Data Processing Addendum
Last updated: April 2026 — Version 1.0
1. Definitions
- “UK GDPR” means the UK General Data Protection Regulation as retained in UK law by the European Union (Withdrawal) Act 2018, together with the Data Protection Act 2018.
- “Personal Data”, “Processing”, “Controller”, “Processor”, “Data Subject”, and “Supervisory Authority” shall have the meanings given in UK GDPR.
- “Client Data” means any Personal Data submitted to, stored in, or processed through the Services by or on behalf of the Controller.
- “Services” means the products and services provided by YEW Technologies under a service agreement, including YEW EPOS, DCReceipt, online ordering portals, and website hosting.
2. Roles
The parties acknowledge that, in relation to Client Data processed through the Services:
- The client is the Controller — they determine the purposes and means of processing Client Data.
- YEW Technologies is the Processor — we process Client Data only on the documented instructions of the Controller and for the purpose of providing the Services.
3. Scope of Processing
The subject matter, nature, purpose, and duration of processing, and the types of Personal Data and categories of Data Subjects, are as follows:
| Subject matter | Provision of EPOS, document management, online ordering, and website hosting services |
| Nature | Collection, storage, retrieval, transmission, deletion |
| Purpose | Delivery and support of the contracted Services |
| Duration | For the term of the service agreement, plus 30 days for data export, then deletion |
| Personal Data types | Names, contact details, transaction records, order history, device/session data |
| Data Subjects | The Controller’s customers, employees, and end users |
4. Processor Obligations
YEW Technologies, as Processor, shall:
- Process Client Data only on the documented instructions of the Controller, unless required to do so by law (in which case, we will inform the Controller before processing, unless legally prohibited from doing so).
- Ensure that all personnel authorised to process Client Data are subject to appropriate confidentiality obligations.
- Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including encryption of data in transit (TLS) and at rest, access controls, and regular security assessments.
- Not engage any sub-processor without the prior written consent of the Controller (general written consent is given via clause 6 of this DPA for the sub-processors listed therein).
- Assist the Controller in responding to Data Subject requests under UK GDPR (access, erasure, portability, etc.) in relation to Client Data, taking into account the nature of the processing.
- Assist the Controller in meeting its obligations under UK GDPR Articles 32–36 (security, breach notification, DPIAs) as reasonably required.
- Notify the Controller without undue delay (and in any event within 72 hours) upon becoming aware of a personal data breach affecting Client Data.
- At the choice of the Controller, delete or return all Client Data upon termination of the Services, and delete existing copies, unless storage is required by law.
- Make available to the Controller all information reasonably necessary to demonstrate compliance with UK GDPR Article 28, and allow for and contribute to audits conducted by the Controller or a mandated auditor (with reasonable notice and at the Controller’s cost).
5. Data Transfers
All Client Data is stored and processed within the United Kingdom using Microsoft Azure infrastructure in UK South and UK West regions.
Where the use of a sub-processor (such as SendGrid / Twilio) involves a transfer of Personal Data to the United States, such transfers are made in accordance with the UK–US Data Bridge adequacy regulations (SI 2023/1305) or, where required, under an appropriate International Data Transfer Agreement (IDTA) pursuant to s.119A of the Data Protection Act 2018. YEW Technologies does not otherwise transfer Client Data outside the UK unless expressly agreed in writing with the Controller.
6. Sub-Processors
The Controller provides general written consent for YEW Technologies to engage the following sub-processors in connection with the Services:
| Sub-Processor | Purpose | Location |
|---|---|---|
| Microsoft Azure | Cloud infrastructure, storage, compute | UK (UK South / UK West) |
| SendGrid (Twilio) | Transactional email delivery | USA (UK–US Data Bridge) |
| Stripe | Payment processing (online ordering portals) | UK / EU |
YEW Technologies will notify the Controller of any intended changes concerning the addition or replacement of sub-processors, giving the Controller an opportunity to object. Objections must be raised in writing within 30 days of notification.
7. Controller Obligations
The Controller warrants and confirms that:
- It has a lawful basis for processing the Client Data it submits to the Services.
- All necessary notices have been provided to, and consents obtained from, Data Subjects whose data will be processed through the Services.
- Its instructions to YEW Technologies with respect to processing Client Data comply with applicable law.
8. Governing Law
This DPA is governed by the laws of England and Wales and subject to the exclusive jurisdiction of the courts of England and Wales.
9. Contact
For any queries relating to this DPA or data protection matters, please contact us.