Data Processing Agreement (DPA)
Last updated: December 10, 2025
This Data Processing Agreement ("DPA") forms part of the Terms of Service or any other agreement entered into between Yavio GmbH, Maria-Goeppert-Str. 1, 23562 Lübeck, Germany, registered with the Commercial Register of Lübeck under HRB 26773 HL ("Yavio" or "Processor"), and the Customer ("Customer" or "Controller") regarding the Customer's use of the Yavio platform (the "Services").
If any provision of this DPA conflicts with the Agreement, this DPA shall prevail with respect to the processing of personal data. The parties explicitly agree:
- The parties do not act as joint controllers under Article 26 GDPR.
- The Customer acts as Controller; Yavio acts as Processor.
- Yavio processes Customer Personal Data solely on documented instructions from the Customer.
- Yavio may process Service Data, Log Data, or aggregated or de-identified data as an independent controller for analytics, security, billing, and product-improvement purposes.
- Yavio does not engage in automated decision-making with legal or similar effects.
A privacy contact point for Yavio can be reached at contact@yavio.ai.
Address: Maria-Goeppert-Str. 1, 23562 Lübeck, Germany
1. Definitions
Unless otherwise defined, capitalized terms have the meanings given in the Agreement or under the GDPR.
- Applicable Data Protection Laws: All data protection and privacy laws applicable to the processing of personal data, including GDPR, UK GDPR, national implementations, and applicable US state privacy laws.
- Customer Personal Data: Any personal data that Yavio processes on behalf of the Customer under this DPA.
- Data Subject: Any identifiable natural person whose personal data is processed.
- Data Transfer: Any transfer of Customer Personal Data outside the EEA or UK requiring a transfer mechanism under Applicable Data Protection Laws.
- EU SCCs: The Standard Contractual Clauses approved by the European Commission in Decision 2021/914.
- Service Data: Data relating to the operation, usage, or performance of the Services collected by Yavio for its own purposes.
- Sub-processor: Any third party engaged by Yavio to process Customer Personal Data on behalf of the Customer.
- Personal Data Breach: A breach of security leading to accidental or unlawful destruction, loss, alteration, or disclosure of, or unauthorized access to, Customer Personal Data.
- Processing: Any operation performed on personal data, such as storage, use, transmission, or deletion.
For EU/UK personal data: Customer = Controller, Yavio = Processor. For US personal data: Customer = "business," Yavio = "service provider/contractor."
2. Subject Matter, Nature, and Duration of Processing
- Yavio processes Customer Personal Data to provide, operate, support, secure, and enhance the Services.
- Details regarding the nature of processing, data categories, and data subjects are contained in Annex 1.
- Yavio may reject or suspend instructions that are unlawful or compromise the security or integrity of the Services.
- This DPA remains effective for the duration of the Agreement.
3. Customer Responsibilities
The Customer agrees to:
- Serve as the single point of contact for all instructions submitted to Yavio.
- Ensure it has a lawful basis for transferring Customer Personal Data to Yavio.
- Provide only the minimum necessary data required for the Services.
- Not upload or provide sensitive categories of data unless explicitly agreed in writing.
- Maintain the security of its own access credentials, systems, and devices.
- Configure the Services in a manner compliant with Applicable Data Protection Laws.
- Cooperate with Yavio regarding Data Subject requests and reimburse reasonable costs when applicable.
4. Yavio's Obligations
Yavio shall:
- Process Customer Personal Data only on documented instructions from the Customer.
- Ensure that personnel authorized to process Customer Personal Data are bound by confidentiality.
- Maintain appropriate technical and organizational security measures.
- Provide reasonable assistance with Data Subject requests and DPIAs where required by law.
- Notify the Customer if Yavio considers an instruction to violate Applicable Data Protection Laws.
- After termination of the Agreement, delete or return Customer Personal Data as described in Section 11.
- Make available all information necessary to demonstrate compliance with this DPA.
Yavio may charge reasonable fees for assistance that goes beyond standard operational support.
5. Security Measures
- Yavio implements administrative, technical, and organizational safeguards designed to protect Customer Personal Data from unauthorized access, accidental loss, destruction, or alteration.
- Such measures may include access restrictions, encryption, network segmentation, monitoring, and secure development practices.
- Yavio may update its security practices as needed to maintain an industry-appropriate standard.
6. Personal Data Breaches
- Yavio will notify the Customer without undue delay after confirming a Personal Data Breach.
- Yavio will investigate the breach, mitigate its effects, and provide relevant information as it becomes available.
- The notification does not serve as an admission of fault or liability.
- If the Customer issues external notifications referencing Yavio, the Customer must share the draft notice with Yavio beforehand and consider Yavio's reasonable input.
7. Sub-processors
- Yavio may engage Sub-processors to support the Services. A list will be provided upon request or published in Yavio's documentation.
- Yavio will impose data protection obligations on Sub-processors equivalent to those in this DPA.
- The Customer may object to new Sub-processors on reasonable data protection grounds.
- If no resolution is found, the Customer may terminate the affected Services.
8. International Data Transfers
- Yavio will only transfer Customer Personal Data internationally in compliance with Applicable Data Protection Laws.
- Transfers from the EEA use the EU SCCs; transfers from the UK use the UK Addendum.
- Yavio will notify the Customer of government access requests unless legally prohibited.
- If a transfer mechanism becomes invalid, the parties shall implement a replacement mechanism in good faith.
9. Service Data (Independent Controller Role)
Yavio may process Service Data for operating and improving the Services, security, abuse prevention, diagnostics, billing, account management, and compliance with legal obligations. Service Data is not Customer Personal Data, and Yavio may retain anonymized or aggregated data indefinitely.
10. Use of Data for AI and Machine Learning
- Yavio does not use Customer Personal Data to train, fine-tune, or develop generalized AI or ML models.
- Customer Personal Data is processed only to provide, secure, and maintain the Services.
- Yavio may process anonymized or aggregated data derived from Customer Personal Data, provided such data cannot identify a natural person or Customer.
11. Return or Deletion of Data
- Upon termination of the Agreement, Yavio will cease processing Customer Personal Data except for secure storage as required by law.
- The Customer may request return or deletion of Customer Personal Data within thirty days after termination.
- Absent a request, Yavio may delete or anonymize Customer Personal Data in accordance with its retention schedule.
- Complex export or deletion tasks that exceed two hours may incur reasonable fees unless prohibited by law.
12. Liability and Governing Law
- The liability limitations and exclusions in the Agreement apply to this DPA.
- This DPA is governed by the same law and courts as the Agreement.
13. US Privacy Laws
Where US Privacy Laws apply, Yavio shall:
- act as a "service provider" or "contractor",
- not sell or share Customer Personal Data,
- use Customer Personal Data only for permitted business purposes,
- notify the Customer if Yavio determines it cannot meet its obligations,
- support remediation of unauthorized use.
14. Miscellaneous
- If any provision of this DPA is held invalid, the remaining provisions remain in full force.
- Amendments must be made in writing unless a stricter form is required by law.
- This DPA constitutes the entire data processing agreement between the parties.
Annex 1 – Description of Processing Activities
A. Parties
Data Exporter: The Customer using the Yavio Services.
Data Importer: Yavio GmbH, Maria-Goeppert-Str. 1, 23562 Lübeck, Germany — Register number: HRB 26773 HL — Email: contact@yavio.ai
B. Description of Processing
Nature and Purpose: Yavio processes Customer Personal Data to operate its platform for building and running applications inside AI models, including account management, authentication, hosting, configuration storage, API operations, logging, monitoring, debugging, and support.
Categories of Personal Data: User account information (name, email), authentication and access data, configuration and project metadata, logs, IP addresses, device information, and data submitted by Customer users during use of Customer-built apps.
Categories of Data Subjects: Customer employees, contractors, collaborators, and end users interacting with Customer-created applications.
Retention: Customer Personal Data is retained for the duration of the Agreement. After termination, data is returned or deleted as required by Section 11. Backups may persist temporarily until overwritten. Aggregated or anonymized data may be stored indefinitely.
