GDPR Compliance
General Data Protection Regulation Compliance Statement
Last Updated: January 2026
Our Commitment to GDPR
YottaNest is committed to protecting the privacy and security of personal data in accordance with the General Data Protection Regulation (GDPR) (EU) 2016/679. As a provider of AI-powered compliance automation services to financial institutions, we understand the critical importance of data protection and have implemented comprehensive measures to ensure GDPR compliance.
Data Controller
YottaNest
Sofia, Bulgaria
Email: dpo@yottanest.com
Data Protection Officer: dpo@yottanest.com
Legal Basis for Processing
We process personal data based on the following legal grounds under Article 6 of GDPR:
1. Contractual Necessity (Article 6(1)(b))
Processing necessary to perform our contract with you or to take steps at your request before entering into a contract.
2. Legal Obligation (Article 6(1)(c))
Processing necessary to comply with legal obligations, including anti-money laundering (AML) and know-your-customer (KYC) regulations.
3. Legitimate Interest (Article 6(1)(f))
Processing necessary for our legitimate interests or those of a third party, such as fraud prevention, network security, and service improvement.
4. Consent (Article 6(1)(a))
Where you have given clear consent for us to process your personal data for specific purposes (e.g., marketing communications).
Personal Data We Process
From Our Clients (Financial Institutions)
- Contact information (names, email addresses, phone numbers)
- Company information and business details
- Account credentials and authentication data
- Usage data and system logs
- Communication records
Processed on Behalf of Clients (Data Subjects of Compliance Checks)
- Personal identification data (names, dates of birth, addresses)
- Business registration information
- Beneficial ownership structures
- Publicly available registry data
- Sanctions and watchlist information
- Adverse media mentions
Note: When processing data on behalf of our clients for compliance purposes, we act as a Data Processor. Our clients remain the Data Controllers responsible for the legal basis and lawfulness of processing.
Your Rights Under GDPR
Under GDPR, data subjects have the following rights:
Right to Access (Article 15)
Request confirmation of whether we process your personal data and obtain a copy of it.
Right to Rectification (Article 16)
Request correction of inaccurate or incomplete personal data.
Right to Erasure ("Right to be Forgotten") (Article 17)
Request deletion of your personal data under certain circumstances.
Right to Restriction of Processing (Article 18)
Request limitation of how we process your data in certain situations.
Right to Data Portability (Article 20)
Receive your personal data in a structured, commonly used format and transmit it to another controller.
Right to Object (Article 21)
Object to processing based on legitimate interests or for direct marketing purposes.
Rights Related to Automated Decision-Making (Article 22)
Not be subject to decisions based solely on automated processing, including profiling, which produces legal effects.
Right to Withdraw Consent
Withdraw consent at any time where processing is based on consent, without affecting the lawfulness of processing before withdrawal.
How to Exercise Your Rights
To exercise any of these rights, please contact our Data Protection Officer:
- Email: dpo@yottanest.com
- Include: Your name, contact details, and specific request
- We will respond within 30 days of receiving your request
Data Security Measures
We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
Technical Measures
- End-to-end encryption
- Secure data transmission (TLS/SSL)
- Access control and authentication
- Regular security audits
- Intrusion detection systems
Organizational Measures
- Staff training on data protection
- Confidentiality agreements
- Data protection impact assessments
- Incident response procedures
- Regular compliance reviews
Data Retention
We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, including:
- Service Data: Duration of contract plus 6 years (for legal and accounting purposes)
- Compliance Records: As required by financial regulations (typically 5-10 years)
- Marketing Data: Until consent is withdrawn or 2 years of inactivity
- Website Analytics: 26 months maximum
Data Sovereignty & International Transfers
On-Premise Deployment
YottaNest offers on-premise deployment options, ensuring that all data remains within your own infrastructure and jurisdiction. This provides complete data sovereignty and eliminates concerns about international data transfers.
Cloud Deployment
For cloud deployments, all data is stored within the European Union. We do not transfer personal data outside the EEA unless:
- The transfer is to a country deemed adequate by the European Commission
- Appropriate safeguards are in place (Standard Contractual Clauses)
- You have provided explicit consent
Automated Decision-Making and AI
YottaNest uses artificial intelligence and automated processing to analyze data and generate compliance recommendations. However:
- We maintain a "human-in-the-loop" approach - all critical decisions require human review and approval
- Our AI provides recommendations, not final determinations
- You retain the right to obtain human intervention, express your point of view, and contest any automated decision
- We provide transparency about the logic involved in our AI processing
Data Breach Notification
In the event of a personal data breach that poses a risk to the rights and freedoms of data subjects:
- We will notify the relevant supervisory authority within 72 hours of becoming aware
- Affected individuals will be notified without undue delay if the breach poses a high risk
- We maintain comprehensive data breach response procedures
- All incidents are documented and reviewed for prevention measures
Right to Lodge a Complaint
If you believe we have not handled your personal data in accordance with GDPR, you have the right to lodge a complaint with a supervisory authority:
Bulgarian Data Protection Authority
Commission for Personal Data Protection (CPDP)
Address: 2 Prof. Tsvetan Lazarov Blvd., Sofia 1592, Bulgaria
Phone: +359 2 915 3 518
Email: kzld@cpdp.bg
Website: www.cpdp.bg
You may also contact the data protection authority in your country of residence or where the alleged infringement occurred.
Sub-Processors
When acting as a Data Processor, we may engage sub-processors to assist in providing our services. We ensure all sub-processors:
- Comply with GDPR requirements
- Have appropriate data processing agreements in place
- Implement adequate technical and organizational measures
A current list of sub-processors is available upon request to dpo@yottanest.com.
Updates to This Statement
We may update this GDPR Compliance Statement from time to time. Material changes will be communicated to our clients and data subjects as appropriate. The "Last Updated" date at the top of this page indicates when the statement was last revised.
Contact Us
For any questions about our GDPR compliance or to exercise your data protection rights:
Data Protection Officer
Email: dpo@yottanest.com
Address: YottaNest, Sofia, Bulgaria
We aim to respond to all legitimate requests within 30 days.
YottaNest is committed to transparency, accountability, and continuous improvement in our data protection practices. We regularly review and update our processes to ensure ongoing compliance with GDPR and best practices in data protection.
