Enterprise-ready DPA
This DPA is designed for Yaripo to operate, as a general rule, as Data Processor on behalf of the Client, covering scenarios including consulting, compliance review, data protection, AI, academy, support and digital products.
GDPR + EU data protection framework
The contractual logic follows the minimum structure typically required for processing on behalf of a controller: subject matter, duration, purpose, data types, categories of data subjects, confidentiality, security, sub-processors, assistance, audit and end of service.
Subject matter and relationship with the main contract
Data protection annex
The DPA governs the processing of personal data that Yaripo carries out on behalf of the Client in the provision of services. It shall operate as an annex to or integral part of the main contract, taking precedence in matters of personal data processing where a specific conflict arises.
Roles of the parties
Client as Controller, Yaripo as Processor
The baseline structure designates the Client as Data Controller and Yaripo as Data Processor, as a general rule, with respect to data processed on behalf of the Client.
Scope of processing
Purpose, duration and categories
The DPA shall describe, at a minimum, the subject matter of the processing, its duration, the nature and purpose, the types of personal data and the categories of data subjects. In Yaripo, this covers consulting, academy, SaaS, AI, support, PoC, automation, hosting and integration.
Categories may include professional contact data, end users, enterprise datasets, technical logs, prompts, inputs, outputs and, exceptionally, sensitive or financial data if the Client validly incorporates or instructs Yaripo to process them.
Processing under Client instructions
Limits and lawfulness of processing
Yaripo shall process personal data only in accordance with documented instructions from the Client, unless required to do so by applicable law.
The Client must ensure that it has a sufficient legal basis, legitimate purposes and the authority to provide Yaripo with the data that is the subject of the service.
Security and confidentiality
Technical and organisational measures
The Processor shall provide sufficient guarantees to implement appropriate technical and organisational measures.
In practice, Yaripo may apply access controls, encryption, MFA, secrets management, monitoring, environment segregation, backups, vulnerability management and reasonable incident response measures.
Sub-processors
General enterprise authorisation
For enterprise environments, the most practical model is generally a general authorisation for sub-processors, with an obligation to impose equivalent obligations on them and to notify the Client of relevant changes.
International transfers
Adequate mechanisms by jurisdiction
Where processing involves international transfers, the DPA may allow for the use of adequate mechanisms according to the applicable jurisdiction, including adequacy decisions, standard contractual clauses and equivalent contractual, technical or organisational safeguards.
Yaripo structures these safeguards in accordance with the GDPR and applicable EU data protection framework for both domestic and international contracts.
Security incidents
Reasonably prompt notification
The prudent wording that best serves this purpose is: notification to the Client as soon as reasonably practicable after an incident with a material impact on personal data processed under the DPA has been confirmed.
Audit and compliance evidence
Reasonable minimum, controlled scope
Yaripo may make available to the Client reasonably necessary information to demonstrate compliance through documentation, policies, questionnaire responses, control summaries or other appropriate evidence.
On-site audits or intrusive testing should only proceed on an exceptional basis, with a limited scope, prior notice and under strict confidentiality obligations.
End of service: return or deletion
Closure of processing
Upon termination of services, Yaripo may return or delete the personal data at the Client's election, unless a legal retention obligation or residual need for backup, defence or compliance purposes applies.
Sensitive data and financial data
Enhanced cases and restrictions
As Yaripo may provide data protection assessment and review services in organisations, the DPA shall contemplate that the Client may instruct the processing of sensitive or financial data.
In such cases, the Client must ensure a valid legal basis, necessity and sufficient authority, and Yaripo must limit processing to the strictly necessary scope.
Minimum operational annex
Processing quick reference
Every DPA shall be closed with an operational annex summarising:
- service contracted;
- duration of processing;
- categories of data subjects;
- types of data;
- purposes;
- relevant sub-processors;
- international transfers, where applicable.