Data Processing Agreement (DPA)

Last Updated: 6 June 2025

This DPA forms part of the Terms of Service between Yin Yang Inc. ("Company," "we," "us," "our") and the entity that accepts those Terms ("Customer," "you"). It applies whenever the Company processes Personal Data on Customer’s behalf.

Our Data‑Protection Officer can be reached at dpo@elaichi.ai
EU representative (GDPR Art 27) — Rickert Rechtsanwaltsgesellschaft mbH – YIN YANG INC. – Colmantstraße 15, 53115 Bonn, Germany – art‑27‑rep‑yinyang@rickert.law
UK representative (UK GDPR Art 27) — Rickert Services Ltd UK – YIN YANG INC. – PO Box 1487, Peterborough PE1 9XX, United Kingdom – art‑27‑rep‑yinyang@rickert‑services.uk

A signed version of this DPA is available on request to legal@elaichi.ai.

Both parties agree to comply with all applicable data‑protection laws, including GDPR, UK GDPR, Swiss FADP, CCPA/CPRA, and any superseding legislation (collectively, "Data Protection Laws").

1. Definitions

Unless defined here, capitalised terms have the meanings given in the Terms or relevant legislation.

  • Controller, Processor, Data Subject, Processing, Personal Data Breach — as defined in the GDPR.

  • Personal Data — any data relating to an identified or identifiable natural person contained in Customer Data.

  • Restricted Transfer — a cross‑border transfer requiring safeguards under Data Protection Laws.

  • Standard Contractual Clauses (SCCs) — EU SCCs (governed by Irish law), UK International Data Transfer Addendum, or Swiss SCCs, as applicable.

  • Sub‑Processor — any Processor engaged by the Company to assist in fulfilling obligations under this DPA.

  • Service Term — the period during which the Company provides Services to the Customer: for SaaS, the Subscription Term; for migration or other professional‑services engagements, the project term stated in the applicable Order Form or Statement of Work.

2. Roles and Scope

  • Customer as Controller. Customer acts as Controller (or Processor on behalf of a Controller).

  • Company as Processor. The Company acts as Processor (or Sub‑Processor) and processes Personal Data only on documented instructions from Customer.

  • Legal compliance. Each Party will comply with its obligations under Data Protection Laws.

3. Term and Termination

This DPA remains in effect while the Company processes Personal Data for Customer. Termination follows the Terms or mutual written agreement. Clauses intended to survive (e.g., Confidentiality, Liability) will do so.

4. Processing Instructions

  • The Company will process Personal Data only as necessary to deliver the Services, as set out in the Terms, Order Forms, this DPA, or later written instructions.

  • If an instruction appears to violate Data Protection Laws, the Company will promptly inform Customer.

5. Personnel

The Company restricts Personal Data access to authorised personnel bound by confidentiality and security obligations.

6. Data‑Subject & Regulatory Assistance

  • Taking into account the nature of Processing, the Company will assist Customer by appropriate technical and organisational measures to fulfil obligations to respond to Data‑Subject requests, conduct Data‑Protection Impact Assessments, and engage in prior consultations with supervisory authorities.

  • Assistance beyond routine self‑service features may be chargeable on a time‑and‑materials basis, subject to Customer’s advance written approval.

7. Security Measures

The Company maintains appropriate technical and organisational measures ("TOMs") to safeguard Personal Data. A high‑level summary is provided in Schedule B. Detailed documentation (including ISO 27001 certification and SOC 2 Type II report) is available under NDA upon request to legal@elaichi.ai.

8. Sub‑Processors

  • General authorisation. Customer authorises the Sub‑Processors listed in Schedule C.

  • Changes. The Company will notify Customer at least thirty days before adding or replacing a Sub‑Processor and allow reasonable objections based on data‑protection grounds.

  • Flow‑down obligations. All Sub‑Processors sign data‑processing agreements imposing obligations equivalent to this DPA, and the Company remains fully liable for their acts and omissions.

  • Audit reports. Upon written request, the Company will provide summary audit reports or certifications demonstrating the Sub‑Processor’s compliance.

9. International & Regional Compliance

  • Restricted Transfers — safeguarded by the SCCs or other lawful mechanisms.

  • California (CPRA). The Company acts as a Service Provider; it does not sell or share Personal Data and will not retain, use, or disclose Personal Data outside the scope of Customer instructions.

  • If existing transfer mechanisms become invalid, the Parties will implement lawful alternatives or suspend transfers.

10. Personal Data Breach

The Company will notify Customer without undue delay and, where feasible, within 48 hours after becoming aware of a Personal Data Breach and will cooperate in investigation, mitigation, and regulatory notifications.

11. Deletion or Return of Data

Upon termination of Services, the Company will delete Customer Data within a commercially reasonable period in line with internal retention policies. If Customer requires accelerated deletion or bespoke retention handling, the Company will review and, where feasible, accommodate such requests. Where law requires continued storage, the data will be isolated and safeguarded. Upon written request, the Company will certify deletion.

12. Audit and Compliance

  • The Company will provide information necessary to demonstrate compliance with this DPA.

  • Once per twelve‑month period and on thirty days’ notice, Customer may audit the Company’s Processing. Additional or unplanned audits may incur fees.

  • The Company will cooperate with supervisory‑authority inquiries.

13. Liability

Liability is governed by the limitation clauses in the Terms. Nothing limits either Party’s liability for intentional or wilful breach of this DPA.

14. Miscellaneous

  • In case of conflict, this DPA prevails over the Terms.

  • Amendments require written agreement.

  • Notices should be sent to legal@elaichi.ai and Customer’s designated contact.

  • If any provision is held invalid, the remainder stays effective.

  • Headings are for convenience only and do not affect interpretation.

Schedules

Schedule A — Parties & Governing Law for SCCs

  • Data Exporter: Customer (as defined in the Terms).

  • Data Importer: Yin Yang Inc., 9450 SW Gemini Dr PMB 69868, Beaverton OR 97008 USA, contact: legal@elaichi.ai

  • For EU SCCs Clause 17: governing law is Irish law.

Schedule B — Technical & Organisational Measures (TOMs)

  1. Encryption of data in transit (TLS 1.2+) and at rest (AES‑256).

  2. Encryption‑key management handled by the Company with quarterly rotation.

  3. Network segmentation, firewalling, and zero‑trust access policies.

  4. Role‑based access control (RBAC) and multi‑factor authentication (MFA).

  5. Continuous monitoring, centralised logging, and intrusion detection.

  6. Regular vulnerability scanning, quarterly penetration testing, and prompt patch management.

  7. ISO 27001 certification and SOC 2 Type II audit programme.

  8. Annual security‑awareness and privacy training for all personnel.

  9. Business‑continuity and disaster‑recovery plans with encrypted off‑site backups.

  10. Sub‑Processor due‑diligence and contract reviews.

Schedule C — Authorised Sub‑Processors

| Sub‑Processor | Subject Matter | Nature of Processing | Duration |
|---|---|---|---|
| DigitalOcean | Hosting, infrastructure, database services | Storage, recording, organisation, retrieval of Customer data | Ongoing |
| Cal.com | Scheduling and calendar management for support sessions | Collection, storage, limited processing of contact details and meeting metadata | Ongoing |
| Tally.so | Form and survey capture for intake and feedback | Collection, recording, organisation of form submissions | Ongoing |
| Truto.one | Unified API framework powering internal orchestration | Transmission, storage, transformation of integration metadata | Ongoing |

The Company updates this list when Sub‑Processors are added or removed and will provide advance notice per Section 8.

Schedule D — UK Addendum

The UK International Data Transfer Addendum ("UK SCCs") is incorporated for transfers from the United Kingdom, using the details in Schedules A, B, and C.

Schedule E — Description of Processing

  • Nature & purpose — Provision of the **ela
