Yola Data Processing Addendum

Effective Date: July 24, 2018.

This Yola Data Processing Addendum forms part of, and is subject to the provisions of, the Yola Terms of Service. Capitalized terms not defined here have the meanings set forth in the Terms of Service.

The following definitions apply solely to this Data Processing Addendum:

  • a. the terms “Controller”, “data subject”, “personal data”, “process,” “processing” and “Processor” have the meanings given to these terms in EU Data Protection Law.
  • b. “EU Data Protection Law” means any data protection or data privacy law or regulation of Switzerland, the United Kingdom, or any European Economic Area (“EEA”) country applicable to Your Controlled Data, including, as applicable, the GDPR and the e-Privacy Directive 2002/58/EC.
  • c. “GDPR” means the EU General Data Protection Regulation 2016/679.
  • d. “Sub-Processor” means an entity engaged by Yola to process Your Controlled Data.

We, the Processor, technically operate a website and/or online shop on our systems located in countries including the US on behalf of you, the Controller.

We may also be an independent Controller for some personal data relating to you or your End Users. Please see our Privacy Policy and Terms of Service for details about this personal data which we control. We decide how to use and process that personal data independently and use it for our own purposes. When we process personal data as a Controller, you acknowledge and confirm that this Data Processing Addendum does not create a joint-Controller relationship between you and us. If we provide you with personal data controlled by us, such as in any access to data regarding your End Users’ interactions with Your Site, you receive that as an independent data Controller and are responsible for compliance with EU Data Protection Law in that regard.

The Processor shall process personal data for the Controller in terms of Article 4(2) and Article 28 of the GDPR based on this Agreement.

The contractually stipulated service shall be performed exclusively in a Member State of the European Union or in a contracting state of the Agreement on the European Economic Area. Any relocation of the service or parts thereof to another country shall only take place if the specific requirements of Article 44 and subsequent Articles of the GDPR are met (e.g. adequacy decision by the Commission, standard data protection clauses, approved codes of conduct). We are a certified member of the EU-US and Swiss-US Privacy Shield. The processing of personal data by the Processor for the Controller, which is located in the USA, is carried out within the framework of these adequacy decisions.

1. Type and Purpose of Processing, Type of Personal Data and Categories of Data Subjects:

We ensure that your website and/or online shop is accessible to users via the Internet within the framework of our Terms of Service. Furthermore, we process all information in connection with user orders and make it available to you. You are then responsible for the execution of the contracts concluded with your users.

Type of processing (in accordance with the definition in Article 4 No. 2 of the GDPR):

Processing is the collection, storage and use of personal data which are necessary for the operation of the respective website and/or online shop.

Type of personal data (in accordance with the definition in Articles 4 No. 1, 13, 14 and 15 of the GDPR):

  • Name
  • Company
  • Postal address
  • Phone Number
  • Payment information
  • Email Address
  • Order details
  • IP address
  • Information submitted through the Yola Contact form

Categories of data subjects (in accordance with the definition in Article 4 No. 1 of the GDPR):

Data subjects are users of the respective website and/or online shop.

2. Rights, Duties and Powers of Instruction of the Controller

The Controller shall alone be responsible for assessing the lawfulness of processing pursuant to Article 6(1) of the GDPR and for safeguarding the rights of data subjects in accordance with Articles 12-22 of the GDPR. Nevertheless, the Processor shall be obligated to forward to the Controller all such inquiries without undue delay insofar as they are recognizably intended for the Controller exclusively.

Modifications of the subject of processing and changes in procedures are to be coordinated between the Controller and the Processor and defined in writing or in a documented electronic format.

The Controller shall generally issue all orders, partial orders and instructions in writing or in a documented electronic format. Verbal instructions are to be confirmed in writing or in a documented electronic format without undue delay. The Controller shall be entitled to convince itself adequately of the Processor's adherence to technical and organizational measures taken by the Processor and with the obligations defined herein prior to commencement of the processing and on a regular basis thereafter, as set down in Section 4 hereof.

The Controller shall notify the Processor without undue delay if the Controller finds errors or irregularities when reviewing the results of the processing.

The Controller shall be obligated to treat all knowledge of business secrets and data security measures of the Processor obtained thereby within the framework of the contractual relationship confidentially. This obligation shall remain in effect even after the Termination of this Agreement.

3. Controller's Authorized Issuers, Processor's Authorized Recipients

The Controller's authorized issuers of instructions and communication channel for this Agreement shall be:

  • The Processor's authorized recipients of instructions and the communication channel to be used for instructions shall be: privacy@yola.com
  • If contact persons are changed or hindered for an extended period, the other Party shall be notified of the successors or substitutes without undue delay, generally in writing or electronically. Instructions are to be preserved for the effective term thereof and for three full calendar years thereafter.

4. Duties of the Processor

The Processor shall process personal data exclusively within the bounds of the agreements reached by the Parties and the Controller's instructions, unless it is obligated to conduct processing otherwise by the laws of the EU or of the Member States to which the Processor is subject (e.g. investigations by law enforcement and state security authorities); in such a case, the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest (Article 28(3) Sentence 2 character a of the GDPR).

The Processor hereby warrants that all measures stipulated herein in connection with the processing of personal data under this Agreement will be taken in accordance with this Agreement. The Processor hereby warrants that the data processed for the Controller will be kept strictly separate from other data.

The data storage media originating from or used for the Controller shall be specially labelled. The arrival, departure and ongoing use thereof shall be documented.

The Processor shall be required to participate to a necessary extent and provide the Controller with reasonable assistance to the extent possible in safeguarding the rights of data subjects in accordance with Articles 12-22 of the GDPR, in compiling records of processing activities and in necessary impact assessments by the Controller (Article 28(3) Sentence 2 character e and f of the GDPR). The Processor shall provide the necessary information in this regard without undue delay in each case to the Controller. The Controller informs the Processor in writing immediately after conclusion of this DPA, which office of the Controller shall be addressed.

The Processor shall inform the Controller without undue delay if, in its opinion, an instruction issued by the Controller violates statutory provisions (Article 28(3) Sentence 3 of the GDPR). The Processor shall be entitled to delay performance of the relevant instruction until it is confirmed or amended by the Controller's controller after review. The Processor shall be required to modify, delete or restrict processing of personal data arising from the contractual relationship if the Controller makes such request by means of an instruction unless such is opposed by legitimate interests of the Processor.

The Processor may not provide personal data arising from the contractual relationship to third parties or the data subjects without the prior instruction or approval from the Controller.

  • The Processor hereby warrants that it will participate as far as necessary in this monitoring in a supportive fashion.
  • The Processor hereby confirms that it is familiar with the data protection provisions of the GDPR applicable to the commissioned processing. It also hereby agrees to observe secrecy rules of relevance for this Agreement which are incumbent upon the Controller. As far as the Controller has to observe corresponding special secrecy rules, he informs the Processor in writing immediately after conclusion of this DPA, which secrecy rules are concerned.
  • The Processor hereby agrees to maintain confidentiality in connection with the processing of personal data in accordance with this Agreement. This duty shall continue to be binding after the termination of this Agreement.
  • The Processor hereby warrants that it will make employees engaged in performance of the processing familiar with the respective data protection provisions applicable to them prior to the commencement of their activity and that such employees will be obligated in suitable fashion to maintain secrecy for the period of the activity thereof and after termination of the employment relationship (Article 28(3) Sentence 2 character b and Article 29 of the GDPR).
  • The Processor shall monitor compliance with the provisions of data protection law in its company.
  • All correspondence related to this Agreement is to be directed to privacy@yola.com.

5. Processor's Notification Duties in the Event of Disruptions in Processing and Breaches of the Protection of Personal Data:

The Processor shall notify the Controller by posting on Yola.com without undue delay of disruptions and violations by the Processor or the persons employed by it of provisions of data protection law or the provisions of the Agreement, as well as of the suspicion of data protection violations or irregularities in the processing of personal data. This shall apply above all with respect to possible notification and communication obligations of the Controller in accordance with Article 33 and Article 34 of the GDPR. The Processor hereby warrants that it will adequately assist the Controller with its obligations in accordance with Article 33 and Article 34 of the GDPR (Article 28(3) Sentence 2 character f of the GDPR). Notifications on behalf of the Controller under Articles 33 or 34 of the GDPR may only be executed by the Processor after prior instruction pursuant to Section 4 of this Agreement.

6. Relationships with Subcontractors (Article 28(3) Sentence 2 character d of the GDPR)

The Processor may engage third parties and/or subcontractors for the Processing of Personal Data under this Processor Agreement.

The Processor is responsible for these third parties and/or subcontractors and shall impose upon the third parties and/or subcontractors the same conditions, duties and responsibilities as mentioned in this Processor Agreement. Upon written request by Controller, the Processor is to provide information regarding the obligations of its sub-processors relevant to data protection at any time.

7. Technical and Organizational Measures in Accordance with Article 32 of the GDPR (Article 28(3) Sentence 2 character c of the GDPR)

A level of security adequate to the risk for the rights and freedoms of natural persons affected by the specific processing shall be ensured. To this end, the protective goals of Article 32(1) of the GDPR, such as the confidentiality, integrity and availability of systems and services and the resilience thereof with regard to the nature, scope, context and purpose of the processing shall be taken into account so that the risk is mitigated in a lasting manner through appropriate technical and organizational measures.

Upon written request from the Controller, and no more than once per calendar year, the Processor will make available to the Controller all information necessary to demonstrate compliance with its obligations under the GDPR and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller. Any reviews of information, audits, or inspections conducted pursuant to this Section shall be at the Controller’s sole expense.

8. Liability

The Processor is responsible for the implementation of the measures as set out in this Data Processing Addendum. The Processor is not liable if these measures turn out to be insufficient. The Controller indemnifies the Processor against claims of third parties, including data protection authorities, ensuing for any reason whatsoever from the Processing of Personal Data as set out in this Data Processing Addendum.

Any liability of the Processor on account of imputable failure to perform the agreement or on any other ground, is governed by the limitation of liability as agreed upon in the Yola Terms of Service.