The layers
- Data location — EU data centers; candidate and client data in your workspace stays under the European regime your clients expect.
- Access control — workspace roles via Team settings, per-account activity in the Audit Log, and client-side access via the portal’s Manage Access.
- The processing relationship — you’re the controller, Yena the processor; the Data Processing Agreement formalizes it, the Privacy Policy covers what Yena itself processes.
- The public surfaces — portal and careers links are unguessable tokenized URLs, portals can be taken offline with one switch, and the Anonymize Names toggle keeps identities out of pre-contract reviews.
Questions we get in vendor reviews
Security questionnaires and DPA specifics: contact us and we’ll work through your firm’s checklist directly — that path is faster than reverse-engineering it from documentation.For your own duties as controller — lawful basis, retention, erasure — start with GDPR and candidate data and Sourcing responsibly.
