Data Processing Agreement
Last updated: May 23, 2026 · Yellsy LLC · Pursuant to GDPR Article 28
This Data Processing Agreement applies exclusively to professional enterprise users, commercial corporate clients, and validated platform Partners whose use of Yellsy involves the processing of personal data relating to their own employees, customers, or travelers. Individual consumer accounts are governed by our Privacy Policy and are not subject to this document.
Regulatory alignment
Yellsy LLC is a United States company. This agreement applies GDPR-aligned data processing standards to all processing activities involving personal data originating from the European Economic Area, the United Kingdom, and any other jurisdiction where equivalent data protection obligations exist. For EEA controllers instructing Yellsy LLC as a processor, this DPA serves as the Article 28 agreement required by the General Data Protection Regulation.
1. Purpose and Structural Scope
This Data Processing Agreement ("DPA") sets out the binding contractual commitments between Yellsy LLC ("Company", "we", "us") and any professional enterprise user, commercial corporate client, or validated platform Partner (collectively, the "Client") whose corporate use of the Yellsy platform at yellsy.com (the "Platform") involves the processing of personal information relating to third parties.
This DPA is incorporated into and forms an indivisible part of the Yellsy LLC Global Terms of Service. In the event of any conflict between the terms of this DPA and any other agreement between the parties, the data protection requirements outlined in this document shall prevail with respect to the processing of personal data.
By accessing the Platform or by entering into a service agreement that references this DPA, the Client agrees to be legally bound by these terms in their entirety. If the Client is applying on behalf of a company or organization, the person accepting these terms confirms that they have the authority to bind that entity.
2. Definitions
For the purposes of this DPA, the following definitions apply:
Personal Data
Any structured information relating to an identified or identifiable natural person captured during the use of the Platform, including traveler profiles, identity documents, and booking records.
Sensitive Personal Data
Personal data that reveals racial or ethnic origin, political opinions, religious beliefs, health information, biometric data, or criminal records. Yellsy does not intentionally collect sensitive personal data and asks that Clients avoid transmitting it through the Platform.
Data Controller
The entity that determines the purposes and means of processing personal data. In the context of this DPA, the Client acts as the Data Controller with respect to personal data of their travelers or employees.
Data Processor
The entity that processes personal data exclusively on behalf of and under the documented instructions of the Data Controller. Yellsy LLC acts as the Data Processor when handling personal data on the Client's instructions.
Sub-Processor
Any external downstream technical or commercial partner engaged by Yellsy LLC to execute specific processing activities. A full list is provided in Section 9.
Processing
Any operation performed on personal data, including collection, storage, retrieval, use, transmission, encryption, and deletion.
Personal Data Breach
A security incident leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted or stored by Yellsy LLC.
Standard Contractual Clauses (SCCs)
The standard data protection clauses adopted by the European Commission for the transfer of personal data to third countries, as applicable under GDPR Article 46(2)(c).
3. Roles of the Parties
Data Controller
The Client, meaning the enterprise, company, or professional Partner accessing the Platform. The Client determines the purposes for which traveler or employee personal data is processed and is responsible for having a valid legal basis for instructing Yellsy LLC to process that data.
Data Processor
Yellsy LLC, acting exclusively on the documented instructions of the Client when processing personal data to deliver the travel booking and management services. Yellsy LLC does not determine the purposes of processing and does not use Client personal data for its own commercial purposes.
Note: In certain scenarios where Yellsy LLC also determines the purposes of processing independently, including for fraud prevention, platform security, and aggregated analytics across all users. In those situations, Yellsy LLC may act as a Data Controller in its own right. Those activities are described in our Privacy Policy and are not governed by this DPA.
4. Categories of Personal Data Processed
When the Client uses the Platform to book corporate travel or manage employee travel programs, the following categories of personal data may be processed:
Identity data
- →Full legal name
- →Date of birth
- →Nationality
- →Passport or national ID number
- →Document expiration date
Contact data
- →Email address
- →Phone number
- →Billing or delivery address
Travel data
- →Flight itineraries and booking references
- →Hotel and transfer reservations
- →Seat preferences and meal requests
- →Frequent flyer numbers
Financial data
- →Stripe payment tokens (no raw card numbers stored)
- →Transaction identifiers and amounts
- →Refund and chargeback records
Technical data
- →IP address (truncated in analytics)
- →Device and browser identifiers
- →Session tokens and access logs
Yellsy LLC does not seek to process sensitive personal data as defined in Section 2. The Client is responsible for ensuring that no sensitive categories of personal data are transmitted to the Platform without appropriate safeguards and legal authorization.
5. Nature, Purpose, and Duration of Processing
Yellsy LLC processes personal data on behalf of the Client for the following operational purposes, and no other:
Duration of processing
Processing continues for the duration of the Client's active enterprise account. Upon termination of the service relationship, Yellsy LLC will retain personal data only for the periods required by applicable law, as described in Section 13, and will not use it for any new processing activity.
6. Documented Instructions and Purpose Limitation
Yellsy LLC shall process personal data solely on the basis of documented instructions from the Client. The Client's use of the Platform features, including submitting traveler profiles, initiating booking sequences, and managing itineraries, constitutes documented instructions for the purposes of this DPA.
Yellsy LLC shall not process the Client's personal data for any purpose beyond what is described in Section 5 of this agreement, including for Yellsy LLC's own commercial purposes, marketing activities, or cross-client profiling. If Yellsy LLC is required by applicable law to process personal data in a manner not covered by the Client's instructions, Yellsy LLC will inform the Client before processing unless that law prohibits such notification.
If Yellsy LLC believes that a documented instruction infringes applicable data protection law, Yellsy LLC will promptly notify the Client of that concern in writing. Yellsy LLC may suspend the relevant processing pending written clarification from the Client.
Controller representation
By submitting traveler data through the Platform, the Client represents and warrants that it has a valid legal basis for the processing it is instructing, that the data subjects whose information is submitted have been informed of this processing in accordance with applicable law, and that the Client has obtained any consent or other authorization required to share this data with Yellsy LLC and its sub-processors.
7. Confidentiality Obligations
Yellsy LLC shall ensure that all employees, contractors, and personnel who have access to Client personal data are bound by written confidentiality obligations that survive the termination of their engagement with Yellsy LLC. Access to personal data is restricted to personnel who require it for the specific purpose of delivering the services described in Section 5.
Yellsy LLC applies a strict need to know access control policy. Database access to production systems containing personal data requires role-based authorization and is reviewed on a regular basis. Administrative access is logged, and logs are retained for a minimum of twelve months for audit purposes.
These confidentiality obligations apply with equal force to all sub-processors engaged by Yellsy LLC under Section 9. Yellsy LLC shall ensure, through contractual means, that sub-processors are subject to equivalent restrictions.
8. Technical and Organizational Security Measures
Yellsy LLC implements the following technical and organizational measures to protect Client personal data against unauthorized access, accidental loss, destruction, or disclosure. These measures reflect the current state of technology, the cost of implementation, and the nature and risks of the personal data processed.
Technical measures
- →AES-256-GCM encryption at rest for all personal data, including passport records and travel identifiers
- →TLS 1.3 encryption in transit across all connections between the Platform, cloud infrastructure, and travel partners
- →bcrypt password hashing with a unique cryptographic salt per account
- →Short-lived JWT access tokens (2 hours) with rotating refresh tokens (30 days)
- →Redis-backed IP rate limiting and brute force protection on all authentication endpoints
- →Web Application Firewall (WAF) and DDoS mitigation via Cloudflare
- →Automated vulnerability scanning and dependency auditing on each deployment
- →Database access restricted to encrypted private network connections
Organizational measures
- →Role-based access control with least privilege principles applied to all production systems
- →Written confidentiality agreements for all personnel with access to production data
- →Documented security incident response plan with designated response roles
- →Annual security architecture reviews and periodic penetration testing
- →Formal off-boarding procedure to revoke access credentials on departure
- →Change management process for modifications to data pipeline architecture
- →Vendor security assessments before onboarding new sub-processors
The measures described above represent the minimum baseline. Yellsy LLC reserves the right to update, strengthen, or modify these measures at any time. Updates that reduce the overall level of protection will be communicated to Clients in writing with a minimum of thirty (30) calendar days notice before implementation.
9. Sub-Processor Management and Authorization
By entering into this DPA, the Client grants Yellsy LLC a general written authorization to engage the sub-processors listed below for the purposes described. Yellsy LLC has assessed each sub-processor and is satisfied that they offer sufficient guarantees regarding the technical and organizational measures they apply to processing activities that involve Client personal data.
Yellsy LLC shall impose data protection obligations on each sub-processor by way of a written contract that requires the sub-processor to protect personal data to a standard no less protective than that required by this DPA.
| Sub-Processor | Purpose | Location | Transfer Safeguard |
|---|---|---|---|
| Stripe, Inc. | Payment processing and fraud detection | United States | EU Standard Contractual Clauses |
| Resend, Inc. | Transactional email delivery | United States | EU Standard Contractual Clauses |
| Twilio, Inc. | SMS and voice notifications | United States | EU Standard Contractual Clauses |
| Duffel Technologies Ltd | Flight search, booking, and ticketing services | United Kingdom | UK adequacy decision + SCCs |
| Amadeus IT Group SA | Flight, hotel, and car rental search services | Spain (EEA) | EEA processing (no transfer) |
| GoKyte | Ancillary travel payment relay services | Varies by airline | EU Standard Contractual Clauses |
| Travelport Worldwide Ltd | Global travel booking and inventory services | United States | EU Standard Contractual Clauses |
| Hotelbeds Group SL | Hotel and accommodation inventory services | Spain (EEA) | EEA processing (no transfer) |
| Cloudflare, Inc. | CDN, DDoS protection, and bot management | United States | EU Standard Contractual Clauses |
| Oracle Cloud Infrastructure | Cloud hosting and compute infrastructure | United States (multi-region) | EU Standard Contractual Clauses |
Notice of sub-processor changes
Yellsy LLC will notify the Client of any intended addition or replacement of a sub-processor by updating this page and sending notice to the Client's registered administrative email address at least thirty (30) calendar days before the change takes effect. The Client has the right to raise a reasonable written objection within ten (10) business days of receiving such notice. If the parties cannot resolve the objection within a further fifteen (15) business days, the Client may terminate the service relationship without penalty, subject to receiving a prorated refund of any prepaid fees covering the period after the effective termination date.
10. International Data Transfers
Because Yellsy LLC is incorporated in the United States and its cloud infrastructure spans multiple regions, some processing activities under this DPA involve the transfer of personal data originating from the European Economic Area or the United Kingdom to servers or service providers located outside those territories. Yellsy LLC ensures that all such transfers are carried out with an appropriate legal safeguard in place.
Transfers to the United States
Yellsy LLC relies on the Standard Contractual Clauses adopted by the European Commission (Module 2: Controller to Processor) as the legal basis for transfers of EEA personal data to Yellsy LLC and to US-based sub-processors. The SCCs are incorporated by reference into this DPA.
Transfers to the United Kingdom
For transfers from the EEA to UK-based processors, Yellsy LLC relies on the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs, as applicable.
EEA to EEA processing
Where data originates from and is processed within the EEA (for example, through Amadeus or Hotelbeds infrastructure located in Spain), no additional transfer mechanism is required.
Yellsy LLC monitors changes in transfer mechanism requirements and will update its transfer safeguards accordingly. Clients who require a copy of the applicable SCCs may request them by contacting contact@yellsy.com.
11. Data Subject Rights Assistance
Yellsy LLC shall provide the Client with reasonable technical assistance to help the Client respond to requests from individual data subjects exercising their rights under applicable data protection law. Given that the Client is the Data Controller, requests from data subjects are the Client's responsibility to handle. Yellsy LLC's obligation is to facilitate, not to respond directly to data subjects on the Client's behalf.
Right of access (Art. 15 GDPR)
Yellsy LLC will provide the Client with an export of personal data associated with a specific data subject identifier upon written request.
Right to rectification (Art. 16 GDPR)
The Client may update traveler profile data directly through the Platform dashboard. Yellsy LLC will correct records in downstream systems where technically feasible.
Right to erasure (Art. 17 GDPR)
Upon the Client's written instruction, Yellsy LLC will delete or anonymize the relevant personal data, subject to lawful retention requirements described in Section 13.
Right to restriction and portability (Arts. 18, 20 GDPR)
Yellsy LLC will restrict processing and provide data exports in machine-readable format upon written request from the Client.
Yellsy LLC will respond to Client assistance requests within five (5) business days. Where a request is technically complex, Yellsy LLC will provide a progress update within that period and a final response within thirty (30) calendar days.
12. Data Protection Impact Assessments
Where the Client, as Data Controller, determines that a planned processing activity under this DPA is likely to result in a high risk to the rights and freedoms of natural persons and therefore requires a Data Protection Impact Assessment (DPIA) under GDPR Article 35, Yellsy LLC shall provide reasonable cooperation and assistance in completing that assessment.
This assistance may include providing documentation of the technical and security measures described in Section 8, confirming the sub-processor list in Section 9, and offering written responses to specific questions raised in the DPIA process. Yellsy LLC reserves the right to charge reasonable fees for assistance that requires significant engineering or legal resources, and will communicate any such fee before providing the assistance.
13. Data Retention and Deletion
Yellsy LLC will retain Client personal data only for as long as is necessary to fulfill the purposes described in Section 5, or as required by applicable law. The following retention principles apply:
Active account data
Retained for the duration of the Client's active enterprise account and for a period not exceeding ninety (90) calendar days after account closure, during which the Client may request data portability or deletion.
Financial transaction records
Payment transaction records, booking invoices, and commission records are retained for seven (7) years from the date of the transaction, in compliance with applicable tax and accounting regulations.
Security and audit logs
Access logs, authentication records, and security event logs are retained for twelve (12) months for incident investigation purposes.
Anonymized analytics
Aggregated, anonymized data from which no individual can be identified may be retained indefinitely for platform improvement and statistical purposes.
Upon termination of the service relationship and the expiry of the applicable retention periods, Yellsy LLC shall securely delete or permanently anonymize all personal data processed on behalf of the Client, including copies held by sub-processors, to the extent that sub-processors provide deletion certification upon request.
The Client may request written certification of deletion within sixty (60) calendar days of the termination date by contacting contact@yellsy.com.
14. Personal Data Breach Notification
72-hour notification commitment
In the event that Yellsy LLC becomes aware of a verified personal data breach affecting Client personal data, Yellsy LLC will notify the Client's designated technical administrator by email within seventy-two (72) hours of confirming that a breach has occurred. Where it is not possible to provide complete information within this window, Yellsy LLC will provide an initial notification followed by further details as the investigation progresses.
The breach notification will include, to the extent then known:
Yellsy LLC will cooperate with the Client in preparing any notifications to supervisory authorities or affected individuals that the Client is required to make in its capacity as Data Controller under GDPR Articles 33 and 34.
15. Audits and Compliance Verification
Yellsy LLC shall make available to the Client all information reasonably necessary to demonstrate compliance with the obligations laid out in this DPA. This may include security compliance certifications, independent penetration test reports, security policy documentation, and written responses to structured questionnaires submitted by the Client.
Where the Client requires an on-site audit or inspection of Yellsy LLC's data processing facilities and systems, such an audit shall be:
Where Yellsy LLC holds an applicable third-party security certification (such as SOC 2 Type II or ISO 27001), that certification may be provided in lieu of a full on-site audit, at Yellsy LLC's discretion.
16. Liability and Indemnification
Each party shall be liable for the portion of any regulatory fine, compensation award, or third-party claim that is attributable to its own failure to comply with applicable data protection law or the obligations of this DPA. The following principles govern the allocation of liability between the parties:
Processor liability limitation
Yellsy LLC shall not be liable for any loss or damage arising from the Client's instructions, including where those instructions were unlawful or exceeded the Client's authority as a Data Controller. Yellsy LLC shall also not be liable for breaches caused by unauthorized modifications to the Platform by the Client or their technical personnel.
Sub-processor liability
Where Yellsy LLC is at fault for a breach that arises from a sub-processor's failure, Yellsy LLC shall bear liability for that sub-processor's acts and omissions in the same way it bears liability for its own acts. Where a sub-processor fails independently of any failure by Yellsy LLC, liability is limited to the extent Yellsy LLC failed in its contractual obligation to ensure the sub-processor met required standards.
Cap on liability
Unless otherwise agreed in a separate enterprise contract, Yellsy LLC's total aggregate liability to the Client under or in connection with this DPA shall not exceed the total fees paid by the Client to Yellsy LLC in the twelve (12) months preceding the event giving rise to the claim.
Nothing in this section limits Yellsy LLC's liability for gross negligence, willful misconduct, or fraudulent misrepresentation, or for any type of liability that cannot be excluded or limited by applicable law.
17. Governing Law and Dispute Resolution
This Data Processing Agreement is governed by and shall be construed in accordance with the laws of the United States and the jurisdiction in which Yellsy LLC is formally registered as a corporate entity. For Clients located in the European Economic Area or the United Kingdom, the mandatory data protection standards of the GDPR and the UK GDPR apply as a matter of regulatory law, irrespective of this governing law clause.
Before initiating any formal legal proceedings, both parties agree to attempt to resolve any dispute arising out of or in connection with this DPA in good faith through direct written communication for a period of no less than thirty (30) calendar days from the date the dispute is first raised in writing to contact@yellsy.com.
If the parties cannot reach a resolution within that period, either party may refer the matter to the competent courts of the jurisdiction governing this agreement. Clients in the EEA retain the right to lodge a complaint with their local supervisory authority at any time, independently of any dispute resolution process between the parties.
18. Modifications to This Agreement
Yellsy LLC may update this DPA at any time to reflect changes in applicable law, regulatory guidance, or our technical infrastructure. Material changes will be communicated to active enterprise Clients by email at least thirty (30) calendar days before they take effect. The updated DPA will be published at this page with a revised effective date.
If a Client does not agree with a material change, they may notify Yellsy LLC in writing within the notice period and terminate their service agreement without penalty with respect to the data processing relationship, subject to a prorated refund of any prepaid fees.
19. Contact
Yellsy LLC · Data Privacy Team
Email: contact@yellsy.com
For all DPA-related inquiries including requests for SCC documentation, sub-processor details, deletion certifications, audit requests, and data subject rights assistance. We will acknowledge your request within three (3) business days and provide a substantive response within fifteen (15) business days.
Questions? Contact us