Effective Date: December 7, 2022

This Data Protection Agreement (“DPA”) is made as of the DPA Effective Date (defined below) between Yembo, Inc., a Delaware corporation with a place of business at 4445 Eastgate Mall, Suite 200, San Diego, California 92121, United States of America (“Supplier” or “Company”), and _________________________, a ___________________________________ located at __________________________________________________________________ (“Customer”).

This DPA is incorporated into and forms part of the Yembo Software-As-A-Service Agreement between Company and Customer (a generic template of which is available at https://yembo.ai/legal/saas-agreement), as applicable, or such other written or electronic agreement between Company and Customer for the use of services to be provided by Company (the “Principal Agreement”).


RECITALS


Company provides video surveys powered by artificial intelligence and related services to Customer under the Agreement. Pursuant to the Agreement, Company may from time to time process Personal Data (as defined below) for which Customer may be a “Data Controller” as defined by Applicable Data Protection Law (defined below), including the General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”). When processing such Personal Data, Company may be a “Data Processor” as defined by Applicable Data Protection Law.

Because such processing may, from time to time, require the maintenance and implementation of appropriate technical and organizational safeguards, and because such processing may, from time to time, involve the transfer of Personal Data from the European Union to the United States, Customer and Company have agreed to execute this DPA in order to ensure that adequate safeguards are established with respect to the protection of Personal Data.


1. Definitions


1.1 In this DPA, the following terms shall have the meanings set out below and cognate terms shall be construed accordingly:


  • "Affiliate" means in relation to either Customer or Supplier, an entity that owns or controls, is owned or controlled by or is or under common control or ownership of such entity, where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity;
  • "Applicable Laws" means (a) UK, European Union or Member State laws with respect to any Customer Personal Data in respect of which Customer or any Customer Affiliate is a Controller under EU Data Protection Laws and the UK Data Protection Laws; and (b) any other applicable law with respect to any Customer Personal Data in respect of which Customer or any Customer Affiliate is a Controller (or its equivalent) under any other Data Protection Laws;
  • "Contracted Processor" means Supplier or Supplier Affiliate and/or a Subprocessor, as the context requires;
  • Controller to Processor SCCs" means Module 2 of the EU Standard Contractual Clauses, as set out in Appendix 4 to this Agreement; and, in relation to UK Restricted Transfers, deemed amended by the provisions of Part 2 (Mandatory Clauses) of the UK Addendum, and as amended or replaced from time to time by a competent authority under the relevant Data Protection Laws;
  • "Customer Personal Data" means any Personal Data Processed by any Contracted Processor pursuant to or in connection with the Principal Agreement and irrespective of whether the Contracted Processor is acting as Controller or Processor in relation to such Processing;
  • "Data Protection Laws" means the European Data Protection Laws, UK Data Protection Laws and, to the extent applicable, the data protection or privacy laws of any other country including the U.S. Privacy Laws as described in Appendix 5;
  • "Delete" means the removal or obliteration of Personal Data such that it cannot be recovered or reconstructed;
  • "EU Restricted Transfer" means either: (i) a transfer of Personal Data by Customer or any Customer Affiliate (“Transferor”) to the Supplier or any Supplier Affiliate (“Transferee”); or (ii) an onward transfer from a Supplier to a Subprocessor (also a “Transferee”), in each case, where such transfer would be prohibited by EU Data Protection Laws in the absence of the protection for the transferred Personal Data provided by the EU Standard Contractual Clauses or any other mechanism permitted under Applicable Laws;
  • "European Data Protection Laws" means the EU General Data Protection Regulation 2016/679 of the European Parliament and of the Council ("GDPR"); and laws implementing or supplementing the GDPR;
  • "EU Standard Contractual Clauses" means the standard contractual clauses set out in the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, as amended or replaced from time to time by a competent authority under the relevant Data Protection Laws;
  • "Member State" means a member state of the EU;
  • "Relevant Date" means the date falling on the earlier of (i) the cessation of Processing of Customer Personal Data by any Contracted Processor; or (ii) termination of the Principal Agreement;
  • "Restricted Transfer" means an EU Restricted Transfer and/or a UK Restricted Transfer as the context dictates;
  • "Services" means the services supplied by Supplier and/or Supplier Affiliates to Customer and/or Customer Affiliates pursuant to the Principal Agreement;
  • "Standard Contractual Clauses" means (i) the EU Standard Contractual Clauses or the UK Standard Contractual Clauses (as applicable), as updated, amended, replaced or superseded from time to time by the European Commission or by the UK Supervisory Authority, as applicable; or (ii) where required from time to time by a Supervisory Authority for use with respect to any specific Restricted Transfer, any other set of contractual clauses or other similar mechanism approved by such Supervisory Authority or by Applicable Laws for use in respect of such Restricted Transfer, as updated, amended, replaced or superseded from time to time by such regulatory authority or Applicable Laws;
  • "Subprocessor" means any Processor (including any third party and any Supplier Affiliate, but excluding an employee of Supplier or an employee of any of its sub-contractors) appointed by or on behalf of Supplier or any Supplier Affiliate to Process Customer Personal Data;
  • "Supervisory Authority" means (a) an independent public authority which is established by a Member State pursuant to Article 51 GDPR; and (b) any similar regulatory authority responsible for the enforcement of Data Protection Laws;
  • "UK Data Protection Laws" means the GDPR as transposed into United Kingdom national law by operation of section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 ("UK GDPR"), together with the Data Protection Act 2018, the Privacy and Electronic Communications (EC Directive) Regulations 2003 (as amended) and other data protection or privacy legislation in force from time to time in the United Kingdom;
  • “UK IDTA” means the International Data Transfer Agreement issued by the UK Information Commissioner, as amended or replaced from time to time, pursuant to Article 46 of the UK GDPR;
  • "UK Restricted Transfer" means either: (i) a transfer of Personal Data by Customer or any Customer Affiliate (“Transferor”) to the Supplier or any Supplier Affiliate (“Transferee”); or (ii) an onward transfer from a Supplier to a Subprocessor (also a “Transferee”), in each case, where such transfer would be prohibited by UK Data Protection Laws in the absence of the protection for the transferred Personal Data provided by the UK Standard Contractual Clauses or any other mechanism permitted under Applicable Laws to be established under Section 9 below; and
  • "UK Standard Contractual Clauses" means, as applicable, (i) the EU Standard Contractual Clauses as amended by the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner (“UK Addendum”), as amended or replaced from time to time, pursuant to Article 46 of the UK GDPR; or (ii) the UK IDTA as amended or replaced from time to time, pursuant to Article 46 of the UK GDPR.


  • 1.2 The terms "Controller", "Data Subject", "Personal Data", "Personal Data Breach", "Processing", "Processor" and "Special Categories of Personal Data" shall have the same meaning as in Data Protection Laws (or where not defined in applicable Data Protection Laws, shall have the meaning as in the GDPR), and in each case their cognate terms shall be construed accordingly. Capitalized terms not defined herein shall have the meaning given to them in the Principal Agreement.

    2. Obligations on Supplier when Processing Customer Personal Data as a Controller


    1. The parties agree that, to the extent Supplier and/or any Supplier Affiliate is acting as Controller in relation to Customer Personal Data, each acts as a separate and independent Controller from Customer and/or Customer Affiliates.
    2. To the extent that Supplier and/or any Supplier Affiliate is acting as a Controller, Supplier and each Supplier Affiliate shall:
        2.1   comply with all applicable Data Protection Laws when Processing Customer Personal Data;
        2.2   only Process the Customer Personal Data: (i) in order to perform its obligations under the Principal Agreement; and (ii) solely to the extent permitted by applicable Data Protection Laws to the extent necessary for the following purposes as Controller: (a) maintaining and developing Supplier's relationship with Customer; (b) billing and invoicing; (c) compliance with quality control and risk management procedures; (d) security-related processing (for example, automated scanning of incoming and outgoing emails for viruses); (e) complying with legal and regulatory obligations; and (f) establishing, exercising and defending legal claims and no other purpose;
        2.3  notify Customer and each relevant Customer Affiliate as soon as reasonably practicable upon becoming aware of a Personal Data Breach affecting Customer Personal Data, and, where reasonably practicable, provide a copy of any proposed notification and consider in good faith any comments made by Customer or relevant Customer Affiliate before notifying the Personal Data Breach to any third parties; and
        2.4   comply with applicable Data Protection Laws in relation to any Restricted Transfer.

    3. Obligations on Supplier when Processing Customer Personal Data as a Processor


      3.1   Supplier and each Supplier Affiliate at all times Process Customer Personal Data in accordance with Data Protection Laws (as applicable to Processors) and comply with all obligations applicable to Processors under such laws and shall:
      • not Process Customer Personal Data other than on Customer or the relevant Customer Affiliate's documented instructions unless Processing is required by UK, EU or Member State law to which the relevant Contracted Processor is subject, in which case Supplier or the relevant Supplier Affiliate shall inform Customer or the relevant Customer Affiliate of that legal requirement before such Processing, unless that law prohibits such information on important grounds of public interest. Subsequent instructions may also be given by the Customer or the relevant Customer Affiliate throughout the duration of the processing of Customer Personal Data. These instructions shall always be documented;
      • inform Customer or relevant Customer Affiliate if, in the Supplier or relevant Supplier Affiliate’s opinion, instructions given by the controller infringe Data Protection Laws;
      • grant access to the Customer Personal Data undergoing Processing to members of its personnel only to the extent strictly necessary for implementing, managing and monitoring of the Principal Agreement. The Supplier and each Supplier Affiliate shall ensure that persons authorised to process the Customer Personal Data received have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
      • promptly notify Customer or the relevant Customer Affiliate if it receives a request from a Data Subject under any Data Protection Laws in respect of Customer Personal Data (including full details and copies of the complaint, communication or request), and provide full co-operation and support to Customer or the relevant Customer Affiliate to comply with any request from a Data Subject under any Data Protection Laws. Supplier or relevant Supplier Affiliate shall not respond to the request itself, unless authorised to do so by the Customer or the relevant Customer Affiliate;
      • assist the Customer or the relevant Customer Affiliate in fulfilling its obligations to respond to Data Subjects’ requests to exercise their rights, taking into account the nature of the processing and implement any additional technical and organisational measures as may be reasonably required by Customer or any Customer Affiliate to allow Customer or any Customer Affiliate to respond effectively to relevant complaints, communications or requests from Data Subjects;
      • implement the technical and organisational measures specified in Appendix 2 (Technical and Organisational Measures); to ensure the security of the Customer Personal Data. This includes protecting the Customer Personal Data against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to the data. In assessing the appropriate level of security, the Supplier and each Supplier Affiliate shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purposes of Processing and the risks involved for the Data Subjects;
        • maintain a record of its Processing activities conducted for and on behalf of Customer. Such record shall contain:
        • the name and contact details of the Supplier and the name and contact details of Customer;
        • the categories of Processing carried out on behalf of Customer;
      • where applicable, details of any EU Restricted Transfers or UK Restricted Transfers of Customer Personal Data including the identification of the country or international organisation that the Customer Personal Data is transferred to and record of the safeguards the Supplier has put in place to ensure that the transfer will be in accordance with Data Protection Laws; details of the technical and organisational measures the Supplier has put in place to ensure the security of Customer Personal Data,
      • where requested by Customer, make available the record of Processing activities referred to in clause 3.1.6 above to Customer within 48 hours of receiving such request;
      3.2   Customer instructs Supplier and each Supplier Affiliate (and authorises Supplier and each Supplier Affiliate to instruct each Subprocessor) to Process Customer Personal Data, including to transfer Customer Personal Data to any country which is outside of the UK and/or EEA, subject always to the relevant Contracted Processor(s) complying with the terms of this DPA, as reasonably necessary to provide the Services and consistent with the Principal Agreement.
      3.3   Appendix 1 to this DPA sets out certain information regarding the Contracted Processors' Processing of the Customer Personal Data. Supplier and each Contracted Processor shall Process the Customer Personal Data only for the specific purposes of the Processing as set out in Appendix 1, unless it receives further instructions from Customer or a relevant Customer Affiliate and Processing by Supplier and each Contracted Processor shall only take place for the duration specified in Appendix 1. As between the parties, nothing in Appendix 1 (including as amended pursuant to this clause 3.3) confers any right or imposes any obligation on either party.

    4. Subprocessing

      4.1   Neither Supplier nor any Supplier Affiliate shall engage any Subprocessors to Process Customer Personal Data other than with the prior written consent of Customer, which Customer may refuse in its absolute discretion, and in each case subject to Supplier or the relevant Supplier Affiliate:
      • carrying out adequate due diligence on each Subprocessor to ensure that it is capable of providing the level of protection for the Customer Personal Data as is required by this DPA including without limitation sufficient guarantees to implement appropriate technical and organisational measures in such a manner that Processing will meet the requirements of GDPR or equivalent provisions of any Data Protection Laws and this DPA and provide evidence of such due diligence to Customer or relevant Customer Affiliate where requested by Customer or relevant Customer Affiliate or a Supervisory Authority;
      • providing Customer or the relevant Customer Affiliate with full details of the Processing to be undertaken by each Subprocessor; including terms in the contract between Supplier and each Subprocessor that provides for, in substance, the same data protection obligations as those binding the data importer under this DPA;
      • provide, at the Customer’s or relevant Customer Affiliate’s request, a copy of such a Subprocessor agreement and any subsequent amendments to the Customer or relevant Customer Affiliate. To the extent necessary to protect business secrets or other confidential information, including personal data, the Supplier may redact the text of the agreement prior to sharing a copy
      • insofar as that contract involves a Restricted Transfer ensuring that the applicable Standard Contractual Clauses are at all relevant times entered into between the Supplier and each Subprocessor to ensure the adequate protection of the transferred Customer Personal Data; insofar as that contract involves a Restricted Transfer, carry out a transfer impact assessment in relation to each Subprocessor to ensure that the laws and practices in the relevant third country of the destination applicable to the Processing of the Customer Personal Data by the Subprocessor, including any requirements to disclose Customer Personal Data or measures authorising access by public authorities, do not prevent Supplier or Supplier Affiliate from fulfilling its obligations under this DPA, and provide a copy of such transfer impact assessment to Customer or relevant Customer Affiliate where so requested;
      • ensuring that the Subprocessor will not Process Customer Personal Data beyond the scope of the processing description set out in Annex 1;
      • remaining fully liable to Customer or the relevant Customer Affiliate for any act or omission of its Subprocessor. The Supplier shall notify the Customer or any relevant Customer Affiliate of any failure by the Subprocessor to fulfil its obligations under that contract; and
      • agree a third-party beneficiary clause with the Subprocessor whereby - in the event the Supplier has factually disappeared, ceased to exist in law or has become insolvent - the Customer shall have the right to terminate the Subprocessor contract and to instruct the Subprocessor to erase or return the Customer Personal Data.

    5. Personal Data Breach

    1. Supplier shall notify Customer without undue delay, and in any event within 24 hours, upon Supplier or any Supplier Affiliate becoming aware of or reasonably suspecting a Personal Data Breach. Supplier shall provide Customer with sufficient information to allow Customer and each Customer Affiliate to meet any obligations to assess and report a Personal Data Breach under the Data Protection Laws, which may be provided in stages as it becomes available to Supplier and shall include the following: (a) a description of the nature of the Personal Data Breach, including details of any sub-processors involved, the categories and numbers of Data Subjects concerned, and the categories and numbers of Customer Personal Data records concerned; (b) the name and contact details of Supplier's or the relevant Supplier Affiliate's data protection officer or other relevant contact from whom more information may be obtained; (c) the likely consequences of the Personal Data Breach; and (d) the measures taken or proposed to be taken to address the Personal Data Breach.
    2. Supplier and each Supplier Affiliate shall co-operate with Customer and Customer Affiliates and take such reasonable commercial steps as are directed by Customer to assist in the investigation, containment and remediation of each Personal Data Breach.
    3. In the event of a Personal Data Breach, neither Supplier nor any Supplier Affiliate shall inform any third party without first obtaining Customer’s prior written consent, unless notification is required by a law to which Supplier is subject, in which case Supplier shall to the extent permitted by such law (i) not refer to Customer or any Customer Affiliate in any such notification, and (ii) inform Customer of that legal requirement, provide a copy of the proposed notification and consider any comments made by Customer before notifying the Personal Data Breach.

    6. Assistance to the Customer and relevant Customer Affiliate

      6.1   Supplier and each relevant Supplier Affiliate shall assist Customer and each relevant Customer Affiliate in ensuring compliance with the following obligations, taking into account the nature of the Processing and the information available to the Supplier and each relevant Supplier Affiliate:
      • the obligation to carry out an assessment of the impact of the envisaged Processing on the protection of personal data (a ‘data protection impact assessment’) where a type of processing is likely to result in a high risk to the rights and freedoms of natural persons;
      • the obligation to consult the competent Supervisory Authority prior to Processing where a data protection impact assessment indicates that the Processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk;
      • the obligation to ensure that Customer Personal Data is accurate and up to date, by informing the Customer and each relevant Customer Affiliate without delay if the Supplier or relevant Supplier Affiliate becomes aware that the Customer Personal Data it is Processing is inaccurate or has become outdated; and
      6.2  The appropriate technical and organisational measures by which the Supplier and each relevant Supplier Affiliate is required to assist the Customer and each relevant Customer Affiliate in the application of this Clause 6 as well as the scope and the extent of the assistance required is set out in Appendix 2 (Technical and Organisations Measures).

    7. Deletion or return of Customer Personal Data

    1. Subject to clause 7.2, Supplier and each Supplier Affiliate shall promptly and in any event within 90 (ninety) calendar days of the Relevant Date: (a) return a complete copy of all Customer Personal Data to Customer by secure file transfer in such format as notified by Customer to Supplier; and (b) Delete and procure the Deletion of all other copies of Customer Personal Data Processed by each Contracted Processor; and (c) provide written certification to Customer that it has fully complied and that all other Contracted Processors have fully complied with this clause 7.1.
    2. Each Contracted Processor may retain Customer Personal Data to the extent and for such period as required by EU or Member State law provided that Supplier shall ensure and shall procure that each Contracted Processor shall ensure (i) the confidentiality of all such Customer Personal Data and (ii) that such Customer Personal Data is only Processed for the purpose(s) specified in such law.
    3. Until the Customer Personal Data is Deleted or returned, each Contracted Processor shall continue to ensure compliance with this DPA

    8. Audit rights

    1. Supplier and each Supplier Affiliate shall be able to demonstrate compliance with this DPA and shall deal promptly and adequately with enquiries from the Customer or relevant Customer Affiliate about the processing of Customer Personal Data in accordance with this DPA
    2. Supplier and each Supplier Affiliate shall make available to the Customer on request all information necessary to demonstrate compliance with the obligations that are set out in this DPA, and, at the Customer’s or relevant Customer Affiliate’s request, shall also permit and contribute to audits of the Processing activities covered by this DPA, at reasonable intervals or if there are indications of non-compliance. In deciding on a review or an audit, the Customer or relevant Customer Affiliate may take into account relevant certifications held by the Supplier or Supplier Affiliate.
    3. The Customer or relevant Customer Affiliate may choose to conduct the audit by itself or mandate an independent auditor. Audits may also include inspections at the premises or physical facilities of the Supplier or relevant Supplier Affiliate and shall, where appropriate, be carried out with reasonable notice.

    9. Restricted Transfers

      9.1   In respect of any EU Restricted Transfer, Customer and each Customer Affiliate (each as “data exporter”) and Supplier and each Contracted Processor (each as “data importer”) with effect from the commencement of the relevant transfer hereby enter into the EU Standard Contractual Clauses in respect of any transfer from Customer or any Customer Affiliate to a Contracted Processor (or onward transfer). The Controller to Processor SCCs shall apply between Customer (or each Customer Affiliate) and Supplier (or each Supplier Affiliate) and Module 3 of the EU Standard Contractual Clauses shall apply between Supplier and each of Supplier’s Subprocessors, and:
        • Clause 7 – Docking clause of the EU Standard Contractual Clauses shall not apply;
        • Clause 9 – Use of subprocessors of the EU Standard Contractual Clauses Option 2 shall apply and the “time period” shall be 10 days;
        • Clause 11(a) – Redress of the EU Standard Contractual Clauses, the optional language shall not apply;
        • Clause 13(a) – Supervision of EU Standard Contractual Clauses, the following shall be inserted: The supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer, as indicated in Annex I.C, shall act as competent supervisory authority.
        • Clause 17 – Governing law of the EU Standard Contractual Clauses Option 1 shall apply and the “Member State” shall be __________;
        • Clause 18 – Choice of forum and jurisdiction of the EU Standard Contractual Clauses the Member State shall be __________;
        • Annex 1 of the EU Standard Contractual Clauses shall be deemed to be pre-populated with the relevant sections of Appendix 2 to this DPA and the processing operations are deemed to be those described in the Principal Agreement; and
        • Annex 2 of the EU Standard Contractual Clauses shall be deemed to be pre-populated with the relevant sections of Appendix 3 to this DPA.
      9.2   In respect of any UK Restricted Transfer, Customer and each Customer Affiliate (each as “data exporter”) and Supplier and each Supplier Affiliate (each as “data importer” ), hereby enter into the UK Standard Contractual Clauses in respect of any transfer from Customer or any Customer Affiliate to Supplier or Supplier Affiliate with Module 2 of the EU Standard Contractual Clauses applying between Customer (or each Customer Affiliate) and Supplier (or each Supplier Affiliate). The provisions of Sections 9.1.1 to 9.1.3 and 9.1.7 to 9.1.9 of this Agreement shall apply to the UK Addendum.

      9.3   If, at any time, a Supervisory Authority or a court with competent jurisdiction over a Party mandates that transfers from Controllers in the EEA or the UK to Processors established outside the EEA or the UK must be subject to specific additional safeguards (including but not limited to specific technical and organisational measures), the Parties shall work together in good faith to implement such safeguards and ensure that any transfer of Customer Personal Data is conducted with the benefit of such additional safeguards.

    10. Non-compliance with the Clauses and Termination

    10.1   Without prejudice to any provisions of relevant Data Protection Laws, in the event that the Supplier or relevant Supplier Affiliate is in breach of its obligations under this DPA, Customer or relevant Customer Affiliate may instruct Supplier or relevant Supplier Affiliate to suspend the processing of Customer Personal Data until the latter complies with this DPA or the Principal Agreement is terminated. The Supplier or relevant Supplier Affiliate shall promptly inform Customer or relevant Customer Affiliate in case it is unable to comply with this DPA, for whatever reason.

    10.2  Customer shall be entitled to terminate the Principal Agreement insofar as it concerns processing of Customer Personal Data in accordance with this DPA if:
    • Processing of Customer Personal Data by Supplier or relevant Supplier Affiliate has been suspended by Customer or relevant Customer Affiliate pursuant to clause 10.1 and if compliance with this DPA is not restored within a reasonable time and in any event within one month following suspension;
    • Supplier or relevant Supplier Affiliate is in substantial or persistent breach of this DPA or its obligations under Data Protection Laws;
    • Supplier or relevant Supplier Affiliate fails to comply with a binding decision of a competent court or the competent Supervisory Authority regarding its obligations pursuant to this DPA or applicable Data Protection Laws.

    11. General Terms

    1. Survival. Any obligation imposed on Supplier or any Supplier Affiliate under this DPA in relation to the Processing of Personal Data shall survive any termination or expiration of this DPA.
    2. Cross-default. Any breach of this DPA shall constitute a material breach of the Principal Agreement.
    3. Third Party Rights: A Customer Affiliate may enforce any term of this DPA which is expressly or implicitly intended to benefit it. A person who is not a party to this DPA shall otherwise have no right to enforce any term of this DPA, save to the extent set out in the relevant SCCs. The rights of the parties to rescind or vary this DPA are not subject to the consent of any other person (including any Customer Affiliate).
    4. Precedence: The provisions of this DPA are supplemental to the relevant Principal Agreement. In the event of inconsistencies between the provisions of this DPA and the provisions of the relevant Principal Agreement the provisions of this DPA shall prevail.
    5. Compliance with Data Protection Laws: Each party to this DPA shall comply with all applicable Data Protection Laws when Processing Customer Personal Data.
    6. Cooperation with Supervisory Authorities. Supplier shall provide full co-operation to Customer or the relevant Customer Affiliate in relation to any communication from a Supervisory Authority.

    7. IN WITNESS WHEREOF, this DPA is entered into and becomes a binding part of the Principal Agreement with effect from the DPA Effective Date first set out above.


      _______________________________         Yembo, Inc. (“Company”)
      ("Customer")
      Signature
      ________________________________         Signature ________________________________
      Name
      ________________________________         Name _______________________________
      Date
      _________________________________         Date _________________________________
      Signature
      _________________________               Signature _________________________

    APPENDIX 1 – DESCRIPTION OF THE PROCESSING


    Subject matter and duration of the Processing of the Personal Data: The subject matter and duration of the Processing of the Customer Personal Data are set out in the Principal Agreement.


    The nature and purpose of the Processing of the Personal Data: The nature and purpose of the Processing of the Customer Personal Data are set out in the Principal Agreement.


    The type of Personal Data: The Customer Personal Data Processed may include some or all of the following attributes: Data exporter may submit Personal Data to the Company Service, the extent of which is determined and controlled by the data exporter in its sole discretion due to the nature of the Services. Categories of personal data with a high probability of transfer include names, addresses, telephone numbers, email addresses, IP addresses, and videos or images that may contain personal data contained within the end user data subject’s home that is captured by the end user data subject’s use of the Services.


    Special Categories of Personal Data: None.


    The categories of Data Subject to whom the Customer Personal Data relates: The categories of Data Subject may include some or all of the following:


    Data exporter may submit Personal Data to the data importer, the extent of which is determined and controlled by the data exporter in its sole discretion, and which may include, but is not limited to, Personal Data relating to the following categories of data subjects:


    • Data exporter’s assigned users of the Company software and services, including end users
    • Data exporter’s employees, agents, contractors or advisors, and the employees, agents, contractors or advisors of data exporter’s customers

    The obligations and rights of Customer and Customer Affiliates
    The obligations and rights of Customer and Customer Affiliates are set out in the Principal Agreement.

    APPENDIX 2: DESCRIPTION OF THE TRANSFER


    A. LIST OF PARTIES

    Data exporter(s): Identity and contact details of the data exporter(s) and, where applicable, of its/their data protection officer and/or representative in the European Union


    Name: _____________________________
    Address: ____________________________________
    Contact person’s name, position and contact details:
    ________________________________________
    ________________________________________
    ________________________________________
    Role (controller/processor): Controller

    Data importer(s): Identity and contact details of the data importer(s), including any contact person with responsibility for data protection


    Name: Yembo, Inc.
    Address: 4445 Eastgate Mall, Suite 200, San Diego, California, 92121, United States of America
    Contact person’s name, position and contact details: Zachary Rattner, Chief Technology Officer, privacy@yembo.ai , 1-833-469-3626


    Role (controller/processor): Processor


    B. DESCRIPTION OF TRANSFER

    Categories of data subjects whose personal data is transferred


    Data exporter may submit Personal Data to the data importer, the extent of which is determined and controlled by the data exporter in its sole discretion, and which may include, but is not limited to, Personal Data relating to the following categories of data subjects:


    • Data exporter’s assigned users of the Company software and services, including end users
    • Data exporter’s employees, agents, contractors or advisors, and the employees, agents, contractors or advisors of data exporter’s customers

    Categories of personal data transferred


    The personal data transferred concern the following categories of data:


    Data exporter may submit Personal Data to the Company Service, the extent of which is determined and controlled by the data exporter in its sole discretion due to the nature of the Services. Categories of personal data with a high probability of transfer include names, addresses, telephone numbers, email addresses, IP addresses, and videos or images that may contain personal data contained within the end user data subject’s home that is captured by the end user data subject’s use of the Services.


    Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.


    None

    The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).


    Continuous


    Nature of the processing


    The nature of Processing Personal Data by the data importer is the performance of the services by Company as set forth in the Agreement.

    Purpose(s) of the data transfer and further processing


    The purposes of Processing Personal Data by the data importer is the performance of the services by Company as set forth in the Agreement.

    The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period


    For the term of the Agreement and for as long as Processor retains the Personal Data under applicable law.

    For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing


    COMPETENT SUPERVISORY AUTHORITY

    Identify the competent supervisory authority/ies in accordance with Clause 13: _______________________________



    APPENDIX 3 - TECHNICAL AND ORGANISATIONAL MEASURES

    Description of the technical and organisational measures implemented by the Contracted Processors (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.

    The Data Importer has implemented and will maintain appropriate technical and organisational measures to protect the personal data against misuse and accidental loss or destruction as set forth in Company’s Security Practices Datasheet, a version of which is provided below that is current as of the DPA Effective Date.

    Company may update its Security Practices Datasheet from time to time at its sole discretion, as described in this DPA. Company will provide an updated version of its Security Practices Datasheet upon request.



    Yembo Security Practices Summary


    A summary of Yembo's security practices is available here.


    APPENDIX 4 - SUBPROCESSORS


    A list of Yembo's subprocessors is available here.


    APPENDIX 5 - U.S. PRIVACY LAWS


    1. Definitions

    • “U.S. Privacy Laws” means, as applicable and as amended: (a) the California Consumer Privacy Act of 2018, the California Privacy Rights Act of 2020 and the California Consumer Privacy Act Regulations; (b) the Colorado Privacy Act; (c) the Connecticut Data Privacy Act; (d) the Utah Consumer Privacy Act; (e) the Virginia Consumer Data Protection Act; and (f) other applicable data privacy laws.
    • The terms “business”, “business purpose”, “commercial purpose”, “consumer”, “controller”, “contractor”, “deidentified data”, “personal data”, “personal information”, “processor”, “process/processing”, “sales”, “sell”, “service provider” and “share” shall have the meanings given in the applicable U.S. Privacy Laws.
    • Capitalized terms used but not defined in this Addendum will have the meanings given in the Principal Agreement.
    2. Service Provider Appointment. Customer is a business or controller and discloses personal information to Company as its service provider or processor only for the limited and specific business purposes set forth specifically in the Principal Agreement, this Addendum and order form. Each party is responsible for its compliance with this Addendum and the applicable obligations under the U.S. Privacy Laws. Company shall provide the same level of privacy protection as is required by Customer under applicable U.S. Privacy Laws. Customer is solely liable for its compliance with each of the applicable U.S. Privacy Laws in its use of the Services.
    3. Service Provider’s Processing of Personal Information. Company shall not retain, use, or disclose Customer’s personal information that it collected under the Principal Agreement: (i) for any purpose other than business purposes specified in Principal Agreement and the applicable order forms (including retaining, using or disclosing the personal information for a commercial purpose other than the business purpose specified in the Principal Agreement and the applicable order forms) or as otherwise expressed permitted by the U.S. Privacy Laws and regulations or (ii) outside of the direct business relationship between Company and Customer. Company is prohibited from combining personal information that Company receives from, or on behalf of, Customer pursuant to the Principal Agreement with personal information that it receives from, or on behalf of, another source, or collected from Company’s own interaction with the consumer, provided that Company may combine personal information to perform any business purpose, as expressly permitted by applicable U.S. Privacy Laws or as defined in any relevant regulations adopted pursuant to U.S. Privacy Laws. The parties agree that the Services and the business purposes may include the retention, use, and disclosure of personal information and deidentified data to improve the Services and for the specific business purposes as set forth in the Principal Agreement. Company shall not sell or share the personal information it receives from Customer under the Principal Agreement. If Company is considered a contractor under applicable U.S. Privacy Laws, Company certifies that it understands the restrictions described in this section and will comply with them in accordance with applicable U.S. Privacy Laws.
    4. Rights of Consumer. Customer shall inform Company of any consumer request made pursuant to applicable U.S. Privacy Laws that the parties must comply with and provide the information necessary for Company to comply with the request or Company may enable Customer to comply with consumer requests made pursuant to applicable U.S. Privacy Laws. Service Provider will, to the extent legally permitted and as not otherwise subject to an exemption, promptly notify Customer if Service Provider receives a request from a Consumer to exercise the Consumer’s rights under the applicable U.S. Privacy Laws, to the extent applicable. Service Provider will cooperate with Customer in responding to and complying with a Consumer’s rights, to the extent legally permitted and applicable under the U.S. Privacy Laws.
    5. Use of Subprocessors. After providing Customer a reasonable opportunity to object, Service Provider may disclose Customer personal information only to: (i) Service Provider’s subprocessors pursuant to a written contract that contains restrictions at least as protective as those contained in this Addendum and solely to enable the subprocessors to provide the services for Customer’s benefit; and (ii) Service Provider’s employees and personnel who are under obligations of confidentiality and have need to know such Customer personal information in order to provide the Services.
    6. Deidentified Data. To the extent that Customer discloses or otherwise makes available deidentified data to Company and required by applicable U.S. Privacy Laws, Company agrees to (i) take reasonable measures to ensure that the deidentified data cannot be associated with an individual or household; (ii) publicly commit to maintain and use the information in deidentified form and not attempt to reidentify the information; and (iii) contractually obligate any further recipient to comply with all provisions of this Section.
    7. Notice and Compliance. If Company believes it will be unable to comply with the applicable U.S. Privacy Laws, Company will promptly notify Customer. If required by applicable U.S. Privacy Law, Company grants to Customer the right to take reasonable and appropriate steps: (i) to help ensure that Company uses personal information collected pursuant to the Principal Agreement in a manner consistent with Customer’s obligations under U.S. Privacy Laws (e.g., provision by Company of summaries of annual third party assessments such as SOC 2 reports); and (ii) to, upon notice, stop and remediate any unauthorized use of personal information.
    8. Reasonable Assistance. Service Provider shall adhere to the instructions of the Customer and provide reasonable assistance to Customer in ensuring compliance with Customer’s obligation to carry out data protection assessments, considering the nature of the Processing and the information available to Service Provider.
    9. Deletion/Return of Personal Information. At Customer’s direction, Service Provider shall delete or return all Customer personal information at the end of the provision of Services, unless retention of the Customer personal information is permitted or required under applicable law.
    10. Demonstrate Compliance. Upon the reasonable request of Customer, Service Provider shall make available to Customer all information in Service Provider’s possession necessary to demonstrate the Service Provider’s compliance with its obligations under applicable U.S. Privacy Laws.
    11. Audits. Service Provider shall provide a copy of its SOC 2 report or allow, and cooperate with, reasonable assessments by Customer or Customer’s designated assessor or Service Provider may arrange for a qualified and independent assessor to conduct an assessment of Service Provider’s policies and technical and organizational measures in support of the obligations under applicable U.S. Privacy Laws using an appropriate and accepted control standard or framework and assessment procedure for such assessments, and Service Provider shall provide a report of such assessment to Customer upon request.
    12. Details of Processing. The nature and purpose of the processing is to enable Company to provide Customer with Services that entail the processing of personal information on Customer’s behalf, and its duration is determined by the term of the Principal Agreement. Service Provider will process the categories of personal information as described in the Principal Agreement or order form.
    13. Cooperation with Legal Authorities. Upon Customer’s request, Service Provider shall provide Customer with reasonable cooperation and assistance, at Customer’s expense, needed to assist Customer in its compliance with any investigation by the appropriate legal authorities of Customer regarding in connection with their applicable U.S. Privacy Laws.
    14. Legal and Other Disclosures. Where Service Provider is legally obliged to disclose personal information pursuant to, regulation, warrant, court order, or otherwise in accordance with this Addendum, promptly after it becomes aware that it will be legally obliged to make such a disclosure it shall, unless prohibited by law, notify Customer in writing of the legal directive, the reason, and the form of the disclosure.
    15. Security. Each party shall implement and maintain reasonable security procedures appropriate to the type and nature of personal information it will provide and/or process to protect that personal information from authorized processing.