Data Processing Addendum

Effective Date: May 15, 2023


This Data Processing Addendum ("DPA"), together with all Schedules

and Attachments appended hereto, forms an integral part of the Terms

of Use or other governing written agreement (the "Agreement") between

YuHire Technologies Ltd ("YuHire", "we", or "us") and the contributor or

contracting party ("you" or "Contributor"). The DPA governs the

processing of personal data that you may handle in the course of

delivering labelling, annotation, data collection, or related AI training

services ("Services") to YuHire, where YuHire itself acts as a data

processor on behalf of third-party data controllers ("Controllers").

By accepting the Agreement or commencing provision of the Services,

you acknowledge that you have read, understood, and agree to be

bound by the terms of this DPA.   



1. Definitions

The following defined terms apply throughout this DPA and all

Schedules hereto:


"Adequacy Decision" refers to any formal determination by the

European Commission or, as applicable, the UK Government, that a

non-EEA or non-UK jurisdiction affords a level of protection for

personal data essentially equivalent to that provided within the EEA

or UK respectively, such that personal data subject to the GDPR or

UK GDPR may be transferred without further supplementary

safeguards.


"Affiliate" means any legal entity directly or indirectly controlling,

controlled by, or under common control with a Party, where "control"

is defined as holding more than fifty percent (50%) of the voting

rights or equivalent governance interests in that entity.



"Applicable Data Protection Law" means all applicable data

protection, privacy, and information security statutes and regulations

in force from time to time, including without limitation:


(a) Regulation (EU) 2016/679 (the "GDPR");

(b) Directive 2002/58/EC and Directive 2009/136/EC, along with any national transpositions thereof;

(c) the GDPR as retained in UK domestic law by virtue of the European Union (Withdrawal) Act 2018 and supplemented by the Data Protection Act 2018 (the "UK GDPR"); and

(d) any equivalent legislation enacted in any other applicable jurisdiction, each as amended or replaced from time to time.

"EEA" means the member states of the European Union together

with Iceland, Liechtenstein, and Norway.



"Effective Date" means the date upon which the Agreement

incorporating this DPA is accepted or executed by the Parties.


"Party" and "Parties" mean respectively you or YuHire individually,

or both collectively, as the context requires.


"Security Incident" means any actual or reasonably suspected

breach of security that results in, or may result in, the accidental or

unlawful destruction, loss, corruption, alteration, unauthorised

disclosure of, or unauthorised access to, Personal Data that has

been transmitted, stored, or otherwise processed under this DPA.


"Standard Contractual Clauses" or "SCCs" means the

processor-to-processor transfer clauses adopted by the European

Commission by Implementing Decision (EU) 2021/914 of 4 June

2021, as set out in Schedule A (Module Three), and as may be

amended from time to time.


"Sub-processor" means any third-party processor engaged by you

to carry out processing activities on Personal Data on your behalf in

connection with the Services.



2. Roles and Scope of Processing


2.1 By entering into this DPA, you agree to act as a Sub-processor with

respect to all Personal Data you access or handle in connection with the

Services, operating at all times under the direction of YuHire, which

itself acts as a Processor on behalf of the relevant Controllers. You

accept these obligations without additional charge to YuHire.


2.2 Each Party shall independently comply with its obligations under all

Applicable Data Protection Laws in connection with the Personal Data it

processes under this DPA.


2.3 You shall at all times: (i) restrict your processing of Personal Data

strictly to what is necessary for the performance of the Services or as

otherwise required by this DPA; and (ii) process such data solely in

accordance with YuHire's documented instructions, and not for your

own benefit or that of any unaffiliated third party.


2.4 Where applicable law requires you to process Personal Data

beyond YuHire's instructions, you shall notify YuHire of that requirement

prior to commencing such processing to the maximum extent permitted

by law.


2.5 If you become aware of any instruction from YuHire that you

consider to be in breach of Applicable Data Protection Law, or if you are

unable to comply, you shall: (i) promptly notify YuHire in writing; and (ii)

suspend all processing of the affected Personal Data pending revised

instructions from YuHire.


2.6 You shall not, by any act or omission, cause YuHire to be in breach

of any Applicable Data Protection Law.


3. Sub-processing


3.1 You shall not engage any Sub-processor to process Personal Data

under this DPA without obtaining the prior written approval of YuHire.

Where YuHire provides such approval, you may only permit the

Sub-processor to process Personal Data after concluding a binding

written agreement that:


(i) imposes materially equivalent data protection obligations; and

(ii) grants YuHire the right to enforce those obligations directly.


3.2 You shall remain fully liable to YuHire for the performance of any

Sub-processor's obligations, and any Sub-processor failure shall be

treated as your own failure under this DPA.


4. Cooperation and Assistance


4.1 You shall provide all reasonable assistance to YuHire and the

relevant Controllers to enable them to respond to requests, complaints,

or communications from Data Subjects or from any governmental,

regulatory, or judicial body. Any such request received directly by you

shall be promptly forwarded to YuHire without response unless

expressly authorised.


4.2 You shall provide prompt and reasonable assistance to enable

YuHire and Controllers to:


(i) notify Supervisory Authorities and/or Data Subjects of any Personal Data breach;

(ii) conduct data protection impact assessments; and

(iii) consult with applicable Supervisory Authorities in respect of high-risk processing activities.


5. Data Security


5.1 You shall establish and maintain throughout the Term appropriate

technical and organisational measures to protect Personal Data against

Security Incidents and to ensure ongoing confidentiality, integrity,

availability, and resilience, in accordance with Article 32 GDPR and

YuHire's Security Standards as notified from time to time.


5.2 Access to Personal Data shall be limited exclusively to you and only

to the extent strictly necessary for the performance of the Services. All

individuals authorised to access Personal Data must be bound by

confidentiality obligations.


6. Security Incidents


6.1 You shall notify YuHire immediately upon becoming aware of a

Security Incident, and in any event within twenty-four (24) hours of

discovery, providing:


(i) a description of the nature of the incident, including categories and approximate volume of affected Data Subjects;

(ii) contact details for the incident manager;

(iii) likely consequences; and

(iv) remedial measures taken or proposed.

Where full information is not immediately available, you may provide it in stages.


6.2 You shall promptly take all remedial and mitigating steps directed by

YuHire and shall keep YuHire fully informed of all material

developments until the incident is resolved.


7. Records and Compliance Audits


7.1 You shall:

(i) create and maintain complete and accurate written records demonstrating compliance with this DPA throughout the Term;

(ii) retain such records for a minimum of six (6) years following expiry or termination; and

(iii) make such records available to YuHire or any Supervisory Authority promptly upon written request.


7.2 YuHire (or its duly authorised representatives) reserves the right to

conduct audits and inspections of your facilities during normal business

hours on reasonable prior written notice. No advance notice shall be

required following a Security Incident.


8. International Data Transfers


8.1 Neither Party shall transfer Personal Data across international

borders except in strict accordance with the international transfer

provisions of Applicable Data Protection Law.


8.2 Where you are located outside the EEA or UK and no Adequacy

Decision applies, the Parties enter into the SCCs (Module Three) in

Schedule A and, where the UK GDPR applies, the UK Addendum in

Schedule B. You are the "data importer" and YuHire is the "data

exporter".


8.3 Where you are located within the EEA or UK and transfer Personal

Data to YuHire, the Parties enter into the SCCs in Schedule A and, if

applicable, the UK Addendum in Schedule B. You are the "data

exporter" and YuHire is the "data importer".


8.4 Each Party is responsible for correctly identifying its transfer role

and shall consult the other Party where there is uncertainty.


8.5 If any change in law renders an existing transfer mechanism

unlawful, the Parties shall cooperate in adopting an alternative lawful

mechanism, and processing shall cease if so directed.


8.6 To the extent of any conflict between this DPA and the SCCs, the

SCCs prevail. Nothing in this DPA limits the rights of Data Subjects or

competent Supervisory Authorities.


9. Retention, Return, and Deletion of Personal Data

9.1 Within thirty (30) days following the end of the Term, you shall

securely and permanently delete (or, if directed by YuHire, return) all

Personal Data processed under this DPA, including all backup copies

and derivative records, unless continued retention is required by

applicable law. Where retention is legally required, you shall isolate the

affected Personal Data and restrict all further use to what is strictly

required.


10. General Provisions

10.1 This DPA takes effect on the Effective Date and remains in force

for the Term, unless terminated earlier.


10.2 Any material breach by you of this DPA shall also constitute a

material breach of the Agreement, entitling YuHire to immediate


10.3 In the event of conflict between this DPA and the Agreement, this

DPA shall govern with respect to data protection subject matter.


10.4 This DPA, together with all Schedules, constitutes the entire

agreement between the Parties with respect to the processing of

Personal Data and supersedes all prior representations and

agreements relating to that subject matter.


10.5 Notwithstanding termination of the Agreement or this DPA, all

provisions shall continue to apply until all Personal Data has been fully

deleted or returned per Clause 9.


10.6 This DPA may only be amended by a subsequent written

instrument executed by an authorised representative of YuHire. If any

provision is held invalid, the remaining provisions continue in full force.


10.7 This DPA shall be governed by the laws of England and Wales,

and the courts of England and Wales shall have exclusive jurisdiction,

unless otherwise required by mandatory applicable law.


10.8 No limitation of liability provision in the Agreement shall apply to

any liability arising from a Security Incident or your breach of this DPA

or Applicable Data Protection Law.



Schedule A – Standard Contractual Clauses

(Module Three: Processor to Processor)


Section I – General Provisions

Clause 1 – Object and Purpose


(a) The purpose of these Standard Contractual Clauses is to give effect

to the requirements of Regulation (EU) 2016/679 for the transfer of

Personal Data from a Processor located in the EEA to a Sub-processor

in a third country not benefiting from an Adequacy Decision.


(b) The Parties identified as data exporter and data importer in Annex

I.A have agreed to these Clauses.


(c) These Clauses apply to the categories of Personal Data and

purposes specified in Annex I.B.


(d) The Annexes form an integral part of these Clauses.


Clause 2 – Effect and Integrity of the Clauses


(a) These Clauses establish suitable safeguards for Personal Data

transfers, including enforceable Data Subject rights and effective legal

remedies, pursuant to Articles 46(1) and 46(2)(c) and Article 28(7) of the

GDPR. They may not be modified except to choose the applicable

Module or to populate the Annexes.


(b) These Clauses are without prejudice to any obligations binding on

the data exporter under the GDPR.



Clause 3 – Third-Party Beneficiaries


(a) Data Subjects may invoke and enforce these Clauses as third-party

beneficiaries against the data exporter and/or data importer, subject to

the exceptions in the approved clause text.


(b) Paragraph (a) is without prejudice to the rights of Data Subjects

under the GDPR.


Clause 4 – Interpretation

Terms defined in the GDPR carry the same meaning when used in

these Clauses. These Clauses shall be read and interpreted in harmony

with the GDPR.


Clause 5 – Hierarchy

In the event of any conflict between these Clauses and any related

agreement between the Parties, these Clauses shall prevail.


Clause 6 – Description of Transfer

The particulars of the transfer, including categories of Personal Data

and purposes of processing, are detailed in Annex I.B.


Clause 7 – Docking Clause (Optional)

(a) A non-Party entity may accede to these Clauses at any time, with the

agreement of the existing Parties, by completing and signing Annex I.A.


(b) Upon signing, the acceding entity becomes a Party with all

associated rights and obligations.


(c) No rights or obligations arise for the acceding entity in respect of any

period prior to becoming a Party.


Section II – Obligations of the Parties


Clause 8 – Data Protection Safeguards

The data exporter warrants that it has applied reasonable diligence in

assessing the data importer's capability to fulfil its obligations through

appropriate technical and organisational measures.


8.1 Instructions: The data importer shall process Personal Data

solely on documented instructions from the Controller, as

communicated by the data exporter. It shall immediately notify the

data exporter if it is unable to follow any instruction.


8.2 Purpose Limitation: The data importer shall not use Personal

Data for any purpose beyond those specified in Annex I.B.


8.3 Transparency: Upon request, the data exporter shall provide a

Data Subject with a copy of these Clauses, subject to necessary

redactions to protect confidential business information.


8.4 Accuracy: If the data importer becomes aware that Personal

Data it holds is inaccurate or outdated, it shall notify the data

exporter and cooperate in rectifying or erasing the data.


8.5 Retention and Deletion: The data importer shall process

Personal Data only for the period specified in Annex I.B. After

Services end, all Personal Data shall be deleted or returned as

directed.


8.6 Security: The data importer shall implement the measures in Annex II and perform regular reviews of their adequacy. Access shall be restricted to personnel with confidentiality obligations. Breaches shall be notified without undue delay with all required particulars.

8.7 Special Categories: Where the transfer includes sensitive

Personal Data, the data importer shall apply the additional

safeguards specified in Annex I.B.


8.8 Onward Transfers: The data importer may only disclose

Personal Data to a third party on documented instructions from the

Controller and subject to equivalent transfer safeguards.


8.9 Compliance Documentation: The data importer shall maintain

processing records and make compliance evidence available to the

data exporter, Controllers, and Supervisory Authorities upon request,

and shall permit audits.


Clause 9 – Sub-processors

(a) The data importer shall not engage any sub-processor without prior

written authorisation from the Controller, submitted at least fourteen (14)

business days in advance. Pre-authorised sub-processors are listed in

Annex III.


(b) Any sub-processor engagement shall be governed by a written

contract imposing equivalent data protection obligations.


(c) The data importer shall provide a copy of the sub-processor

agreement on request.


(d) The data importer remains fully responsible for sub-processor

performance.


(e) The data importer shall include a third-party beneficiary clause in

each sub-processor agreement enabling termination and data deletion if

the data importer ceases to exist.


Clause 10 – Data Subject Rights

(a) The data importer shall promptly notify the data exporter of any Data

Subject request, without responding unless authorised by the Controller.


(b) The data importer shall assist the data exporter and Controller in

fulfilling Data Subject rights requests using the measures described in

Annex II.


Clause 11 – Redress

(a) The data importer shall make a contact point available for Data

Subject complaints and shall deal with complaints promptly.


(b) The Parties shall cooperate in resolving any Data Subject dispute in

a timely manner.


(c)–(f) Data Subjects may exercise rights by lodging complaints with

competent Supervisory Authorities or bringing proceedings in

competent courts. The data importer shall comply with any binding

decision.


Clause 12 – Liability

Each Party shall be liable to the other and, where applicable, to Data

Subjects, for any damages caused by their breach of these Clauses.

Joint liability applies where multiple Parties cause the same damage,

with rights of contribution between responsible Parties. The data

importer may not rely on sub-processor conduct to avoid its own liability.


Clause 13 – Supervision

The competent Supervisory Authority shall be determined per Annex

I.C. The data importer submits to that authority's jurisdiction and shal



Section III – Local Laws and Public Authority Access

Clause 14 – Local Laws Affecting Compliance

The Parties warrant that they have no reason to believe the laws or

practices of the destination country will prevent compliance with these

Clauses. Each Party has conducted a transfer impact assessment. The

data importer shall promptly notify the data exporter of any change in

law or practice that may affect compliance.



Clause 15 – Public Authority Access

15.1 If the data importer receives a legally binding disclosure request

from a public authority, it shall notify the data exporter promptly (subject

to legal restrictions) and shall challenge any request it reasonably

believes to be unlawful.


15.2 The data importer shall provide only the minimum amount of

information necessary in response to any valid disclosure request.


Section IV – Final Provisions


Clause 16 – Non-Compliance and Termination

(a) The data importer shall notify the data exporter promptly if it cannot

comply.


(b) The data exporter may suspend transfers upon notification of

non-compliance.


(c) The data exporter may terminate data processing arrangements

where non-compliance is persistent, material, or not remedied within

one month.


(d) On termination, all Personal Data shall be returned or deleted and

the data importer shall certify deletion.


(e) Either Party may terminate if the European Commission adopts an

Adequacy Decision covering the relevant transfer.


Clause 17 – Governing Law

These Clauses shall be governed by the laws of the Republic of Ireland,

as an EU Member State that recognises third-party beneficiary rights.


Clause 18 – Jurisdiction

(a) Disputes shall be resolved by the courts of an EU Member State.


(b) The Parties agree on the courts of the Republic of Ireland.


(c) Data Subjects may also bring proceedings before the courts of their

habitual residence.


(d) The Parties submit to the jurisdiction of the agreed courts.


Annex I.A – Parties

Data Exporter: The Party designated as data exporter pursuant to Clauses 8.2 or 8.3 of this DPA.

Data Importer: The Party designated as data importer pursuant to Clauses 8.2 or 8.3 of this DPA.

Annex I.B – Description of the Transfer

Categories of Data Subjects: All Data Subjects whose Personal Data

falls within the scope of the Agreement and this DPA.


Categories of Personal Data: All Personal Data processed in

connection with the Services as defined in the Agreement.


Sensitive Data: It is not anticipated that Special Categories of Personal

Data will be transferred. Should any such transfer become necessary,

the Parties shall agree supplementary safeguards in writing.


Frequency: Ongoing and continuous for the duration of the Services.


Nature of Processing: Provision of data labelling, annotation, data

collection, and related AI training services as described in the

Agreement.


Purposes: Performance of the Services and fulfilment of YuHire's

obligations to its Controllers.


Retention: Personal Data shall be retained only as long as required to

perform the Services and deleted or returned within thirty (30) days of

the end of the Term.


Annex I.C – Competent Supervisory Authority

The Data Protection Commission of Ireland, unless a different authority

is agreed in writing by the Parties.


Annex II – Technical and Organisational Security Measures

The technical and organisational security measures applicable under

this DPA are those described in YuHire's then-current Security

Standards, as updated and communicated from time to time,

supplemented by any project-specific security requirements set out in

the Agreement.


Annex III – Authorised Sub-processors

No Sub-processors are authorised as of the Effective Date. Any

subsequent authorisation shall be subject to the requirements of Clause

9 of these Clauses and Clause 3 of this DPA.





Schedule B – UK International Data Transfer Addendum


This Schedule constitutes the International Data Transfer Addendum to

the EU Commission Standard Contractual Clauses issued by the UK

Information Commissioner, Version B1.0, in force 21 March 2022 ("UK

Addendum"). It is incorporated into and forms part of this DPA.



Part 1 – Tables


Table 1 – Parties

Start Date: The Effective Date of this DPA.

Exporter: The Party identified as the data exporter under this DPA.

Importer: The Party identified as the data importer under this DPA.


Table 2 – Selected SCCs, Modules and Clauses

This UK Addendum is appended to the Standard Contractual Clauses

set out in Schedule A (Module Three: Processor to Processor).


Table 3 – Appendix Information

Annex I.A (List of Parties): As set out in Schedule A.

Annex I.B (Description of Transfer): As set out in Schedule A.

Annex II (Technical and Organisational Measures): As set out in

Schedule A.


Table 4 – Ending This UK Addendum

In the event the ICO issues a revised UK Addendum, neither Party may

unilaterally terminate this UK Addendum on that basis. The Parties shall

cooperate in good faith to incorporate the revised version.


Part 2 – Mandatory Clauses

The Mandatory Clauses of Part 2 of the Approved UK Addendum

(Version B1.0, issued by the ICO and laid before Parliament on 2

February 2022) are incorporated herein by reference and shall apply to

all restricted transfers under this DPA to which the UK GDPR applies,

as if set out in full.