Data Processing Agreement (DPA)

1. Structure

This Data Processing Agreement ("DPA") is entered into between you ("Customer" or "Data Controller") and Yozzly ("Company" or "Data Processor"). If your Company account is located in North America or South America, you enter this DPA with Yozzly Inc. ("YI"), a company registered in [State, USA]. If your account is located elsewhere, you enter this DPA with Yozzly LTD ("YL"), a company registered in the United Kingdom (Company No. 15131694).

This DPA supplements and forms part of the Terms of Service or any other agreement between you and Yozzly governing the use of our services. By using our services, you agree to be bound by the terms of this DPA.

References in this DPA to "Yozzly," "we," "us," or "our" mean YI or YL, as applicable to your account location. This DPA applies to all processing of Personal Data carried out by Yozzly on your behalf under the Agreement.

2. Company as Data Processor and Data Controller

2.1 Data Processing Roles

Data Processor: Yozzly acts as a Data Processor when processing Personal Data on your behalf, following your instructions, to deliver services such as social media content scheduling, analytics, and other functionalities offered by our Platform.

Data Controller: Yozzly acts as a Data Controller when determining the purposes and means of processing Personal Data for its own operations, including:

  • Monitoring, detecting, and preventing fraudulent activities.
  • Maintaining and improving the Platform.
  • Ensuring compliance with legal and regulatory obligations, including terms set forth by social media platforms (e.g., Facebook, Twitter, Instagram).

2.2 Data Processing Purposes

As a Data Processor: Yozzly processes Personal Data exclusively to:

  • Provide authorized services under your subscription.
  • Execute social media content scheduling, management, and analytics tasks as requested.

As a Data Controller: Yozzly processes Personal Data for:

  • Internal business analytics and reporting.
  • Security and integrity management of its systems.
  • Compliance with obligations to third-party processors and hosting providers, including AWS, Digital Ocean, Hetzner, and Backblaze.

2.3 Categories of Data Subjects and Personal Data

Data Subjects: Yozzly processes Personal Data of the following categories:

  • Platform users (e.g., account administrators, employees, or contractors).
  • End-users interacting with content scheduled or posted through the Platform.

Personal Data: Yozzly processes:

  • Identifiers such as usernames, IP addresses, or email addresses.
  • Content data such as social media posts, comments, inbox messages, and audience engagement metrics.
  • Metadata related to the use of the Platform, including timestamps and activity logs.

2.4 Sensitive Data

Yozzly does not intentionally collect or process Sensitive Data, as defined under applicable data protection laws, unless explicitly authorized by you. If you choose to submit Sensitive Data via the Platform, you must ensure compliance with all applicable regulations and secure appropriate consents.

2.5 Duration of Processing

Yozzly will process Personal Data for the duration of your agreement with Yozzly or as otherwise required for regulatory, operational, or legal obligations. Upon termination, Yozzly will delete or anonymize Personal Data, except where retention is mandated by law or necessary for resolving disputes.

2.6 Data Security

Yozzly implements and maintains appropriate technical and organizational security measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These measures include:

Technical Measures:

  • Encryption of Personal Data using AES-256 for data at rest and NIST P-256 for data in transit
  • Implementation of multi-factor authentication (MFA) for all system access
  • Regular security patches and system updates
  • Automated system monitoring and alerting
  • Regular vulnerability scanning and penetration testing
  • Secure backup systems with encryption
  • Firewalls and intrusion detection systems

Organizational Measures:

  • Role-based access control (RBAC) ensuring Personal Data is accessible only by authorized personnel
  • Regular security training for all employees
  • Formal security policies and procedures
  • Background checks for employees with access to sensitive systems
  • Incident response and disaster recovery plans
  • Regular security audits and assessments

Infrastructure Security:

  • Use of leading cloud infrastructure providers:
    • Amazon Web Services (AWS) for primary processing
    • Digital Ocean and Hetzner for distributed hosting
    • Backblaze for secure backup storage
  • Geographic data residency options where required
  • Redundant systems and failover capabilities
  • Regular backup testing and verification

Compliance and Monitoring:

  • Regular compliance assessments
  • Continuous monitoring of security systems
  • Automated alerts for suspicious activities
  • Regular testing of security controls

Yozzly regularly reviews and updates these security measures to ensure their effectiveness and compliance with industry standards and regulatory requirements.

3. Company Obligations as Data Processor

3.1 General Obligations

When acting as your Data Processor, Yozzly will:

  • Process Personal Data solely as per your documented instructions, except where required by law.
  • Ensure all employees, contractors, and Sub-processors are bound by confidentiality agreements.
  • Promptly notify you of any Data Subject requests to exercise their rights (e.g., access, correction, deletion) related to Personal Data processed on your behalf.

3.2 Sub-processors

Yozzly engages trusted Sub-processors to facilitate its services. Current Sub-processors include but are not limited to:

  • AWS for scalable cloud infrastructure.
  • Digital Ocean and Hetzner for hosting solutions.
  • Backblaze for secure data backup and storage.

Yozzly maintains an updated list of Sub-processors and ensures all comply with equivalent data protection obligations. You will be notified of any intended additions or changes to the Sub-processor list, allowing for objections where applicable.

3.3 CCPA Compliance

Under the California Consumer Privacy Act (CCPA), Yozzly:

  • Confirms it does not sell or share Personal Data for monetary or other valuable consideration.
  • Ensures adherence to all applicable requirements, including the rights of California residents.

3.4 Disclaimer of Liability

Yozzly shall not be held liable for claims resulting from processing activities that adhere to your instructions unless otherwise stipulated by law.

4. Your Obligations as Data Controller

You agree to:

  • Provide lawful, clear, and documented instructions for processing Personal Data.
  • Ensure compliance with all applicable data protection laws, including acquiring consent from Data Subjects when required.
  • Refrain from submitting unlawful, harmful, or non-compliant data through the Platform.

5. Company’s Obligations as Data Controller

When Yozzly acts as a Data Controller, it will:

  • Comply with all applicable data protection laws, including GDPR, CCPA, and the UK Data Protection Act.
  • Notify Data Subjects, where applicable, regarding its data processing practices.
  • Implement measures ensuring transparency, accuracy, and security of processed Personal Data.

6. Data Transfers

6.1 Cross-border Data Transfers by You

You acknowledge and agree that Personal Data processed via the Platform may be transferred to Yozzly’s facilities and Sub-processors located outside your jurisdiction, including transfers outside the European Economic Area (EEA) and United Kingdom. Such transfers will only occur subject to appropriate safeguards, including:

  • Transfers to countries with adequacy decisions from relevant authorities
  • Implementation of Standard Contractual Clauses (SCCs)
  • Binding Corporate Rules where applicable
  • Other legally recognized transfer mechanisms

You authorize Yozzly to enter into Standard Contractual Clauses on your behalf where necessary for the legitimate provision of services under this Agreement.

6.2 Cross-border Data Transfers by Company

Yozzly ensures all international data transfers comply with applicable data protection laws through:

Legal Mechanisms:

  • Implementation of European Commission-approved Standard Contractual Clauses
  • Adherence to adequacy decisions issued by relevant authorities
  • Implementation of supplementary measures where required

Technical Safeguards:

  • End-to-end encryption for data in transit
  • Storage encryption for data at rest
  • Secure data transmission protocols
  • Geographic data residency options where required

Operational Controls:

  • Regular assessment of transfer mechanisms
  • Documentation of international data flows
  • Monitoring of regulatory changes affecting transfers
  • Updates to transfer mechanisms as required by law

Sub-processor Management:

  • Due diligence on Sub-processor transfer mechanisms
  • Regular audits of Sub-processor compliance
  • Contractual requirements for data protection
  • Monitoring of Sub-processor performance

Yozzly maintains records of all cross-border data transfers and will provide relevant documentation upon reasonable request.

7. Conflict

In case of conflict between this DPA and other agreements between you and Yozzly, this DPA shall govern the processing of Personal Data.

8. Definitions

For the purposes of this DPA, the following terms shall have the meanings set forth below:

Agreement: The primary agreement between you and Yozzly governing the use of the Platform, including but not limited to the Terms of Service and any Order Forms.

Data Controller: The entity that determines the purposes and means of processing Personal Data, as defined under Article 4(7) of the GDPR and similar provisions in other applicable data protection laws.

Data Processor: The entity that processes Personal Data on behalf of the Data Controller, as defined under Article 4(8) of the GDPR and similar provisions in other applicable data protection laws.

Data Protection Laws: All laws and regulations applicable to the processing of Personal Data under the Agreement, including but not limited to:

  • The General Data Protection Regulation (EU) 2016/679 (“GDPR”)
  • The UK Data Protection Act 2018
  • The California Consumer Privacy Act (“CCPA”)
  • Other applicable national data protection laws

Data Subject: An identified or identifiable natural person to whom Personal Data relates.

Personal Data: Any information relating to an identified or identifiable natural person, as defined under Article 4(1) of the GDPR and similar provisions in other applicable data protection laws.

Platform: Yozzly’s social media management platform and related services, including all features and functionalities provided through our website and applications.

Sensitive Data: Special categories of Personal Data as defined in Article 9 of the GDPR and similar provisions in other applicable data protection laws, including:

  • Personal Data revealing racial or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership
  • Genetic or biometric data
  • Health data
  • Data concerning a person’s sex life or sexual orientation

Sub-processor: Any third party engaged by Yozzly to process Personal Data on behalf of the Customer, in connection with the Agreement.

Security Incident: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.

These definitions shall apply throughout this DPA unless explicitly stated otherwise. Terms not defined in this DPA shall have the meanings set forth in the Agreement.
