Last updated: February 19, 2026
This Data Processing Agreement ("DPA") is entered into between the customer entity that has agreed to the Yander Terms of Service ("Customer," "Controller," or "you") and Yander Labs, Inc. ("Yander," "Processor," "we," "us," or "our"). This DPA supplements and forms part of the Yander Terms of Service ("Agreement") and the Yander Privacy Policy.
This DPA sets out the terms that apply when Personal Data is processed by Yander on behalf of the Customer in the course of providing the Service. The purpose of this DPA is to ensure that such processing is conducted in accordance with applicable data protection laws, including the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the UK General Data Protection Regulation ("UK GDPR"), and other applicable data protection legislation.
By using the Service, the Customer enters into this DPA on behalf of itself and, to the extent required under applicable data protection laws, on behalf of its authorized users and employees.
The following terms shall have the meanings set out below. Any capitalized terms not defined in this DPA shall have the meanings given to them in the Agreement.
The Customer acts as the Controller and Yander acts as the Processor with respect to the Personal Data processed in connection with the Service. Yander shall process Personal Data only on the documented instructions of the Customer, unless required to do so by applicable law, in which case Yander shall inform the Customer of that legal requirement before Processing (unless prohibited by law from doing so).
The categories of Personal Data processed under this DPA include workplace communication content and metadata from connected integrations. This includes email content (subject lines, message bodies, sender and recipient addresses, timestamps), messaging content (message text, channel information, timestamps from Slack and similar tools), calendar event details (titles, descriptions, attendees, times, locations), meeting transcripts (speaker-attributed text from recorded meetings), and document content (page text and comments from tools such as Notion). This data is processed by AI models to extract facts, collaboration patterns, and engagement insights. Raw communication content is not displayed to end users; only AI-generated summaries and scores are surfaced in the Service. The Data Subjects include the Customer's employees, contractors, and other authorized users of workplace tools connected to the Service.
The duration of Processing shall be for the term of the Agreement between the Customer and Yander, plus the period from expiry of the Agreement until deletion of all Personal Data by Yander in accordance with this DPA.
The Customer, as Controller, shall be responsible for the following:
Yander, as Processor, shall comply with the following obligations:
Yander shall process Personal Data only in accordance with the Customer's documented instructions as set out in this DPA and the Agreement, unless required to do so by applicable law. Yander shall immediately inform the Customer if, in its opinion, an instruction infringes applicable data protection laws.
Yander shall ensure that all personnel authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. Access to Personal Data shall be limited to those personnel who require such access to perform the Service.
Yander shall implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk of Processing, as described further in Section 7 of this DPA.
Yander shall promptly assist the Customer in responding to requests from Data Subjects exercising their rights under applicable data protection laws, as further described in Section 9 of this DPA.
Yander shall notify the Customer without undue delay upon becoming aware of a Personal Data breach and shall assist the Customer in meeting its breach notification obligations, as further described in Section 8 of this DPA.
Yander shall provide reasonable assistance to the Customer with data protection impact assessments and prior consultations with supervisory authorities, to the extent required by applicable data protection laws and taking into account the nature of the Processing and the information available to Yander.
Upon termination of the Agreement, Yander shall, at the Customer's election, delete or return all Personal Data to the Customer and delete existing copies, unless applicable law requires further storage, as further described in Section 11 of this DPA.
Yander shall make available to the Customer all information necessary to demonstrate compliance with the obligations set out in this DPA and shall allow for and contribute to audits and inspections, as further described in Section 12 of this DPA.
The Customer provides general authorization for Yander to engage Sub-processors to process Personal Data on the Customer's behalf. Yander shall maintain an up-to-date list of Sub-processors, as set out in Schedule 1 below.
Yander shall notify the Customer of any intended changes concerning the addition or replacement of Sub-processors at least thirty (30) days prior to such change, thereby giving the Customer the opportunity to object to such changes. If the Customer objects to a new Sub-processor on reasonable grounds related to data protection, Yander shall use commercially reasonable efforts to make available an alternative arrangement that avoids the use of the objected-to Sub-processor. If no alternative is reasonably available, either party may terminate the portion of the Service that cannot be provided without the use of the objected-to Sub-processor.
Yander shall impose on each Sub-processor data protection obligations no less protective than those set out in this DPA by way of a written contract. Yander shall remain fully liable to the Customer for the performance of each Sub-processor's obligations.

| Sub-processor | Purpose | Location |
|---|---|---|
| Railway (AWS) | Application hosting, database infrastructure, and Redis | United States |
| Clerk | Authentication and user management | United States |
| Nango | OAuth and integration API proxy | United States / European Union |
| OpenRouter | LLM inference (AI processing) | United States |
| Stripe | Payment processing | United States |
| Sentry | Error monitoring (no personally identifiable information transmitted) | United States |
| PostHog | Product analytics (anonymous event data) | United States / European Union |

Yander shall implement and maintain appropriate technical and organizational measures to protect Personal Data against unauthorized or unlawful Processing, accidental loss, destruction, or damage. These measures include, but are not limited to:
Yander shall notify the Customer without undue delay, and where feasible within seventy-two (72) hours, after becoming aware of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data processed under this DPA (a "Personal Data Breach").
Such notification shall include, to the extent reasonably available:
Yander shall cooperate with the Customer and take such commercially reasonable steps as the Customer may direct to assist in the investigation, mitigation, and remediation of each Personal Data Breach.
Yander shall, taking into account the nature of the Processing, assist the Customer by appropriate technical and organizational measures, insofar as this is possible, in fulfilling the Customer's obligation to respond to requests from Data Subjects exercising their rights under applicable data protection laws. These rights include:
If Yander receives a request directly from a Data Subject, Yander shall promptly notify the Customer and shall not respond to the request without the Customer's prior written authorization, unless required to do so by applicable law.
The Customer acknowledges that Yander processes and stores Personal Data primarily in the United States. Where Personal Data originating from the European Economic Area ("EEA"), the United Kingdom, or Switzerland is transferred to the United States or any other country that has not been deemed to provide an adequate level of data protection by the relevant authority, the parties agree to rely on the Standard Contractual Clauses (EU Commission Implementing Decision 2021/914) as the lawful mechanism for such transfer.
For transfers subject to the UK GDPR, the parties shall rely on the International Data Transfer Addendum to the EU Standard Contractual Clauses, as issued by the UK Information Commissioner's Office. For transfers subject to the Swiss Federal Act on Data Protection, the Standard Contractual Clauses shall be interpreted to cover such transfers.
Yander shall ensure that any onward transfer of Personal Data to Sub-processors in third countries is subject to appropriate safeguards as required by applicable data protection laws.
Yander shall retain Personal Data for the duration of the Agreement and as necessary to provide the Service. Upon termination or expiration of the Agreement, Yander shall, at the Customer's written request, delete all Personal Data processed on behalf of the Customer within thirty (30) days of receiving such request, unless applicable law requires continued retention.
If no deletion request is received within ninety (90) days of termination, Yander shall proceed to delete the Customer's Personal Data in accordance with its standard data retention policies.
Yander may retain anonymized or aggregated data that cannot be used to identify any individual. Such data is not considered Personal Data and is not subject to the deletion obligations of this DPA.
Yander shall make available to the Customer, on request, all information reasonably necessary to demonstrate compliance with the obligations set out in this DPA, and shall allow for and contribute to audits, including inspections, conducted by the Customer or an auditor mandated by the Customer.
Audits shall be subject to the following conditions:
Yander may satisfy audit requests by providing relevant certifications, audit reports (such as SOC 2 Type II reports), or other documentation that reasonably demonstrates compliance with the obligations of this DPA. The Customer shall consider such documentation in good faith before requiring an on-site audit.
Each party's liability arising out of or related to this DPA, whether in contract, tort, or under any other theory of liability, is subject to the limitations and exclusions of liability set out in the Agreement (Terms of Service). For the avoidance of doubt, Yander's total aggregate liability under this DPA shall be subject to the same caps and limitations as set forth in the Agreement.
Nothing in this DPA shall limit either party's liability for breaches of applicable data protection laws to the extent that such limitation is not permitted by law.
This DPA shall become effective on the date the Customer agrees to the Agreement and shall remain in effect for the duration of the Agreement. This DPA shall automatically terminate upon the termination or expiration of the Agreement, subject to the provisions of this DPA that by their nature are intended to survive termination.
The following provisions shall survive termination of this DPA: Section 5.2 (Confidentiality), Section 5.7 (Deletion and Return of Data), Section 8 (Data Breach Notification) to the extent a breach is discovered after termination, Section 11 (Data Retention and Deletion), Section 12 (Audit Rights) for a period of twelve (12) months following termination, and Section 13 (Liability).
If you have questions about this Data Processing Agreement or wish to exercise any rights under it, please contact us: