Data Processing Agreement

Our data processing agreement and GDPR compliance information

Last updated: December 22, 2025

1. Introduction

This Data Processing Agreement ("DPA") forms part of the Terms of Use between Your Company ("Data Processor" or "we") and you ("Data Controller" or "you") and applies where and only where we process Personal Data on your behalf in providing our services.

This DPA reflects the parties' agreement with regard to the processing of Personal Data in accordance with the requirements of Data Protection Laws, including the General Data Protection Regulation (EU) 2016/679 ("GDPR").

2. Definitions

In this DPA, the following terms shall have the meanings set out below:

"Data Protection Laws" means all applicable laws relating to the processing of Personal Data including GDPR, the UK Data Protection Act 2018, and any other equivalent legislation.

"Personal Data" has the meaning given in the GDPR and relates to personal data that is processed by the Data Processor on behalf of the Data Controller.

"Processing" has the meaning given in the GDPR and includes any operation performed on Personal Data.

"Data Subject" means an identified or identifiable natural person whose Personal Data is processed.

"Sub-processor" means any processor engaged by the Data Processor to process Personal Data.

3. Scope and Roles

3.1 Scope of Processing

The Data Processor shall process Personal Data only:

  • On documented instructions from the Data Controller
  • For the purpose of providing the services
  • In accordance with this DPA and applicable Data Protection Laws

3.2 Nature and Purpose of Processing

Nature: Collection, storage, organization, retrieval, use, and deletion

Purpose: Provision of services as described in our Terms of Use

Duration: For the term of the service agreement

3.3 Types of Personal Data

The Personal Data processed may include:

  • Contact information (name, email, phone number, address)
  • Account credentials
  • Usage data and analytics
  • Payment information
  • Communication records

3.4 Categories of Data Subjects

Data Subjects may include:

  • Registered users of our services
  • Customers and clients
  • Website visitors
  • Newsletter subscribers

4. Data Processor Obligations

The Data Processor shall:

  • Process Personal Data only on documented instructions from the Data Controller
  • Ensure that persons authorized to process Personal Data are subject to confidentiality obligations
  • Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk
  • Engage Sub-processors only with prior written authorization from the Data Controller
  • Assist the Data Controller in responding to Data Subject requests
  • Assist the Data Controller in ensuring compliance with Data Protection Laws
  • Delete or return all Personal Data to the Data Controller after the end of the provision of services
  • Make available to the Data Controller all information necessary to demonstrate compliance

5. Security Measures

The Data Processor shall implement appropriate technical and organizational measures including:

5.1 Technical Measures

  • Encryption of Personal Data in transit and at rest
  • Regular security assessments and penetration testing
  • Secure authentication and access controls
  • Regular backup and disaster recovery procedures
  • Network security and firewall protection

5.2 Organizational Measures

  • Data protection policies and procedures
  • Staff training on data protection
  • Confidentiality agreements with personnel
  • Incident response procedures
  • Regular audits and compliance reviews

6. Sub-processors

The Data Controller provides general authorization for the Data Processor to engage Sub-processors. The Data Processor shall:

  • Maintain a list of Sub-processors which shall be available to the Data Controller on request
  • Inform the Data Controller of any intended changes concerning the addition or replacement of Sub-processors
  • Ensure that Sub-processors are bound by data protection obligations equivalent to those in this DPA
  • Remain fully liable to the Data Controller for the performance of Sub-processors

6.1 Current Sub-processors

Cloud Hosting: AWS - Data storage and hosting

Email Services: Google Workspace - Email delivery and communications

Analytics: Google Analytics - Website analytics and performance monitoring

7. Data Subject Rights

The Data Processor shall assist the Data Controller in responding to requests from Data Subjects to exercise their rights under Data Protection Laws, including:

  • Right of access
  • Right to rectification
  • Right to erasure ("right to be forgotten")
  • Right to restriction of processing
  • Right to data portability
  • Right to object
  • Rights related to automated decision-making and profiling

8. Data Breach Notification

The Data Processor shall notify the Data Controller without undue delay (and in any event within 48 hours) after becoming aware of a Personal Data Breach. The notification shall include:

  • The nature of the Personal Data Breach
  • The categories and approximate number of Data Subjects affected
  • The likely consequences of the breach
  • The measures taken or proposed to address the breach and mitigate its effects

9. Data Transfers

The Data Processor shall not transfer Personal Data to a country or territory outside the European Economic Area ("EEA") without the prior written consent of the Data Controller, unless:

  • The transfer is to a country deemed by the European Commission to provide adequate protection
  • Appropriate safeguards are in place (such as Standard Contractual Clauses)
  • The transfer is necessary for the performance of the contract

10. Audits and Compliance

The Data Processor shall:

  • Make available to the Data Controller all information necessary to demonstrate compliance with this DPA
  • Allow for and contribute to audits, including inspections, conducted by the Data Controller or an auditor mandated by the Data Controller
  • Provide the Data Controller with audit reports and certifications demonstrating compliance

11. Data Retention and Deletion

Upon termination of the services or upon request of the Data Controller, the Data Processor shall:

  • Delete or return all Personal Data to the Data Controller
  • Delete existing copies unless storage of Personal Data is required by applicable law
  • Provide certification of deletion if requested

12. Liability and Indemnification

Each party shall be liable for damages caused by its processing of Personal Data in breach of this DPA or applicable Data Protection Laws. The Data Processor shall indemnify the Data Controller against all costs, claims, and expenses arising from any breach of this DPA by the Data Processor.

13. Term and Termination

This DPA shall remain in effect for as long as the Data Processor processes Personal Data on behalf of the Data Controller. Upon termination, the provisions relating to data deletion, return, confidentiality, and liability shall survive.

14. Governing Law

This DPA shall be governed by and construed in accordance with the laws applicable to the Data Controller's jurisdiction, without regard to its conflict of law principles.

15. Contact Information

For any questions regarding this Data Processing Agreement, please contact:

Data Protection Officer

Email: legal@yeticodecrew.com

Address: Kathmandu, Nepal