Data Processing Addendum

This Data Processing Addendum ("DPA") forms part of the agreement between 388 LABS PTY LTD (trading as Yak App, "yak," "we," or "us") and the customer ("Customer," "you") that governs your use of the yak platform (the "Service"). It applies where, in providing the Service, yak processes Personal Data on your behalf and you act as the controller (or as a processor for your own end users). In the event of a conflict with the main agreement, this DPA controls with respect to the processing of Personal Data.

1. Definitions

"Personal Data," "controller," "processor," "data subject," and "processing" have the meanings given in applicable data protection laws (including, where applicable, the EU/UK GDPR and the Australian Privacy Act 1988). "Subprocessor" means a third party engaged by yak to process Personal Data. "Customer Personal Data" means Personal Data that yak processes on your behalf in providing the Service.

2. Roles of the parties

With respect to Customer Personal Data, you are the controller (or processor) and yak is the processor (or subprocessor). Each party will comply with its obligations under applicable data protection laws. You are responsible for ensuring you have a lawful basis and appropriate notices and consents in place to provide Customer Personal Data — and to permit your end users' conversation content — to yak and its Subprocessors.

3. Scope and nature of processing

yak processes Customer Personal Data only to provide and support the Service, in accordance with your documented instructions (including as configured through the Service), and as otherwise required by law. The subject matter, duration, nature and purpose of processing, the types of Personal Data, and the categories of data subjects are described in the Annex below.

4. Processor obligations

• Process Customer Personal Data only on your documented instructions.
• Ensure personnel authorized to process Customer Personal Data are bound by confidentiality.
• Implement appropriate technical and organizational security measures (Section 5).
• Assist you, taking into account the nature of processing, in responding to data subject requests and in meeting your security, breach-notification, and impact-assessment obligations.
• Make available information reasonably necessary to demonstrate compliance with this DPA.

5. Security

yak maintains appropriate technical and organizational measures designed to protect Customer Personal Data against unauthorized access, alteration, disclosure, or destruction. These include encryption in transit, access controls and least-privilege credentials, network and infrastructure isolation, key management, and logging and monitoring. Customer-configurable conversation retention and deletion controls are described in our Privacy Policy.

6. Subprocessors

You authorize yak to engage the Subprocessors listed on our Subprocessors page to process Customer Personal Data. yak imposes data-protection obligations on each Subprocessor that are no less protective than those in this DPA, and remains responsible for its Subprocessors' performance. We will update the Subprocessors page before engaging a new Subprocessor that processes Personal Data; you may object on reasonable data-protection grounds, in which case the parties will work in good faith to resolve the objection.

7. International data transfers

Where the provision of the Service involves transferring Personal Data across borders, yak will ensure such transfers are carried out in accordance with applicable data protection laws, including by relying on appropriate safeguards such as Standard Contractual Clauses or an equivalent transfer mechanism where required.

8. Personal data breaches

yak will notify you without undue delay after becoming aware of a Personal Data breach affecting Customer Personal Data, and will provide information reasonably available to help you meet your notification obligations.

9. Return and deletion of data

Conversation data is deleted automatically according to the retention period the Customer configures per application, measured from each conversation's creation. On termination of the Service, yak will delete or return Customer Personal Data in accordance with the main agreement and this DPA, except where retention is required by law. Residual copies in routine backups are deleted in the ordinary course.

10. Audit

On reasonable prior written request, and subject to confidentiality obligations, yak will make available information necessary to demonstrate compliance with this DPA. Audits are limited in frequency and scope as set out in the main agreement.

Annex — Details of processing

• Subject matter: provision of the yak AI assistant platform.
• Duration: for the term of the agreement and any configured retention period thereafter.
• Nature and purpose: hosting, processing, and generating AI assistant responses; storing conversation history (when enabled); billing; analytics; and operating and supporting the Service.
• Types of Personal Data: account and contact details, authentication data, billing data, conversation content (prompts, messages, responses, attachments), and usage and device metadata.
• Categories of data subjects: Customer's personnel and the Customer's end users who interact with a yak-powered assistant.

Contact

To request a countersigned copy of this DPA or for questions about data processing, contact: