YionStack
Legal · Article 28 UK GDPR

Data Processing Agreement

Between Yiontech LTD (trading as “YionStack”, the “Processor”) and you, the customer (the “Controller”). This DPA is incorporated into our Terms of Service and applies whenever your use of YionStack involves processing personal data on data subjects (your customers, employees, learners, suppliers).

Version
v1.3
Effective
11 May 2026
Jurisdiction
England & Wales
Standard
UK GDPR · DPA 2018
Companies House
16519666
ICO registration
ZC013988

Yiontech LTD is registered with the UK Information Commissioner's Office under reference ZC013988 (registered 15 October 2025, current registration expires 14 October 2026). The contracting party named throughout this DPA is Yiontech LTD (Companies House 16519666), which trades under the YionStack brand.

Definitions & roles

UK GDPR Arts. 4(7)–(8), 28

In this DPA, “Controller”, “Processor”, “Sub-processor”, “Personal Data”, “Processing”, and “Data Subject” have the meanings given in the UK GDPR (the General Data Protection Regulation as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of the Data Protection Act 2018, as amended).

You are the Controller of personal data you submit to YionStack. We (Yiontech LTD, trading as YionStack, a company registered in England and Wales) are the Processor and process that data only as Article 28 permits.

Documented instructions

UK GDPR Art. 28(3)(a)

We process Personal Data only on your documented instructions. Your instructions are constituted by (a) your use of the YionStack product, (b) any configuration you set in-product, and (c) any further written instructions you give us. If we believe an instruction infringes data protection law we will notify you and may suspend processing pending confirmation.

Where applicable law requires us to process Personal Data otherwise (for example a regulatory order), we will tell you before we do so unless that law forbids the disclosure on important grounds of public interest.

Personnel & confidentiality

UK GDPR Art. 28(3)(b)

Every YionStack employee, contractor and director with access to Personal Data is bound by a written confidentiality undertaking that survives termination of their engagement. We apply least-privilege access controls, document role-based permissions, and run access reviews on a documented cadence. Personnel with access to production systems undergo a background-check process appropriate to UK employment law before access is granted.

Some personnel and contractors are located outside the UK (see Annex 3 — the destination country is named in our IDTA and Transfer Risk Assessment and is available on request). Each of them is, in addition to the confidentiality undertaking, bound by a written data-protection and confidentiality schedule (process only on documented instructions, security and managed-device controls, no local retention or export, breach notification within 24 hours, return / deletion on exit, cooperation with audits), works under the supplementary measures in Clause 6, and has completed our data-protection and security induction before being given access.

Security measures

UK GDPR Art. 28(3)(c) referencing Art. 32

We implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in line with Article 32 UK GDPR. Annex 2 below lists the specific measures in place at the date of this DPA. We may update individual measures from time to time provided the level of protection is not materially diminished.

Sub-processors

UK GDPR Art. 28(3)(d) & Art. 28(2)

You give general written authorisation to engage Sub-processors, subject to the conditions in this clause. The current list of Sub-processors is in Annex 3. We will notify you at least 30 days before adding or replacing a Sub-processor. You may object on reasonable data-protection grounds; if a resolution cannot be reached, you may terminate the affected services with pro-rata refund of pre-paid fees.

We impose data-protection obligations on every Sub-processor that are equivalent to those in this DPA, and we remain fully liable to you for the performance of each Sub-processor.

International transfers

UK GDPR Chapter V · UK IDTA

Where a Sub-processor processes Personal Data outside the UK or the EEA, the transfer is safeguarded by the UK International Data Transfer Agreement (the “UK IDTA”) or the EU Standard Contractual Clauses with the UK Addendum issued by the ICO. For US Sub-processors we additionally rely (where they self-certify) on the UK extension to the EU-US Data Privacy Framework.

We complete a Transfer Risk Assessment for each non-adequate country and make the assessment available to you on reasonable request. Both AI Sub-processors (OpenAI, Anthropic) operate under what we term zero-retention enterprise terms: prompts and completions are not used to train models and are not retained beyond 30 days (abuse-monitoring logs only).

This clause applies equally where the “Sub-processor” is, in substance, Yiontech's own personnel or contractors located outside the UK (see Annex 3; the destination country is named in our IDTA and Transfer Risk Assessment and is available on request). That transfer is safeguarded by the UK IDTA and a completed Transfer Risk Assessment for the destination country, plus the following supplementary measures: Personal Data remains on UK / EEA infrastructure and is accessed record-by-record through the product (no bulk export); it is encrypted in transit and at rest; it is reachable only under role-based access with row-level isolation (a person sees only data for the businesses or systems their role covers); every access is logged; data is minimised; the person works from a managed device; and each such person is bound by a written confidentiality and data-protection undertaking (Clause 3).

Data-subject rights assistance

UK GDPR Arts. 12–22 & 28(3)(e)

If a data subject contacts YionStack directly to exercise a right (access, rectification, erasure, restriction, portability, objection, or in relation to automated decision-making), we will redirect them to you and notify you without undue delay.

YionStack provides in-product tooling so you can find, export, correct, and delete Personal Data about a specific data subject. Where you require additional assistance to respond to a request within the statutory one-month window we will provide reasonable cooperation, including bulk export and deletion, at no charge for ordinary requests.

Personal-data breach notification

UK GDPR Arts. 33 & 28(3)(f)

We notify you without undue delay, and in any event within 72 hours of becoming aware of a Personal Data breach affecting your data. Each notification includes the nature of the breach, the categories and approximate number of data subjects and records concerned, the likely consequences, and the measures we have taken or propose to take to address the breach and mitigate its possible adverse effects.

If we cannot provide the full information at the time of notification, we provide it in phases as it becomes available. Your own 72-hour deadline to notify the ICO under Article 33 runs from the moment you become aware of the breach; our notification to you is that trigger.

DPIAs & prior consultation

UK GDPR Arts. 35–36 & 28(3)(f)

Taking into account the nature of processing and the information available to us, we will provide reasonable assistance to support your Data Protection Impact Assessments and any subsequent prior consultations with the ICO. This includes information about our processing operations, Sub-processors, security controls, and data flows.

Audits & demonstration of compliance

UK GDPR Art. 28(3)(h)

We make available to you the information necessary to demonstrate compliance with the obligations laid down in Article 28 UK GDPR. This includes (when produced) SOC 2-style control narratives, penetration-test summaries, ISO/IEC 27001 mappings, our DPIA register, and our policies.

On reasonable notice (at least 30 days, no more than once per year save where required by law or following a breach) we will allow for and contribute to audits, including inspections, conducted by you or by an auditor mandated by you. On-site audits are by mutual agreement; remote audits via questionnaire and document review are the default.

Termination, return & deletion

UK GDPR Art. 28(3)(g)

On termination of your YionStack account or on your written instruction, YionStack will, at your choice, return or delete all Personal Data processed on your behalf. We retain Personal Data for 30 days after termination to support you in case of accidental cancellation; after that window the data is permanently deleted from production systems within a further 30 days, and from backups in line with our backup retention schedule (currently 35 days).

This obligation is qualified only where applicable law requires retention (for example, accounting and tax records under the Companies Act 2006 and HMRC requirements, typically held for six years).

Governing law & venue

UK Common Law

This DPA is governed by the law of England and Wales. The courts of England and Wales have exclusive jurisdiction over any dispute arising from or in connection with it. Liability under this DPA is governed by the limitation of liability terms in our Terms of Service.

Annex 1

Subject matter & duration of processing

What we process, for whom, why, and for how long.

Subject matter

The provision of the YionStack Business OS (accounting, payroll, HR, CRM, marketing, education, AI operator and supporting services).

Duration

The term of your subscription, plus the post-termination retention window (Clause 11).

Nature & purpose

Storage, organisation, retrieval, transmission, computation and presentation of Personal Data to enable you to operate your business.

Frequency

Continuous, on a Controller-initiated basis (you create the data; we process it on your instruction).

Categories of data subjects

Your customers, prospects, employees, contractors, learners (if education), suppliers, directors and any other individuals whose Personal Data you upload.

Categories of Personal Data

Identity (name, email, phone), employment data, financial data (invoices, payments), tax identifiers, learner records (if education), uploaded documents and free-text entered by your team.

Special category data

Only where you choose to process it (e.g. health data in HR cases, ethnicity in education safeguarding). We do not solicit it.

Children's data

Where applicable to education-sector customers — handled in line with the Age-Appropriate Design Code (Children's Code) and your safeguarding workflows.

Annex 2

Technical & organisational measures (Article 32)

The specific controls we implement, listed for procurement review.

Business isolation

Row-level security enforced at the database layer for every business object — not retrofitted in app code. Each business sees only what is theirs.
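As an illustration of what "enforced at the database layer" means in practice, the following is an added example of PostgreSQL row-level security for per-business isolation. It is not YionStack's own schema or code; the table, column, role and setting names (business, invoice, yionstack_app, app.current_business_id) are hypothetical. Annex 3 lists Postgres as the database, so the syntax is Postgres-specific.

```sql
-- Added example, not YionStack's code: PostgreSQL row-level security (RLS)
-- so that a business can only ever read or write its own rows, regardless
-- of what the application code does. All names below are hypothetical.

CREATE TABLE business (
    id uuid PRIMARY KEY
);

CREATE TABLE invoice (
    id             uuid PRIMARY KEY,
    business_id    uuid NOT NULL REFERENCES business(id),
    customer_email text,
    amount_pence   bigint NOT NULL
);

-- The application connects as a role that does not own the table and
-- cannot bypass RLS, so the policy applies to every statement it runs.
-- (Superusers still bypass RLS; keep them out of the application path.)
CREATE ROLE yionstack_app NOLOGIN NOBYPASSRLS;
GRANT SELECT, INSERT, UPDATE, DELETE ON invoice TO yionstack_app;

ALTER TABLE invoice ENABLE ROW LEVEL SECURITY;
-- FORCE applies the policy to the table owner as well, so a migration or
-- maintenance session cannot silently read across businesses.
ALTER TABLE invoice FORCE ROW LEVEL SECURITY;

-- The business bound to the current request. current_setting(..., true)
-- returns NULL instead of erroring when the setting is absent, and NULLIF
-- maps the empty string (left behind after SET LOCAL ends) to NULL, so an
-- unbound session matches NO rows rather than all rows.
CREATE FUNCTION current_business_id() RETURNS uuid
LANGUAGE sql STABLE AS $$
    SELECT NULLIF(current_setting('app.current_business_id', true), '')::uuid
$$;

-- USING filters the rows visible to SELECT/UPDATE/DELETE;
-- WITH CHECK rejects any INSERT/UPDATE that would produce a row
-- belonging to a different business.
CREATE POLICY invoice_business_isolation ON invoice
    FOR ALL TO yionstack_app
    USING      (business_id = current_business_id())
    WITH CHECK (business_id = current_business_id());

-- Per request, the application binds the business INSIDE the transaction
-- with SET LOCAL, so the value cannot leak to the next request that reuses
-- a pooled connection:
--
--   BEGIN;
--   SET LOCAL app.current_business_id = '11111111-1111-1111-1111-111111111111';
--   SELECT * FROM invoice;                      -- only this business's rows
--   INSERT INTO invoice (id, business_id, amount_pence)
--     VALUES (gen_random_uuid(),
--             '22222222-2222-2222-2222-222222222222', 100);
--     -- ERROR: new row violates row-level security policy for table "invoice"
--   COMMIT;
```

Two checks a procurement reviewer can ask for: confirm the application role has neither SUPERUSER nor BYPASSRLS, and run a query with no business bound (a fresh session) to verify it returns zero rows rather than everything.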

Encryption

TLS 1.2+ in transit. Provider-managed AES-256 at rest for application data and backups.

Authentication

Magic-link sign-in by default. Passkeys (WebAuthn) available for every user. Session timeout + absolute ceiling enforced server-side.

Audit trail

Every action in-product, including AI-driven actions, is logged with actor, timestamp, payload reference and outcome.

Backups

Daily encrypted backups with documented restore procedure. Restore tested on a documented cadence.

Access control

Least-privilege for personnel and for the application. Production access via SSO with hardware-key MFA. Periodic access reviews.

Network

Edge protection (Cloudflare). DDoS mitigation. Strict CSP, HSTS, secure cookies, anti-CSRF on every state-changing request.

Vulnerability management

Automated dependency scanning. Static analysis on every PR. Penetration testing on a documented cadence.

Resilience

UK / EEA-region primary hosting. Documented incident-response runbook. Recovery objectives defined and tested.

Personnel

Confidentiality undertakings, role-based access, background checks for production-access roles, mandatory annual training on UK GDPR / DPA 2018.

Annex 3

Authorised sub-processors

The third parties we engage to deliver YionStack, with their region and transfer safeguard.

Google Cloud Platform
Purpose: compute, Postgres, networking, backups
Region: UK (London region)
Transfer safeguard: UK / EEA; no transfer mechanism required

Cloudflare R2
Purpose: object storage for uploads, exports, design assets
Region: EU
Transfer safeguard: UK / EEA; no transfer mechanism required

Cloudflare
Purpose: DNS, CDN, DDoS protection, edge routing
Region: global edge (data not stored at edge)
Transfer safeguard: UK IDTA + EU SCCs (Module Three) for any non-UK/EEA processing

Stripe Payments Europe Ltd
Purpose: subscription billing, Stripe Tax (UK VAT)
Region: EU, plus US for fraud detection
Transfer safeguard: UK IDTA + EU SCCs; UK extension to the EU-US Data Privacy Framework

Resend / AWS SES
Purpose: transactional email delivery
Region: EU (Frankfurt / Ireland)
Transfer safeguard: UK / EEA; no transfer mechanism required

OpenAI Ireland Ltd
Purpose: AI generation (drafts, embeddings)
Region: US (zero-retention API)
Transfer safeguard: UK IDTA + EU SCCs; zero-retention enterprise terms (no training, no logs held beyond 30 days)

Anthropic Ireland Ltd
Purpose: AI generation (operator)
Region: US (zero-retention API)
Transfer safeguard: UK IDTA + EU SCCs; zero-retention enterprise terms (no training, no logs held beyond 30 days)

Yiontech personnel & contractors located outside the UK
Purpose: customer-support handling and related in-product support access; operational / platform support where required, performed by Yiontech personnel or contracted staff based outside the UK
Region: outside the UK (destination country named in the IDTA / TRA; available on request)
Transfer safeguard: UK IDTA + completed Transfer Risk Assessment for the destination country; supplementary measures: data stays on UK/EEA infrastructure and is accessed record-by-record (no bulk export), encryption in transit and at rest, role-based access with row-level isolation, access logging, data minimisation, managed-device controls, written confidentiality and data-protection undertaking

Subscribe to sub-processor change notifications to be told before any addition or replacement, with at least 30 days' notice.