1. Introduction

1. This Data Processing Agreement (DPA) is made by and between YakChat Ltd (registered in England and Wales registration number: 10475503), whose registered office is at Belfield House, Chepstow Gwent, NP16 7NU (“YakChat”), and the “Customer” identified on the signature page of this DPA and any Service Order Form or Agreement already existing between the parties or that may incorporate this DPA by reference. This DPA shall be in addition to any obligations set out in any Service Order Form or Agreement.

2. Definitions and Interpretation

• Capitalized terms in this DPA shall have the meaning as prescribed by the YakChat Terms as located at https://www.yakchat.co.uk/terms-and-conditions or as otherwise agreed between the parties, unless specified below.

• • References to any Applicable Laws (including to the Data Protection Laws and of them) and to terms defined in such Applicable Laws shall be replaced with or incorporate (as the case may be) references to any Applicable Laws replacing, amending, extending, re-enacting, or consolidating such Applicable Law (including the GDPR and any new Data Protection Laws from time to time) and the equivalent terms defined in such Applicable Laws, once in force and applicable. A reference to a law includes all subordinate legislation made under that law.
  • Unless the context otherwise requires, each reference in this DPA to “writing”, and any cognate expression, includes a reference to any communication effected by electronic or facsimile transmission or similar means;
    • a statute or a provision of a statute is a reference to that statute or provision as amended or re-enacted at the relevant time;
    • “DPA” is a reference to this Data Processing Agreement and each of the Schedules as amended or supplemented at the relevant time;
    • a Schedule is a schedule to this DPA; and
    • a Clause or paragraph is a reference to a Clause of this DPA (other than the Schedules) or a paragraph of the relevant Schedule.
    • a "Party" or the "Parties" refer to the parties to this DPA.
  • The headings used in this DPA are for convenience only and shall have no effect upon the interpretation of this DPA.
  • Words imparting the singular number shall include the plural and vice versa.
  • References to any gender shall include all other genders.

3. Scope and Application of this DPA

• This DPA takes effect from the date the Customer accepts its terms.

  • and shall continue until the end of the YakChat’s provision of the Services (including any period of suspension, where relevant) (“Term”).
  • The provisions of this DPA shall apply to the processing of the Personal Data carried out for the Customer by YakChat, and to all Personal Data held by YakChat in relation to all such processing whether such Personal Data is held at the date of this DPA or received afterwards.
  • The provisions of this DPA do not include the processing of Special Category Data which, as stated in Clause 5, should not be requested to be processed by the Customer.
  • Except for the changes made by this DPA, the Agreement remains in full force and effect. To the extent that there is any conflict between this DPA and the Agreement or Service Order Form, the clauses of this DPA shall prevail.
  • Any claims brought under or in conjunction with this DPA shall be subject to the terms and conditions, including, but not limited to, the exclusions and limitations set out in the Agreement. In no event shall any party limit its liability with respect to any individual’s data protection rights under this DPA or otherwise. Any penalties issued by a Supervisory Authority and incurred by YakChat in relation to Protected Data arising from or in connection with the Customer’s failure to comply with its obligations under this DPA or any applicable Data Protection Laws shall reduce YakChat’s liability under the Agreement and be considered a liability to the Customer under the Agreement.
  • This DPA shall continue in full force and effect for so long as YakChat is processing Personal Data on behalf of the Customer, and thereafter as provided in Clause 12

4. Roles of the Parties and Processing

• The parties acknowledge and agree that with regard to the processing of Protected Data, the Customer is a Data Controller and YakChat shall be a Data Processor.

  • YakChat shall process Protected Data in compliance with:
    • The obligations of Data Processors under Data Protection Laws in respect of performance of its obligations under this agreement; and
    • The terms of this DPA, the Terms and the Service Order Form which sets out the Customer’s instructions in relation to such processing activities.
  • The Customer shall comply with:
    • All Data Protection Laws in connection with the processing of Protected Data, the Services and the exercise and performance of its respective rights and obligations under this DPA, including maintaining all relevant regulatory registrations and notifications as required under Data Protection Laws: and
    • The terms of this DPA.
  • The Customer warrants, represents and undertakes, that:
    • all data provided to YakChat for use in connection with the Services shall comply in all respects, including in terms of its collection, storage and processing (which shall include the Customer providing or procuring all of the required fair processing information to, and obtaining all necessary consents from, Data Subjects), with Data Protection Laws;
    • all instructions given by it to YakChat in respect of Personal Data shall at all times be in accordance with Data Protection Laws;
    • the Personal Data provided to YakChat does not include Special Category Data; and
  • The Customer shall not unreasonably withhold, delay, or condition its agreement to any change or amendment requested by YakChat in order to ensure the Services and YakChat (and each Sub-Processor) can comply with Data Protection Laws.
  • YakChat shall maintain records of processing activities in accordance with Article 30 UK GDPR.

5. Special Character Data

• The Customer acknowledges and agrees that the Services are not designed for the processing of Special Category Data or criminal-offence data. The Customer shall not transmit such data to YakChat, and YakChat shall have no liability for such data inadvertently provided.

6. Provision of the Services and Processing Personal Data

• By entering into this DPA, the Customer instructs YakChat to process the Controller’s Protected Data only in accordance with Applicable Law:

  • To provide the Services;
  • As further specified by the Customer’s use of the Services or the Software;
  • As documented in the form of the terms and this DPA;
  • In accordance with the instructions of each respective Data Controller; and
  • As further documented in any other written instructions provided by the Customer and acknowledged by YakChat as being instructions for the purpose of this DPA.
  • The Data Processor is only to carry out the Services, and only to process the Personal Data received from the Customer:
    • for the purposes of those Services and not for any other purpose;
    • to the extent and in such a manner as is necessary for those purposes; and
    • strictly in accordance with the express written authorisation and instructions of the Customer (which may be specific instructions or instructions of a general nature or as otherwise notified by the Customer).

• This shall be without prejudice to clauses 4 and 9; and

• To the maximum extent permitted by mandatory law, YakChat shall have no liability howsoever arising (whether in contract, tort (including negligence) or otherwise) for any losses, costs, expenses or liabilities (including any Data Protection Losses) arising from or in connection with any processing in accordance with the Customer’s Processing Instructions following the Customer’s receipt of that information; and

  • The subject matter and details of the processing of Protected Data to be carried out by YakChat under this DPA shall comprise the processing set out in Schedule 3 (Data processing details), as may be updated from time to time as agreed between the parties.

7. Technical and Organizational Measures

• YakChat shall implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as required under Article 32 UK GDPR, taking into account the nature of the processing and the state of the art.

  • The current technical and organisational measures applied by YakChat are set out in Schedule 2. YakChat may update such measures from time to time to reflect technological or organisational developments, provided that such updates do not materially reduce the overall level of security.
  • YakChat shall ensure that all persons authorised to process Personal Data are subject to appropriate confidentiality obligations.

8. Using Sub-Processors

• Customer specifically authorizes the engagement of existing YakChat’s affiliates and third parties as Sub-Processors which are listed in Schedule 4.

9. Data Protection Compliance

• All instructions given by the Customer to YakChat shall be made in writing and shall at all times be in compliance with the GDPR and other applicable laws. YakChat shall act only on such written instructions from the Customer unless the YakChat is required by law to do otherwise (as per Article 29 of the GDPR).

  • YakChat shall promptly comply with any request from the Customer requiring YakChat to amend, transfer, delete, or otherwise dispose of the Personal Data.
  • YakChat shall transfer all Personal Data to the Customer on request in the formats, at the times, and in compliance with the Customer’s written instructions.
  • Both Parties shall comply at all times with the GDPR and other applicable laws and shall not perform their obligations under this DPA or any other agreement or arrangement between themselves in such way as to cause either Party to breach any of its applicable obligations under the GDPR.
  • YakChat agrees to comply with any reasonable measures required by the Customer to ensure that its obligations under this DPA are satisfactorily performed in accordance with any and all applicable legislation from time to time in force (including, but not limited to, the GDPR) and any best practice guidance issued by the Information Commissioners Office (ICO).
  • YakChat shall provide all reasonable assistance (at the Data Controller’s cost) to the Data Controller in complying with its obligations under the GDPR with respect to the security of processing, the notification of personal data breaches, the conduct of data protection impact assessments, and in dealings with the ICO.
  • YakChat shall ensure that all persons authorized by it (or by any Sub-Processor) to process Protected Data are subject to a binding written contractual obligation to keep the Protected Data confidential (except where disclosure is required in accordance with Applicable Law, in which case YakChat shall, where practicable and not prohibited by Applicable Law, notify the Customer of any such requirement before such disclosure).
  • When processing the Personal Data on behalf of the Customer, YakChat shall:
    • not cause or permit any Protected Data to be transferred outside of the EEA unless such transfer is necessary for the purposes of YakChat carrying out is obligations under the Agreement, in which case, the provisions of this clauses 9.8.2 and 9.8.3 shall apply
    • Subject to clause 9.8.3, if Protected Data is to be processed outside of the EEA, YakChat agrees to provide and maintain Appropriate Safeguards as set out in Article 46 GDPR to lawfully transfer the Personal Data to a third country.
    • Clause 9.8.2 shall not apply if the processing of the Protected Data is carried out in a country that the European Commission has considered as offering an adequate level of protection.
    • process the Personal Data only to the extent, and in such manner, as is necessary in order to comply with its obligations to the Customer or as may be required by law (in which case, YakChat shall inform the Customer of the legal requirement in question before processing the Personal Data for that purpose unless prohibited from doing so by law);
    • implement appropriate technical and organizational measures, as described in Schedule 2, and take all reasonable steps to protect the Personal Data against unauthorized or unlawful processing, accidental loss, destruction, damage, alteration, or disclosure. YakChat shall inform the Customer in advance of any changes to such measures; and
    • The subject matter and details of the processing of Protected Data to be carried out by YakChat under this DPA shall comprise the processing set out in Schedule 1 (Data processing details), as may be updated from time to time as agreed between the parties.
  • YakChat shall provide the Customer with at least 30 days’ prior written notice of any intended appointment of a new Sub-Processor. The Customer may object on reasonable data-protection grounds. YakChat will work in good faith to address such objections. If no mutually acceptable solution is found, the Customer may terminate only those Services affected by the change.

10. Assistance with Customer’s compliance and Data Subject rights

1. YakChat shall refer all Data Subject Requests it receives to the Customer within five Business Days of receipt of the request, provided that if the number of Data Subject Requests exceeds three per calendar month, the Customer shall pay YakChat’s Charges calculated on a time and material basis for recording and referring the Data Subject Requests in accordance with this clause 10.

   1. Further to the above and notwithstanding anything to the contrary in the Terms, YakChat reserves the right to disclose the identity of the Customer to any relevant Data Subject Requests following any such request from a Data Subject.

11. Breach Notification

1. YakChat shall without undue delay (but in any event within 24 hours) from when YakChat becomes aware of any form of Personal Data breach, including any unauthorised or unlawful processing, loss of, damage to, or destruction of any of the Personal Data:

   1. notify the Customer of the Personal Data Breach; and
   1. provide the Customer with details of the Personal Data Breach;

12. Deletion and/or Disposal of Personal Data

1. YakChat shall, at the written request of the customer, delete or return all the Personal Data to the Customer in the format(s) reasonably requested by the Data Controller within a reasonable time after whichever is the earlier from the following:

   1. the end of the provision of the Services; or
   1. the processing of that Personal Data by the Data Processor is no longer required for the performance of the Data Processor’s obligations under this DPA.

13. Cooperation

1. If a party receives a compensation claim from a person relating to processing of Protected Data, it shall promptly provide the other party with notice and full details of such claim. The party with conduct of the action shall:

   1. make no admission of liability nor agree to any settlement of compromise of the relevant claim without the prior written consent of the other party (which shall not be unreasonably withheld or delayed); and

14. Intellectual Property Rights

1. All copyright, database rights, and other intellectual property rights subsisting in the Personal Data (including but not limited to any updates, amendments, or adaptations to the Personal Data made by either the Customer or YakChat) shall belong to the Customer or to any other applicable third party from whom the Customer has obtained the Personal Data under licence (including, but not limited to, data subjects, where applicable). YakChat is licensed to use such Personal Data under such rights only for the term of the Agreement, for the purposes of the Services, and in accordance with this DPA.

15. Confidentiality

1. The Data Processor shall maintain the Personal Data in confidence, and in particular, unless the Data Controller has given written consent for the Data Processor to do so, the Data Processor shall not disclose any Personal Data supplied to the Data Processor by, for, or on behalf of, the Data Controller to any third party. The Data Processor shall not process or make any use of any Personal Data supplied to it by the Data Controller otherwise than in connection with the provision of the Services to the Data Controller.

   1. The Data Processor shall ensure that all personnel who are to access and/or process any of the Personal Data are contractually obliged to keep the Personal Data confidential.
   1. The obligations set out in this Clause 15 shall continue for a period of the longer of (a) three (3) years after the cessation of the provision of Services by the Data Processor to the Data Controller or (b) such period as may be required by applicable Data Protection Laws.
   1. Nothing in this DPA shall prevent either Party from complying with any requirement to disclose Personal Data where such disclosure is required by law. In such cases, the Party required to disclose shall notify the other Party of the disclosure requirements prior to disclosure, unless such notification is prohibited by law.

16. Law and Jurisdiction

1. This Agreement (including any non-contractual matters and obligations arising therefrom or associated therewith) shall be governed by, and construed in accordance with, the laws of England and Wales.

AGREED by the parties on the date set out below:

Schedule 1

1. Services

The following services are to be provided by YakChat to the Customer:

1. Send and receive SMS text messages from a desktop computer or mobile device.

   1. Store text messages that are sent and received by the Data Controller.
   1. Store the telephone numbers that SMS text messages are sent to and received from.

2. First Name

3. Last Name

4. Telephone Number

5. Email Address

6. 1. Store the name and email address of Data Controller registered users
   1. Access the Microsoft Outlook contact information for each Data Controller User. Optional consent is required, and contact information is not synchronized or stored except for messages sent or received from the contact where the name and telephone number of the contact is stored with the messages.
   1. Access the Microsoft Active Directory contact information of the Data Controller. Optional consent is required, and contact information is not synchronized or stored except for messages sent or received from the contact where the name and telephone number of the contact is stored with the messages.

Schedule 2

1. Technical and Organizational Data Protection Measures

1. YakChat maintains a comprehensive information security programme aligned with ISO/IEC 27001 principles and incorporating the following controls:

   1. Encryption: AES-256 encryption at rest and TLS 1.2+ encryption in transit.
   1. Access Controls: Multi-factor authentication for privileged accounts; role-based access control (RBAC); least-privilege access enforcement; periodic access reviews.
   1. Monitoring: Logging of security-relevant events; centralised monitoring and alerting (SIEM); anomaly and intrusion detection mechanisms.
   1. Testing: Regular vulnerability scanning; at least annual independent penetration testing; timely remediation of identified risks.
   1. Secure Development: Secure coding practices, code review, dependency scanning, and secure build/deployment processes following industry standards.
   1. Business Continuity & Disaster Recovery: Documented and regularly tested business continuity and disaster recovery plans; validated backup and restoration procedures.
   1. Data Minimisation & Retention: Personal Data minimised to what is strictly necessary; retention controlled in accordance with the Agreement and Applicable Law.
   1. Personnel Security: Confidentiality undertakings; role-based security training; continuous education on data protection and cyber security.

Schedule 3

1. Data Processing Details

Schedule 4

1. List of Sub-Processors

1.1     List of Sub-Processors

1. Data Processor shall use the following Sub-Processors:

• Data Processor shall use the following Sub-Processors to provide services not related to the provision of Services to the Company: