Introduction
The EU General Data Protection Regulation (GDPR) is the most significant piece of European privacy legislation in the last twenty years. It replaces the 1995 EU Data Protection Directive (European Directive 95/46/EC), strengthening the rights that EU individuals have over their data and creating a uniform data protection law across Europe.
In addition to strengthening and standardizing user data privacy across EU member states, it introduces new or additional obligations on all organizations that handle EU citizens’ personal data, regardless of where the organizations are located. On this page, we explain how we help our customers comply with the GDPR.
Commitment to the User and the Protection of User’s Data
Weyond Inc. (“Weyond”, “We”) is committed to ensuring that users’ privacy is protected. We strictly adhere to the provisions of GDPR and all relevant data protection legislation, ensuring all personal data is handled in line with the principles outlined in the regulation.
Where Do We Stand
Weyond as a Data Processor
GDPR defines Data Controllers as entities that determine the purposes for which and the means by which personal data is processed. Data Controllers decide why and how the personal data of a data subject should be processed. A Data Processor processes personal data only on behalf of the Data Controller and in accordance with their instructions.
Weyond acts as a Data Processor and processes data on behalf of its Clients / Organizations who act as Data Controllers. The Data Controllers specify the kind of data required from the data subject (the user). We act as a mediator between the Data Controller and the Data Subject by collecting the specified data during the user’s interaction with the Efforti platform and then processing it strictly as per the Data Controller’s instructions.
Data Protection
Weyond is committed to information security best practices. In line with GDPR, Weyond assesses the measures required in its products based on factors such as data sensitivity, impact, risk, and available technology.
Security is a core requirement and a guiding principle in the design of all components of Weyond’s products. This includes encryption of data both in transit and at rest, continuous vulnerability and penetration testing, and firewalled DevOps procedures to ensure the security and integrity of systems.
Data Deletion & Retention
We maintain defined data deletion periods and procedures unless specified otherwise by the applicable Organization. In compliance with the GDPR “Right to Be Forgotten,” we are aware of when data subject rights apply, including exemptions, response timeframes, and notification responsibilities, as dictated by the Organization acting as the Data Controller.
Our default retention policy for data collected on behalf of sponsor Organizations is 7 days, unless otherwise specified by the Organization.
Data retention periods may be customized by the Organization and always take precedence over the default retention policy.
Consent from Users (Data Subjects)
User consent is obtained prior to using Weyond’s products. This ensures users are provided with the relevant Privacy Policy and Terms of Service, including clear information on why personal data is being collected, and allows users to provide informed consent before using the Services.
Our Privacy Policy provides further details on the what and why of user information collection.
International Data Transfers
At present, our operations do not involve clients located outside of the United States. Accordingly, there is no transfer of data to entities located in the European Union (EU), Switzerland, or the United Kingdom (UK).
As Weyond expands or if regulatory requirements change, we will continuously review and implement appropriate mechanisms to safeguard data privacy and security in accordance with applicable global standards.
Data Subject Rights
We provide clear and accessible procedures for individuals to exercise their rights under GDPR with respect to personal data processed by Weyond, including the right to request information regarding:
- What personal data we hold
- The purposes of processing
- The categories of personal data concerned
- The recipients to whom personal data has been or will be disclosed
- The intended data retention period
- The source of the data, where not collected directly from the data subject
- The right to rectify incomplete or inaccurate data
- The right to request erasure of personal data (where applicable and subject to Data Controller approval)
- The right to restrict processing or object to certain processing activities
- The right to lodge a complaint or seek judicial remedy
As required under GDPR, Weyond, acting as a Data Processor, must obtain prior approval from the Client or Sponsor Organization (the Data Controller) before accommodating any request by a user to exercise GDPR rights.
Third-Party Audits and Certifications
Weyond is SOC 2 Type II certified and undergoes independent third-party audits based on the SSAE 16/18 framework. These audits assess and verify the effectiveness of internal controls and processes related to:
- Internal governance
- Production operations
- Change management
- Data backups
- Software development lifecycle
As a cloud-based company entrusted with sensitive customer data, Weyond maintains high security standards and has obtained recognized security certifications from the American Institute of Certified Public Accountants (AICPA), including SOC 2 Type II.
In line with GDPR requirements relating to security incident notification, Weyond meets its obligations and provides contractual assurances to its clients.
The SOC 2 program provides independent verification that our security practices align with recognized security standards. These controls are embedded across Weyond’s operational procedures and apply to teams responsible for delivering and supporting our Services.
Key components of our SOC controls environment include:
- Data Security – Information security and data protection controls
- Change Management – Controlled and reviewed system changes
- Access Control and Management – Role-based access to platform operations
- Data Redundancy and Backup – Safeguards for data availability
- Software Architecture and Development – Oversight of secure development practices
Data Privacy Team
Weyond has established a dedicated Data Privacy Team responsible for complying with data protection frameworks, including GDPR. The team promotes organizational awareness, assesses compliance, identifies gaps, and implements appropriate policies, procedures, and safeguards. We recognize that continuous employee awareness and training are essential to ongoing GDPR compliance and actively involve employees in our compliance programs. If you have any questions regarding our GDPR compliance practices, please contact our Data Privacy Team at: privacy@efforti.ai