Data Processing Agreement

Last updated: May 2025 · Compliant with GDPR Article 28

1. Parties and Purpose

This Data Processing Agreement ('DPA') is entered into between the customer ('Controller') and Yey Lda., a company incorporated under Portuguese law ('Processor'). This DPA governs the processing of personal data by Yey on behalf of the Controller in connection with the Yey SaaS service.

2. Definitions

Terms used in this DPA have the meanings given in the General Data Protection Regulation (EU) 2016/679 ('GDPR'). 'Personal Data', 'Processing', 'Data Subject', 'Supervisory Authority', and 'Data Breach' all have their GDPR definitions.

3. Subject Matter and Nature of Processing

Yey processes personal data solely to provide the workforce management platform described in the Terms of Service. This includes storing worker profiles (names, nationalities, documents), recording attendance events, and sending transactional communications. Processing occurs only on documented instructions from the Controller.

4. Categories of Data Subjects and Data

Data subjects include the Controller's employees and subcontracted workers. Categories of personal data include: identification data (name, date of birth, nationality), contact data (email, phone), employment data (role, site assignments, documents), and biometric/attendance data (check-in times, GPS coordinates where enabled).

5. Duration of Processing

Processing continues for the duration of the subscription agreement. Upon termination, personal data is retained for a maximum of 90 days to allow data export, after which it is permanently deleted unless legal retention obligations require otherwise.

6. Processor Obligations (Article 28 GDPR)

Yey shall: (a) process personal data only on documented instructions from the Controller; (b) ensure all personnel are bound by confidentiality obligations; (c) implement appropriate technical and organisational security measures (Article 32); (d) respect conditions for engaging sub-processors; (e) assist the Controller with data subject rights requests; (f) assist with security, breach notification, and impact assessments; (g) delete or return all personal data upon request; (h) provide all necessary information to demonstrate compliance.

7. Sub-processors

The Controller provides general authorisation for Yey to engage the following sub-processors, all GDPR-compliant and located in the EU/EEA: Neon Inc. (database hosting, Frankfurt), Vercel Inc. (web hosting, EU region), Resend Inc. (transactional email), Stripe Inc. (payment processing — billing data only). Yey will notify the Controller 30 days before adding new sub-processors.

8. International Transfers

Personal data is stored exclusively in EU/EEA data centres. Any transfer outside the EEA is governed by Standard Contractual Clauses (SCCs) as adopted by the European Commission. Yey will not transfer personal data to countries lacking adequate protection unless appropriate safeguards are in place.

9. Security Measures (Article 32)

Yey implements: encryption of personal data at rest (AES-256) and in transit (TLS 1.3); access controls with role-based permissions and 2FA for all staff; audit logging of all data access; regular security assessments; incident response procedures with 72-hour breach notification to supervisory authorities.

10. Data Subject Rights Assistance

Yey will assist the Controller in responding to data subject requests for access, rectification, erasure, restriction, portability, or objection within 5 business days of receiving the request. Yey provides built-in tools for Controllers to export or delete data for any worker.

11. Data Breach Notification

In the event of a personal data breach, Yey will notify the Controller without undue delay and no later than 48 hours after becoming aware. Notification will include: nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed.

12. Governing Law

This DPA is governed by Portuguese law and is subject to the exclusive jurisdiction of the courts of Lisbon, Portugal. For enterprise customers requiring a custom DPA, please contact privacy@yeydigital.eu.

Questions about this DPA? Contact us at privacy@yeydigital.eu