Yush Data Processing Addendum

Last updated: 28 April, 2026

This Data Processing Addendum (DPA) forms part of the Yush Terms of Service or other written agreement between Yush Ltd and the Customer (Agreement).

This DPA applies where Yush processes personal data on behalf of a Customer in connection with the Yush Service. It is intended to satisfy applicable UK GDPR / GDPR controller-processor contract requirements.

1. Parties and scope

The Customer is the organisation or individual that creates or controls a Reaction Kit and determines why and how Respondent personal data is collected and used.

Yush is the provider of the Service and processes Customer Personal Data on behalf of the Customer, except where Yush acts as an independent controller for its own purposes as described in the Terms, Privacy Policy or this DPA.

This DPA applies to Customer Personal Data processed by Yush as processor. It does not apply to personal data for which Yush is an independent controller, such as Yush account administration, billing, security, product analytics, legal compliance and Yush marketing where permitted.

2. Definitions

Applicable Data Protection Laws: all data protection and privacy laws applicable to the processing of Customer Personal Data, including the UK GDPR, Data Protection Act 2018, GDPR where applicable, PECR and related legislation.

Customer Personal Data: personal data processed by Yush on behalf of the Customer under the Agreement.

Controller, processor, personal data, processing, data subject, personal data breach and supervisory authority: have the meanings given in Applicable Data Protection Laws.

Subprocessor: a third party appointed by Yush to process Customer Personal Data on behalf of Yush in connection with the Service.

3. Processing details

The subject matter, duration, nature, purpose, categories of data subjects and categories of personal data are described in Schedule 1.

The Customer’s documented instructions are to process Customer Personal Data as necessary to provide the Service, comply with the Agreement, support Customer use of Reaction Kits, and comply with applicable law. Additional instructions may be agreed in writing.

4. Yush processor obligations

Yush will:

process Customer Personal Data only on documented Customer instructions unless required by law;

inform the Customer if, in Yush’s opinion, an instruction infringes Applicable Data Protection Laws, unless Yush is prohibited from doing so by law;

ensure that persons authorised to process Customer Personal Data are subject to appropriate confidentiality obligations;

implement appropriate technical and organisational measures to protect Customer Personal Data;

assist the Customer, taking into account the nature of processing, with data subject rights requests where reasonably possible;

assist the Customer with security, breach notification, data protection impact assessment and prior consultation obligations where required by Applicable Data Protection Laws;

make available information reasonably necessary to demonstrate compliance with this DPA;

delete or return Customer Personal Data at the end of the provision of the Service, at the Customer’s choice where applicable, as described in this DPA, subject to legal retention, dispute resolution, security/integrity requirements and backup deletion cycles.

5. Customer obligations

The Customer will:

comply with Applicable Data Protection Laws;

ensure it has a lawful basis for collecting and using Customer Personal Data;

provide clear and accurate notices to Respondents and other data subjects;

configure Reaction Kits accurately and in line with the intended use of Responses;

not use the Service to collect special category data, children’s data or other high-risk data unless appropriate safeguards are in place and Yush has agreed any required additional measures;

ensure that Customer instructions are lawful and do not cause Yush to breach Applicable Data Protection Laws;

securely handle any Customer Personal Data exported from the Service.

6. Confidentiality

Yush will ensure that personnel authorised to process Customer Personal Data are subject to appropriate confidentiality obligations, whether contractual or statutory.

7. Security measures

Yush will implement and maintain appropriate technical and organisational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access. A summary of measures is set out in Schedule 2.

The Customer acknowledges that no system can be guaranteed to be completely secure and that security measures may be updated over time to reflect changes in the Service, risks, technology and legal requirements.

8. Subprocessors

The Customer authorises Yush to appoint Subprocessors to provide the Service. Yush will enter into written agreements with Subprocessors that impose data protection obligations no less protective, in substance, than those in this DPA.

Yush will remain responsible for the performance of Subprocessors to the extent required by Applicable Data Protection Laws.

A list of material Subprocessors or categories of Subprocessors is set out in Schedule 3. Yush may update its Subprocessors from time to time. Where required by Applicable Data Protection Laws, Yush will provide notice of material Subprocessor changes and give the Customer a reasonable opportunity to object on legitimate data protection grounds.

9. International transfers

Yush and its Subprocessors may process Customer Personal Data in the United Kingdom, European Economic Area, United States and other countries where Yush or its Subprocessors operate. Where required, Yush will carry out a transfer risk assessment / data protection test and implement supplementary measures where appropriate.

Where Customer Personal Data is transferred internationally in a way that requires transfer safeguards under Applicable Data Protection Laws, Yush will use appropriate safeguards such as adequacy regulations, the UK International Data Transfer Agreement, the UK Addendum to the EU Standard Contractual Clauses, EU Standard Contractual Clauses or other lawful transfer mechanisms as applicable.

10. Data subject requests

If Yush receives a request from a data subject relating to Customer Personal Data, Yush may respond where it is acting as controller or may refer the request to the Customer where the Customer is the controller.

Where Yush acts as processor, Yush will provide reasonable assistance to the Customer to respond to data subject rights requests, taking into account the nature of the processing and the information available to Yush.

11. Personal data breaches

Yush will notify the Customer without undue delay after becoming aware of a personal data breach affecting Customer Personal Data.

Yush will provide information reasonably available to Yush to assist the Customer in meeting its breach notification obligations. Yush’s notification of a breach is not an acknowledgement of fault or liability.

12. Data protection impact assessments and prior consultation

Yush will provide reasonable assistance to the Customer with data protection impact assessments and prior consultations with supervisory authorities where required by Applicable Data Protection Laws, taking into account the nature of processing and information available to Yush.

Yush may charge reasonable fees for assistance that is extensive, bespoke or outside normal support, unless the assistance is required due to Yush’s breach of this DPA.

13. Deletion and return

On termination of the Agreement or expiry of the relevant retention period, Yush will delete or return Customer Personal Data in accordance with the Agreement, Privacy Policy, applicable settings and the Customer’s documented instructions, unless retention is required by law, necessary for legal claims or dispute resolution, required for security or service integrity purposes, or retained in backups pending ordinary deletion cycles.

Backups may persist for a limited period before being overwritten or deleted in the ordinary course of business.

14. Audits and information

Yush will make available information reasonably necessary to demonstrate compliance with this DPA. The Customer may request information about Yush’s data protection and security measures no more than once in any 12-month period unless required by a supervisory authority, a material security incident or Applicable Data Protection Laws.

Any audit or inspection must be subject to reasonable notice, confidentiality, security requirements, normal business hours and reasonable scope. Yush may refuse or limit access that would compromise security, confidentiality, other customers’ data or Yush’s systems.

15. Yush as independent controller

Yush acts as an independent controller for certain processing, including account administration, authentication, billing, payment administration, fraud prevention, security, service analytics, product improvement, support, legal compliance and Yush marketing where permitted.

Where Yush acts as independent controller, that processing is governed by the Privacy Policy and is not subject to the processor obligations in this DPA.

16. Liability and order of precedence

Liability under this DPA is subject to the liability limits and exclusions in the Agreement, unless prohibited by Applicable Data Protection Laws.

If there is a conflict between this DPA and the Terms of Service in relation to processor obligations, this DPA will prevail. If there is a conflict between this DPA and a signed data processing agreement or signed order form, the signed agreement will prevail to the extent of the conflict.

Schedule 1 - Processing details

Subject matter: Provision of the Yush Service, including Reaction Kit creation, response capture, hosting, storage, display, reporting, exports, support, security and related processing.

Duration: For the term of the Agreement and any applicable retention period, unless deleted earlier in accordance with the Agreement or Customer instructions.

Nature of processing: Collection, recording, hosting, storage, organisation, structuring, retrieval, display, transmission, analysis, export, deletion, moderation support, image processing, AI-assisted transcription and reporting.

Purpose: To provide the Service, process Responses, generate outputs, support Customers, secure the platform, maintain records and comply with documented instructions.

Data subjects: Respondents, Customer users, event attendees, visitors, participants, staff, volunteers, speakers, sponsors, exhibitors and other people whose personal data appears in Responses or Customer Materials.

Personal data: Names, email addresses, photos, images, comments, opinions, reactions, event attendance context, device/browser data, IP addresses, timestamps, session IDs, metadata and any personal data included in free text or photos.

Special category data: Not intentionally requested by default. However, comments/photos may reveal race or ethnic origin, political opinions, religious beliefs, trade union membership, health, disability, sexuality or similar sensitive information. Customers must avoid collecting this unless appropriate safeguards apply.

Frequency: Continuous or event-based, depending on Customer use of the Service.

Schedule 2 - Technical and organisational measures

This summarises Yush’s current technical and organisational measures. Yush may update these measures over time, provided the overall level of protection is not materially reduced.

Access control: User authentication, role-based or account-based access where available, admin access limited to authorised personnel, removal of access when no longer required.

Encryption: Use of HTTPS/TLS for data in transit. Encryption at rest where provided by hosting, database, storage and infrastructure providers.

Hosting and infrastructure: Use of reputable cloud and infrastructure providers with contractual and technical security commitments.

Logging and monitoring: System logs, error monitoring and security monitoring appropriate to the size and maturity of the Service.

Backups and resilience: Backups or provider-level resilience appropriate to the Service. Backups may be subject to ordinary retention and deletion cycles.

Data minimisation: Reaction Kits designed to avoid account creation for Respondents and to collect only the data requested for the relevant use case.

Internal access: Access to production data limited to personnel and contractors with a legitimate need, subject to confidentiality obligations.

Incident response: Internal process for identifying, assessing, escalating and responding to security incidents and personal data breaches.

Subprocessor controls: Use of written agreements with material Subprocessors and review of provider security where appropriate.

Schedule 3 - Subprocessors and service providers

Yush uses third-party Subprocessors and service providers to provide, secure, support and improve the Service. These Subprocessors may access Customer Personal Data only to perform services for Yush and must process Customer Personal Data under written obligations that are no less protective, in substance, than those in this DPA.

Yush may update this Schedule from time to time. Where required by Applicable Data Protection Laws, Yush will provide notice of material Subprocessor changes and give the Customer a reasonable opportunity to object on legitimate data protection grounds.

Provider / category: Purpose

Supabase: Database, authentication, storage and backend services.

Netlify: Hosting, deployment and web application delivery.

Cloudflare: Routing, security, caching, content delivery and edge services.

Stripe: Payment processing, billing and subscription administration.

Google Authentication: Third-party sign-in where a Customer chooses to use Google Sign-In.

Google Analytics / Google Tag Manager: Website and product analytics, tag management and usage measurement where enabled.

Google Cloud services: Cloud services, infrastructure services or AI/image processing services where enabled.

Hotjar: Product analytics, heatmaps, session insights and user experience analysis where enabled.

Resend: Transactional email delivery.

HubSpot: CRM, customer relationship management, marketing workflows and customer communication workflows where enabled.

OpenAI: AI-assisted analysis, summarisation, transcription, classification, question generation or report generation where enabled.

Error monitoring and support providers: Error monitoring, diagnostics, customer support, operational troubleshooting and incident investigation where such providers process Customer Personal Data.

File storage, email, analytics, design and operational tooling providers: Limited-purpose operational tooling used to provide, support, secure or improve the Service, where such providers process Customer Personal Data.

Schedule 4 - Customer instructions and high-risk use cases

The Customer instructs Yush to process Customer Personal Data to provide the Service in accordance with the Agreement, this DPA, the Customer’s settings and documented instructions.

The Customer must not use the Service for high-risk use cases without assessing the risk and agreeing any necessary safeguards with Yush. High-risk use cases include children, schools, youth groups, health or disability data, political or religious events, trade union contexts, employment grievances, vulnerable groups, public-sector statutory services, law enforcement, immigration, legal proceedings or any use where Responses could materially affect individuals’ rights, benefits, employment, access to services or reputation.