
Data Processing Agreement (DPA)

1. Parties and Object

1.1 Data Processor

Yellowhak OÜ, registered at Harju maakond, Tallinn, Lasnamäe linnaosa, Lõõtsa tn 5, 11415, Estonia, acts as Data Processor for the personal data accessed or processed during cybersecurity engagements (penetration tests, Red Team operations, AI security audits) conducted on behalf of the Client.

1.2 Data Controller

The Client (the company or individual that engages Yellowhak OÜ) acts as Data Controller for the personal data within its systems, networks, and applications that may be accessed during authorized security assessments.

1.3 Object

This DPA governs the processing of personal data by Yellowhak OÜ on behalf of the Client in the context of cybersecurity engagements, including access to system logs, network traffic, user databases, application data, and any other personal data within the authorized scope of testing.

2. Processing Instructions

Yellowhak OÜ shall process personal data only in accordance with: (i) the signed Statement of Work (SOW); (ii) the Client's documented instructions; (iii) applicable data protection laws. Yellowhak OÜ will inform the Client if any instruction, in its professional opinion, would infringe applicable data protection legislation.

3. Obligations of Yellowhak OÜ as Processor

Yellowhak OÜ shall: (i) process personal data exclusively for the purposes defined in the SOW; (ii) ensure all personnel involved in the engagement are bound by confidentiality agreements; (iii) implement and maintain appropriate technical and organizational security measures (Art. 32 GDPR); (iv) assist the Client in responding to data subject rights requests; (v) delete or return all personal data within 30 days of engagement completion, unless retention is required by law.

4. Sub-processors

Yellowhak OÜ may engage sub-processors (e.g., cloud infrastructure, specialized scanning tools) subject to: (i) prior general authorization from the Client; (ii) contractual obligations equivalent to this DPA; (iii) notification to the Client of any new sub-processor, with a 14-day objection period. Yellowhak OÜ remains fully liable for the acts and omissions of its sub-processors.

5. Security Measures (Art. 32 GDPR)

5.1 Technical Measures

  • Encryption in transit (TLS 1.3) and at rest (AES-256) for all engagement data.
  • Secure, encrypted VPN connections for remote testing activities.
  • Isolated testing environments to prevent data contamination.
  • Automated log purging after the defined retention period.
  • Multi-factor authentication (MFA) for all Yellowhak OÜ personnel systems.

5.2 Organizational Measures

  • Security clearance and background checks for all operators.
  • Need-to-know access controls for engagement data.
  • Regular internal security training and awareness programs.
  • Documented incident response procedures with defined escalation paths.

6. Assistance with Data Subject Rights

When Yellowhak OÜ directly receives a data subject rights request (access, rectification, erasure, portability, restriction, or objection) related to personal data for which the Client is the Controller, Yellowhak OÜ shall: (i) forward the request to the Client within 5 business days; (ii) provide the Client with reasonably necessary technical assistance; (iii) not respond directly to the data subject without the Client's authorization, unless legally required.

7. Breach Notification

In the event of a security breach affecting personal data processed on behalf of the Client, Yellowhak OÜ shall notify the Client without undue delay and in any case within 36 hours of becoming aware, providing: (i) nature of the breach; (ii) DPO contact details; (iii) possible consequences; (iv) remedial measures taken or proposed. It is the Client's responsibility as Controller to notify the supervisory authority (within 72 hours per Art. 33 GDPR) and, where applicable, affected data subjects.

8. International Data Transfers

When personal data processing involves a transfer outside the EEA, Yellowhak OÜ ensures the transfer is made solely: (i) to countries with an adequate level of protection recognized by the European Commission; (ii) under Standard Contractual Clauses (SCCs) per Decision (EU) 2021/914; or (iii) under other appropriate safeguards per Art. 46 GDPR. SCCs are available upon request to legal@yellowhak.com.

9. Audit and Accountability

Yellowhak OÜ shall make available to the Client all information necessary to demonstrate compliance with this DPA and allow and contribute to audits, including inspections. Audits require 30 days' prior written notice, are limited to once per year, conducted during business hours, subject to confidentiality agreements, and at the Client's expense.

10. Duration and Termination Effects

This DPA remains in effect for the duration of the cybersecurity engagement. Upon completion: (i) the Client has 30 days to request the return of any personal data accessed; (ii) Yellowhak OÜ will then securely delete all personal data from its systems and those of its sub-processors; (iii) upon request, Yellowhak OÜ will issue a written deletion certification; (iv) only data required by legal mandate (e.g., tax records) will be retained.

11. Governing Law

This DPA is governed by the laws of the Republic of Estonia and EU law, in particular the GDPR. Disputes are resolved in accordance with the arbitration clause in the Terms of Service, subject to the specific requirements of data protection regulation.
