This Data Processing Addendum forms part of the agreement between Yezda Ltd (Processor) and the Customer (Controller) and reflects the parties' obligations under Article 28 UK GDPR. It applies whenever Yezda processes personal data on the Customer's behalf, including all BS7858, BPSS and PSA screening engagements.
This DPA is incorporated into the Master Services Agreement and any Order Form between Yezda and the Customer. It governs Yezda's processing of personal data as Processor.
"Controller", "Processor", "data subject", "personal data", "processing", "personal data breach" and "supervisory authority" have the meanings given in the UK GDPR. "Applicable Data Protection Laws" means the UK GDPR, the Data Protection Act 2018, PECR, and any binding guidance issued by the ICO.
For the screening services, the Customer is Controller and Yezda is Processor, save that Yezda is independent Controller for: (a) account administration of the Customer's users; (b) financial records and audit logs; (c) anonymised aggregate analytics.
The subject matter, duration, nature and purpose of processing, and the categories of personal data and data subjects, are described in Annex A.
Yezda will process personal data only on the Customer's documented instructions, including those set out in the agreement, the Customer's portal configuration, and any further instructions agreed in writing. Yezda will inform the Customer if it considers an instruction infringes Applicable Data Protection Laws (without obligation to perform a legal review).
Yezda will implement and maintain the technical and organisational measures set out in Annex B, designed to ensure a level of security appropriate to the risk in accordance with Article 32 UK GDPR. Yezda is certified to ISO/IEC 27001:2022 and aligns its security programme to the NCSC Cyber Assessment Framework.
Yezda will ensure all personnel authorised to process personal data are bound by written confidentiality obligations and receive annual data-protection and security training. Access is granted on a least-privilege basis and reviewed quarterly.
The Customer authorises Yezda's use of sub-processors listed in Annex C. Yezda will give the Customer at least 30 days' notice before adding or replacing a sub-processor. The Customer may object on reasonable grounds related to data protection, in which case the parties will work in good faith to resolve the objection; if not resolved, the Customer may terminate the affected services without penalty.
Yezda will impose data-protection terms on each sub-processor that are no less protective than those in this DPA, and remains liable for the acts and omissions of its sub-processors.
Personal data is hosted in the United Kingdom. Where any transfer outside the UK occurs, Yezda will rely on (a) a UK adequacy decision; (b) the UK International Data Transfer Agreement (IDTA); or (c) the UK Addendum to the EU SCCs, in each case supported by a transfer risk assessment.
Yezda will, taking into account the nature of the processing, assist the Customer by appropriate technical and organisational measures, insofar as possible, to fulfil its obligations to respond to data subject rights requests under Articles 15–22 UK GDPR. Where a request is received directly by Yezda, Yezda will forward it to the Customer without undue delay and will not respond to the data subject (other than to acknowledge receipt) without the Customer's instruction.
Yezda will notify the Customer without undue delay (and in any event within 48 hours) on becoming aware of a personal data breach affecting the Customer's data, providing the information required under Article 33(3) UK GDPR to the extent then known, with updates as further information becomes available. Yezda will assist the Customer with its breach-notification obligations to the ICO and to data subjects.
Yezda will provide reasonable assistance with data protection impact assessments and prior consultations under Articles 35–36 UK GDPR.
Yezda will make available to the Customer all information necessary to demonstrate compliance with Article 28, and allow for and contribute to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer. Audits will (a) be carried out on at least 30 days' written notice; (b) be limited to once per 12-month period (save where required by law or following a breach); (c) be subject to confidentiality and reasonable security restrictions; and (d) where Yezda's then-current ISO 27001 certification, SOC 2 Type II report, or equivalent third-party assurance covers the audit scope, that report will be made available in lieu of an on-site audit.
On termination of the agreement, Yezda will, at the Customer's election, return or securely delete personal data within 90 days, save to the extent retention is required by law (in which case Yezda will continue to protect the data and process it solely for that purpose). Audit logs and anonymised data may be retained.
The parties' liability under or in connection with this DPA is subject to the limitation and exclusion of liability provisions of the Master Services Agreement.
If there is a conflict between this DPA and the Master Services Agreement on data-protection matters, this DPA prevails. If there is a conflict between this DPA and any UK transfer mechanism (IDTA / Addendum), that mechanism prevails.
Annex A: Description of processing

| Item | Detail |
|---|---|
| Subject matter | Pre-employment screening to BS7858 / BPSS / PSA standards |
| Duration | For the term of the agreement, plus retention periods set out in the Privacy Policy |
| Nature & purpose | Verification of identity, history, references, financial standing, criminal record and sanctions; issue of certificates |
| Categories of data | Identity data, contact data, address & work history, financial / credit, special category (biometric, criminal), employment references |
| Categories of data subject | Candidates nominated by the Customer; nominated referees |
| Frequency | Continuous, on a per-Candidate basis |

Annex C: Sub-processors

| Sub-processor | Purpose | Location |
|---|---|---|
| Amazon Web Services EMEA SARL | Cloud hosting (eu-west-2 London) | UK |
| Our nominated IDV provider | Identity & document verification | UK |
| CreditSafe Business Solutions Ltd | Credit, AML, PEP & sanctions | UK |
| GBG plc | Address & residency verification | UK |
| Twilio (Sendgrid) Ireland Ltd | Transactional email | EEA / UK |
| Google Ireland Ltd (Firebase) | Push notification delivery (token only) | EEA |
| Stripe Payments UK Ltd | Customer billing | UK |
| Zendesk International Ltd | Customer support ticketing | EEA / UK |