This article explains how Yoffix handles security and compliance for data protection, GDPR, works council requirements, and ISO/IEC 27001:2022. It covers where customer data is stored, encryption and access controls, data retention and deletion, employee privacy settings, and how Yoffix supports works council‑compliant deployment.
Data protection and GDPR
Yoffix is designed to be GDPR-compliant and is used by companies across the EU and beyond, including in heavily regulated industries. Here is how your data is protected:
Data storage and infrastructure: All customer data is stored exclusively on servers within the European Union, hosted by Amazon Web Services (AWS) in Frankfurt, Germany. No data is transferred to servers outside the EU.
Encryption: All data is encrypted in transit (HTTPS) and at rest. Backups are also encrypted.
Identity and access management: Access to customer data within Yoffix's infrastructure is controlled through an IAM (Identity and Access Management) system. Only authorized personnel can access production data, and access is logged and audited.
Data retention and deletion: Personal data is deleted securely after the retention period defined in your contract expires. You can configure the attendance data retention period for your organization in Company settings → Booking and attendance.
Data Processing Agreement: Full technical and organizational measures (TOM) are documented in Yoffix's General Terms and Conditions, which include the Data Processing Agreement (DPA) required under GDPR Article 28. Contact support@yoffix.com to request a copy or a signed DPA for your records.
Employee privacy controls: Each employee controls who can see their attendance data. The available options are set by the admin (see User management → Company-wide user settings), and employees choose their preferred level within those options. This means an employee can, for example, restrict their booking visibility to their team lead and admin only; no other colleagues can see when or where they are booked.
Works council compliance and anonymous mode
One of the most common concerns raised by works councils when introducing desk booking software is employee monitoring — the idea that managers can track exactly where an individual sits and when.
Yoffix addresses this directly through individual privacy controls. Every employee chooses their own visibility setting, which determines who can see their booking data:
Everyone in the organization
Teammates, team lead, and admins
Team lead and admins only
Admins only
When an employee restricts their visibility, their desk bookings are hidden from colleagues who are not in the permitted group. For operational reasons, admins can see booking data regardless of privacy settings; this is disclosed in the privacy policy.
Because privacy is controlled by each employee individually, not by a blanket company policy, works council bodies have approved the Yoffix implementation in all cases where this feature was presented as part of the rollout. If you are preparing a works council presentation or agreement (Betriebsvereinbarung) and need supporting documentation, contact your Customer Success Manager.
ISO/IEC 27001:2022 certification
Yoffix's Information Security Management System (ISMS) is certified to ISO/IEC 27001:2022, audited and certified by Insight Assurance.
ISO/IEC 27001 is the international standard for information security management. Certification confirms that Yoffix has implemented and maintains a systematic approach to managing information security risks — covering people, processes, and technology.
The certificate is available on request. Contact support@yoffix.com or speak to your Customer Success Manager if you need it for a vendor security assessment, procurement process, or internal audit.