Data Processing Agreement (DPA)

This Data Processing Agreement (“DPA”) forms part of the Terms of Service between:

yellow67 SAS, a company registered in France (“Processor”),
and
the Customer using the yeSync Service (“Controller”).

This DPA is entered into pursuant to Article 28 of the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and governs the processing of personal data by the Processor on behalf of the Controller.

1. Scope and Purpose of Processing

The Processor shall process personal data solely for the purpose of providing the yeSync Service, which synchronizes inventory and related information between warehouse systems and online stores.

Processing shall occur only on documented instructions from the Controller unless required by applicable law.

2. Duration of Processing

The Processor shall process personal data for the duration of the Controller’s use of the yeSync Service and until termination of the Service, unless otherwise required by law.

3. Categories of Data Subjects

Personal data processed may relate to the following categories of data subjects:

Users of the Controller’s online store or systems
Employees or representatives of the Controller
Customers whose data may appear within the Controller’s systems

4. Types of Personal Data

Depending on the Controller’s systems and configuration, processed data may include:

Store identifiers
Product identifiers
Inventory levels
User account information
Technical identifiers required for synchronization

The Processor does not intentionally process sensitive personal data.

5. Processor Obligations

The Processor agrees to:

Process personal data only on documented instructions from the Controller
Ensure that persons authorized to process personal data are bound by confidentiality obligations
Implement appropriate technical and organisational security measures
Assist the Controller in fulfilling obligations regarding data subject rights under GDPR
Assist the Controller in complying with obligations related to security, breach notification, and data protection impact assessments where applicable

6. Security Measures

The Processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including where appropriate:

Access controls
Encryption in transit and at rest where applicable
Infrastructure security and monitoring
Authentication and authorization controls

7. Subprocessors

The Processor may engage subprocessors to support the operation of the Service, including infrastructure and hosting providers.

The Processor shall ensure that any subprocessor is bound by data protection obligations equivalent to those set out in this Agreement.

The Processor remains fully liable for the performance of its subprocessors.

8. Data Breach Notification

The Processor shall notify the Controller without undue delay after becoming aware of a personal data breach affecting data processed under this Agreement.

The notification shall include relevant information available to the Processor to allow the Controller to comply with its GDPR obligations.

9. Data Subject Rights

The Processor shall, taking into account the nature of the processing, assist the Controller by appropriate technical and organisational measures to respond to requests from data subjects exercising their rights under GDPR.

10. Audits and Compliance

The Processor shall make available to the Controller information reasonably necessary to demonstrate compliance with this DPA and the GDPR.

Audits may be conducted by the Controller with reasonable notice and without disrupting normal operations.

11. International Data Transfers

Personal data shall be processed within the European Economic Area (EEA) unless appropriate safeguards in accordance with the GDPR are implemented.

12. Data Deletion or Return

Upon termination of the Service, the Processor shall delete or return personal data processed on behalf of the Controller unless retention is required by applicable law.

13. Governing Law

This Agreement shall be governed by and construed in accordance with the laws of France.