Data Protection Addendum

Last Updated: March 31, 2021

By affirmatively checking a box next to a hyperlink to this Data ProtectionAddendum (“DPA”), clicking “I agree” or any other button that allows you to advance past the text of this DPA, accessing or using the Services, or otherwise affirmatively indicating your assent to us, you acknowledge that you have read, understood, and agree to be bound by this DPA and all terms, conditions, and notices contained or referenced herein. If at any time either party determines that they can no longer comply with the terms of this DPA, that party must take reasonable and appropriate steps to stop and remediate any non-compliantProcessing of Personal Information (as defined in this DPA).

  1. Relationship to Master Agreements. This DataProtection Addendum (“DPA”) by and between you and Yac is incorporated into and forms an essential part of the Yac Terms of Service, as updated from time to time and available at https://www.yac.com/terms (the “Agreement”). If there is any conflict between the Agreement and this DPA with respect to the subject matter described in the DPA, the DPA will govern. This DPA will automatically terminate upon expiration or termination of the Agreement.
  2. Definitions. Any capitalized terms not defined in this DPA will have the meaning given to them in theAgreement. For purposes of this DPA:
    a. “Applicable Data Protection Law” means, with respect to a party, all privacy, data protection and information security-related laws and regulations applicable to such party’s Processing of Personal Information, including as applicable theGDPR and the CCPA;
    b. “Processing”means any operation or set of operations which is performed on PersonalInformation or on sets of Personal Information, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
    c. “PersonalInformation” means any data which is provided under the Agreement and is defined as “personal data”, “personal information”, “personally identifiable information” or similar information defined in and governed by Applicable DataProtection Law.
  3. Applicability of Annexes to this DPA. This DPA applies to Yac’s Processing of Personal Information provided by you to Yac under the Agreement, except that (i) Annex A applies only to the Processing ofPersonal Information governed by the General Data Protection Regulation and any national implementing legislation, as amended from time to time (“GDPR”), and (ii) Annex B applies only to the Processing (as defined in Annex B) of Personal Information governed by the California Consumer Privacy Act, as amended from time to time (“CCPA”) and any regulations issued pursuant thereto.
  4. Scope andProcessing Instructions. Yac will process Personal Information on your behalf only in accordance with the Agreement (including this DPA) or other documented instructions from you (whether in written or electronic form) or as otherwise required by applicable law. You agree that the Services are not intended or designed for use with, and that you will not provide or transmit to Yac, any “Sensitive Personal Information”,meaning Personal Information revealing an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, sex life or sexual orientation, government-issued identification information (including without limitation social security number, driver’s license number, passport number, or other similar identifiers), or other similar sensitive information.
  5. Security. Yac will provide reasonable technical and organizational measures that have been designed, taking into account the nature of the Processing, to assist customers(as much as is commercially reasonable) in securing their Personal Information in the Services and to protect Personal Information against any “Security Incidents”, meaning any confirmed unauthorized or unlawful breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Personal Information processed in connection with the Services(for the avoidance of doubt, Security Incidents does not include unsuccessful attempts or activities that do not compromise the security of PersonalInformation, including unsuccessful log-in attempts, pings, port scans, denial of service attacks or other network attacks on firewalls or networked systems).Yac will substantially conform its security practices to the summary of its “Information Security Policy” attached hereto as Exhibit A of this DPA and incorporated into the Standard Contractual Clauses as Appendix 2. The Information Security Policy substantially conforms to the industry-standard security practices provided by Yac’s Subprocessor, Amazon Web Services. You are responsible for reviewing the Information Security Policy and making an independent determination as to whether the Services meet your requirements, including any of your obligations under applicable law. You acknowledge and agree that Yac will also assist you with conducting any legally required data protection impact assessments (including subsequent consultation with a supervisory authority), if so required by applicable law, taking into account the nature of Processing and the information available to Yac.  Yac may charge a reasonable fee for any such assistance, as permitted by applicable law. Yac will require its personnel granted access to Personal Information to protect the confidentiality of thePersonal Information.
  6. IncidentNotification. You shall promptly notify Yac without undue delay in the event you discover a Security Incident related to the Services. Yac will promptly notify you in the event we discover a Security Incident affects you or where required by applicable law, unless otherwise prohibited by law or instruction by law enforcement or supervisory authority. Following notification, Yac will take reasonable steps to mitigate the effects of the Security Incident and to minimize any damage resulting from the Security Incident.  At your request, Yac will provide reasonable assistance and cooperation with respect to any notifications that you are legally required to send to affected Data Subjects and regulators.  Yac may charge a reasonable fee for such requested assistance, to the extent permitted by applicable law.
  7. Subprocessors. You agree that Yac may use affiliates, partners, service providers, and other third parties (“Subprocessors”) to process PersonalInformation on our behalf, including as necessary to provide the Services. Yac agrees to enter into written agreements with each Subprocessor that impose substantially similar privacy and data security protections as those provided in this DPA. You acknowledge and agree that this Section 7 constitutes your general authorization to Yac to use Subprocessors.
  8. Data Subject Requests. Yac agrees to provide to you, upon your request and at your expense, such assistance as maybe reasonably required for you to comply with your obligations under applicable law to respond to any requests or complaints from individuals (“Data Subjects”) regarding theirPersonal Information (“Data SubjectRequests”) (including without limitation any individual rights such as rights of data access, deletion, opt-out of sale, rectification, erasure, restriction, portability, and objection) in such cases where you cannot reasonably respond to such Data Subject Requests through the privacy features and functionalities within the Services. You acknowledge and agree that eachParty is solely responsible for handling Data Subject Requests with respect to that Party’s Processing of Personal Information within its independent control.
  9. Indemnities; Limitations of Liability. ANY LIABILITIES ARISING UNDER THIS DPA ARE SUBJECT TO THE LIMITATIONS OF LIABILITY IN THE AGREEMENT.

Annex A

  1. Definitions. For purposes of this Annex A, the terms “Data Controller”and “Data Processor” have the meanings given to them under the GDPR, and the “Standard Contractual Clauses” means the clauses approved by theEuropean Commission’s decision of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of theCouncil (notified under document C(2010) 593) (2010/87/EU).
  2.  Roles of theParties. As between the Parties, (a) you act as a DataController of any Personal Information you transmit to Yac; and (b) Yac acts asa Data Processor engaged to process Personal Information you transmit to Yac.
  3. Subprocessors. Yac makes available a list of its Subprocessors (“Subprocessor List”) upon written request to [support@yac.com]. Yac may update the Subprocessor List from time to time in accordance with the DPA.Whenever Yac updates the Subprocessor List, Yac will provide written notice to you at the email address associated with your account with us. You may provide written objection to Yac to a specific Subprocessor based on a good faith data protection concerns within thirty (30) calendar days after your receipt of such notice. If Yac receives no objection, then Yac will consider the Subprocessor as subject to your specific authorization to engage in Processing PersonalInformation on Yac’s behalf. If you do provide such an objection, the Parties agree to discuss such concerns in good faith and come to a resolution regarding the Subprocessors involvement in the Processing of Personal Information; provided, however, that if the Parties are unable to mutually agree to a resolution, your sole and exclusive remedy is to ter. You acknowledge and agree that thisSection 3 of Annex  A of the DPA constitutes your specific authorization to Yac to use the Subprocessors listed in the Subprocessor List.
  4. Standard Contractual Clauses. Yac may transfer Personal Data to various locations as necessary to perform its obligations under the Agreement, including locations both inside and outside the United States, the European Economic Area (“EEA”), and Switzerland. Yac and Customer agree to comply with the terms of the Standard Contractual Clauses to the extent necessary to effectuate such data transfers.
  5. Subject Matter and Details of Processing. For purposes of Appendix 1 of the Standard Contractual Clauses, (a) the subject matter of the Processing under the Agreement is Yac’s provision of the Services; (b) the duration of the Processing is from Yac’s receipt of Personal Information until the deletion of all Personal Information provided by you to Yac in accordance with the terms of the Agreement or Yac’s standard data retention practices, as applicable; (c) the nature and purpose of the Processing is to provide theServices; (d) the Data Subjects to whom the Processing pertains are those individuals that are your customers or users, or those individuals with professional associations to companies or other organizations with whom you have a business interest or relationship; and (e) the categories of PersonalInformation are those categories that you provide to Yac under the Agreement.
  6. Audits and Reports. To the extent the GDPR provides you with the right to audit Yac’s Processing of PersonalInformation for which you are the Data Controller, the Parties agree that thisSection 6 of Annex A to the DPA sets out the process by which you may exercise that right. Upon your request to exercise that right, Yac will make available to you (a) a copy of a report issued by a third party that has assessed Yac’s security practices (“Third-Party Report”)or (b) responses to any written questions reasonably related to Yac’s security practices or compliance with this Agreement (“Written Responses”). Any Third-Party Reports or Written Responses you receive from Yac are considered Confidential Information under theAgreement and may not be disclosed without Yac’s prior written consent, except as required by law. If, after receipt of either a Third-Party Report or WrittenResponses, you determine reasonably and in good faith that further audit is necessary under applicable law, you may provide written notice to Yac that you wish to perform a review, at a date no earlier than thirty (30) days from the day Yac receives such notice, of Yac’s relevant policies, procedures, and related documentation of the Services. You agree that any such review will be performed at your expense, with a scope, timing, and duration to be mutually agreed by the parties. You acknowledge and agree that Yac will not be compelled to disclose any information that would compromise any of Yac’s confidentiality obligations under any binding agreement or that Yac may refuse to disclose pursuant to applicable law.

Annex B

  1. Definitions. For purposes of this     Annex B, “Sell”, “Service Provider”, and “Verifiable Consumer Request” will     have the meanings given to them in the CCPA.
  2. Service Provider. The parties agree that Yac     is a Service Provider with respect to Personal Information that is subject     to the CCPA that you disclose to Yac under the Agreement (“CCPA Personal Information”). Yac     is prohibited from Selling CCPA Personal Information and from retaining,     using, or disclosing CCPA Personal Information for any purpose other than     the specific purpose of performing the Services in accordance with the     Agreement, unless otherwise permitted by applicable law.
  3. Verifiable Consumer Requests. Yac agrees to take such     actions and provide such information as Customer may reasonably request to     assist Customer in responding to Verifiable Consumer Requests that     Customer may receive from an individual wishing to exercise their rights under the CCPA.

EXHIBIT A

YAC INFORMATION SECURITY POLICY

Yac provides the below described technical and organizational security measures through its cloud infrastructure and data security Subprocessor, Amazon Web Services. Yac reserves the right to upgrade or otherwise modify its security measures and this Information Security policy at any time in its sole discretion; provided, however, that Yac will not materially degrade any security measures during the term of the Agreement.

Location of data

All of our services and data are hosted in Amazon Web Services(AWS) facilities (S3, RDS) in the United States, and Vultr dedicated servers in the United States.

Failover and availability

Our infrastructure and data are spread across multiple server nodes and AWS availability zones and are designed to continue to work should any one of the data centers or facilities fail, per AWS's disaster recovery practices and policies.

Backups and monitoring

We produce audit logs for activity and for data storage devices we log all activity automatically. We regularly backup our servers using AWS's provided backup services.

Permissions and authorization

Access to customer data is limited only to authorized personnel who require it for their job and on a need-to-know basis. All personnel who access customer data do so pursuant to written agreements with data protection obligations consistent with applicable law. Every service hosted on our servers is served over forced HTTPS only, with HTST enabled. We have a strict SAMLSingle Sign-on (SSO), 2-factor authentication (2FA), and strong password policies on critical cloud services used by our team like GitHub, Google, andAWS to ensure access to cloud services is protected.

Encryption and storage

All data sent to or from Yac is encrypted in transit using 256 bit encryption. Our APIs and application endpoints are TLS/SSL only. We only use strong cipher suites and have features such as HSTS enabled. We also encrypt data at rest using an industry-standardAES-256 encryption algorithm by making use of AWS's RDS encryption.

Contact Us

If you have any questions about these terms, let us know.