Data Processing Agreement
GDPR Article 28 compliant terms for business customers
1. Introduction and Definitions
🏢 Parties to this Agreement
Data Controller (You)
The organization using Yet.Rest services to process personal data for their own business purposes.
Data Processor (Yet.Rest)
Yet Technologies S.à r.l.
15 Avenue Dr Klein
5630 Mondorf-les-Bains
Luxembourg
Key Definitions
- Personal Data: Any information relating to an identified or identifiable natural person that you store or process through Yet.Rest
- Processing: Any operation performed on personal data, including collection, storage, organization, retrieval, use, disclosure, erasure, or destruction
- Data Subject: The identified or identifiable natural person to whom the personal data relates
- GDPR: Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation)
2. Scope and Purpose of Processing
📋 Processing Activities
What We Process For You:
- Store your application's data in secure databases
- Execute API requests on your behalf
- Backup and maintain data integrity
- Provide access controls and authentication
- Generate logs for security and debugging
Processing Purposes:
- Provision of Yet.Rest backend services
- Data storage and retrieval operations
- System maintenance and updates
- Security monitoring and incident response
- Technical support and troubleshooting
👥 Categories of Data and Data Subjects
Types of Personal Data:
- Contact information (names, emails, addresses)
- User-generated content and profiles
- Transaction and financial data
- Technical identifiers (IP addresses, device IDs)
- Behavioral and preference data
- Any other data you choose to store
Data Subject Categories:
- Your customers and end users
- Website visitors and prospects
- Employees and contractors
- Business partners and vendors
- Any individuals whose data you process
3. Data Controller Obligations
🎯 Your Responsibilities as Data Controller
Legal Basis and Consent
- Ensure you have a valid legal basis for all personal data processing
- Obtain necessary consents from data subjects where required
- Maintain records of consent and legal basis documentation
- Handle consent withdrawal requests appropriately
Data Subject Rights
- Respond to data subject access requests
- Handle rectification, erasure, and portability requests
- Process objections and restriction requests
- Coordinate with Yet.Rest when technical assistance is needed
Data Accuracy and Minimization
- Ensure personal data is accurate and up to date
- Process only data that is necessary for your purposes
- Implement appropriate retention periods
- Regularly review and clean up stored data
4. Data Processor Obligations (Yet.Rest)
🔒 Our Commitments to You
Processing Instructions
- Process personal data only on your documented instructions
- Not process data for our own purposes
- Immediately notify you of any conflicts with EU law
- Implement your processing instructions through APIs and configs
Confidentiality
- Ensure all personnel are bound by confidentiality
- Limit access to data on a need-to-know basis
- Provide security awareness training to our team
- Maintain strict access controls and monitoring
🛡️ Technical and Organizational Measures
Technical Safeguards
- Encryption: AES-256 at rest, TLS 1.3 in transit
- Access Controls: Multi-factor authentication, RBAC
- Network Security: Firewalls, VPCs, DDoS protection
- Monitoring: 24/7 security monitoring and logging
- Backups: Encrypted, geographically distributed
Organizational Measures
- Staff Training: Regular GDPR and security training
- Background Checks: For all personnel with data access
- Incident Response: Documented procedures and team
- Audits: Regular internal and external security audits
- Policies: Comprehensive data protection policies
5. Data Transfers and Sub-processing
🇪🇺 EU-Only Data Processing
Data Location Guarantee
- All data stored in EU AWS regions only
- Primary: Luxembourg and Germany
- Backup locations: Other EU member states
- No data transfers outside the EU
- No access from non-EU locations
Legal Framework
- No need for SCCs or adequacy decisions
- Full GDPR protection at all times
- EU jurisdiction for all data processing
- Luxembourg data protection law applies
🔗 Authorized Sub-processors
Current Sub-processors
Sub-processor | Service | Location | Purpose |
---|---|---|---|
AWS Europe | Cloud Infrastructure | Luxembourg, Germany | Data hosting and storage |
Cloudflare EU | CDN and Security | EU Data Centers | DDoS protection, performance |
Sub-processor Changes
- We'll notify you 30 days before adding new sub-processors
- You have the right to object to new sub-processors
- All sub-processors are bound by equivalent DPA terms
- We maintain liability for all sub-processor activities
6. Data Subject Rights Assistance
🤝 How We Support Your GDPR Compliance
Technical Assistance
- Data Access: API endpoints to retrieve individual's data
- Data Rectification: Update/correct personal data via API
- Data Erasure: Delete personal data upon request
- Data Portability: Export data in structured formats
- Processing Restriction: Flag/restrict data processing
Response Timeframes
- Data Access Requests: Within 48 hours
- Data Deletion: Within 24 hours
- Data Export: Within 24 hours
- Processing Restrictions: Immediate
- Data Corrections: Real-time via API
🔧 Self-Service Tools
Your Yet.Rest dashboard provides built-in tools for GDPR compliance:
- User data search and filtering
- Bulk data export functionality
- Data retention policy configuration
- Audit logs for all data access and modifications
- Automated data deletion workflows
7. Security Incident Management
🚨 Personal Data Breach Procedures
Detection
- 24/7 security monitoring
- Automated threat detection
- Staff incident reporting
- External security alerts
Response
- Immediate containment
- Impact assessment
- Evidence preservation
- Root cause analysis
Notification
- Customer notification within 24 hours
- Detailed incident report
- Remediation steps taken
- Prevention measures implemented
📋 Breach Notification Details
What We'll Tell You
- Nature and categories of personal data affected
- Approximate number of data subjects and records involved
- Likely consequences of the breach
- Measures taken to address the breach
- Measures to mitigate adverse effects
- Contact details for more information
Your Notification Obligations
As the data controller, you are responsible for:
- Notifying supervisory authorities within 72 hours (if required)
- Informing affected data subjects (if high risk)
- Maintaining breach documentation
- Implementing additional safeguards if needed
8. Audits and Compliance
📊 Audit Rights and Information
Available Documentation
- SOC 2 Type II reports: Annual third-party audits
- ISO 27001 certification: Information security management
- GDPR compliance reports: Data protection assessments
- Penetration testing results: Regular security evaluations
- Incident reports: Security incident summaries
Audit Process
- Request: Submit audit request to dpo@yet.rest
- Scope: Define audit scope and objectives
- Access: Remote access to relevant documentation
- Cost: Reasonable costs may apply for extensive audits
- Timeline: 30-day notice required for on-site audits
🔒 Confidentiality Requirements
All audit activities are subject to confidentiality agreements. Auditors must be approved by Yet.Rest and must agree to protect our confidential information and intellectual property.
9. Data Return and Deletion
🔄 End of Processing Procedures
Data Return Options
- API Export: Download via secure APIs
- Database Dump: Complete database backup
- Structured Formats: JSON, CSV, XML formats
- Encrypted Transfer: Secure file transfer protocols
- Physical Media: Available upon request
Deletion Timeline
- Account Termination: 90 days retention
- Immediate Deletion: Upon written request
- Backup Systems: Up to 12 months
- Log Files: 24 months maximum
- Legal Holds: Extended as required by law
🏆 Deletion Certification
Upon completion of data deletion, we will provide you with:
- Written certification of complete data deletion
- Details of all systems and backups affected
- Timeline of deletion activities
- Confirmation that sub-processors have also deleted data
10. Contact and Legal Terms
📞 Data Protection Contacts
- Data Protection Officer: dpo@yet.rest
- Privacy Questions: privacy@yet.rest
- Security Incidents: security@yet.rest
- Legal Compliance: legal@yet.rest
- General Inquiries: hello@yet.rest
Postal Address:
Yet Technologies S.à r.l.
Data Protection Officer
15 Avenue Dr Klein
5630 Mondorf-les-Bains
Luxembourg
⚖️ Legal Framework
- Governing Law: Luxembourg and EU law
- Jurisdiction: Luxembourg courts
- Supervisory Authority: Luxembourg CNPD
- Language: English (binding version)
- Precedence: This DPA supersedes conflicting terms
Amendment Process:
Changes to this DPA require written agreement from both parties, except for updates required by law or regulation.
This Data Processing Agreement was last updated on July 8, 2025