Data is already a regulated asset
Yaripo SpA recognises that data is a strategic asset and a legal responsibility. This Policy establishes the internal framework for its responsible management: what data we process, how we classify it, who is accountable for it, and how we ensure its quality, security and appropriate use throughout its lifecycle.
Best practices, no invented certifications
Yaripo's data governance is based on recognised industry best practices — without claiming certifications we have not obtained. We operate with documented controls, defined roles and traceable processes, auditable by our clients and counterparties.
Purpose and Scope
What this policy covers
This Data Governance Policy defines the principles, roles, processes and controls that Yaripo SpA applies to manage the data it collects, processes or holds in the course of its activities — including consulting services, technology products, academy and web presence.
It applies to all data processed by Yaripo in its own name, as well as to client data that Yaripo processes as a data processor under the applicable DPA. In the event of conflict with the DPA, the DPA prevails for processing carried out on behalf of the client.
Guiding Principles
Foundations of data governance
Yaripo's data governance is governed by the following principles, derived from industry best practices and applicable international data protection frameworks:
- Lawfulness and purpose limitation. Data is collected on a valid legal basis and for specific, explicit and legitimate purposes.
- Data minimisation. Only data strictly necessary for the declared purpose is collected and retained.
- Accuracy. Controls are implemented to keep data up to date and correct.
- Storage limitation. Data is retained only for as long as necessary or legally required.
- Integrity and confidentiality. Data is protected by appropriate technical and organisational controls.
- Accountability. Yaripo assumes the burden of demonstrating compliance with these principles, rather than waiting to be audited.
- Transparency. Data subjects can know what data is processed, how and why.
Roles and Responsibilities
Who does what
Data governance at Yaripo operates with clearly defined roles, adapted to the structure of a growing consultancy:
Data Owner
The Founder & CEO assumes ultimate accountability for data governance while the organisation has not yet designated a DPO or equivalent. They define policies, approve classification changes and respond to legal requests.
Data Custodians (Data Stewards)
The professionals leading each operational domain (consulting, academy, technology) are responsible for data quality and correct processing within their domain. In client projects, the custodian is the project lead.
Data Users
Any employee, contractor or system that accesses data in the exercise of their functions. They must operate strictly within the principle of minimum necessary access.
Data Subjects
The natural persons whose personal data is processed. They hold rights (Access, Rectification, Erasure, Objection and Portability) exercisable through the privacy requests form.
Data Classification
Categories and protection level
Yaripo classifies the data it processes into four categories, which determine the applicable level of protection:
- Public data. Freely accessible information with no restrictions on disclosure. E.g.: content published on the website.
- Internal data. Information for internal use that must not be disclosed externally without authorisation. E.g.: working documents, proposals, internal emails.
- Confidential data. Information requiring active protection and restricted access. E.g.: client data, contracts, financial information, credentials.
- Sensitive data. Special-category personal data under GDPR and applicable data protection regulations (health, racial origin, beliefs, biometrics, etc.). Requires a reinforced legal basis, a DPIA protocol and strict access controls.
Record of Processing Activities (ROPA)
Regulatory compliance
Yaripo maintains a Record of Processing Activities (ROPA) that documents the main personal data processing operations carried out as data controller or data processor. This record constitutes the documentary basis for compliance with GDPR and applicable data protection regulations.
For each processing activity, the ROPA includes: purpose, legal basis, data categories, affected data subjects, recipients, retention periods and security measures applied.
The ROPA is not published in full for operational confidentiality reasons, but is available to competent authorities where applicable and to clients who request it in due diligence processes.
Data Quality
Accuracy and consistency
Data quality is a shared responsibility among the custodians of each domain. Yaripo applies the following basic quality controls:
- Accuracy. Client and contact data is validated at the point of collection and updated when errors are detected.
- Completeness. Mandatory fields for each process are defined and enforced in the collection systems.
- Consistency. Duplicate or contradictory sources for the same data are not maintained without operational justification.
- Timeliness. Data critical for operational decisions is updated within defined timeframes according to its domain.
Data subjects have the right to request rectification of inaccurate or incomplete data through the privacy requests form.
Data Lifecycle
From collection to deletion
Data processed by Yaripo passes through the following stages, each with defined controls:
- Collection. Only data with a valid legal basis and a declared specific purpose is collected. Forms include information about the processing.
- Storage. Data is hosted on cloud infrastructure with access controls, encryption in transit and, where applicable, at rest.
- Use and processing. Access is restricted to the minimum necessary for the declared purpose. AI and analytics systems are governed by the AI Governance Policy.
- Transfer. Transfers to third parties or vendors are documented in the ROPA and governed by the DPA or equivalent agreements.
- Retention. Retention periods are defined by purpose, legal obligation or contractual agreement.
- Deletion. Data is securely deleted upon expiry of its retention period or at the data subject's request. Yaripo issues a destruction certificate when the client requires it.
Security and Access Control
Technical and organisational controls
The security controls applied to data are detailed in the Information Security Statement. Within the data governance framework, the operative principles are:
- Minimum access. Each person or system accesses only the data necessary for their specific function.
- Strong authentication. Access to critical systems requires multi-factor authentication (MFA).
- Traceability. Accesses and operations on confidential or sensitive data are logged and auditable.
- Environment separation. Production data is not used in development or test environments without an anonymisation process.
International Transfers
Mechanisms and safeguards
Yaripo may transfer or permit access to personal data through cloud providers located outside its operating jurisdiction. These transfers are carried out in accordance with GDPR and applicable data protection regulations through the following mechanisms, as applicable:
- Data processing agreements (DPAs) provided by cloud vendors, compatible with international standards.
- Standard Contractual Clauses (SCCs) where the recipient is in a country without an equivalent adequate level of protection.
- Explicit consent of the data subject, where applicable and where it is the only available legal basis.
The cloud providers used by Yaripo and their transfer mechanisms are documented in Annex A of the DPA, available on request.
Data Subject Rights
Rights and how to exercise them
Data subjects whose personal data is processed by Yaripo hold the following rights under GDPR and applicable data protection regulations:
- Access. To know what personal data Yaripo processes, for what purpose and for how long.
- Rectification. To correct inaccurate, incomplete or out-of-date data.
- Erasure / Right to be forgotten. To request deletion of data where there is no legal basis for its retention.
- Objection. To object to processing in the cases provided for by law.
- Portability. To receive data in a structured, machine-readable format where technically feasible.
Security Incident Management
Detection, containment and notification
Yaripo has an incident response protocol for security events affecting personal data. The commitments are:
- Preliminary notification to the client within a maximum of 24 hours from detection.
- Full notification with details of impact, affected data and measures taken within a maximum of 72 hours.
- Internal documentation of the incident for traceability and continuous improvement.
- Notification to the competent authority where required by applicable data protection law.
Updates and Review
Currency of this policy
Yaripo will review this Data Governance Policy at least once a year, or whenever regulatory, operational or infrastructure changes make it necessary. The current version will always be the one published at yaripodata.com with the corresponding update date.
Material changes will be communicated to clients with an active relationship at least 30 days in advance, unless an urgent legal obligation requires immediate application.
Related Documents