Data Processing Agreement

Last updated: March 7, 2026

This Data Processing Agreement ('DPA') forms part of the agreement between YBuffet Inc. ('YBuffet' or 'Processor') and the Customer identified below ('Controller' or 'Customer') (together, the 'Parties'). This DPA applies where YBuffet processes personal data on behalf of the Customer in connection with the Customer's use of the YBuffet Platform.

This DPA is incorporated by reference into YBuffet's Terms of Service. In the event of conflict between this DPA and the Terms of Service with respect to the processing of personal data, this DPA controls.

1. Definitions

In this DPA:

'Applicable Data Protection Law' means the GDPR, UK GDPR, Swiss FDPA, and any applicable national implementing legislation

'Controller' means the Customer, who determines the purposes and means of processing personal data

'Data Subject' means any identified or identifiable natural person whose personal data is processed

'GDPR' means Regulation (EU) 2016/679 of the European Parliament and of the Council

'Personal Data' means any information relating to an identified or identifiable natural person

'Processing' has the meaning given in the GDPR

'Processor' means YBuffet Inc., which processes personal data on behalf of the Controller

'Security Incident' means a confirmed breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data

'Services' means the YBuffet Platform and related services provided to the Customer under the Terms of Service

'Sub-processor' means any processor engaged by YBuffet to process personal data on behalf of the Customer

2. Processing Details

The following details apply to YBuffet's processing of personal data under this DPA:

Subject matter: The processing is carried out in connection with the Customer's use of the YBuffet Platform, including the startup marketplace, community forum, service matching, company profiles, and related features.

Duration: Processing continues for the duration of the Customer's use of the Services, unless otherwise agreed in writing.

Nature and purpose: YBuffet processes personal data to provide, maintain, and improve the Platform services on behalf of the Controller, including account management, content hosting, communication facilitation, analytics, and support.

Categories of data subjects: Users of the Customer's account on YBuffet, including employees, contractors, and any individuals whose personal data is submitted to the Platform by the Customer.

Types of personal data: Name, email address, profile information, uploaded content, usage data, IP addresses, device identifiers, and any other personal data the Customer submits to the Platform.

Sensitive data: YBuffet does not intentionally collect or process special categories of personal data (Article 9 GDPR) unless the Customer uploads such data. The Customer is responsible for ensuring a lawful basis exists for any sensitive data submitted.

3. Processor Obligations

YBuffet, as Processor, shall:

Process personal data only on documented instructions from the Controller, including with regard to transfers of personal data to third countries, unless required by Union or Member State law to do so

Ensure that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality

Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as described in Section 6

Respect the conditions for engaging sub-processors as set out in Section 5

Assist the Controller in ensuring compliance with GDPR Articles 32-36 (security, breach notification, DPIAs, prior consultation)

Assist the Controller in responding to data subject requests, to the extent possible given the nature of the processing

At the choice of the Controller, delete or return all personal data to the Controller after the end of the provision of services, and delete existing copies unless Union or Member State law requires storage

Make available to the Controller all information necessary to demonstrate compliance with this Article, and allow for and contribute to audits and inspections

Regarding instructions: If YBuffet believes any instruction infringes GDPR or other applicable data protection law, YBuffet will immediately inform the Controller. YBuffet will not be required to follow such instructions until the Controller has confirmed them in writing.

4. Controller Obligations

The Controller shall:

Ensure there is a valid legal basis for processing and for instructing YBuffet to process personal data on its behalf

Provide all necessary notices and obtain all necessary consents from data subjects as required by applicable law

Ensure the accuracy of personal data submitted to the Platform

Not instruct YBuffet to process personal data in a manner that would violate applicable data protection law

Be responsible for the security and accuracy of any personal data submitted to the Platform by the Controller or its end users

5. Sub-Processors

The Controller grants YBuffet general authorization to engage sub-processors for the processing of personal data. YBuffet's current sub-processors are:

YBuffet will notify the Controller of any intended changes to this sub-processor list, providing the Controller with reasonable opportunity to object. YBuffet will ensure that any sub-processor is bound by data protection obligations equivalent to those in this DPA.

6. Technical and Organizational Security Measures

YBuffet implements and maintains the following technical and organizational measures:

Encryption in transit: TLS 1.2+ for all data in transit

Encryption at rest: AES-256 encryption for stored personal data

Access controls: role-based access control (RBAC), principle of least privilege, multi-factor authentication for all internal system access

Pseudonymization: analytics and AI training data is pseudonymized where feasible

Data minimization: collection limited to data necessary for stated purposes

Regular security testing: annual penetration testing and ongoing vulnerability scanning

Incident response: documented incident response procedure with internal escalation within 24 hours and external notification within 72 hours

Business continuity: regular backups, disaster recovery planning, and tested recovery procedures

Vendor management: all sub-processors subject to security assessment and contractual data protection obligations

Employee training: all personnel with access to personal data receive regular data protection training

YBuffet may update these measures from time to time to reflect changes in technology and best practices, provided that updates do not materially reduce the level of protection.

7. Security Incidents and Breach Notification

In the event of a Security Incident involving personal data processed on behalf of the Controller:

YBuffet will notify the Controller without undue delay and no later than 48 hours after becoming aware of the Security Incident

Notification will include: (a) description of the nature of the incident; (b) categories and approximate number of data subjects and records affected; (c) likely consequences; (d) measures taken or proposed to address the incident

YBuffet will cooperate with the Controller in investigating and resolving the incident

YBuffet will not notify supervisory authorities or affected data subjects directly without the Controller's prior written consent, except where required by law

The Controller is responsible for making notifications to supervisory authorities and affected data subjects as required by applicable law.

8. Data Subject Rights

Where data subjects exercise rights under GDPR (access, rectification, erasure, restriction, portability, objection) in respect of personal data processed by YBuffet on behalf of the Controller, YBuffet will:

Promptly forward any requests received from data subjects to the Controller

Not respond to data subject requests directly unless instructed by the Controller or required by law

Assist the Controller in fulfilling data subject requests to the extent technically feasible

Respond to Controller instructions regarding data subject requests within 10 business days

9. Data Protection Impact Assessments and Prior Consultation

YBuffet will assist the Controller with DPIAs and prior consultations with supervisory authorities under GDPR Articles 35 and 36 where the nature of the processing makes such assistance possible. The Controller is responsible for determining when a DPIA is required and for conducting the DPIA itself.

10. Audit Rights

The Controller may, upon reasonable written notice (30 days minimum), request an audit of YBuffet's compliance with this DPA. YBuffet may satisfy audit requests by providing:

A current summary of relevant security certifications or third-party audit reports (e.g., SOC 2 Type II, ISO 27001) where available

Responses to a reasonable written questionnaire

Subject to confidentiality protections, a site visit during normal business hours (limited to once per year unless a Security Incident has occurred)

The Controller is responsible for all costs associated with an audit. YBuffet may decline to provide information that would compromise the security or confidentiality of other customers' data.

11. Return or Deletion of Data

Upon expiry or termination of the agreement, at the Controller's choice:

YBuffet will delete all personal data processed on behalf of the Controller within 90 days, subject to any retention obligations under applicable law

YBuffet will provide the Controller with a data export in a standard machine-readable format (CSV or JSON) upon written request submitted before or within 30 days of termination

YBuffet will provide written certification of deletion upon request.

12. International Transfers

Where this DPA involves the transfer of personal data from the EEA/UK/Switzerland to a third country without an adequacy decision, the Parties agree to the Standard Contractual Clauses (Module 2 - Controller to Processor) as adopted by the European Commission by Decision 2021/914 of 4 June 2021, which are incorporated herein by reference.

For UK transfers, the Parties agree to the UK International Data Transfer Addendum (IDTA) issued by the ICO on 21 March 2022.

For Swiss transfers, the Parties agree to the Standard Data Protection Clauses issued by the Federal Data Protection and Information Commissioner.

Copies of the applicable SCCs/IDTAs are available upon request from grow@ybuffet.com.

13. Term and Termination

This DPA is effective from the date the Customer first accepts YBuffet's Terms of Service and will continue for the duration of the agreement. Upon termination of the Terms of Service, this DPA will terminate automatically, subject to Section 11 (Return or Deletion of Data).

14. Liability

Each Party's liability under this DPA is subject to the limitations of liability in the Terms of Service. However, nothing in this DPA limits either Party's liability to data subjects or supervisory authorities under applicable data protection law.

15. Governing Law

This DPA is governed by the governing law provisions of the Terms of Service. For EU/EEA/UK DPA disputes involving GDPR rights and obligations, the relevant EU or UK data protection law provisions apply as mandatory law.

By using the YBuffet Platform and accepting YBuffet's Terms of Service, you agree to this Data Processing Agreement. No separate signature is required.