Data Processing Agreement
Last updated: April 25, 2026 · Pursuant to GDPR Article 28
1. Parties
Data Controller
You, the Yellsy user, in respect of personal data you provide about yourself or third parties (e.g. co-travellers).
Data Processor
Yellsy SAS, acting as processor when processing your data to deliver the Service on your behalf.
2. Subject Matter & Duration
Yellsy processes personal data to provide price monitoring, booking, and notification services. Processing continues for the duration of your active account and for the retention periods specified in our Privacy Policy.
3. Nature & Purpose of Processing
Processing activities include: storing account credentials and PII (encrypted at rest), executing price searches via third-party APIs, recording booking confirmations, sending transactional notifications, and maintaining audit logs for security purposes.
4. Categories of Data Subjects & Personal Data
| Category | Details |
|---|---|
| Data subjects | Registered account holders and co-travellers |
| Identity data | Name, email, phone number |
| Financial data | Stripe customer tokens |
| Travel data | Preferences, search history, bookings |
| Technical data | IP address, device identifiers |
5. Processor Obligations
Yellsy as processor shall:
- Process personal data only on documented instructions from the controller (your use of the Service)
- Ensure persons authorised to process data are bound by confidentiality obligations
- Implement appropriate technical and organisational security measures (Art. 32 GDPR)
- Assist the controller in responding to data subject rights requests
- Delete or return all personal data upon termination of the Service, at the controller's choice, and delete remaining copies unless EU or Member State law requires their retention
- Provide all information necessary to demonstrate compliance with Art. 28 obligations
6. Sub-Processors
| Sub-processor | Purpose | Location | Safeguard |
|---|---|---|---|
| Stripe, Inc. | Payment processing | USA | SCCs applied |
| Resend, Inc. | Transactional email | USA | SCCs applied |
| Twilio, Inc. | SMS delivery | USA | SCCs applied |
| Duffel Technologies Ltd | Flight search & booking API | UK | EU adequacy decision for the UK |
| Amadeus IT Group SA | Flight/hotel/car search API | Spain (EEA) | Intra-EEA processing; no transfer mechanism required |
| Cloudflare, Inc. | CDN, DDoS, bot management | USA | SCCs applied |
We will inform you of intended sub-processor changes with 30 days' notice. You may object to new sub-processors; if unresolved, you may terminate the Service without penalty.
7. Security Measures
Technical measures
- AES-256-GCM encryption at rest for all PII
- bcrypt password hashing (per-password salt)
- TLS 1.2 or higher for all data in transit
- JWT session tokens: 2-hour access tokens, 30-day refresh tokens
- Redis-backed per-IP rate limiting of authentication attempts (brute-force protection)
- Mandatory 2FA for all accounts
Organisational measures
- Principle of least privilege access control
- Background checks for staff with production access
- Documented incident response plan
- Annual security reviews
8. Data Breach Notification
In the event of a personal data breach, Yellsy, acting as processor, will notify affected controllers without undue delay after becoming aware of it, as required by GDPR Art. 33(2), and in any case within 72 hours, so that the controller can meet its own 72-hour deadline for notifying the supervisory authority under Art. 33(1).
9. Audits
Yellsy will make available all information necessary to demonstrate compliance. Audits may be conducted upon reasonable written notice, no more than once per year, at the controller's expense.
10. Governing Law
This DPA is governed by French law and by the GDPR, which applies directly, as supplemented by French Law no. 78-17 (Loi Informatique et Libertés).
11. Contact
Questions? Contact us