Data Protection Addendum
Last updated: Mar 14, 2024
Table of contents
- Introduction
- Definitions
- Roles and Responsibilities
- Processor Obligations
- Scope of Processing
- Security Measures
- Sub-processors
- Data Subject Rights
- Personal Data Breaches
- International Data Transfers
- Data Retention and Deletion
- Audit Rights
- Liability and Compliance
- General Provisions
- Contact Information
1. Introduction
This Data Protection Addendum ("DPA") forms part of the Terms of Service ("Agreement") between YepCode S.L.U. ("YepCode", "we", "us", or "our") and you, the customer ("Customer", "you", or "your"). This DPA applies automatically to all customers and governs the processing of personal data in connection with the YepCode services.
If you need a co-signed copy of this DPA, please reach out to privacy@yepcode.io.
2. Definitions
For the purposes of this DPA, the following terms shall have the meanings set out below. All capitalized terms not defined herein have the meanings given by the GDPR or the Terms of Service:
"Controller" means the entity which, alone or jointly with others, determines the purposes and means of the processing of Personal Data. In this Addendum, the Customer is the Controller;
"Customer Data" means any data, including Personal Data, that Customer or its users submit to the Services;
"Data Protection Laws" means all applicable laws, rules, regulations, and governmental requirements relating to the privacy, confidentiality, security, or protection of Personal Data, including but not limited to the GDPR;
"Data Subject" means an identified or identifiable natural person whose Personal Data is processed;
"GDPR" means the General Data Protection Regulation (EU) 2016/679;
"Personal Data" means any information relating to an identified or identifiable natural person. An identifiable person is one who can be identified, directly or indirectly, by reference to identifiers such as name, email address, IP address, billing identifier, or other factors;
"Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data;
"Processing" means any operation or set of operations performed on Personal Data, including collection, storage, use, disclosure or destruction;
"Processor" means the entity which processes Personal Data on behalf of the Controller. YepCode is the Processor;
"Services" means the YepCode platform and related services provided to Customer under the Agreement;
"Sub-processor" means any third party appointed by YepCode to process Personal Data on behalf of Customer in connection with the Services;
"Trust Center" refers to the page where YepCode publishes its security and compliance information.
3. Roles and Responsibilities
Customer as Controller: Customer is the Controller of Personal Data and is responsible for ensuring that it has the necessary legal basis for processing Personal Data and for complying with all applicable Data Protection Laws.
YepCode as Processor: YepCode acts as a Processor and will process Personal Data only on documented instructions from Customer, except where required by applicable law. YepCode will assist Customer in meeting its obligations under Data Protection Laws.
4. Processor Obligations
YepCode (as Processor) shall implement the following obligations, in addition to any obligations in the principal agreement:
Processing Instructions: YepCode shall process Personal Data only on the Controller's documented instructions and for the duration and purposes set by the Controller. The Controller has overall control of the data; YepCode will not process data beyond those instructions (except to comply with law).
Confidentiality: YepCode shall ensure that all persons authorized to process the Personal Data (including employees and subcontractors) are bound by confidentiality obligations. No one may disclose Personal Data without the Controller's consent, except as required by law.
Security Measures: YepCode shall implement appropriate technical and organizational measures to protect Personal Data against unauthorized access, disclosure, alteration or loss. Such measures may include encryption of data in transit and at rest, stringent access controls, network and application security monitoring, regular backups, and the ability to restore data from backups. YepCode's security program (including its security certifications) provides "sufficient guarantees" of compliance with GDPR security requirements.
Data Subject Rights: YepCode shall assist the Controller by providing reasonable technical and organizational measures for handling requests from data subjects to exercise their rights (e.g. access, correction, deletion, data portability). If any data subject requests information or actions regarding Personal Data, YepCode shall promptly notify the Controller and act only on the Controller's instructions.
Assistance to Controller: YepCode shall assist the Controller in complying with data protection obligations, taking into account the nature of the processing and information available. This includes assisting with security breach notifications to authorities or data subjects, and cooperating in any required data protection impact assessments or consultations.
Data Return or Deletion: Upon termination or expiration of the Services, YepCode shall, at the Controller's choice, either return all Personal Data to the Controller in a commonly used format or securely delete all Personal Data (including backups), unless retaining it is required by law. YepCode shall certify to the Controller that it has complied with these obligations within 30 days of the end of processing.
5. Scope of Processing
Categories of Personal Data: This Addendum covers personal data that Controller's users or accounts provide to YepCode, including:
Contact and account information (e.g. names, email addresses, phone numbers)
Usage data (e.g. IP addresses, logs, analytics)
Billing and payment information (via our payment gateway)
Any personal data embedded in the integration or automation workflows
Content and data submitted through the Services
6. Security Measures
YepCode implements appropriate technical and organizational measures to protect Personal Data against unauthorized or unlawful processing, accidental loss, destruction, or damage. These measures include:
Encryption of data in transit and at rest
Access controls and authentication mechanisms
Regular security assessments and monitoring
Employee training on data protection
Incident response procedures
Regular backups and disaster recovery procedures
YepCode regularly reviews and updates its security measures to ensure they remain appropriate and effective.
7. Sub-processors
Authorization: Customer authorizes YepCode to engage Sub-processors to process Personal Data in connection with the Services. YepCode will ensure that any Sub-processor is bound by the same data protection obligations as set out in this DPA.
Notification: YepCode will notify Customer of any intended changes concerning the addition or replacement of Sub-processors, giving Customer the opportunity to object to such changes. If Customer objects to a new Sub-processor, YepCode will work with Customer to find a mutually acceptable solution.
8. Data Subject Rights
YepCode will assist Customer in responding to requests from Data Subjects to exercise their rights under Data Protection Laws, including:
Right of access
Right to rectification
Right to erasure
Right to restrict processing
Right to data portability
Right to object
YepCode will not respond directly to Data Subject requests unless legally required to do so. Customer is responsible for responding to such requests, and YepCode will provide reasonable assistance as needed.
9. Personal Data Breaches
Notification: YepCode shall notify the Controller without undue delay if YepCode (or any sub-processor) becomes aware of any personal data breach affecting the Controller's Personal Data. The notice will include sufficient information for the Controller to meet its regulatory obligations.
Breach Information: The notification will include:
Description of the nature of the breach
Categories and approximate number of Data Subjects affected
Categories and approximate number of Personal Data records concerned
Likely consequences of the breach
Measures taken or proposed to address the breach
YepCode shall cooperate with the Controller in breach investigation and mitigation efforts, and will provide reasonable assistance to Customer in connection with any Personal Data Breach, including assistance with any required notifications to supervisory authorities or Data Subjects.
10. International Data Transfers
Transfers: Given its global customer base, YepCode may transfer Personal Data outside the EEA (e.g. if a sub-processor is located in another country). YepCode will ensure that any such transfer is compliant with applicable data protection laws.
Standard Contractual Clauses: In particular, YepCode and the Controller will enter into the EU Standard Contractual Clauses (controller-to-processor module) for any transfer of personal data outside the European Union/European Economic Area. These clauses provide legally required safeguards for cross-border data transfers.
Other Safeguards: YepCode may also rely on:
Adequacy decisions by the European Commission
Other appropriate safeguards as required by Data Protection Laws
YepCode will comply with all applicable requirements for international data transfers under Data Protection Laws.
11. Data Retention and Deletion
Retention: YepCode will retain Personal Data only for as long as necessary to provide the Services or as required by applicable law.
Deletion: Upon termination of the Agreement or upon Customer's request, YepCode will delete or return all Personal Data to Customer, unless retention is required by applicable law. YepCode will provide certification of deletion upon request.
12. Audit Rights
Audit Rights: YepCode shall make available to the Controller all information reasonably necessary to demonstrate compliance with this Addendum and shall allow for audits and inspections by the Controller (or an auditor mandated by the Controller), subject to confidentiality constraints.
Audit Limitations: Audits may be conducted no more than once per year, except in case of a data protection concern or as required by law.
Certifications: YepCode maintains relevant security certifications and will provide information about its compliance programs upon request.
13. Liability and Compliance
Each party remains responsible for complying with its respective obligations under applicable law. YepCode's liability for breaches of this Addendum or data protection law shall be subject to the limits set forth in the Master Agreement or applicable law. This Addendum reflects the parties' agreement on GDPR Article 28 requirements and related matters.
14. General Provisions
Governing Law: This Addendum shall be governed by and construed in accordance with the laws specified in the underlying Terms of Service (e.g. Spanish law and GDPR as applicable). Any disputes relating to this Addendum shall be subject to the jurisdiction agreed in the principal agreement.
Severability: If any provision of this DPA is found to be invalid or unenforceable, the remaining provisions will continue to apply.
Amendments: This DPA may be updated from time to time to reflect changes in applicable law or YepCode's services. Material changes will be communicated to Customer with reasonable notice.
Precedence: In case of conflict between this DPA and the Agreement, this DPA will prevail with respect to data protection matters.
15. Contact Information
For any questions regarding this Data Protection Addendum, please contact us at:
YepCode S.L.U.
Rúa Ánade Real, 11.
15172 - Oleiros - A Coruña
Spain
Email: privacy@yepcode.io
Data Protection Officer: dpo@yepcode.io