Weorda ← Back to Home

Data Processing Addendum

Effective Date: July 17, 2026

This Data Processing Addendum ("DPA") forms part of the Terms of Service ("Agreement") between YPA Group Inc., doing business as Weorda ("Processor" or "Weorda"), and the customer that has accepted the Agreement ("Controller" or "Customer"). This DPA applies to Weorda's processing of personal data on behalf of Customer.

By accepting the Agreement, Customer accepts this DPA. In the event of any conflict between the Agreement and this DPA with respect to data processing, this DPA controls.

1. Definitions

Capitalized terms not defined in this DPA have the meanings given in the Agreement.

2. Roles of the Parties

2.1 With respect to Personal Data processed in connection with the Service, Controller is the data controller and Processor is the data processor.

2.2 Processor processes Personal Data only on Controller's documented instructions, as set forth in the Agreement, this DPA, and any other written instructions provided by Controller and accepted by Processor.

2.3 Processor does not determine the purposes or means of processing Personal Data and acquires no ownership rights in Personal Data.

3. Nature and Purpose of Processing

3.1 Processor processes Personal Data solely to provide the Service to Controller, including:

3.2 Processor does not provide emergency response services, safety supervision, or regulatory compliance services.

3.3 The duration of processing is the term of the Agreement, plus any post-termination retention period set forth in Section 11 of this DPA.

4. Categories of Personal Data and Data Subjects

4.1 The categories of Personal Data processed depend on Controller's industry and use of the Service. Categories may include:

4.2 Categories of Data Subjects include Controller's employees, contractors, and the individuals served by Controller's operations (such as students, patients, clients, or beneficiaries), and their authorized representatives.

4.3 The following categories of data will NOT be processed unless separately agreed in writing:

4.3 The following categories of data will NOT be processed unless separately agreed in writing or expressly required by the Service for Controller's vertical:

5. Data Ownership

5.1 All Personal Data provided by Controller remains the sole property of Controller. Processor acquires no ownership rights in Personal Data.

5.2 Processor will not sell, lease, rent, or otherwise monetize Personal Data.

5.3 Processor will not use Personal Data to train artificial intelligence models for external customers without Controller's prior written consent.

6. Data Minimization

6.1 Processor will process only the minimum Personal Data necessary to provide the Service.

6.2 Controller is responsible for ensuring that only necessary Personal Data is uploaded to the Service. Controller acknowledges that uploading data not necessary for the Service may increase risk and should be avoided.

7. Security Measures

7.1 Processor implements reasonable administrative, technical, and organizational safeguards to protect Personal Data, including:

7.2 Access to Personal Data is limited to authorized personnel who have a need to access such data to provide the Service.

7.3 Processor does not guarantee uninterrupted connectivity, availability, or real-time delivery of communications. No security system is impenetrable.

8. Subprocessors

8.1 Controller authorizes Processor to engage Subprocessors to provide infrastructure and supporting services. As of the effective date of this DPA, Processor uses the following Subprocessors:

A current list of Subprocessors is maintained at weorda.com/subprocessors.

8.2 Processor will provide thirty (30) days' written notice (which may be by email or notice in the operator dashboard) before engaging a new material Subprocessor.

8.3 Controller may object to a new Subprocessor by emailing privacy@weorda.com within the notice period. If Processor cannot reasonably accommodate Controller's objection, Controller may terminate the affected portion of the Service.

8.4 Processor remains responsible for the acts and omissions of its Subprocessors to the same extent Processor would be responsible if it performed the services directly.

9. Confidentiality

9.1 Processor ensures that personnel authorized to process Personal Data are bound by confidentiality obligations.

9.2 Confidentiality obligations survive termination of employment and engagement.

10. Security Incident Notification

10.1 In the event Processor becomes aware of a Security Incident affecting Controller's Personal Data, Processor will notify Controller without undue delay and, where feasible, no later than seventy-two (72) hours after becoming aware.

10.2 The notification will include, to the extent known at the time of notification:

10.3 Processor will provide Controller with reasonable assistance in fulfilling Controller's obligation to notify affected individuals and regulators, where required by law.

10.4 Controller is responsible for determining whether notification to Data Subjects or regulators is required under applicable law and for delivering any such notices, unless Processor is required by law to make such notifications directly.

11. Data Retention and Deletion

11.1 Processor will retain Personal Data only as long as necessary to provide the Service or as required by law.

11.2 Upon termination of the Agreement, Processor will, upon Controller's written request:

within thirty (30) days of the request, unless retention is required by law.

11.3 Upon completion of deletion, Processor will provide written confirmation upon Controller's request.

11.4 Backups containing Personal Data may be retained for up to ninety (90) days in encrypted backup systems and are deleted in the ordinary course of backup rotation.

12. Data Subject Rights

12.1 Where Data Subjects exercise rights under applicable law (such as rights to access, correct, delete, port, or restrict processing), Controller is responsible for responding to such requests.

12.2 Processor will reasonably assist Controller in responding to Data Subject requests, taking into account the nature of the processing. Assistance may include providing technical means to access, export, correct, or delete Personal Data.

12.3 If Processor receives a request directly from a Data Subject regarding Controller's Personal Data, Processor will promptly forward the request to Controller and will not respond directly except to confirm receipt and direct the Data Subject to Controller.

13. Controller Responsibilities and Representations

13.1 Controller represents, warrants, and covenants that:

13.2 Processor is not responsible for the legality of Controller's data collection practices.

14. International Data Transfers

14.1 Personal Data is processed and stored on servers located in the United States.

14.2 If Controller provides Personal Data of individuals located outside the United States, Controller is responsible for ensuring that the transfer of such data to Processor in the United States complies with applicable law, including any cross-border transfer requirements.

14.3 If transfer of Personal Data from the European Economic Area, United Kingdom, or Switzerland to the United States is required, the parties agree to enter into the Standard Contractual Clauses or other appropriate transfer mechanisms required by applicable law.

15. Audit Rights

15.1 Processor will make available to Controller information reasonably necessary to demonstrate compliance with this DPA, including responses to reasonable security and compliance questionnaires.

15.2 Upon Controller's written request and no more than once per calendar year (except as required following a confirmed Security Incident or as required by a regulator), Processor will provide Controller with reasonable cooperation in an audit conducted by Controller or a mutually agreed third-party auditor, subject to confidentiality and reasonable advance notice (at least thirty (30) days).

15.3 Audits will be conducted during normal business hours, will not unreasonably interfere with Processor's operations, and will be at Controller's expense.

15.4 Processor may, in lieu of supporting a direct audit, provide attestation reports (such as SOC 2 reports, when available) from independent auditors.

16. Limitation of Liability

16.1 Each party's liability under this DPA is subject to the limitation of liability set forth in the Agreement.

16.2 Nothing in this DPA limits a party's liability where prohibited by applicable law.

17. Governing Law

This DPA is governed by the laws of the State of Delaware, as set forth in the Agreement, except where applicable law requires otherwise.

18. Term and Termination

18.1 This DPA is effective as of the date Customer accepts the Agreement and remains in effect for the term of the Agreement, plus any post-termination period required for return or deletion of Personal Data.

18.2 Termination of the Agreement automatically terminates this DPA, except for provisions that by their nature survive termination.

19. Order of Precedence

In the event of a conflict between the Agreement and this DPA with respect to the processing of Personal Data, this DPA controls.

20. Contact Information

Questions or requests under this DPA should be directed to:

YPA Group Inc. (d/b/a Weorda)

Privacy: privacy@weorda.com

Legal: legal@weorda.com