policy in an archive for your review. We encourage you to review our privacy policy whenever you use the Services to stay informed about our information practices and the ways you can help protect your privacy.

If you disagree with any changes to this privacy policy, you will need to stop using the Services and deactivate your account(s), as outlined above.


Contact Us

If you have questions or concerns about how your information is handled, please direct your inquiry to support@yva.ai.

Yva.AI, Inc.

2445 Augustine Drive, Suite 150, Santa Clara,

California 95054 USA