1. Definitions
Personal Data: Any information relating to an identified or identifiable natural person processed by Yuzu on behalf of the Client.
Processing: Any operation performed on Personal Data, such as collection, recording, organization, storage, adaptation, retrieval, use, disclosure, erasure, or destruction.
Sub-Processor: Any third party appointed by Yuzu to process Personal Data on behalf of the Client.
2. Subject Matter and Duration
Subject Matter: Yuzu processes Personal Data to provide services under the Agreement, including creating personalized marketing prints for inclusion in the Client’s eCommerce packages, analyzing and optimizing campaign performance, and tracking platform usage to improve services.
Duration: This DPA remains in effect for the duration of the Agreement and until all Personal Data is deleted or returned to the Client as per Section 9.
3. Nature and Purpose of Processing
Nature of Processing: Yuzu will perform operations including collection, recording, organization, structuring, storage, adaptation, retrieval, use, disclosure, erasure, and destruction of Personal Data.
Purpose of Processing: To generate personalized prints for the Client's customers, analyze performance, and improve Yuzu's platform.
4. Types of Personal Data and Categories of Data Subjects
Types of Personal Data:
- Customer names
- Postal addresses
- Email addresses
- Purchase history
- Product preferences
- Any other data provided by the Client through the use of the application and integrations
Categories of Data Subjects:
- Customers of the Client (end-users purchasing products from the Client’s eCommerce platform)
- Users of Yuzu's platform (which may include the Client, the Client's employees, outsourced fulfillment teams, and marketing agencies)
5. Obligations of the Client (Controller)
Lawful Basis: The Client confirms that it has a lawful basis for processing Personal Data and has obtained all necessary consents from Data Subjects.
Compliance: The Client is responsible for ensuring that its instructions to Yuzu comply with all applicable data protection laws.
6. Obligations of Yuzu (Processor)
6.1 Processing According to Instructions
Yuzu shall process Personal Data only on documented instructions from the Client, as outlined in this DPA and the Agreement.
6.2 Security Measures
Yuzu shall implement appropriate technical and organizational measures to ensure the security of Personal Data, including:
- Encryption of data in transit and at rest
- Access controls and authentication procedures
- Regular security assessments and penetration testing
- Anonymization where possible
6.3 Confidentiality
All Yuzu personnel authorized to process Personal Data are bound by confidentiality obligations.
6.4 Sub-Processors
Yuzu may engage sub-processors to assist in providing the services.
All sub-processors are required to comply with data protection obligations equivalent to those set out in this DPA.
Yuzu will inform the Client of any intended changes concerning the addition or replacement of sub-processors, giving the Client the opportunity to object.
6.5 Assistance to the Client
Yuzu will promptly notify the Client of any data subject requests received and assist in fulfilling them as required.
Yuzu will assist the Client in ensuring compliance with obligations under data protection laws, including security measures, breach notifications, and data protection impact assessments.
7. Data Breach Notification
In the event of a personal data breach affecting the Client's Personal Data, Yuzu will notify the Client without undue delay and, where feasible, within 48 hours of becoming aware of the breach.
The notification will include:
- Description of the nature of the breach
- Categories and approximate number of Data Subjects concerned
- Likely consequences of the breach
- Measures taken or proposed to address the breach
8. International Data Transfers
Yuzu processes and stores Personal Data within the UK/EU where possible.
If Personal Data is transferred outside the UK/EU, Yuzu will ensure appropriate safeguards are in place, such as Standard Contractual Clauses, to comply with applicable data protection laws.
9. Return or Deletion of Personal Data
Upon termination of the Agreement or upon the Client’s request, Yuzu will delete all Personal Data within 30 days, unless retention is required by law.
Yuzu may retain anonymized data for analytical and service improvement purposes, provided that such data cannot identify any individual.
10. Compliance Verification
Yuzu will maintain a security page documenting its security practices and will notify clients of material changes to these practices.
In the event of a security incident affecting client data, Yuzu will:
- Notify affected clients within 48 hours
- Provide a summary of the incident and remediation steps taken
- Answer reasonable follow-up questions
Upon written request and no more than once per year, Yuzu will provide clients with:
- Confirmation of security measures in place
- List of current sub-processor categories
- Answers to reasonable security and compliance questions
All information sharing will be conducted remotely and in a manner that protects Yuzu's confidential information and that of other clients.
11. Liability and Indemnity
Liability for data breaches is subject to the limitation of liability clause in the main Agreement, except where prohibited by law.
12. Governing Law and Jurisdiction
This DPA is governed by the laws of England and Wales.
Disputes arising from this DPA will be resolved under the dispute resolution procedures set out in the main Agreement.
13. Execution
By entering into an Agreement that incorporates this DPA by reference, the Parties agree to be bound by this DPA.