YCloud GDPR Compliance White Paper
This document is a broad overview of the General Data Protection Regulation 2016/679 (GDPR) issued by the European Parliament and the Council of the European Union. It comes into force in [ ] 2022, and YCloud is committed to full compliance with the GDPR.
In implementing GDPR compliance, YCloud has spent a great deal of effort conducting gap analysis and working to close those gaps.
This YCloud GDPR Compliance White Paper (“White Paper” or “this White Paper”) serves as a general introduction to YCloud’s compliance with and enforcement of its GDPR obligations. It is intended for the customer community and other stakeholders who use YCloud, to familiarize them with YCloud’s privacy and compliance commitments. This document is subject to change over time and, of course, the information in this White Paper does not modify existing contractual arrangements.
YCloud has always believed in the importance of protecting the data and privacy of your business and personal customers and understands that compliance with the GDPR and its related regulations is essential to maintaining the trust and confidence of your customers. This White Paper describes how YCloud has prepared for and complies with the relevant GDPR rules. For clarity, this White Paper may be adjusted from time to time as YCloud continues to comply strictly with the GDPR. Please understand that these regulations may be revised, modified, expanded, reformulated, consolidated, or superseded over time.
Some terms used in this White Paper have precise definitions in the GDPR. The terms listed below, such as “controller”, “processor”, and “third party”, have the same meaning here as in the GDPR.
GDPR: “Data Protection Legislation” means, where applicable, the GDPR and, in each case, any national law, legislation, rule, or regulation relating to privacy and data protection. For the sake of clarity, references to data protection legislation include references to any replacement of that legislation as amended, modified, extended, re-enacted, consolidated, or updated.
(1) “Controller” is the party who decides how personal data is processed and for what purposes.
(2) “Processor” means the party that processes personal data on behalf of the controller.
(3) “Data Subject” means the individual to whom personal data relates.
(4) “Processing” means any operation or set of operations performed on personal data or on a collection of personal data, whether or not by automated means, such as collecting, recording, organizing, structuring, storing, adapting or altering, retrieving, consulting, using, disclosing by transmission, dissemination or otherwise making available, aligning or combining, restricting, erasing or destroying.
(5) “Personal data” means any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, or an online identifier (e.g. IP address, cookie ID).
(6) “Customer” refers to the users who use YCloud technology services online and offline and pay a certain amount of money for them.
(7) “User” refers to the Data Provider and the Data Recipient.
(8) “YCloud” refers to YCloud International Pte. Ltd.
4. Application scope
The GDPR applies to any company that processes the personal data of residents of the European Union (EU) and the European Economic Area (EEA), including organizations outside the EU that are subject to EU law under international law. YCloud is expanding its business and operations globally; the EU is one of YCloud’s key areas of focus, where it serves customers in the region and works with the partners it does business with. The GDPR applies to every element of YCloud’s business, including all of YCloud’s wholly-owned legal entities, subsidiaries, affiliates, and registered offices.
| Asia Pacific | Europe Region | North America |
|---|---|---|
| YCloud International Pte. Ltd | None | None |
4.2. Partners and Customers
Because YCloud stands firm on data protection and privacy, it gives all YCloud partners and customers the ability to offer their own customers the rights granted by the GDPR to control their data, regardless of where they live. In addition to the way the GDPR applies to YCloud, the regulation also applies to YCloud’s customers who collect personal data while operating or providing products and services in the EU and EEA, and who may rely heavily on YCloud’s level of GDPR compliance to ensure the security of private data.
4.3. Validation scope
The validation focused on YCloud’s cloud communications business and covered the following.
3. Voice Code
5. Short Links
6. Y-OTP Solution
5. Controllers and processors
5.1. As a controller
The GDPR defines a controller as the entity that determines the purpose of the processing activity. The following checklist lists indicators of whether a company is acting as a controller or as a processor. The more of these decisions a company has the right to make, the more likely it is that the company falls into the controller category. YCloud discloses its position faithfully in the following table.
| Does YCloud decide? | Content |
|---|---|
| No | Collection or processing of such personal data |
| No | The purpose or result of the processing |
| No | What personal data should be collected |
| No | Whose personal data is collected |
YCloud commits that its commercial interest in the processing is obtained only through the provision of technical services.
YCloud processes personal data under the contract between YCloud and the data subject. YCloud complies with the Guidelines 04/2021 on Codes of Conduct as a Tool for Transfers (“04/2021 Guidelines”) issued by the European Data Protection Board (“EDPB”), which guide the use of codes of conduct as a tool for cross-border data transfers under Article 46 of the GDPR, as well as the procedures for and content of such codes of conduct. Both the Standard Contractual Clauses (“SCCs”) and the Binding Corporate Rules (“BCRs”) are observed.
5.2. As a processor
The processor is the party that processes personal data on behalf of the controller.
YCloud’s data processing is performed solely at the direction of the client. The data YCloud processes is provided by the client or similar third parties, and YCloud does not determine the following.
(1) Whether data is collected from individuals who are the customer’s end users.
(2) What personal data is collected from those individuals.
(3) The purpose for which these data are used.
(4) Whether these data are disclosed, and to whom.
(5) How long cross-border data is retained; this is determined by the customer.
YCloud may make some decisions about how data is processed, but these decisions are implemented in strict compliance with the contract signed with the client. YCloud is not involved in the outcome of any data processing.
5.3. Data processing obligations
The GDPR sets out 7 data protection principles that guide how YCloud conducts data processing activities as a data controller and as a data processor.
1. Personal data relating to data subjects must be processed in a lawful, fair, and transparent manner (“lawfulness, fairness and transparency”).
2. Personal data must be collected for specific, explicit, and legitimate purposes and may not be further processed in a manner incompatible with those purposes (“purpose limitation”).
3. Personal data must be adequate, relevant, and limited to what is necessary to achieve those purposes (“data minimization”).
4. Personal data must be accurate and kept up to date (“accuracy”).
It is very important to keep user data up to date, not only to provide products and services to users on time but also to avoid the many risks arising from inaccurate data. Any request by YCloud or the customer to update or correct personal information will be verified and correctly processed, and such corrections will be synchronized to YCloud’s database. For example, customers who use YCloud notification messages to communicate with end users should ensure that the user’s contact information is up to date and accurate. Any change to a subscriber’s phone number should be reflected promptly, since that number will be used to contact the subscriber and to deliver YCloud’s primary cloud SMS service, which would otherwise be unable to reach the subscriber.
5. Personal data must be stored for no longer than is necessary to achieve the purposes for which it was collected (“storage limitation”).
YCloud has created a data retention policy which specifies that Customer Information shall be retained for the period stated in the retention policy unless otherwise agreed. Where appropriate, Customer Information shall be returned to the Customer or destroyed, and YCloud shall not retain any copies unless required by law or regulation.
6. Personal data must be properly protected against unauthorized or unlawful processing and against accidental loss, destruction, or damage (“integrity and confidentiality”).
YCloud maintains safeguards designed to protect personal information obtained through YCloud products and services. YCloud uses Alibaba Cloud to provide customers with secure, stable, and reliable physical infrastructure and services. On top of that, YCloud operates a layered network security architecture including a firewall, a WAF, a unified defense system, and intrusion detection and prevention to deal with external threats. All data is transmitted over HTTPS to protect it in transit.
7. The data controller is responsible for, and must be able to demonstrate, compliance with the above principles (“accountability”).
YCloud is accountable for achieving GDPR compliance and privacy protection. The management framework was documented during full implementation and includes strong process controls, risk and compliance reporting structures, and assessment and evaluation processes.
5.4. Sub-processors
When YCloud acts as a Processor, all data processing activities are directed by the Data Controller. If YCloud engages another third party to fulfill a contractual obligation between the Client and YCloud, the Controller’s consent must be obtained before the sub-processor can access or transmit any personal data. The use of sub-processors is limited to the following purposes.
(1) Verify the authenticity of customer information
(2) Process SMS delivery and finalize the process of SMS reaching users’ cell phones
(3) Store data for YCloud to retrieve later
The list of sub-processors is well documented and reviewed by YCloud and will be disclosed at the request of the customer or data subject.
5.5. List of data for processing
As a data processor, YCloud obtains personal data from a single source: YCloud Cloud SMS data is provided by the customer, and YCloud requires the customer to obtain the data subject’s consent before providing it. Whether acting as a data controller or as a processor, YCloud keeps records of the processing activities for which it is responsible, in compliance with Article 30 of the GDPR. A list of such data will only be disclosed if explicitly requested in writing by a specific customer or user on a lawful and reasonable basis. At the same time, YCloud strictly complies with the relevant legal regime and will provide its processing records to the supervisory authority upon a request made on legitimate grounds.
6. Legal basis for processing
(2) Contract: YCloud may process personal data for the defined purposes agreed in the signed contract or related documents.
(3) Legal obligation: personal data is processed where required by law (excluding contractual obligations).
7. International transfers
Under the GDPR, personal data may move freely within the EU and EEA, while transfers outside the EEA require a lawful cross-border transfer mechanism, mainly one of the following.
(1) An adequacy decision
(2) Appropriate safeguards providing an adequate level of protection
(3) Special circumstances, such as the explicit consent of the data subject or necessity for the performance of a contract
The countries and regions currently covered by European Commission adequacy decisions are Andorra, Argentina, Canada (commercial organizations), the Faroe Islands, Guernsey, Israel, the Isle of Man, Japan, Jersey, New Zealand, South Korea, Switzerland, the United Kingdom, and Uruguay. Personal data within the European Economic Area can flow to these countries or regions. YCloud strictly enforces cross-border transfer mechanisms and plans to launch a data processing center in the UK so that, when needed and for legitimate business purposes, all EU personal data can be stored securely on servers located there. YCloud ensures that international transfers of data occur only on the basis of the standard EU contractual clauses approved under the GDPR. Where necessary, YCloud may transfer Personal Information to sub-processors in other countries (e.g., the United States) to fulfill processing obligations, and YCloud will protect that information in accordance with the Information Security White Paper, the data processing contract agreed with the Customer, and applicable legal requirements, so that the transfer of Personal Information to the sub-processor is adequately protected. When a Customer instructs YCloud to transfer their data outside of the EU/EEA, the Customer is obligated to fulfill the standard contractual clauses and to notify YCloud that they are in place.
7.1. Access rights
Customers can log in to the website to view and modify their personal information (for auditing).
Customers can log in to the website to check their business data within a given period, including SMS sending records, historical statistics, and billing information.
7.2. Right of correction
If there are any inaccuracies, the personal information provided by the user can be manually corrected on the official YCloud website.
7.3. Right to restrict processing
If one or more of the following conditions apply, or will apply, to an activity, YCloud will restrict the processing of Personal Information until that condition is completed or resolved. Restriction includes the immediate cessation of processing of the user’s data.
(1) The data subject disputes the accuracy of the personal information, and YCloud is verifying the accuracy of the personal information.
(2) The processing is unlawful and the data subject requests that use of the data be restricted instead of the data being deleted.
(3) YCloud no longer needs the data for the activity or any legitimate further processing, as the data has been discarded.
(4) The data subject needs the data to establish, exercise, or defend a legal claim.
(5) The data subject objects to the data processing, and YCloud is determining whether the compelling legitimate grounds for the processing override the interests, rights, and freedoms of the data subject.
7.4. The right to object
Individuals can object to the processing of certain personal information, for example by choosing not to have instructions sent as instructed or by withdrawing any permission given in the back office. For other personal information, YCloud offers the option to delete the personal account, as detailed in the Personal Agreement on the YCloud official website.
7.5. Right to data portability
YCloud will cooperate with you accordingly.
8. Data protection and security
Under the GDPR, controllers and processors are required to implement appropriate technical and organizational measures. In accordance with this requirement, YCloud has implemented many of the controls and processes identified in the GDPR, which are described in the Information Security White Paper, including:
(1) Encryption of personal data.
(2) Ensuring the confidentiality, integrity, availability, and resilience of processing systems.
(3) Access control mechanisms.
(4) Ensuring the availability of and access to personal data in the event of a natural or human-caused incident.
(5) Regular testing, security assessment, and evaluation of the technical and organizational security measures.
More information on data protection and security can be found in the Information Security White Paper.
8.1. Design of data protection
It has been verified that YCloud has implemented technical and organizational measures to ensure that, by default, only the personal data required for each specific processing purpose is processed. To capture data operational risks before a business activity begins, YCloud has established a PIA/DPIA process within the compliance team to oversee privacy risks. The PIA/DPIA serves as a guideline for business and technical departments to identify risks to the privacy of processed data and provides instructions for assessing and remediating those risks to an acceptable level.
8.2. Data Retention Policy
In accordance with Article 30 of the GDPR, YCloud retains data in identifiable form only for as long as is necessary for the purposes of which the individual has been notified and to which they have consented. YCloud determines the appropriate retention period based on the volume, nature, and sensitivity of the personal data. Such data is destroyed at the end of the retention period unless a specific legal requirement demands a longer retention period. Where data must be retained for a longer time, YCloud has implemented coding or similar mechanisms to limit the risk to users.
Customers should define their own data retention periods and notify YCloud, which will communicate the technical implementation.
Data retention under the YCloud solution takes the following events into account.
(1) When the user requests deletion of the account.
(2) When the service contract with YCloud is terminated.
(3) When the user’s account has no activity record.
8.3. Data Processing Addendum (DPA)
In accordance with GDPR Article 28, YCloud prepares a Data Processing Addendum (DPA) for customer review and seeks contractual agreement on the data processing activities explicitly described in the Addendum, together with an explanation of how YCloud will ensure the security and protection of all entrusted processing activities. YCloud has a recourse mechanism for handling customer objections to the use of sub-processors. The DPA checklist also verifies that YCloud’s participating providers are acting lawfully under GDPR Article 28 and that all legal requirements are documented in the provider’s DPA; otherwise, the DPA is amended accordingly.
8.4. Supplier Management
Sub-processors are involved where YCloud transfers certain types of personal data for further processing to support its operations. YCloud operates a vendor risk management process that assesses the privacy and security practices of sub-processors to ensure they have effective technical and organizational safeguards and controls in place. This assessment is performed before vendor onboarding and is documented in YCloud’s Technology Management Center for annual review. Following the assessment, YCloud uses a DPA (designed for YCloud and its sub-processors) to ensure that the contractual obligations required by the GDPR are written down between the parties.
8.5. Notification of Data Breach
The GDPR introduces an obligation for all organizations to report personal data breaches to the relevant supervisory authority. At a minimum, a personal data breach must be reported within 72 hours of the organization becoming aware of it. At the same time, if such an event is likely to adversely affect the rights of the relevant customers and their users, the risk will be communicated to them without undue delay. Accordingly, YCloud has developed and refined its Incident and Data Breach Response Plan, covering breach detection, investigation, and internal reporting, to address this obligation.
9. Accountability and governance
9.1. Designation of DPO
The GDPR introduces an obligation for entities to appoint a Data Protection Officer (DPO). At YCloud the DPO is the company’s technical director of information technology, who monitors internal compliance efforts, informs and advises on data protection obligations, advises on the technical and organizational measures to be implemented, and acts as the point of contact for data subjects and supervisory authorities. The management framework was documented in the course of full implementation and includes strong procedural controls, risk and compliance reporting structures, and assessment and evaluation procedures, among others.
September 1, 2022
July 22, 2022