Data Processing Agreement

Last updated: 28 April 2026

Draft — under legal review

This document is a working draft. The final version will be reviewed by EU-qualified counsel before launch. If you need a signed copy now, please contact us.

This Data Processing Agreement (“DPA”) forms part of the Terms of Service between Yaragudi Ltd (“Processor”) and the customer (“Controller”) when the Service involves processing of personal data on behalf of the Controller.

This DPA is designed to comply with Article 28 of the UK GDPR and EU GDPR.

1. Definitions

Capitalised terms have the meaning given in the UK GDPR / EU GDPR (e.g. Personal Data, Processing, Data Subject, Controller, Processor, Sub-Processor). “Customer Data” means any data submitted to or generated by the Service on behalf of the Controller.

2. Scope and roles

The Controller appoints Yaragudi as a Processor of Personal Data contained in Customer Data. Yaragudi processes Personal Data only on documented instructions from the Controller, including with regard to transfers outside the UK or EEA.

3. Subject matter and duration of processing

  • Subject matter: compliance assessment of Controller’s AI systems against the EU AI Act, using evidence retrieved from Controller-authorised cloud accounts.
  • Duration: for the term of the customer subscription, plus any retention period agreed in the order form.
  • Nature and purpose: retrieval of cloud configuration metadata, AI-driven analysis, generation of compliance reports.
  • Categories of Data Subjects: Controller employees who appear in cloud audit logs, IAM identities, or resource tags as part of normal cloud operations.
  • Categories of Personal Data: identifiers (email addresses, usernames, IP addresses) appearing in cloud audit logs and IAM configurations. Yaragudi does not intentionally collect special categories of Personal Data.

4. Yaragudi’s obligations

  • Process Personal Data only on the Controller’s documented instructions
  • Ensure persons authorised to process Personal Data are bound by confidentiality obligations
  • Implement appropriate technical and organisational measures (see Annex 1 below)
  • Assist the Controller in responding to data subject requests, where reasonably possible
  • Notify the Controller without undue delay (and within 72 hours) on becoming aware of a Personal Data breach
  • Make available all information necessary to demonstrate compliance with this DPA, and allow audits as set out below
  • Delete or return all Personal Data on termination of the Service, at the Controller’s choice

5. Sub-Processors

The Controller authorises Yaragudi to engage the following Sub-Processors:

  • Anthropic PBC — Claude API for evidence reasoning. Data residency: US (with EU residency available on Enterprise plans). Operating under Anthropic’s Zero Data Retention agreement: prompts and outputs are not used to train models and are deleted after processing.
  • Vercel Inc. — application hosting and serverless functions. Data residency: global edge network with primary processing in EU and US.
  • Amazon Web Services Inc. — backend storage and compute (eu-west-1 by default; configurable per Enterprise customer). Operating under AWS’s GDPR-compliant Data Processing Addendum.
  • Resend Inc. — transactional email delivery. Data residency: US.

Yaragudi will notify the Controller at least 30 days in advance of adding or replacing a Sub-Processor. The Controller may object to such changes on reasonable grounds, in which case the parties will work in good faith to find a solution.

6. International transfers

Where Personal Data is transferred outside the UK or EEA, Yaragudi relies on:

  • The EU-US Data Privacy Framework, where the Sub-Processor is a certified participant
  • Standard Contractual Clauses (Module 3: Processor-to-Processor) approved by the European Commission and the UK ICO
  • Supplementary measures including encryption in transit and at rest

7. Security measures (Annex 1)

Yaragudi implements at minimum the following technical and organisational measures:

  • TLS 1.3 for all data in transit
  • AES-256 encryption at rest
  • Read-only cloud credentials — Yaragudi never holds write access to Controller infrastructure
  • Principle-of-least-privilege access control for Yaragudi personnel
  • Audit logging of all employee access to Customer Data
  • Mandatory security training for all personnel handling Customer Data
  • Annual penetration test by an independent third party
  • Incident response plan with 72-hour breach notification commitment
  • SOC 2 Type II certification in progress (Type I report available under NDA today)

8. Audit rights

Yaragudi will make available, on request, its most recent SOC 2 report, penetration test summary, and security policies under NDA. Where this is insufficient, the Controller may request a remote audit no more than once per calendar year, on at least 30 days’ notice, conducted by the Controller or an independent auditor acceptable to Yaragudi.

9. Liability

Liability under this DPA is governed by the limitation of liability provisions in the Terms of Service. Nothing in this DPA limits any liability that cannot be excluded by applicable data protection law.

10. Term and termination

This DPA takes effect when the Controller first uses the Service and continues for the duration of the Service. On termination, Yaragudi will, at the Controller’s option, delete or return all Personal Data within 90 days, except where retention is required by applicable law.

11. Changes

Yaragudi may update this DPA where required by law or to reflect new Sub-Processors. Material changes will be notified to the Controller at least 30 days in advance.

For a signed counterpart of this DPA, contact hello@yaragudi.com.