Torii is fully committed to GDPR compliance.
The General Data Protection Regulation (GDPR) is a new EU regulation intended to strengthen and unify data protection for all individuals within the European Union (EU). It also addresses the export of personal data outside the EU. The GDPR aims primarily to give citizens and residents control over their personal data and to simplify the regulatory environment for international business by unifying regulation within the EU.
The GDPR replaces the 1995 Data Protection Directive (95/46/EC) and applies from 25 May 2018.
The full GDPR text can be found here.
Yes. Although Torii is a non-EU business, we have customers in the EU. Moreover, individuals in the EU may use our US instance, and under the GDPR's territorial scope (Article 3(2)) we must therefore comply with it regardless of where our servers are located.
The GDPR definition of personal data includes what we typically consider personally identifiable information (PII), such as name, passport number and birth date, but it also includes data that we might consider to be non-PII, such as IP addresses or device IDs.
For a comprehensive list of what GDPR considers personal data, please read Article 4(1) of the GDPR.
Torii processes the following information, which it obtains by connecting to the customer's own systems, such as Google G Suite, Microsoft Azure AD, Okta and OneLogin.
Torii does not collect or process any data in the special categories defined in Article 9 of the GDPR, such as racial or ethnic origin, religion, political opinions or health data.
Privacy is built into Torii by design. We do not expose information that is not needed for a given purpose, and we use pseudonymisation, anonymisation and encryption where possible or required.
More detailed information about privacy by design can be found in Article 25 of the GDPR.
Any Torii employee who knows of, or suspects, a data breach must report it immediately to the DPO (Uri Nativ) and the CEO (Uri Haramati).
Torii takes every data breach seriously. Remediating the error or problem is the top priority; this is followed by a retrospective (one or more meetings) to report on and investigate the breach.
The GDPR (Article 33) requires a breach to be reported to the supervisory authority within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals; where Torii acts as a processor, it must also notify the affected controller without undue delay.
We use Torii itself to keep track of the third-party solutions we use and their contracts.
Our review of whether our third-party providers are GDPR compliant is still in progress, as some vendors have not yet published their position.
All Torii employees are aware of the importance of the GDPR to Torii's business and of its impact on the collection and handling of customers' personal data.
Data subject: An identified or identifiable natural person whose personal data is processed; in practice, a person located in the EU.
Personal data: Any information relating to an identified or identifiable data subject (e.g., name, national ID number, address, IP address, health information).
Controller: A company or organization that collects people's personal data and decides what is done with it.
Processor: A company or organization that processes personal data on a controller's behalf and according to its instructions, but does not decide what is done with the data.
Processing: Any operation or set of operations performed on personal data or on sets of personal data, by automated means or otherwise, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Data Protection Officer (DPO): A representative of a controller or processor who oversees GDPR compliance and is an expert in data privacy.
Uri Nativ is appointed Torii's DPO.
Data Protection Impact Assessment (DPIA): A documented assessment of the necessity, risks and risk-mitigation options for a certain type of processing.
Supervisory authority: Formerly called "data protection authorities"; one or more governmental agencies in each member state that oversee that country's data-privacy enforcement (e.g., Ireland's Office of the Data Protection Commissioner, Germany's 18 federal and regional authorities).
Third countries: Countries outside the EU.
Standard Contractual Clauses (SCCs): Also known as "model clauses"; standardized contract language approved by the European Commission that is one lawful mechanism for controllers and processors to transfer personal data to third countries. The SCCs are included in Exhibit 1 of our Data Processing Agreement.