Data Processing Agreement (DPA)

1. Parties

Data Controller: Customer. Data Processor: YapMap Labs GmbH, Rigaer Straße 12, 10247 Berlin, Germany.

2. Subject matter

Provision of language usage analysis, mini-lesson generation, and analytics services.

3. Duration

Term of the Customer’s subscription unless terminated earlier in accordance with the Terms.

4. Nature & purpose

• Transient processing of text snippets supplied by users.
• Optional storage of dimensional metadata for analytics.
• Provision of audit logs, mini-lesson and review results (if enabled).

5. Categories of data

• Contact data (email, name) for authenticated users.
• Usage metadata (hashed ID, event type, timestamp, language dimension).
• No special categories of personal data are required. Customers must ensure they have a lawful basis for any personal data processed.

6. Subprocessors

Cloudflare, Supabase, Stripe, Plausible. Customer will be notified of changes via email at least 30 days in advance.

7. Security measures

Technical and organisational measures include TLS 1.3 encryption in transit, encryption at rest (Supabase), transient processing in memory, role-based access controls, logging, least privilege IAM, and regular penetration tests.