Data Processing Addendum
Where applicable, this Data Processing Addendum ("DPA") is hereby incorporated in the Yva Terms of Service for Cloud Services (the "Terms"), found at yva.ai/en/terms, unless you ("Customer") have entered into a superseding written agreement with Yva, in which case, it forms a part of such written agreement. All capitalized terms not defined herein shall have the meaning set forth in the Terms. Unless you have a superseding written agreement with Yva, Yva may amend this Data Processing Addendum from time to time on its Website (https://yva.ai/en/), as its business evolves. Any revisions will become effective on the date Yva publishes the changes. You can review the most current version of the Data Processing Addendum at any time by visiting this page. If Customer uses the Cloud Services after the effective date of any changes, that use will constitute the acceptance of the revised Data Processing Addendum.

DPA specifies the data protection obligations of the parties, which arise from contract data processing on behalf, as stipulated in the Terms. It applies to all activities performed in connection with the Terms in which the staff of Yva or a third party acting on behalf of Yva may come into contact with Customer Data.

DPA sets out the additional terms, requirements and conditions on which Yva will process Customer Data when providing services under the Terms. DPA contains the mandatory clauses required by Article 28(3) of the General Data Protection Regulation ((EU) 2016/679) ("GDPR").


1. DEFINITIONS AND INTERPRETATION.

The following capitalized terms shall have the meaning ascribed to them below: "Customer" means the entity which determines the purposes and means of Processing of Customer Data.

"Customer Data" means any "Personal Data" (as defined in GDPR) that is provided by or on behalf of Customer in the course of using the Cloud Services and Processed by Yva pursuant to DPA.

"Data Protection Regulator" means the applicable supervisory authority with jurisdiction over either party, and in each case any successor body from time to time;

"Data Subject" has the meaning set out in GDPR;

"Data Controller" has the meaning set out in GDPR;

"Data Processor" has the meaning set out in GDPR;

"Instruction" means the written instruction issued by Customer to Data Processor in order to direct Data Processor to perform a specific action with regard to Customer Data (including, but not limited to, de-personalizing, blocking, deletion, making available). Instruction shall initially be specified in DPA and may, from time to time, thereafter, be amended, amplified or replaced by Customer in separate written instruction (individual instruction).

"Privacy Laws" means all applicable data protection and privacy legislation, regulations and guidance governing the protection of Personal Data including but not limited to Regulation (EU) 2016/679 (the "General Data Protection Regulation" or "GDPR"); and

"Process", "Processing" or "Processed" have the meaning set out in GDPR.

"Personal Data Breach" has the meaning set out in GDPR.


2. PROTECTION OF PERSONAL INFORMATION.

2.1. Supersedence. DPA shall supersede any and all provisions of the Terms inconsistent herewith.

2.2. Data Controller and Data Processor. The Parties acknowledge that the Customer is the Data Controller and Yva is the Data Processor of Customer Data. Yva will Process Customer Data in accordance with DPA. In some circumstances, Customer may be a Processor, in which case Customer appoints Yva as Customer's sub-processor, which shall not change the obligations of either Customer or Yva under DPA, as Yva will always remain a Processor with respect to Customer in such event.

2.3. Customer's Obligations. Customer warrants that Customer Data has been obtained fairly and lawfully and, in all respects in compliance with the Privacy Laws.

2.4. Yva's Obligations as Data Processor.

Yva shall:

2.4.1. Process Customer Data only within the scope of Customer's Instructions as set-out in DPA, including with regard to transfers of Customer Data to a third country, save where:

2.4.1.1. such Instructions are not complaint with Privacy Laws;

2.4.1.2. such Instructions would cause Yva to breach its own obligations under Privacy Laws or the Terms or any other agreement with a third party;

2.4.1.3. Yva is under a legal obligation to Process Customer Data, in which case Yva shall inform Customer of the legal obligation, except to the extent the law prohibits it from doing so; and/or

2.4.1.4. such Instructions severely violate functionality of the Cloud Services (e.g. functioning of the Cloud Services IT infrastructure), including but not limited to its existence.

2.4.2. inform the Customer if, in its opinion, an Instruction received from Customer infringes the Privacy Laws;

2.4.3. ensure that all Yva employees and personnel who are involved in the Processing of Customer Data have committed themselves to confidentiality or are under appropriate statutory obligation of confidentiality;

2.4.4. undertake to enter into a written agreement with any applicable sub-processors and such agreement will contain the same data protection obligations as set out in DPA. Yva will remain responsible for its compliance with the obligations stated herein and for any acts or omissions of the sub-processors. Customer acknowledges that Yva's contractual obligations hereunder, or the parts of the Cloud Services, will be performed by a subcontractor and consents to use of sub-processors by Yva as described in DPA to fulfil its contractual obligations under the Terms and to provide certain services on Yva's behalf.

2.4.5. Yva may, by giving no less than thirty (30) days' notice to Customer and/or publishing the changes in DPA on the Website (https://yva.ai/), add or make changes to the sub-processors. Customer may object to the appointment of an additional sub-processor within fourteen (14) calendar days of such notice on reasonable grounds relating to the protection of Customer Data, in which case Yva shall have the right to cure the objection through one of the following options (to be selected at Yva's sole discretion):

  • (a) Yva will cancel its plans to use the sub-processor with regard to Customer Data or will offer an alternative to provide the Cloud Services without such sub-processor; or
  • (b) Yva will take the corrective steps requested by Customer in its objection (which remove Customer's objection) and proceed to use the sub-processor with regard to Customer Data; or
  • (c) Yva may cease to provide or Customer may agree not to use (temporarily or permanently) the particular aspect of the Cloud Services that would involve the use of such sub-processor with regard to Customer Data, subject to a mutual agreement of the parties to adjust the remuneration for the Cloud Services considering the reduced scope of the Cloud Services.

If none of the above options are reasonably available and the objection has not been resolved to the mutual satisfaction of the parties within 30 days after Yva's receipt of Customer's objection, either party may terminate the Terms.

2.4.5.1. The Customer hereby approves following sub-processors: Microsoft Corporation (Microsoft Azure); Yva's Affiliates.

2.4.6. implement and maintain following appropriate technical and organizational security measures to protect against unauthorized or unlawful Processing of the Customer Data and against accidental loss, disclosure or destruction of, or damage to, the Customer Data , taking into account the state of the art, costs of implementation and nature, scope, context and purposes of Processing:

2.4.6.1. pseudonymization and/or encryption of Customer Data;

2.4.6.2. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of Processing systems and services;

2.4.6.3. the ability to restore the availability and access to Customer Data in a timely manner in the event of a physical or technical incident; and

2.4.6.4. a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the Processing.

2.4.7. Yva will, insofar this is possible, by appropriate technical and organizational measures, reasonably assist Customer with meeting Customer's compliance obligations with respect to the rights exercised by Data Subjects under the Privacy Laws (particularly the Data Subject's Rights stated in Chapter 3 of the GDPR and related to Data Subject's requests), taking into account the nature of the Processing. Taking into account the nature of Processing and any information available to Yva, Yva will further assist Customer in ensuring compliance with the obligations pursuant to Articles 32 to 36 GDPR, in particular its obligations to undertake data protection impact assessments and report to and consult with supervisory authorities under the Privacy Laws. In a situation where requested level of assistance will be excessive or unreasonably burdensome for Yva, any such assistance will be exercised at Customer's cost.

2.4.8. make available to Customer or an independent third party auditor mandated by the Customer (but not being a competitor of Yva or affiliated with Yva's competitor), to a maximum of once a year or when a Personal Data Breach is reasonably suspected, all reasonable information that Yva deems necessary to demonstrate compliance with the obligations imposed on Yva under Section 2 of DPA, and allow for and contribute to audits, including inspections for the sole purpose of demonstrating such compliance. Notwithstanding of the above, if an audit is excessive or unreasonably burdensome for Yva, then Customer shall reimburse Yva for such excessive or unreasonably burdensome audit. Yva may object to the deployment of a specific auditor if such auditor is not subject to confidentiality regarding the results of such audit (except vis-à-vis Yva and Customer); and

2.4.9. unless required by law, at Customer's request following termination or expiry of the Terms for whatever reason, securely delete all of the Customer Data.

2.5. Data Centers and International Data Transfers. Yva's data centers for hosting Cloud Services are located in the USA and the EU. Yva is authorized to process Customer Data itself as well as including its engagement of sub-processors in accordance with DPA outside the country in which Customer is located including countries where the data protection may not be as stringent in the country of (i) Customer's domicile and/or registered address or (ii) the EEA.

Yva shall process Customer Data outside of the EEA as permitted under the Privacy Laws as follows:

(i) Customer Data of an EEA based Customer is processed in a country outside the EEA (a "third country") that is determined by the European Union to have adequate level of data protection under Art. 45 GDPR; or

(ii) Customer Data is processed in a third country pursuant to adequate safeguards under Art. 46 GDPR including, but not limited to execution of Standard Contractual Clauses or an approved code of conduct or other appropriate safeguards (for instance EU-U.S. Privacy Shield/Swiss-U.S. Privacy Shield mechanism). In the event of using the SCC, Customer hereby (itself as well as on behalf of each Controller established within the EEA or Switzerland) accedes to the SCC between Yva and the sub-processor. Yva will enforce the SCC against the sub-processor on behalf of the Customer or Data Subject if a direct enforcement right is not available under Privacy Laws.


3. INSTRUCTIONS FOR PROCESSING OF CUSTOMER DATA.

Yva will Process Customer Data in accordance with the following instructions:
Categories of Data Subjects: Customer's employees and End-Users.

The nature of Processing under this DPA: handling (including recording, structuring, organization) storing, sharing with subprocessors, accessing and reviewing Customer Data for the Processing purposes set out in this DPA.

Categories of Customer Data
Purposes of Processing
Duration of Processing
  • Account ID: Email address
  • Job-related Profile Information (e.g. First and last name; Job Title;
  • Timezone:
  • Department/Group; Employee ID)
  • End User Corporate Activity Data (e.g. IP Address; Email Meta Data; Content of the message; Other connected corporate sources data)
  • End User Answers to Surveys and other information that Shared on the Cloud Services by Customer or End Users

  • To provide Cloud Services in order to deliver End User engagement and performance analytics of the past and current activities and the predictive analytics insights about the best practices inside your organization and to detect areas of improvement (Account ID, Job-related Profile Information, End User Corporate Activity Data, End User answers to Surveys and other information)
  • To provide support services (Account ID, Job-related Profile Information)
  • To develop and improve our Cloud Services (Account ID, Job-related Profile Information, End User Corporate Activity Data, End User answers to Surveys and other information).
  • During the period of duration of the Terms