Torii Commitment to the GDPR

Torii is fully committed to GDPR compliance.

What is GDPR?

The General Data Protection Regulation (GDPR) is a new EU regulation intend to strengthen and unify data protection for all individuals within the European Union (EU). It also addresses the export of personal data outside the EU. The GDPR aims primarily to give control back to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.

GDPR will replace the 1995 data protection directive. The regulation becomes enforceable from 25 May 2018.

The full GDPR text can be found here.

Key Principles of GDPR

• Personal data collected needs to be processed in a fair, legal, and transparent way. It should not be used in any way that a person would not reasonably expect.
• Personal data should only be collected to fulfill a specific purpose and not further used in a manner that is incompatible with those purposes. Organizations must specify why they need the personal data when they collect it.
• Personal data held needs to be kept up to date and accurate. It should be held no longer than necessary to fulfill its purpose.
• EU citizens have the right to access their own personal data. They can also request a copy of their data, and that their data be updated, deleted, restricted, or moved to another organization without hinderance.
• All personal data needs to be kept safe and secure, and companies undertaking certain types of activities are now required to appoint a data protection officer.

Does GDPR Applies to Torii?

Yes. While Torii is a non-EU business, we do have customers in the EU. Moreover, EU citizens may use our US instance and by that we must comply with the GDPR regulations.

What Personal Information Does Torii Collect and Process?

The GDPR definition of personal data includes what we typically consider personally identifiable information (PII)—name, passport number, birth date, etc.—but, it also includes data that we might consider to be non-PII, like IP addresses or device IDs.

For a comprehensive list of what GDPR considers personal data, please read Article 4(1) of the GDPR.

Data Processed by Torii

Torii processes the following information through connecting to the Torii’s client systems such as Google G-suite, Microsoft Azure AD, Okta, Onelogin and such.

1. Name
2. Email

Torii does not collect or process any data of the special categories such as race, religion, political opinions, health data, etc.

Product Design

Privacy is built by design into Torii. We don’t expose unnecessary information where not mandatory. We use pseudonymisation, anonymisation, and encryption where possible or necessary.

More detailed information about privacy by design can be found in Article 25 of the GDPR.

Data Breach Procedures

Any employee of Torii who knows of, or suspects of a data breach, will report immediately to the DPO (Uri Nativ) and CEO (Uri Haramati).

Torii takes any data breach seriously. First the error or the problem is remediate as top priority. Following by a retrospective (one meeting or more) to report and investigate the breach.

The GDPR requires us to report a breach to data protection authorities within 72 hours of detection.

Third-Party Providers

We use our own Torii to keep track of all our third-party solutions we use and their contracts.

The process of reviewing whether our third-party providers are GDPR compliant is still in review as some vendors have not published anything yet.

Awareness

All Torii employees are aware of the importance of GDPR to Torii’s business, its impact on the collection and handling of customers’ personal data.

Terminology

Data Subject

A person who lives in the EU

Personal Data

Any information related to an identified/identifiable data subject (e.g., name, national ID number, address, IP address, health info)

Controller

A company/organization that collects people’s personal data and makes decisions about what to do with it.

Processor

A company/organization that helps a controller by “processing” data based on its instructions, but doesn’t decide what to do with data.

Processing

Any operation or set of operations which is performed on personal data or on sets of personal data, by automated means or otherwise, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Data Protection Officer (DPO)

A representative for a controller/processor who oversees GDPR compliance and is a data-privacy expert.

Uri Nativ is appointed DPO.

Data Privacy Impact Assessment (DPIA)

A documented assessment of the usefulness, risks, and risk-mitigation options for a certain type of processing.

Supervisory Authority

Formerly called “data protection authorities”; one or more governmental agencies in a member state who oversee that country’s data privacy enforcement (e.g., Ireland’s Office of the Data Protection Commissioner, Germany’s 18 national/regional authorities)

Third Countries

Countries outside the EU

Standard Contractual Clauses

The SCCs, a/k/a “model clauses” are standardized contract language (approved by the European Commission) that is one method of permission for controllers/processors to send personal data to third countries. The SCCs are included in Exhibit 1 of our Data Processing Agreement)