Data Processing Agreement
Last Updated August 2024
This Yai Brands Data Processing Agreement and its Annexes A, B, and C ("DPA") is between Yai Brands, LLC. ("Yai Brands" & "yaiBrands") and the party executing this agreement as Customer ("Customer"). This DPA reflects the parties' agreement with respect to the Processing of Personal Data by Yai Brands on behalf of Customer in connection with the Service under the contemporaneously-executed Terms of Use agreement between the parties ("Agreement").
This DPA is part of the Agreement and is effective upon execution or another time as specified in the Agreement, an Order or an executed amendment to the Agreement. In case of any conflict or inconsistency with the terms of the Agreement, this DPA will take precedence over the terms of the Agreement to the extent of such conflict or inconsistency, and it will supersede any previous DPA.
1. Definitions
a. CCPA means California Civil Code Sec. 1798.100 et seq. as amended (also known as the California Consumer Privacy Act of 2018), including the California Privacy Rights Act amendments to the CCPA.
b. California Personal Information means Personal Data that is subject to the protection of the CCPA.
c. Business Purpose, Controller, Processor, Data Subject, Personal Data, Personal Data Breach, Process, and Processing shall have the meaning given to them in the Data Protection Laws.
d. Customer Personal Data means any information relating to an identified or identifiable individual where (i) such information is contained within Customer Data provided under the Agreement; and (ii) is protected as personal data, personal information or personally identifiable information under applicable Data Protection Laws.
e. Data Protection Laws means all applicable worldwide legislation relating to data protection and privacy which applies to the respective party in the role of Processing Personal Data in question under the Agreement, including without limitation, the European Data Protection Laws, the CCPA, and other US laws; in each case as amended, repealed, consolidated or replaced from time to time.
f. Europe means the European Union, the European Economic Area and/or their member states, Switzerland and the United Kingdom.
g. European Data means Personal Data that is subject to the protection of European Data Protection Laws.
h. European Data Protection Laws means data protection laws applicable in Europe, including: (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of personal data and on the free movement of such data, the GDPR; (ii) Directive 2002/58/EC concerning the Processing of personal data and the protection of privacy in the electronic communications sector; and (iii) applicable national implementations of (i) and (ii); or (iv) GDPR as it forms part of the United Kingdom domestic law by virtue of Section 3 of the European Union (Withdrawal) Act 2018 ("UK GDPR"); and (v) Swiss Federal Data Protection Act of 19 June 1992 and its Ordinance ("Swiss DPA"); in each case, as may be amended, superseded or replaced.
i. GDPR means the General Data Protection Regulation ((EU) 2016/679), and the retained UK version of the same.
j. Standard Contractual Clauses means the standard contractual clauses annexed to the European Commission's Decision (EU) 2021/914 of 4 June 2021, as may be amended, superseded or replaced.
k. UK Addendum means the International Data Transfer Addendum issued by the UK Information Commissioner under section 119A(1) of the Data Protection Act 2018, as may be amended, superseded, or replaced.
2. Compliance
Both parties will comply with all applicable requirements of Data Protection Laws. This schedule is in addition to, and does not relieve, remove or replace, a party's obligations or rights under Data Protection Laws.
3. Controller/Processor
The parties have determined that for the purposes of Data Protection Laws, Yai Brands shall process the Customer Personal Data as processor on behalf of the Customer. Customer may be either a Controller or Processor.
4. Consents
Customer will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of Customer Personal Data to Yai Brands, and the lawful collection of the same by the Customer using the Yai Brands Services for the duration and purposes of the Agreement and DPA, and shall indemnify Yai Brands against all loss and damage (including fines) arising from a failure to do so.
5. Nature, Scope, Purpose of Processing, and Data Subjects
Annex A sets out the scope, nature, and purpose of Customer Personal Data Processing by Yai Brands, the duration of the Processing and the types of Customer Personal Data and categories of Data Subjects.
6. Customer Instructions
Yai Brands shall process Customer Personal Data only on the documented instructions of the Customer, unless Yai Brands is required by any applicable laws to otherwise process that Customer Personal Data. The Agreement and DPA are deemed to be the instructions of Customer; the parties may agree to additional instructions. Yai Brands shall inform the Customer if, in the opinion of Yai Brands, the instructions of the Customer breach Data Protection Laws.
7. Yai Brands Obligations
Yai Brands will:
- Implement and maintain appropriate technical and organizational measures to protect Customer Personal Data from Personal Data Breaches, as described under Annex B to this DPA ("Security Measures"). Notwithstanding any provision to the contrary, Yai Brands may modify or update the Security Measures at Yai Brands' discretion provided that such modification or update does not result in a material degradation in the protection offered by the Security Measures.
- Ensure that any personnel engaged and authorised by Yai Brands to process Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory or common law obligation of confidentiality;
- Assist the Customer insofar as this is reasonably possible (taking into account the nature of the Processing and the information available to Yai Brands), and at the Customer's cost and written request, in responding to any request from a Data Subject and in ensuring the Customer's compliance with its obligations under Data Protection Laws with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;
- Notify the Customer without undue delay on becoming aware of a Personal Data Breach involving the Customer Personal Data;
- At the written direction of the Customer, delete or return Customer Personal Data and copies thereof to the Customer on termination of the Agreement unless Yai Brands is required by any applicable law to continue to process that Customer Personal Data. For the purposes of this paragraph, Customer Personal Data shall be considered deleted where it is put beyond further use by Yai Brands;
- For European Data, assist Customer in ensuring compliance with Articles 32 to 36 of the GDPR; make available to Customer all information reasonably necessary to demonstrate compliance with this DPA and allow for and reasonably contribute to audits, including inspections conducted by Customer to assess compliance with this DPA to the extent required by Data Protection Laws; and will make available all information reasonably necessary to demonstrate compliance with GDPR Article 28 requirements for Processors; and
- Maintain records to demonstrate its compliance with this paragraph.
8. Service Provider
The parties agree that if the CCPA applies, Customer is a "business" and Yai Brands is a "service provider" as defined under the CCPA. Yai Brands will not retain, use, or disclose the California Personal Information it collects pursuant to the Agreement for any purposes other than for the Business Purposes specified in the Agreement, including retaining, using, or disclosing the personal information for a commercial purpose other than the business purposes specified in the Agreement, or as otherwise permitted by the CCPA; and Yai Brands will not retain, use, or disclose the California Personal Information it collects pursuant to the Agreement outside of the direct business relationship between Yai Brands and Customer, unless otherwise permitted by the CCPA. Yai Brands will not "sell" or "share" California Personal Information as those terms are defined in the CCPA or combine the California Personal Information with personal information obtained from sources other than Customer, except to the extent permitted by the CCPA. From time to time, Customer may ask for, and Yai Brands will provide, reasonable evidence of its compliance with this Section 8.
9. Subprocessors
The Customer provides its prior, general authorization for Yai Brands to appoint Processors to process the Customer Personal Data, provided that Yai Brands shall ensure that the terms on which it appoints such processors comply with Data Protection Laws, and are consistent with the obligations imposed on Yai Brands in this paragraph; and shall remain responsible for the acts and omissions of any such Processor as if they were the acts and omissions of Yai Brands. Yai Brands has currently appointed, as Sub-Processors, the third parties listed in Annex C to this DPA. Yai Brands will notify Customer if Yai Brands adds or replaces any Sub-Processors listed in Annex C at least 30 days prior to any such changes, if Customer opts in to receive such emails by contacting Yai Brands. Yai Brands will include substantially the same protections for Customer Personal Data as those in the DPA.
10. European Data: Transfer Mechanisms for Data Transfers
a. Yai Brands will not transfer European Data to any country or recipient not recognized as providing an adequate level of protection for Personal Data (within the meaning of applicable European Data Protection Laws), unless it first takes all such measures as are necessary to ensure the transfer is in compliance with applicable European Data Protection Laws.
b. Customer acknowledges that in connection with the performance of the Service, Yai Brands is a recipient of European Data in the United States. The parties agree that the Standard Contractual Clauses will be incorporated by reference and form part of the Agreement.
EEA Transfers. In relation to European Data that is subject to the GDPR: (i) Customer is the "data exporter" and Yai Brands is the "data importer"; (ii) the Module Two terms apply to the extent the Customer is a Controller of European Data and the Module Three terms apply to the extent the Customer is a Processor of European Data; (iii) in Clause 7, the optional docking clause applies; (iv) in Clause 9, Option 2 applies and changes to Sub-Processors will be notified in accordance with the 'Sub-Processors' section of this DPA; (v) in Clause 11, the optional language is deleted; (vi) in Clauses 17 and 18, the parties agree that the governing law and forum for disputes for the Standard Contractual Clauses will be the Republic of Ireland; (vii) the Annexes of the Standard Contractual Clauses will be deemed completed with the information set out in the Annexes of this DPA; and (viii) if and to the extent the Standard Contractual Clauses conflict with any provision of this DPA the Standard Contractual Clauses will prevail.
UK Transfers. In relation to European Data that is subject to the UK GDPR, the Standard Contractual Clauses will apply with the following modifications: (i) the Standard Contractual Clauses will be modified and interpreted in accordance with the UK Addendum; (ii) Tables 1, 2 and 3 of the UK Addendum will be deemed completed with the information set out in the Annexes of this DPA and Table 4 will be deemed completed by selecting "neither party"; and (iii) any conflict between the terms of the Standard Contractual Clauses and the UK Addendum will be resolved in accordance with Section 10 and Section 11 of the UK Addendum.
Swiss Transfers. In relation to European Data that is subject to the Swiss DPA, the Standard Contractual Clauses will apply with the following modifications: (i) references to "Regulation (EU) 2016/679" will be interpreted as references to the Swiss DPA; (ii) references to "EU", "Union" and "Member State law" will be interpreted as references to Swiss law; and (iii) references to the "competent supervisory authority" and "competent courts" will be replaced with "the Swiss Federal Data Protection and Information Commissioner" and the "relevant courts in Switzerland".
c. If Yai Brands cannot comply with its obligations under the Standard Contractual Clauses for any reason, and Customer intends to suspend the transfer of European Data to Yai Brands or terminate the Standard Contractual Clauses, Customer agrees to provide Yai Brands with reasonable notice to enable Yai Brands to cure such non-compliance. If Yai Brands has not or cannot cure the non-compliance, Customer may suspend or terminate the affected part of the Service in accordance with the Agreement without liability to either party.
11. Amendments
Notwithstanding anything else to the contrary in the Agreement, Yai Brands reserves the right to make any updates and changes to this DPA, including to address changes in Data Protection Laws and to revise the security provisions in this DPA, so long as Yai Brands does not materially reduce the overall security level provided to Customer Personal Data.
ANNEX A — Details of Processing
A. List of Parties
Data exporter:
- Name: You, as defined in Yai Brands' Terms of Use
- Address: Your address as specified by your Platform Account
- Contact: Your contact details, as specified by your Platform Account
- Activities: Performance of the Agreement between the parties as a Controller.
- Role: Controller or Processor
Data importer:
- Name: Yai Brands, LLC.
- Address: 30 N Gould St Ste R, Sheridan, WY, USA
- Contact: Dan Mirolli, Founder and CEO
- Activities: Performance of the Agreement between the parties.
- Role: Processor
B. Description of Transfer
- Categories of Data Subjects: Customers and potential customers of clients.
- Categories of Personal Data: Name, age, date of birth, phone number, email address, social media profiles.
- Sensitive Data: The parties do not anticipate the transfer of sensitive data.
- Frequency: Variable during the Agreement term.
- Subject Matter: Yai Brands will provide the Services to the Customer under the Agreement. The Customer will use the Services to collect and process Personal Data of their customers and potential customers for managing and carrying out marketing activities.
- Purpose: Yai Brands will Process Personal Data as necessary to provide the Service pursuant to the Agreement.
- Retention Period: The duration of the period in which the Customer accesses and uses the platform under the Services Agreement.
C. Competent Supervisory Authority
The supervisory authority that will act as competent supervisory authority will be determined in accordance with the Transfer Mechanisms for Data Transfers section of this DPA.
ANNEX B — Technical and Organisational Security Measures
| Measure | Description |
|---|---|
| Pseudonymisation and encryption | All personal data at rest is encrypted with AES-256 CBC. All personal data in transit is encrypted with TLS v1.2+. |
| Confidentiality, integrity, availability and resilience | Endpoint protection on APIs. Uptime monitors for availability. Access control with user-based and subaccount-based authentication. Managed services (AWS, Google Cloud) for integrity. |
| Restore availability and access | Personal data backed up on AWS and Google Cloud with 5-minute granularity. |
| User identification and authorisation | Encrypted signed tokens, role-based authorizations, and password protection. |
| Protection during transmission | SSL certificates and HTTPS. Protected with TLS v1.2+. |
| Protection during storage | Encrypted at rest with AES-256 CBC encryption. |
| Physical security | Managed services (AWS, Google Cloud) ensure physical security of server locations. |
| Events logging | Logging for all user actions and audit logs via Google Cloud Ops and AWS CloudWatch. |