Background

The ‘General Data Protection Regulation’ (GDPR) came into effect in the European Union and the broader European Economic Area on May 25, 2018, providing a unified data protection legislation across all EU member states. There are increased restrictions on the handling of personal data and transfer of personal data outside of   the EEA, and companies processing personal data are required to take a measured approach on how they process and protect personal data. Taulia Inc. together with its affiliated group companies (“Taulia”) has taken the necessary steps to comply with the GDPR, and to support those of its customers that are subject to the GDPR in their own compliance efforts. The GDPR requires that companies take a risk-based approach in determining the appropriate protections to put in place, within the requirements of the law. Processing of personal data in the Taulia eInvoicing and working capital management solutions is very limited, and always within the B2B context. For the vast majority of data subjects, Taulia holds only their name and business email address. Nevertheless, the GDPR requirements for this, and any other personal data that is processed by Taulia, are taken into account during each processing step.

Schrems II

On July 16th, 2020, the CJEU has declared the EU-US Privacy Shield an invalid mechanism for transferring personal data from the E.U. to the U.S. To the extent that Taulia has relied on the EU-US Privacy Shield as the mechanism to transfer personal data across borders, Taulia will be converting to use of the EU Standard Contractual Clauses, or another approved transfer mechanism as a replacement for the EU-US Privacy Shield. In the meantime, Taulia intends to continue to maintain its status and compliance with the EU-US Privacy Shield Principles.

Compliance Highlights

Taulia has updated its Privacy Policy, which can be reviewed here.

In addition, here are some of the steps we’ve taken to ensure our compliance with the GDPR and provide assurance to our customers:

  • Where Taulia transfers personal data out of the EEA, we do so only under one of the EU-approved data transfer mechanisms (see Schrems II above).
  • Taulia is committed to follow appropriate security measures and precautions in accordance with the GDPR.
  • Taulia assists customers with notifying regulators of any breaches and promptly communicates any breaches to customers and users.
  • Taulia commits to assist our customers, insofar as possible, to respond to data subject requests that our customers may receive under the GDPR.
  • Taulia ensures that its employees who are authorized to process personal data are trained in the proper handling of this information.
  • Sub-processors that handle personal data, including at our hosted data centers, are held to the same data management, security, and privacy practices and standards to which Taulia is held.
  • Where appropriate, Taulia enters into Data Processing Agreements documenting our commitments to our customers to support their respective obligations under the GDPR.

Product Readiness

Taulia understands the enhanced GDPR personal data processing requirements and the importance of these measures to our EU customers. Data is core to our business and we place a high priority on protecting and managing such data according to the law. In alignment with the GDPR, Taulia has strengthened its processes to ensure rights of data subjects under the GDPR are fully respected.

Taulia possesses dedicated data processing instances and environments located in the European Union, which are deployed for buyers based in the EEA.

Taulia strives for transparency, to maintain security and build trust across our 1.5 million connected global supplier and buyer customers. Team members across Taulia departments continually collaborate on ever- evolving security best-practices, including the GDPR frameworks specifically focused on enhanced security and privacy requirements. This includes:

  • re-verification of our end-to-end privacy practices from initial data mapping exercises to assessing how we collect, process, and store personal data, and the potential privacy impacts.
  • conducting security and privacy reviews of our vendor’s contracts and entering into Data Processing Agreements (DPA) with vendors who process personal data to provide EU-compliant contractual protections.
  • providing required training to our employees, especially our Engineering and Product teams, on privacy and security requirements.

Security

Taulia is backed by stringent state-of-the-art security controls designed to protect your data. Specifically, cyber risk is taken very seriously at Taulia and is managed daily by our Director of Security and CTO. All employees are required to review and agree to Taulia’s strict IT Security Policies, which are annually reviewed to incorporate periodic updates. Taulia is also annually audited by third-party auditors for SSAE-18 SOC1 and SOC2 Type 2 compliance as well as annually audited by third-party auditors for penetration and vulnerability testing. Further, all data transacted by Taulia is always encrypted in-flight and at-rest via native ERP APIs.