Data Processing Addendum
Effective Date: July 17, 2026
This Data Processing Addendum ("DPA") forms part of the Terms of Service ("Agreement") between YPA Group Inc., doing business as Weorda ("Processor" or "Weorda"), and the customer that has accepted the Agreement ("Controller" or "Customer"). This DPA applies to Weorda's processing of personal data on behalf of Customer.
By accepting the Agreement, Customer accepts this DPA. In the event of any conflict between the Agreement and this DPA with respect to data processing, this DPA controls.
1. Definitions
Capitalized terms not defined in this DPA have the meanings given in the Agreement.
- "Controller" means Customer, the entity that determines the purposes and means of processing Personal Data.
- "Processor" means Weorda, which processes Personal Data on behalf of Controller.
- "Personal Data" means any information relating to an identified or identifiable natural person that Controller uploads to or generates through the Service.
- "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, and deletion.
- "Subprocessor" means a third party engaged by Processor to process Personal Data on Controller's behalf.
- "Security Incident" means a confirmed breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.
2. Roles of the Parties
2.1 With respect to Personal Data processed in connection with the Service, Controller is the data controller and Processor is the data processor.
2.2 Processor processes Personal Data only on Controller's documented instructions, as set forth in the Agreement, this DPA, and any other written instructions provided by Controller and accepted by Processor.
2.3 Processor does not determine the purposes or means of processing Personal Data and acquires no ownership rights in Personal Data.
3. Nature and Purpose of Processing
3.1 Processor processes Personal Data solely to provide the Service to Controller, including:
- Workflow management, including check-ins, route confirmations, inspections, and operational acknowledgments.
- Boarding status, attendance, and visit verification.
- Operator-initiated communications with workers, beneficiaries, or other authorized parties.
- Providing parents, guardians, and other authorized beneficiaries with visibility into services (such as live vehicle location, arrival estimates, boarding status, and ride confirmations) via SMS notifications, web tracking links, and the Weorda Parents mobile application.
- Issue reporting and optional SOS communication features.
- Compliance and audit reporting.
- Technical operation, maintenance, and security of the Service.
- Customer support and account management.
3.2 Processor does not provide emergency response services, safety supervision, or regulatory compliance services.
3.3 The duration of processing is the term of the Agreement, plus any post-termination retention period set forth in Section 11 of this DPA.
4. Categories of Personal Data and Data Subjects
4.1 The categories of Personal Data processed depend on Controller's industry and use of the Service. Categories may include:
- Names of workers, supervisors, and authorized contacts.
- Names of beneficiaries (such as students, patients, or clients) and parents or guardians.
- Contact information, including email addresses and phone numbers.
- Route, schedule, and assignment information.
- Boarding, attendance, or visit status.
- Timestamps and device-generated metadata.
- Geolocation data, where enabled.
- Photos or files uploaded by users.
- Operational and compliance records.
4.2 Categories of Data Subjects include Controller's employees, contractors, and the individuals served by Controller's operations (such as students, patients, clients, or beneficiaries), and their authorized representatives.
4.3 The following categories of data will NOT be processed unless separately agreed in writing:
- Residential addresses of minors.
- Medical or health records (except as permitted under home care vertical agreements).
- Financial account information.
- Government identification numbers.
4.3 The following categories of data will NOT be processed unless separately agreed in writing or expressly required by the Service for Controller's vertical:
- Residential addresses of minors, except student pickup and drop-off locations processed solely for route planning, navigation, and ride status in the school-transportation vertical, which are processed as Education Records under Exhibit A (FERPA Terms);
- Medical or health records (except as permitted under home-care vertical agreements);
- Financial account information;
- Government identification numbers.
5. Data Ownership
5.1 All Personal Data provided by Controller remains the sole property of Controller. Processor acquires no ownership rights in Personal Data.
5.2 Processor will not sell, lease, rent, or otherwise monetize Personal Data.
5.3 Processor will not use Personal Data to train artificial intelligence models for external customers without Controller's prior written consent.
6. Data Minimization
6.1 Processor will process only the minimum Personal Data necessary to provide the Service.
6.2 Controller is responsible for ensuring that only necessary Personal Data is uploaded to the Service. Controller acknowledges that uploading data not necessary for the Service may increase risk and should be avoided.
7. Security Measures
7.1 Processor implements reasonable administrative, technical, and organizational safeguards to protect Personal Data, including:
- Encryption in transit using Transport Layer Security (TLS/HTTPS).
- Encryption of Personal Data at rest in cloud storage.
- Role-based access control.
- Authentication requirements for all user accounts.
- Multi-factor authentication for administrative access.
- Access logging and monitoring for administrative access to production systems.
- Restricted internal employee access on a need-to-know basis.
- Personnel confidentiality obligations.
- Subprocessor security obligations.
- Periodic review of security practices.
7.2 Access to Personal Data is limited to authorized personnel who have a need to access such data to provide the Service.
7.3 Processor does not guarantee uninterrupted connectivity, availability, or real-time delivery of communications. No security system is impenetrable.
8. Subprocessors
8.1 Controller authorizes Processor to engage Subprocessors to provide infrastructure and supporting services. As of the effective date of this DPA, Processor uses the following Subprocessors:
- Google Cloud Platform (cloud hosting and infrastructure).
- Firebase by Google (authentication services).
- Stripe (payment processing).
- Email and SMS delivery providers (transactional communications).
A current list of Subprocessors is maintained at weorda.com/subprocessors.
8.2 Processor will provide thirty (30) days' written notice (which may be by email or notice in the operator dashboard) before engaging a new material Subprocessor.
8.3 Controller may object to a new Subprocessor by emailing privacy@weorda.com within the notice period. If Processor cannot reasonably accommodate Controller's objection, Controller may terminate the affected portion of the Service.
8.4 Processor remains responsible for the acts and omissions of its Subprocessors to the same extent Processor would be responsible if it performed the services directly.
9. Confidentiality
9.1 Processor ensures that personnel authorized to process Personal Data are bound by confidentiality obligations.
9.2 Confidentiality obligations survive termination of employment and engagement.
10. Security Incident Notification
10.1 In the event Processor becomes aware of a Security Incident affecting Controller's Personal Data, Processor will notify Controller without undue delay and, where feasible, no later than seventy-two (72) hours after becoming aware.
10.2 The notification will include, to the extent known at the time of notification:
- A description of the Security Incident.
- The categories of Personal Data affected.
- The approximate number of Data Subjects and records affected, where known.
- The likely consequences of the Security Incident.
- The mitigation steps taken or proposed.
10.3 Processor will provide Controller with reasonable assistance in fulfilling Controller's obligation to notify affected individuals and regulators, where required by law.
10.4 Controller is responsible for determining whether notification to Data Subjects or regulators is required under applicable law and for delivering any such notices, unless Processor is required by law to make such notifications directly.
11. Data Retention and Deletion
11.1 Processor will retain Personal Data only as long as necessary to provide the Service or as required by law.
11.2 Upon termination of the Agreement, Processor will, upon Controller's written request:
- Return Personal Data to Controller in a structured, commonly used, machine-readable format, OR
- Securely delete Personal Data,
within thirty (30) days of the request, unless retention is required by law.
11.3 Upon completion of deletion, Processor will provide written confirmation upon Controller's request.
11.4 Backups containing Personal Data may be retained for up to ninety (90) days in encrypted backup systems and are deleted in the ordinary course of backup rotation.
12. Data Subject Rights
12.1 Where Data Subjects exercise rights under applicable law (such as rights to access, correct, delete, port, or restrict processing), Controller is responsible for responding to such requests.
12.2 Processor will reasonably assist Controller in responding to Data Subject requests, taking into account the nature of the processing. Assistance may include providing technical means to access, export, correct, or delete Personal Data.
12.3 If Processor receives a request directly from a Data Subject regarding Controller's Personal Data, Processor will promptly forward the request to Controller and will not respond directly except to confirm receipt and direct the Data Subject to Controller.
13. Controller Responsibilities and Representations
13.1 Controller represents, warrants, and covenants that:
- Controller has lawful authority to collect and provide the Personal Data to Processor.
- Controller has obtained all consents, authorizations, and notices required under applicable law, including under FERPA, COPPA, state student privacy laws, HIPAA (where applicable), and applicable state and federal privacy laws.
- The Personal Data provided is accurate, current, and lawfully obtained.
- Controller has provided Data Subjects with appropriate notice of Controller's data processing practices.
- Controller will use the Service in compliance with applicable laws and regulations.
13.2 Processor is not responsible for the legality of Controller's data collection practices.
14. International Data Transfers
14.1 Personal Data is processed and stored on servers located in the United States.
14.2 If Controller provides Personal Data of individuals located outside the United States, Controller is responsible for ensuring that the transfer of such data to Processor in the United States complies with applicable law, including any cross-border transfer requirements.
14.3 If transfer of Personal Data from the European Economic Area, United Kingdom, or Switzerland to the United States is required, the parties agree to enter into the Standard Contractual Clauses or other appropriate transfer mechanisms required by applicable law.
15. Audit Rights
15.1 Processor will make available to Controller information reasonably necessary to demonstrate compliance with this DPA, including responses to reasonable security and compliance questionnaires.
15.2 Upon Controller's written request and no more than once per calendar year (except as required following a confirmed Security Incident or as required by a regulator), Processor will provide Controller with reasonable cooperation in an audit conducted by Controller or a mutually agreed third-party auditor, subject to confidentiality and reasonable advance notice (at least thirty (30) days).
15.3 Audits will be conducted during normal business hours, will not unreasonably interfere with Processor's operations, and will be at Controller's expense.
15.4 Processor may, in lieu of supporting a direct audit, provide attestation reports (such as SOC 2 reports, when available) from independent auditors.
16. Limitation of Liability
16.1 Each party's liability under this DPA is subject to the limitation of liability set forth in the Agreement.
16.2 Nothing in this DPA limits a party's liability where prohibited by applicable law.
17. Governing Law
This DPA is governed by the laws of the State of Delaware, as set forth in the Agreement, except where applicable law requires otherwise.
18. Term and Termination
18.1 This DPA is effective as of the date Customer accepts the Agreement and remains in effect for the term of the Agreement, plus any post-termination period required for return or deletion of Personal Data.
18.2 Termination of the Agreement automatically terminates this DPA, except for provisions that by their nature survive termination.
19. Order of Precedence
In the event of a conflict between the Agreement and this DPA with respect to the processing of Personal Data, this DPA controls.
20. Contact Information
Questions or requests under this DPA should be directed to:
YPA Group Inc. (d/b/a Weorda)
Privacy: privacy@weorda.com
Legal: legal@weorda.com