Data Processing Agreement

1. Definitions and Interpretation

1.1 Terms used in this DPA have the meanings set forth below or in the UK GDPR:

• "Controller": You (the subscriber), who determines the purposes and means of processing personal data
• "Processor": GYBN, who processes personal data on behalf of the Controller
• "Personal Data": Any information relating to an identified or identifiable natural person contained in listing data
• "Processing": Any operation performed on personal data (collection, storage, transmission, deletion, etc.)
• "Sub-processor": Third-party service providers engaged by GYBN to assist in processing
• "Data Subject": The individual whose personal data is being processed (e.g., vessel owner)
• "UK GDPR": The UK General Data Protection Regulation
• "Authorized Platforms": Platforms approved by you to receive listing data

2. Scope and Roles

2.1 Controller-Processor Relationship

You are the Controller and GYBN is the Processor for all personal data submitted via the API. This includes:

• Names and contact details of vessel owners
• Email addresses and phone numbers in listing data
• Any other identifiable information about natural persons

2.2 Your Responsibilities as Controller

You warrant that:

• You have a lawful basis for processing personal data
• You have obtained necessary consents from data subjects
• You have provided privacy notices to data subjects
• You comply with all applicable data protection laws
• You will only submit personal data necessary for the service

2.3 Our Responsibilities as Processor

GYBN will:

• Process personal data only according to your documented instructions
• Implement appropriate technical and organizational security measures
• Assist you in responding to data subject requests
• Notify you of any data breaches within 24 hours of discovery
• Delete or return personal data upon termination

3. Nature and Purpose of Processing

3.1 Subject Matter

Processing of personal data contained within yacht listing submissions.

3.2 Duration

For the term of your subscription plus 30 days retention period (except as required for legal compliance).

3.3 Purpose

To distribute yacht listing data to platforms authorized by you.

3.4 Types of Personal Data

• Names (vessel owners, contacts)
• Contact details (email addresses, phone numbers)
• Location data (if vessel location is disclosed)
• Any other personal information included in listing descriptions

3.5 Categories of Data Subjects

• Vessel owners
• Authorized representatives
• Contact persons for inquiries

4. Instructions for Processing

4.1 GYBN will process personal data only in accordance with your documented instructions, which include:

• Storing personal data securely on our infrastructure
• Distributing personal data to platforms you authorize via your account settings
• Deleting personal data upon your request or account termination
• Providing data exports in JSON format upon request

4.2 If GYBN believes an instruction violates UK GDPR or other data protection law, we will immediately inform you and suspend processing until resolved.

5. Security Measures

5.1 GYBN implements appropriate technical and organizational measures to protect personal data:

5.1.1 Technical Measures

• Encryption: TLS 1.2+ in transit, AES-256 at rest
• Access Controls: Role-based access, IP whitelisting options
• Authentication: JWT tokens, optional two-factor authentication
• Monitoring: 24/7 intrusion detection and logging
• Backups: Daily encrypted backups with 30-day retention

5.1.2 Organizational Measures

• Staff training on data protection
• Confidentiality agreements for all personnel
• Incident response procedures
• Annual security audits (planned)
• Data protection impact assessments for high-risk processing

6. Sub-Processors

6.1 Authorized Sub-Processors

You authorize GYBN to engage the following sub-processors:

6.2 Sub-Processor Changes

GYBN will notify you via email at least 30 days before engaging new sub-processors. You may object to new sub-processors within 14 days. If we cannot accommodate your objection, you may terminate your subscription without penalty.

6.3 Sub-Processor Obligations

GYBN ensures all sub-processors:

• Are bound by written contracts with data protection obligations equivalent to this DPA
• Implement appropriate security measures
• Process personal data only as instructed
• GYBN remains fully liable for sub-processor performance

7. Data Subject Rights

7.1 GYBN will assist you in fulfilling data subject requests (access, rectification, erasure, restriction, portability, objection) within 7 business days of your request.

7.2 If GYBN receives a data subject request directly, we will forward it to you within 2 business days. You are responsible for responding to the data subject.

7.3 GYBN will provide technical assistance at no additional charge for straightforward requests (e.g., data exports). Complex requests may incur fees at our standard rate of £25/hour.

8. Personal Data Breaches

8.1 GYBN will notify you within 24 hours of becoming aware of a personal data breach affecting your data.

8.2 Notification will include:

• Description of the nature of the breach
• Categories and approximate number of data subjects affected
• Likely consequences of the breach
• Measures taken or proposed to address the breach

8.3 You are responsible for determining whether to notify data subjects or supervisory authorities as required by law.

9. Data Protection Impact Assessments and Audits

9.1 GYBN will provide reasonable assistance if you need to conduct a Data Protection Impact Assessment (DPIA) or prior consultation with supervisory authorities.

9.2 You may audit GYBN's compliance with this DPA once per year upon 30 days notice. Audits must be conducted during business hours and not interfere with operations. You may use a qualified third-party auditor subject to confidentiality obligations.

9.3 GYBN will provide annual SOC 2 Type II reports (when available) as evidence of compliance.

10. International Data Transfers

10.1 Personal data is primarily stored in AWS data centers in the EU and UK.

10.2 If personal data is transferred outside the UK/EU, GYBN ensures appropriate safeguards through:

• Standard Contractual Clauses (SCCs) approved by the EU Commission
• Adequacy decisions where applicable
• Additional security measures to address Schrems II requirements

11. Return and Deletion of Data

11.1 Upon termination of your subscription, GYBN will:

• Cease processing personal data immediately
• Provide a data export in JSON format within 30 days (upon request)
• Delete all personal data from production systems within 30 days
• Delete all backups containing personal data within 90 days

11.2 GYBN may retain personal data longer if required by law (e.g., tax records for 7 years).

12. Liability and Indemnification

12.1 Each party is liable for damages caused by its breach of data protection obligations as determined by UK GDPR Article 82.

12.2 GYBN's total liability under this DPA is limited to the amounts specified in the main Terms of Service.

13. Term and Termination

This DPA takes effect on the date you subscribe to the Service and continues until termination of your subscription.

14. Governing Law

This DPA is governed by the laws of England and Wales and complies with UK GDPR. Disputes shall be resolved according to the dispute resolution procedures in the Terms of Service.

15. Contact Information