Yovale Data Processing Agreement
This Data Processing Agreement (DPA) forms part of the agreement between Yovale and the Customer and applies whenever Yovale processes personal data on behalf of the Customer in connection with the Service. It is drafted to meet the requirements of the EU General Data Protection Regulation (GDPR) and equivalent provisions in UK GDPR and adjacent regimes.
The agreement maps to GDPR Article 28.
Definitions and roles
The defined terms used in this DPA and the parties' GDPR roles.
Defined terms
"Service" means the Yovale managed WordPress hosting service made available under the Yovale End User License Agreement.
"Customer Personal Data" means personal data that Yovale processes on behalf of the Customer in connection with the Service.
"Data Subject" means an identified or identifiable natural person whose personal data is contained in Customer Personal Data.
"Sub-processor" means any third party engaged by Yovale to process Customer Personal Data in connection with the Service.
Terms not defined here — including "Controller", "Processor", "Personal Data", "Processing", "Personal Data Breach", and "Supervisory Authority" — have the meanings given in Article 4 of the GDPR.
Roles of the parties
The Customer is the Controller of Customer Personal Data. The Customer determines the purposes and means of processing.
Yovale is the Processor of Customer Personal Data. Yovale processes Customer Personal Data only on documented Customer instructions, including those contained in the Service configuration set by the Customer through the Yovale dashboard.
Where Yovale collects personal data directly from individuals for its own purposes — for example, in the relationship with the account-holder — Yovale acts as a Controller for that data, and that processing is governed by the Yovale Privacy Policy rather than this DPA.
Subject matter, duration, and purpose
The scope of the processing Yovale performs as a Processor on the Customer's behalf.
Subject matter and duration
The subject matter of the processing is the hosting, storage, transmission, backup, and operational maintenance of Customer Personal Data within the Customer's WordPress sites and related dashboard surfaces.
The duration of the processing matches the duration of the Service. Yovale's obligations under this DPA continue until all Customer Personal Data has been deleted or returned in accordance with Section 10.
Nature and purpose
The nature of the processing comprises the collection, recording, organisation, structuring, storage, retrieval, transmission, hosting, and erasure of Customer Personal Data, as required to provide the Service.
The purpose of the processing is to enable the Customer to operate the WordPress site(s) hosted by the Service, including serving site content to visitors, accepting form submissions, providing the administrative dashboard, generating backups, surfacing logs, and supporting customer-elected integrations.
Categories of data and data subjects
Categories of Customer Personal Data: identification data (names, email addresses, account identifiers), contact data submitted through Customer site forms, content authored by Customer users, transactional data within WooCommerce sites where applicable, technical signals (IP addresses, user agents, timestamps), and any other personal data that the Customer chooses to store within the Service.
Categories of Data Subjects: the Customer's own users and personnel, the Customer's site visitors, the Customer's customers and members, and other natural persons whose personal data the Customer chooses to process through the Service.
Special-category data: the Customer should not upload special-category personal data as defined in Article 9 GDPR without separately notifying Yovale in writing.
Customer instructions and confidentiality
How Yovale receives and follows the Customer's processing instructions, and how Yovale personnel are bound to confidentiality.
Documented instructions
Yovale processes Customer Personal Data only on documented instructions from the Customer. The instructions are: (i) this DPA, (ii) the Yovale End User License Agreement, (iii) the Service configuration the Customer sets through the dashboard, and (iv) any further written instructions the Customer issues to Yovale by email to dpo@yovale.com.
If Yovale is required by EU or member-state law to process Customer Personal Data otherwise than on the Customer's instructions, Yovale will inform the Customer of that legal requirement before processing, unless that law prohibits such notification on grounds of important public interest.
Confidentiality of authorised personnel
Yovale ensures that personnel authorised to process Customer Personal Data are bound by appropriate confidentiality obligations, whether through their employment contract or through equivalent written undertakings.
Access to Customer Personal Data within Yovale is limited to personnel who require access to perform their role and is logged for audit purposes.
Security of processing
The technical and organisational measures Yovale maintains to protect Customer Personal Data, as required by Article 32 GDPR.
Technical measures
Network: TLS 1.2 or higher for all data in transit. Cloudflare DDoS protection on every customer site. WAF rules tuned to WordPress threat patterns.
Compute: each Customer WordPress site runs in a dedicated Docker container with isolated filesystem, memory ceilings, and dedicated PHP-FPM workers. No shared PHP runtime between Customers.
Storage: at-rest encryption on backup storage (Cloudflare R2) using AES-256. Encryption keys managed under the standard provider key-management contract.
Authentication: dashboard access requires email-verified credentials. Inter-service calls between the dashboard and per-VPS agents are HMAC-signed with per-server secrets.
Monitoring: per-site activity logs and AI crawler logs surfaced to the Customer dashboard; infrastructure-level metrics retained and reviewed for anomaly detection.
Organisational measures
Yovale maintains a written information security policy reviewed at least annually.
Personnel with access to production systems are subject to a documented onboarding and offboarding process, including credential issuance, revocation, and access review.
Change management to production infrastructure is reviewed and logged. Critical changes are validated in a staging environment before deployment.
Backups are tested for restorability on a quarterly cadence at minimum.
Periodic testing
Yovale performs periodic testing, assessment, and evaluation of the effectiveness of its technical and organisational measures, including vulnerability scanning of the production stack and review of access logs.
Material weaknesses identified through testing are addressed through Yovale's change management process. Findings of relevance to Customers — for example, vulnerabilities affecting hosted WordPress core — are communicated to Customers through the dashboard or by email.
Sub-processors
The third parties Yovale engages to process Customer Personal Data, and the conditions for adding or replacing them.
General authorisation
The Customer authorises Yovale to engage Sub-processors to process Customer Personal Data subject to the conditions in this Section 5. Yovale maintains the current list of Sub-processors on its trust page and provides at least 30 days' advance notice of any addition or replacement.
Current sub-processor list
Infrastructure: Hetzner (DE), OVH (FR, CA, DE), Vultr (multiple regions), Cloudflare (global edge, DNS, WAF, R2 storage).
Email delivery: Postmark, where the Customer enables Yovale-sent transactional email. If the Customer configures their own SMTP provider, that provider is not a Yovale Sub-processor.
Payments: Razorpay (primary), PayPal (secondary), Stripe (where applicable). Payment processors receive only the data necessary to process a transaction.
Customer support: the Customer's contact details and support communications are processed in Yovale's internal helpdesk system.
Sub-processor obligations and Customer objection
Each Sub-processor is engaged under a written contract containing data protection obligations equivalent in substance to those set out in this DPA, including security obligations under Article 32 GDPR.
If the Customer reasonably objects to a new Sub-processor on data-protection grounds within 30 days of notification, the parties will discuss the objection in good faith. If no resolution can be reached, the Customer may terminate the affected portion of the Service for cause without penalty, with effect from the proposed Sub-processor onboarding date.
Assistance with data subject rights
How Yovale helps the Customer respond to requests from Data Subjects.
Customer-controlled tooling
The Customer can directly export, modify, or delete Customer Personal Data stored within the Service through the Yovale dashboard, WP-CLI access, and the WordPress administrative interface.
These self-service tools are normally sufficient for the Customer to respond to access, rectification, erasure, restriction, and portability requests under Articles 15-20 GDPR.
Yovale-assisted requests
Where the self-service tools are insufficient — for example, retrieval of data from a deleted environment — the Customer may submit a written request to dpo@yovale.com. Yovale will provide reasonable assistance within 10 business days of receipt, subject to legal and technical constraints, and at no additional charge unless the request requires materially disproportionate effort.
If a Data Subject contacts Yovale directly about Customer Personal Data, Yovale will not respond to the substance of the request and will instead forward the request to the relevant Customer without undue delay.
Personal data breach notification
How Yovale notifies the Customer of a Personal Data Breach.
Notification timing
Yovale will notify the Customer of any confirmed Personal Data Breach affecting Customer Personal Data without undue delay and in any case within 72 hours of confirmation.
The notification will be sent to the email address associated with the Customer account. If that channel is unavailable, Yovale will attempt notification through the Yovale dashboard and any alternative contact on file.
Notification content
Each notification will, to the extent then known, describe the nature of the breach, the categories and approximate number of Data Subjects and personal data records concerned, the likely consequences of the breach, and the measures taken or proposed to address it and mitigate its possible adverse effects.
Information not available within the initial 72-hour window will be provided in subsequent updates as it becomes available. Yovale will cooperate with the Customer in fulfilling any obligations the Customer has to notify Supervisory Authorities or Data Subjects under Articles 33 and 34 GDPR.
Audits and inspections
How the Customer can verify Yovale's compliance with this DPA.
Information provision
Yovale makes available to the Customer the information reasonably necessary to demonstrate compliance with Article 28 GDPR, including this DPA, the public Sub-processor list, and the Yovale security overview published at /security.
On reasonable written request, Yovale will respond within 30 days to specific questions reasonably necessary to allow the Customer to comply with its own GDPR obligations.
On-site audits
Where the Customer reasonably believes that the information above does not provide sufficient evidence of compliance, the Customer may request an audit of Yovale's processing activities. Audits are limited to once per twelve-month period, must be conducted during normal business hours, must not disrupt Yovale operations or compromise the security of other Customers, and must be performed by the Customer or by an independent third-party auditor under a confidentiality undertaking acceptable to Yovale.
The Customer bears the costs of any audit it initiates under this section, except where the audit reveals a material breach of this DPA by Yovale, in which case Yovale will bear reasonable audit costs.
International transfers
How Yovale handles transfers of Customer Personal Data outside the European Economic Area and the United Kingdom.
Region selection
Customers can select their hosting region at provisioning time. Yovale operates infrastructure in the European Union (Hetzner DE, OVH FR/DE) and several non-EU regions. Customer Personal Data remains in the region the Customer selects, subject to the necessary edge-cache behaviour of Cloudflare and the global reach of the dashboard control plane.
Standard contractual clauses
Where Customer Personal Data is transferred outside the European Economic Area, the United Kingdom, or Switzerland to a country not subject to an applicable adequacy decision, the transfer is subject to the EU Standard Contractual Clauses (2021/914) and the UK International Data Transfer Addendum, which are incorporated into this DPA by reference and apply automatically to such transfers.
Yovale and any non-EEA Sub-processor act respectively as data exporter and data importer for the purpose of the Standard Contractual Clauses. Yovale will provide a copy of the relevant clauses on request.
Return or deletion at termination
What happens to Customer Personal Data when the Service ends.
Return or deletion
On termination of the Service, the Customer may, within 30 days of the termination date, request return of Customer Personal Data through the standard export tools available in the dashboard, or request that Yovale delete it.
After this 30-day window, Yovale will permanently delete Customer Personal Data within a further 30 days, except to the extent retention is required by EU or member-state law, in which case Yovale will continue to apply the security and confidentiality obligations in this DPA for as long as the data is retained.
Backup retention
Routine backups of the production environment may continue to contain residual copies of deleted Customer Personal Data for up to 90 days from the date of deletion. Such residual copies are subject to the same security obligations and are not used for any other purpose.
General
Liability, precedence, and contact.
Liability and precedence
Liability under this DPA is subject to the limitations set out in the Yovale End User License Agreement.
Where any provision of this DPA conflicts with the Yovale End User License Agreement on a matter of data protection, this DPA prevails to the extent of the conflict.
Contact
Data Protection Officer contact: dpo@yovale.com. General data protection enquiries can also be sent to support@yovale.com.
The Yovale EU Representative can be contacted on request through dpo@yovale.com.