September 1, 2025
This Data Processing Agreement (“DPA” or “Addendum“) forms part of the Terms and Conditions (“Principal Agreement“) between SV Tech Cloud Pte Ltd, a company incorporated in Singapore (“Yuko“) and the Merchant as defined in the Principal Agreement (“Merchant” or “you“).
This DPA sets out the terms that apply when Personal Data is processed by Yuko on behalf of the Merchant in connection with the provision of the Yuko Service.
1.1 In this DPA, the following terms shall have the meanings set out below:
(a) "Applicable Data Protection Laws" means:
(i) the Personal Data Protection Act 2012 of Singapore ("PDPA");
(ii) the EU General Data Protection Regulation 2016/679 ("GDPR");
(iii) the UK Data Protection Act 2018 and the UK GDPR;
(iv) the US Data Protection Laws;
(v) the data protection and privacy laws of Australia, Canada, New Zealand; and
(vi) any other applicable data protection or privacy laws in any relevant jurisdiction;
(b) "Controller" means the entity that determines the purposes and means of the Processing of Personal Data;
(c) "Data Subject" means an identified or identifiable natural person to whom Personal Data relates;
(d) "EU Data Protection Laws" means the GDPR and the Privacy and Electronic Communications Directive 2002/58/EC, as transposed into domestic legislation of each EU Member State;
(e) "GDPR" means the EU General Data Protection Regulation 2016/679;
(f) "Merchant Affiliate" means any entity that directly or indirectly controls, is controlled by, or is under common control with the Merchant;
(g) "Merchant Group Member" means the Merchant or any Merchant Affiliate;
(h) "Merchant Personal Data" means any Personal Data processed by Yuko or any Sub-processor on behalf of a Merchant Group Member pursuant to or in connection with the Principal Agreement;
(i) "Personal Data" means any information relating to an identified or identifiable natural person, and includes "personal data" and "personal information" as defined under Applicable Data Protection Laws;
(j) "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed;
(k) "Processing" means any operation or set of operations performed on Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, alignment, combination, restriction, erasure, or destruction;
(l) "Processor" means the entity that processes Personal Data on behalf of the Controller;
(m) "Service" means the Yuko application and related services provided under the Principal Agreement, including the Reviews, Loyalty, Referral, and Membership features;
(n) "Standard Contractual Clauses" or "SCCs" means:
(i) the European Commission's Standard Contractual Clauses for the transfer of personal data to third countries pursuant to Commission Decision 2021/914/EU (Module Two: Controller to Processor); and
(ii) the UK International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner under Section 119A(1) of the Data Protection Act 2018;
(o) "Sub-processor" means any third party (including any Yuko affiliate) appointed by Yuko to process Merchant Personal Data on behalf of the Merchant in connection with the Service;
(p) "Supervisory Authority" means an independent public authority established by a Member State pursuant to Article 51 of the GDPR, or any equivalent regulatory authority under Applicable Data Protection Laws;
(q) "UK Data Protection Laws" means the UK Data Protection Act 2018, the UK GDPR, and the Privacy and Electronic Communications Regulations 2003;
(r) "UK GDPR" means the GDPR as incorporated into UK law by the European Union (Withdrawal) Act 2018 and amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019;
(s) "US Data Protection Laws" means the California Consumer Privacy Act ("CCPA"), the California Privacy Rights Act ("CPRA"), the Colorado Privacy Act, the Connecticut Data Privacy Act, the Virginia Consumer Data Protection Act, the Utah Consumer Privacy Act, and any other applicable US state or federal data protection laws.
1.2 Capitalised terms not defined in this DPA shall have the meanings given to them in the Principal Agreement.
1.3 The terms "Commission", "Member State", and "Supervisory Authority" shall have the same meaning as in the GDPR.
2.1 Scope: This DPA applies to the Processing of Merchant Personal Data by Yuko in connection with the provision of the Service under the Principal Agreement.
2.2 Roles of the Parties:
(a) The Merchant is the Controller of the Merchant Personal Data;
(b) Yuko is the Processor of the Merchant Personal Data, processing such data on behalf of the Merchant.
2.3 Merchant Responsibilities: The Merchant shall:
(a) comply with all Applicable Data Protection Laws in connection with its use of the Service and its Processing of Merchant Personal Data;
(b) ensure that it has all necessary rights, consents, and lawful bases to collect, transfer, and process Merchant Personal Data and to authorise Yuko to process such data;
(c) provide all required notices to, and obtain all necessary consents from, Data Subjects as required by Applicable Data Protection Laws;
(d) ensure that its instructions to Yuko comply with Applicable Data Protection Laws.
2.4 Merchant Warranty: The Merchant warrants that it is and will remain duly authorised to give instructions on behalf of each Merchant Affiliate in relation to the Processing of Merchant Personal Data.
3.1 Processing Instructions: Yuko shall:
(a) process Merchant Personal Data only on the documented instructions of the Merchant, unless required to do so by Applicable Data Protection Laws, in which case Yuko shall (to the extent permitted by law) inform the Merchant of such legal requirement before Processing;
(b) not process Merchant Personal Data for any purpose other than to provide the Service as set out in the Principal Agreement and this DPA;
(c) immediately inform the Merchant if, in Yuko's opinion, an instruction from the Merchant infringes Applicable Data Protection Laws.
3.2 Merchant Instructions: The Merchant instructs Yuko to process Merchant Personal Data as necessary to:
(a) provide, operate, and maintain the Service;
(b) enable the Reviews, Loyalty, Referral, and Membership features;
(c) transfer Merchant Personal Data to any country or territory as reasonably necessary for the provision of the Service;
(d) comply with the Principal Agreement and any other documented instructions provided by the Merchant.
3.3 Details of Processing: The details of the Processing of Merchant Personal Data, including the subject matter, duration, nature, purpose, categories of Data Subjects, and types of Personal Data, are set out in Annex 1to this DPA.
4.1 Confidentiality: Yuko shall ensure that any person authorised to process Merchant Personal Data:
(a) is subject to a duty of confidentiality (whether contractual or statutory); and
(b) processes Merchant Personal Data only on Yuko's instructions or as required by Applicable Data Protection Laws.
4.2 Access Limitation: Yuko shall take reasonable steps to ensure that access to Merchant Personal Data is limited to those personnel who need access to perform their duties in connection with the Service.
5.1 Security Measures: Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of Data Subjects, Yuko shall implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:
(a) the pseudonymisation and encryption of Personal Data where appropriate;
(b) the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services;
(c) the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident;
(d) a process for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures for ensuring the security of Processing.
5.2 Security Assessment: In assessing the appropriate level of security, Yuko shall take into account the risks presented by Processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Merchant Personal Data.
5.3 Security Details: The technical and organisational security measures implemented by Yuko are described in Annex 2to this DPA. Yuko shall not materially decrease the overall security of the Service during the term of the Principal Agreement.
6.1 Authorisation: The Merchant hereby provides general authorisation for Yuko to engage Sub-processors to process Merchant Personal Data in connection with the Service, subject to the requirements of this Section 6.
6.2 Current Sub-processors: Yuko’s current Sub-processors as of the effective date of this DPA are listed at https://yuko.so/terms/supplementary-terms-for-integrations/. The Merchant agrees to the use of these Sub-processors.
6.3 New Sub-processors: Yuko shall:
(a) maintain an up-to-date list of Sub-processors at https://yuko.so/terms/supplementary-terms-for-integrations/;
(b) provide the Merchant with prior written notice (which may be by email or through the Service) of any intended addition or replacement of Sub-processors, including the Sub-processor's name, location, and the Processing activities to be performed;
(c) provide the Merchant with at least fourteen (14) days to object to the appointment of a new Sub-processor.
6.4 Objection to Sub-processors: If the Merchant has a reasonable, legitimate objection to the appointment of a new Sub-processor based on data protection grounds:
(a) the Merchant shall notify Yuko in writing within fourteen (14) days of receiving notice of the new Sub-processor, setting out the specific grounds for objection;
(b) Yuko shall use reasonable efforts to address the Merchant's objection, which may include proposing an alternative Sub-processor or modifying the Processing arrangements;
(c) if Yuko is unable to address the Merchant's objection to the Merchant's reasonable satisfaction, either party may terminate the affected Service by providing written notice, and the Merchant shall receive a pro-rata refund of any prepaid fees for the terminated Service.
6.5 Sub-processor Obligations: Yuko shall:
(a) carry out appropriate due diligence on each Sub-processor before engagement to ensure that the Sub-processor is capable of providing the level of protection required by this DPA;
(b) enter into a written agreement with each Sub-processor that imposes data protection obligations no less protective than those set out in this DPA;
(c) remain fully liable to the Merchant for the performance of each Sub-processor's obligations.
7.1 Assistance with Data Subject Requests: Taking into account the nature of the Processing, Yuko shall assist the Merchant by implementing appropriate technical and organisational measures, insofar as this is possible, to fulfil the Merchant’s obligations to respond to requests from Data Subjects exercising their rights under Applicable Data Protection Laws, including rights of:
(a) access to Personal Data;
(b) rectification of Personal Data;
(c) erasure of Personal Data ("right to be forgotten");
(d) restriction of Processing;
(e) data portability;
(f) objection to Processing;
(g) not being subject to automated decision-making.
7.2 Notification of Requests: Yuko shall promptly notify the Merchant if Yuko receives a request from a Data Subject in respect of Merchant Personal Data, unless prohibited by law from doing so.
7.3 No Direct Response: Unless otherwise instructed by the Merchant or required by Applicable Data Protection Laws, Yuko shall not respond directly to any Data Subject request without the Merchant’s prior written authorisation.
8.1 Breach Notification: Yuko shall notify the Merchant without undue delay (and in any event within seventy-two (72) hours) upon becoming aware of a Personal Data Breach affecting Merchant Personal Data.
8.2 Breach Information: The notification shall include, to the extent known:
(a) a description of the nature of the Personal Data Breach, including the categories and approximate number of Data Subjects and Personal Data records affected;
(b) the name and contact details of Yuko's data protection contact;
(c) a description of the likely consequences of the Personal Data Breach;
(d) a description of the measures taken or proposed to be taken to address the Personal Data Breach, including measures to mitigate its possible adverse effects.
8.3 Cooperation: Yuko shall:
(a) cooperate with the Merchant and take reasonable steps as directed by the Merchant to assist in the investigation, mitigation, and remediation of the Personal Data Breach;
(b) maintain a record of all Personal Data Breaches and provide the Merchant with reasonable access to such records;
(c) not inform any third party of a Personal Data Breach without the Merchant's prior written consent, unless required by law.
9.1 Assistance: Taking into account the nature of the Processing and the information available to Yuko, Yuko shall provide reasonable assistance to the Merchant with:
(a) data protection impact assessments, to the extent required under Article 35 of the GDPR or equivalent provisions of other Applicable Data Protection Laws;
(b) prior consultations with Supervisory Authorities or other competent authorities, to the extent required under Article 36 of the GDPR or equivalent provisions of other Applicable Data Protection Laws.
10.1 Upon Termination: Upon termination or expiration of the Principal Agreement, Yuko shall, at the Merchant’s election:
(a) return all Merchant Personal Data to the Merchant in a commonly used, machine-readable format; and/or
(b) delete all Merchant Personal Data and existing copies, unless retention is required by Applicable Data Protection Laws.
10.2 Timeframes:
(a) The Merchant may request a return of Merchant Personal Data within thirty (30) days of termination;
(b) Yuko shall complete the return or deletion of Merchant Personal Data within ninety (90) days of the termination date (or receipt of the Merchant's election);
(c) Merchant Personal Data contained in system backups shall be deleted within three hundred sixty-five (365) days of the termination date.
10.3 Retention for Legal Compliance: Yuko may retain Merchant Personal Data to the extent required by Applicable Data Protection Laws, and only for as long as required by such laws. Any retained data shall remain subject to the confidentiality and security obligations of this DPA.
10.4 Certification: Upon request, Yuko shall provide written certification to the Merchant confirming that it has complied with this Section 10.
11.1 Information and Audit: Yuko shall:
(a) make available to the Merchant all information reasonably necessary to demonstrate compliance with this DPA and Applicable Data Protection Laws;
(b) allow for and contribute to audits, including inspections, conducted by the Merchant or a third-party auditor mandated by the Merchant, subject to the conditions in this Section 11.
11.2 Audit Conditions: Any audit or inspection shall be:
(a) conducted during normal business hours with reasonable advance notice (at least thirty (30) days, unless a shorter period is required due to a Personal Data Breach or regulatory requirement);
(b) conducted in a manner that minimises disruption to Yuko's business operations;
(c) subject to reasonable confidentiality obligations;
(d) at the Merchant's expense, unless the audit reveals a material breach of this DPA by Yuko.
11.3 Frequency: The Merchant may conduct no more than one (1) audit per calendar year, unless:
(a) required by a Supervisory Authority or Applicable Data Protection Laws;
(b) a Personal Data Breach has occurred; or
(c) Yuko has materially breached this DPA.
11.4 Third-Party Certifications: Yuko may satisfy audit requests by providing:
(a) relevant third-party certifications (such as ISO 27001 or SOC 2 reports);
(b) summaries of penetration test results;
(c) other documentation that demonstrates compliance with this DPA.
12.1 Transfer Restrictions: Yuko shall not transfer Merchant Personal Data to a country or territory outside the jurisdiction of the Merchant unless:
(a) the transfer is to a country or territory that has been deemed to provide an adequate level of data protection by the relevant authority (such as the European Commission or UK Secretary of State);
(b) appropriate safeguards are in place, such as the Standard Contractual Clauses or other legally approved transfer mechanisms;
(c) a derogation under Applicable Data Protection Laws applies.
12.2 Standard Contractual Clauses: To the extent that Yuko processes Merchant Personal Data originating from the European Economic Area ("EEA") or the United Kingdom and transfers such data to a country that has not been deemed to provide an adequate level of protection:
(a) the parties agree that the Standard Contractual Clauses shall apply to such transfers and are hereby incorporated into this DPA by reference;
(b) the Merchant shall be deemed the "data exporter" and Yuko shall be deemed the "data importer" under the Standard Contractual Clauses;
(c) the details set out in Annex 1shall apply for the purposes of Appendix 1 of the Standard Contractual Clauses;
(d) the technical and organisational measures set out in Annex 2shall apply for the purposes of Appendix 2 of the Standard Contractual Clauses;
(e) the supplementary terms in Annex 3shall apply.
12.3 Additional Safeguards: Yuko shall implement supplementary measures as necessary to ensure that Merchant Personal Data transferred internationally is afforded a level of protection substantially equivalent to that required under Applicable Data Protection Laws.
Where the PDPA applies to the Processing of Merchant Personal Data:
(a) Yuko shall comply with its obligations as a data intermediary under the PDPA;
(b) Yuko shall not transfer Merchant Personal Data outside Singapore except in accordance with the PDPA, including ensuring that the recipient provides a comparable standard of protection;
(c) Yuko shall implement reasonable security arrangements to protect Merchant Personal Data from unauthorised access, collection, use, disclosure, or similar risks.
Where the GDPR or UK GDPR applies to the Processing of Merchant Personal Data:
(a) Yuko shall comply with Article 28 of the GDPR and equivalent provisions of the UK GDPR;
(b) the Standard Contractual Clauses shall apply to international transfers as set out in Section 12;
(c) Yuko shall maintain records of Processing activities as required by Article 30 of the GDPR.
Where US Data Protection Laws apply to the Processing of Merchant Personal Data:
(a) Yuko is a "Service Provider" (as defined under the CCPA) or equivalent term under other US Data Protection Laws;
(b) Yuko shall process Merchant Personal Data only for the specific business purposes set out in this DPA and the Principal Agreement;
(c) Yuko shall not sell or share (as those terms are defined under the CCPA/CPRA) Merchant Personal Data;
(d) Yuko shall not retain, use, or disclose Merchant Personal Data for any purpose other than performing the Service, including for commercial purposes other than providing the Service;
(e) Yuko shall not combine Merchant Personal Data with personal information received from other sources, except as permitted under US Data Protection Laws;
(f) Yuko shall, to the extent required by US Data Protection Laws, assist the Merchant in responding to verifiable consumer requests;
(g) Yuko certifies that it understands and will comply with the restrictions and obligations set out in this Section 13.3.
(a) This DPA shall be governed by and construed in accordance with the laws of the Republic of Singapore, without regard to its conflict of laws principles.
(b) Any disputes arising out of or in connection with this DPA shall be resolved in accordance with the dispute resolution provisions of the Principal Agreement.
(a) Nothing in this DPA reduces Yuko's obligations under the Principal Agreement in relation to the protection of Personal Data.
(b) In the event of any conflict between this DPA and the Principal Agreement, this DPA shall prevail with respect to the Processing of Merchant Personal Data.
(c) In the event of any conflict between this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.
(a) Yuko may update this DPA from time to time to reflect changes in Applicable Data Protection Laws or Yuko's Processing practices.
(b) Material changes to this DPA shall be notified to the Merchant in accordance with the notice provisions of the Principal Agreement.
(c) The Merchant may propose amendments to this DPA that the Merchant reasonably considers necessary to comply with Applicable Data Protection Laws.
If any provision of this DPA is held to be invalid or unenforceable, the remaining provisions shall remain in full force and effect.
This DPA, together with the Principal Agreement and its annexes, constitutes the entire agreement between the parties with respect to the Processing of Merchant Personal Data.
For questions or concerns regarding this DPA or data protection matters, please contact:
SV Tech Cloud Pte Ltd
Data Protection Contact: [email protected]
Address: 160 Robinson Road, Singapore
Website: https://yuko.so
