About Yazda and the Documentation Project 

Yazda is a non-governmental, non-profit organization founded in October 2014 in response to the genocide committed by the Islamic State of Iraq and the Levant (ISIL) against the Yazidi and other minority groups in Iraq. The organization's mission is to prevent future genocides and support the recovery of communities affected by ISIL atrocities through a variety of humanitarian, sustainable development, justice, advocacy, and cultural preservation initiatives.

Launched in 2015, a few months after the start of ISIL attacks on Sinjar, the Documentation Project is Yazda’s flagship program. Through this project, evidence of international crimes (genocide, crimes against humanity and war crimes) has been collected by Yazda over the past years through witness and survivor testimonies, as well as the documentation of crime scenes, including mass graves, kill sites, captivity sites and destroyed cultural heritage sites in Nineveh Province. By drawing on Yazda’s Documentation Project, Yazda has been able to support cases in a number of jurisdictions, from investigation to trial. This includes supporting the world’s first genocide conviction against Taha A.-J., a former member of ISIL, who was convicted in Germany based on the evidence of a key witness whom Yazda identified in Iraq. Yazda plays a central role in providing evidence, identifying clients and facilitating victims’ participation in cases in Germany, with six successful convictions for crimes against humanity and three for genocide in Germany.   

Job Overview

After over a decade of collecting critical evidence on ISIL crimes in Iraq and Syria, Yazda seeks to ensure the long-term security, preservation, and accessibility of its documentation. The consultant will support Yazda in reinforcing the protection of its evidence database and associated data management practices.

The consultant will:

• Conduct a thorough assessment of Yazda’s existing data management policies and the security protocols governing its evidence databases.
• Provide clear, actionable recommendations to enhance data protection, ensure confidentiality, and support the long-term preservation of sensitive documentation.
• Develop tailored Standard Operating Procedures (SOPs) and user-friendly manuals to guide secure data handling, storage, access, and lifecycle management.
• Analyze potential risks associated with the current hosting environment and identify strategies to strengthen the database’s security, resilience, and accessibility over time.
• Present a set of strategic options to future-proof the documentation archive, taking into account legal, operational, and logistical considerations aligned with international best practices.

Expected Deliverables and Timeline:

• Conduct a comprehensive assessment of Yazda’s data management workflow, existing policies, and the current security measures in place for its evidence databases. Identify potential vulnerabilities and risks to data integrity and confidentiality.
• Based on the findings, develop a set of concrete recommendations to enhance data security, long-term protection, and compliance with international best practices for sensitive documentation.
• Present the assessment and recommendations to Yazda’s Senior Management Team. Upon agreement on the improvement measures, draft tailored Standard Operating Procedures (SOPs) and manuals to guide secure data management and handling.
• Deliver targeted training sessions for relevant Yazda staff to build internal capacity on data protection, risk mitigation, and secure documentation practices.
• Conduct a focused assessment of the risks associated with maintaining the evidence database in its current location, and evaluate potential pathways for securing its long-term preservation, including the option of relocation to a third country. This assessment should consider legal, operational, financial, and security implications and propose several relocation scenarios, including recommended platforms or software solutions that align with the overall findings.

Main Responsibilities

PHASE 1: ASSESSMENT (Weeks 1–5)

1. Conduct a comprehensive review of Yazda’s current data infrastructure, including servers, storage systems, access protocols, and software tools.
2. Evaluate existing security configurations such as encryption, firewalls, backup systems, and access control mechanisms.
3. Analyze Yazda’s data management policies, classification standards, SOPs, and disaster recovery procedures to identify gaps and vulnerabilities.
4. Identify and document key risks to data integrity and confidentiality, including unauthorized access, data loss, surveillance, and physical threats.
5. Deliver an Assessment Report summarizing Yazda’s current data workflows, security posture, and critical areas requiring improvement.

PHASE 2: RECOMMENDATIONS & SOP DEVELOPMENT (Weeks 6–8)
6. Present findings to the Senior Management Team (SMT) and finalize a set of agreed recommendations to strengthen data protection and long-term resilience.
7. Draft tailored Standard Operating Procedures (SOPs) and policy templates covering secure data collection, storage, access management, incident reporting, and onboarding/offboarding procedures.
8. Design and deliver customized training sessions for relevant Yazda staff on risk mitigation strategies, secure data handling, and SOP implementation.

PHASE 3: STRATEGIC HOSTING OPTIONS ASSESSMENT (Weeks 9–13)
9. Conduct a strategic evaluation of long-term hosting options for Yazda’s evidence database, including analysis of cyber, legal, operational, and physical security considerations. Assess the feasibility, costs, and advantages of different secure storage solutions and platforms. Provide a Hosting Strategy Report outlining recommended options aligned with Yazda’s operational needs and risk profile.

PHASE 4: SUSTAINABILITY, HANDOVER & FINAL ROADMAP (Weeks 14–16)
10. Provide a detailed roadmap to support the sustainable implementation of improved security measures and ensure long-term data protection and access continuity. Include handover documentation and guidance for internal follow-up.

• Advanced degree in information security, cybersecurity, data management, computer science, or a related technical field. An additional academic background in law, international justice, or human rights is a strong asset.
• A minimum of 7–10 years of progressively responsible professional experience in digital security, data protection, and secure information management, preferably within the context of human rights, international justice, or humanitarian organizations.
• Proven track record in managing sensitive and high-risk data, particularly databases linked to the documentation of international crimes, human rights violations, or legal evidence.
• Demonstrated expertise in designing, assessing, and implementing robust data security frameworks, including encryption, access control, secure hosting, and risk mitigation strategies for digital evidence archives.
• Experience conducting comprehensive risk assessments and developing Standard Operating Procedures (SOPs), technical manuals, and policy guidance related to data security and information governance.
• Strong knowledge of international and European data protection standards, including the General Data Protection Regulation (GDPR), and best practices for handling confidential or sensitive data.
• Incident Response and Security Awareness: Proven experience in identifying and handling security incidents swiftly and effectively, as well as training staff to recognize and prevent potential threats.
• Access Control and Disaster Recovery: Advanced skills in managing user access using multi-factor authentication (MFA) and developing backup and disaster recovery plans to safeguard against data breaches or loss.
• Security Audits and Cloud Management: Ability to conduct regular security audits, manage secure cloud or third-party hosting environments, and use monitoring tools to ensure continuous data protection.
• Fluency in English is required.
• Proficiency in Arabic is an asset.
• Familiarity with the Middle East context and an understanding of data protection challenges in fragile or conflict-affected settings is highly desirable