Data Processing Agreement

This Data Processing Agreement (“Agreement”) is incorporated by reference into Yotpo’s Terms of Service at entered into between you (“Controller“) and Yotpo (“Processor“) (“Terms of Service“). All defined terms contained herein shall have the same meaning as the definitions set forth in the Terms of Service.

Processor shall comply with the following in respect of personal data (as defined under Regulation (EU) 2016/679 (General Data Protection Regulation) (“PII” and “GDPR” respectively)):

  1. Controller’s Compliance. Controller’s instructions for processing of PII shall comply with all applicable privacy and data protection laws, including the GDPR. Controller shall have sole responsibility for the accuracy, quality and legality of PII and the means by which Controller acquired PII.

  2. Details of Processing. The details of the processing activities to be carried out by Processor in respect of the Services are specified in Appendix 1.

  3. Data Subjects Rights. Processor shall assist Controller, by using appropriate technical and organizational measures, in the fulfillment of Controller’s obligations to respond to requests by data subjects in exercising their rights under applicable laws.

  4. Confidentiality. Processor shall ensure that its personnel engaged in the processing of PII are bound by a confidentiality undertaking.

  5. Data Breach. Processor will promptly notify Controller after becoming aware of any suspected or actual breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, PII (“Data Breach“).

  6. Records. Processor will maintain up-to-date written records of its processing activities, including, inter alia, Processor’s and Controller’s contact details, details of data protection officers (where applicable), the categories of processing, transfers of PII across borders and the technical and organizational security measures implemented by the Processor. Upon request, Processor will provide an up-to-date copy of these records to Controller.

  7. Sub-Processors. Controller acknowledges and agrees that Processor may engage any of the third-party sub-processors listed in Appendix 2, which Processor may update from time to time, subject to Controller’s prior written approval. Such sub-processors shall be bound by data protection obligations no less protective than those in this Agreement to the extent applicable to the nature of the Services provided by such sub-processor.

  8. Assistance. Processor will assist Controller in ensuring compliance with Controller’s obligations related to the security of the processing, notification and communication of Data Breaches, conduct of data protection impact assessments and any inquiry, investigation or other request by a supervisory authority.

  9. Possible Violation. Where Processor believes that an instruction would result in a violation of any applicable data protection laws, Processor shall notify the Controller thereof.

  10. Information. Processor will make available to Controller, upon request, information necessary to demonstrate compliance with the obligations set forth in this Agreement.

  11. Audits. Upon Controller’s request, Processor shall cooperate with audits and inspections of its compliance with the requirements and obligations herein and/or under applicable law. Such audits and inspections may be conducted by Controller or by any third party designated by Controller.

  12. Technical and Organizational Measures.

    1. Processor shall implement and maintain all technical and organizational measures that are required for protection of the PII and ensure a level of security that is appropriate for dealing with and protecting against any risks to the rights and freedoms of the data subjects, and as required in order to avoid accidental or unlawful destruction, loss, alteration or unauthorized disclosure of, or access to PII and/or as otherwise required pursuant to the GDPR, including, inter alia, the measures set forth in Appendix 3. When complying with this Section 12.1, Processor shall take into consideration the state of technological development existing at the time and the nature, scope, context and purposes of processing as well as the aforementioned risks.

    2. Processor shall regularly monitor its compliance with this Agreement and will provide Controller, upon request, with evidence that will enable verification of such monitoring activities. Processor shall promptly implement all changes to Appendix 3, as requested by Controller. Processor shall ensure that all persons acting under its authority or on its behalf and having access to the PII, do not process the PII except as instructed by Controller and permitted herein.

  13. Transfer of PII to Third Countries. Processor will not transfer PII to a recipient located in a country that is not a Member State of the European Union or European Economic Area, unless that country is considered by the European Commission to have an adequate level of protection or pursuant to EU standard contractual clauses for the transfer of personal data to processors established in third countries (Commission Decision 2010/87/EC), before such transfer.

  14. Return and Deletion of PII. On the Controller’s request, Processor shall return or destroy PII to the extent allowed by applicable law.

Appendix 1- Processing Details

  1. Nature, purpose and subject matter of the Processing. The nature, purpose and subject matter of the Processing is the provision of the Services set forth in the Terms of Service.

  2. Categories of Data Subjects. Users that purchased products and/or services from Controller or submitted a review via the onsite widget that is installed on the Controller website.

  3. Email address, Full (first and last) name and IP address.

Appendix 2- Sub-Processors

Segment, SendGrid, AWS, Google Seller Rating (*when feature is enabled), Google PLA (*when feature is enabled),

Appendix 3- Technical and Security Measures

  1. The pseudonymisation and encryption of PII.

  2. The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.

  3. The ability to restore the availability and access to PII in a timely manner in the event of a physical or technical incident.

  4. A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.

