Data Protection

Data protection is an engineering discipline before it is a legal one. We design the platform so that a breach would leak as little as possible.

Version

v1.0 · Draft

Last Updated

12 July 2026

Effective

12 July 2026

Languages

EN · TR

01

Principles

  • Minimisation — collect only what the platform needs to function.
  • Purpose limitation — data collected for one purpose is not repurposed silently.
  • Encryption — in transit (TLS 1.2+) and at rest (AES-256).
  • Least privilege — access is scoped by role and audited.
  • Separation — clinical and identifying data are stored under distinct trust boundaries.
02

Where data lives

Application data is hosted on managed cloud infrastructure within the EU. Backups are encrypted and geographically redundant. Access to production data is limited to a small named group and logged.

03

Clinical and research data

  • De-identified at the earliest possible point in the pipeline.
  • Never used to re-identify a patient. Never sold. Never shared with advertisers.
  • Federated where possible — analysis travels to the data, not the reverse.
04

GDPR readiness

YODA is being built to meet EU GDPR requirements ahead of formal certification. This includes a designated Data Protection Officer, a public Register of Processing Activities, Data Processing Agreements with subprocessors, and a documented breach-notification procedure.

05

Incident response

In the event of a confirmed personal data breach, affected users and, where required, national data protection authorities are notified within 72 hours. Post-incident reports are published to the Trust Center.

06

Contact

The YODA Data Protection Officer can be reached at privacy@yoda.academy.

Questions about this document? contact@yoda.academy

← Back to Trust Center