Version 2.1 | Effective Date: 13 July 2026
This DPA applies uniformly to all Merchants entering into an Agreement with Yabie AB. For questions regarding this DPA, contact privacy@yabie.com.
For the purposes of this Data Processing Agreement (“DPA”):
1.1 “Agreement” means the master services agreement, terms and conditions, or other agreement governing the provision of Services by Yabie to the Merchant.
1.2 “Applicable Data Protection Law” means all laws and regulations applicable to the Processing of Personal Data under the Agreement, including but not limited to: Regulation (EU) 2016/679 (GDPR); the UK GDPR and the Data Protection Act 2018; and any national laws implementing or supplementing the foregoing, as amended or replaced from time to time.
1.3 “Controller” means the entity that determines the purposes and means of the Processing of Personal Data.
1.4 “Processor” means the entity that processes Personal Data on behalf of the Controller.
1.5 “Merchant” means the customer entity entering into the Agreement with Yabie and acting as Controller of Personal Data.
1.6 “Personal Data” means any information relating to an identified or identifiable natural person processed under the Agreement.
1.7 “Data Subject” means an identified or identifiable natural person to whom Personal Data relates.
1.8 “Processing” / “Process” means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, use, disclosure, transmission, alignment, restriction, erasure or destruction.
1.9 “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.
1.10 “Sub-Processor” means any third party engaged by Yabie to Process Personal Data on behalf of the Merchant.
1.11 “Supervisory Authority” means an independent public authority established under Applicable Data Protection Law.
1.12 “Standard Contractual Clauses” or “SCCs” means the standard contractual clauses for the transfer of Personal Data to third countries adopted by the European Commission pursuant to Article 46 GDPR (Commission Implementing Decision (EU) 2021/914 and any future versions), as amended or replaced.
2.1 Processor Appointment
This DPA applies where and to the extent that Yabie Processes Personal Data on behalf of the Merchant in connection with the Services. The parties acknowledge and agree that:
Nothing in this DPA shall be construed as creating a joint controllership relationship between the parties. This DPA applies solely to Personal Data processed by Yabie as a Processor. For data processed by Yabie as a Controller in its own right, Yabie’s Privacy Policy shall apply.
2.2 Subject Matter and Duration
The subject matter of the Processing is the provision of the Services under the Agreement. The duration of the Processing shall be for the term of the Agreement and until deletion or return of Personal Data in accordance with Section 9 of this DPA.
2.3 Nature, Purpose and Scope of Processing
Yabie shall Process Personal Data solely for the purpose of providing the Services to the Merchant and in accordance with the Merchant’s documented instructions as set out in: the Agreement; this DPA; and any lawful written instructions provided by the Merchant consistent with the Agreement. The details of the Processing, including categories of Data Subjects and Personal Data, are described in Annex I.
Yabie shall not Process Personal Data for its own purposes and shall not sell, share or otherwise exploit Personal Data except as necessary to provide the Services or as required by law.
For the avoidance of doubt, product usage analytics — including feature engagement events and application event logs — collected by Yabie for its own product improvement purposes are processed by Yabie as a Controller in its own right and are governed by Yabie’s Privacy Policy, not this DPA.
2.4 Controller Responsibilities
The Merchant shall ensure that: it has complied and will comply with Applicable Data Protection Law; it has a lawful basis for the Processing of Personal Data; it has provided all required notices to Data Subjects; and its instructions to Yabie are lawful and do not violate Applicable Data Protection Law. Yabie shall not be responsible for determining the lawfulness of the Merchant’s Processing activities.
2.5 Instructions Contrary to Law
If Yabie becomes aware that an instruction from the Merchant infringes Applicable Data Protection Law, Yabie shall inform the Merchant without undue delay. Yabie shall not be required to comply with any instruction that it reasonably believes to be unlawful.
Yabie shall ensure that any personnel authorised to Process Personal Data are: subject to appropriate confidentiality obligations, whether contractual or statutory; bound to Process Personal Data only in accordance with the Merchant’s documented instructions and this DPA; and subject to appropriate access controls limiting access to those who require it to perform the Services. Yabie shall implement appropriate measures to ensure that relevant personnel are aware of their data protection obligations, and shall ensure that access is promptly removed upon termination of employment or when no longer required.
4.1 General Security Obligation
Yabie shall implement and maintain appropriate technical and organisational measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data. Such measures shall be appropriate to the risks presented by the Processing, taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of the Processing.
4.2 Security Measures
Yabie’s security measures shall include, as appropriate:
A description of Yabie’s current security measures is set out in Annex II. Yabie may update or modify its security measures from time to time, provided that such updates do not materially reduce the overall level of protection afforded to Personal Data.
4.3 Security Disclaimer
The parties acknowledge that no security measures can eliminate all security risks. Yabie shall implement reasonable and appropriate safeguards but does not warrant that the Services will be immune from all security threats.
4.4 Security Incident Notification
Yabie shall notify the Merchant without undue delay upon becoming aware of any confirmed Personal Data Breach affecting Personal Data processed on behalf of the Merchant. Notification may be provided in phases as information becomes available and shall include, to the extent known at the time: a description of the nature of the breach; the categories and approximate number of Data Subjects and Personal Data records affected; and the steps being taken or proposed to address the breach.
Notification of a Personal Data Breach under this Section shall not be construed as an acknowledgement of fault or liability by Yabie. For operational or infrastructure security incidents that do not constitute a Personal Data Breach, Yabie shall notify the Merchant without undue delay where such incidents materially affect the availability or integrity of the Services.
5.1 General Authorisation
The Merchant provides a general authorisation for Yabie to engage Sub-Processors to Process Personal Data on its behalf in connection with the Services. A current list of Sub-Processors is made available by Yabie via its website at yabie.com/legal/sub-processors and is updated in accordance with Section 5.2.
5.2 Changes to Sub-Processors
Yabie may engage new Sub-Processors from time to time. Yabie shall update its published Sub-Processor list and notify the Merchant of any changes via email (to the contact provided in the Agreement or the Merchant’s account settings) at least 30 days prior to the change taking effect.
5.3 Objection Right
The Merchant may object to the appointment of a new Sub-Processor on reasonable data protection grounds, including a material risk of non-compliance with Applicable Data Protection Law or this DPA, in accordance with Article 28(2) GDPR. Any objection must: be made in writing within thirty (30) days of the Merchant receiving notification; and clearly describe the specific data protection grounds for the objection. If the Merchant does not object within that period, the Merchant is deemed to have accepted the new Sub-Processor.
5.4 Resolution
If the parties are unable to resolve a valid objection within a reasonable period, the Merchant may terminate the affected Services in accordance with the termination provisions of the Agreement. Yabie shall have no obligation to appoint an alternative Sub-Processor.
5.5 Sub-Processor Obligations
Where Yabie engages a Sub-Processor, Yabie shall: enter into a written agreement imposing data protection obligations no less protective than those set out in this DPA; and remain responsible for the Sub-Processor’s compliance with its data protection obligations in accordance with Applicable Data Protection Law.
Yabie shall not transfer Personal Data to a country outside the European Economic Area (“EEA”) or the United Kingdom unless such transfer is made in compliance with Applicable Data Protection Law, using a lawful transfer mechanism such as an adequacy decision or Standard Contractual Clauses.
Where Personal Data is transferred outside the EEA to a country not subject to an adequacy decision, the Standard Contractual Clauses (Module 2: Controller to Processor), as incorporated in Annex IV, shall apply. For transfers subject to UK GDPR to countries not subject to a UK adequacy regulation, the UK ICO International Data Transfer Addendum, as incorporated in Annex IV, shall apply. Where required, Yabie shall implement supplementary technical and organisational measures to ensure transferred Personal Data receives an equivalent level of protection.
Where Yabie receives a legally binding request from a public authority for disclosure of Personal Data, Yabie shall comply with its legal obligations and, where legally permitted, notify the Merchant. In the event of any conflict between this DPA and the SCCs, the SCCs shall prevail.
You may request further information about applicable transfer safeguards by contacting privacy@yabie.com.
7.1 Data Subject Requests Received by Yabie
If Yabie receives a request from a Data Subject relating to Personal Data processed on behalf of the Merchant, Yabie shall promptly notify the Merchant and shall not respond to such request directly, except as required by Applicable Data Protection Law.
7.2 Assistance Obligation
Taking into account the nature of the Processing, Yabie shall provide reasonable assistance to the Merchant, by appropriate technical and organisational measures, to enable the Merchant to fulfil its obligations under Articles 15–22 and 34 GDPR (or equivalent provisions under Applicable Data Protection Law), within a reasonable timeframe taking into account the Merchant’s statutory deadlines. Such assistance shall be limited to Personal Data processed by Yabie on behalf of the Merchant and shall not extend to requests that are manifestly unfounded, excessive, or repetitive.
7.3 Merchant Responsibility
The Merchant shall be responsible for: assessing the validity of Data Subject requests; communicating responses to Data Subjects; and ensuring compliance with Applicable Data Protection Law in respect of such requests.
7.4 Costs and DPIA Assistance
Yabie shall provide reasonable assistance with data protection impact assessments (DPIAs) under Article 35 GDPR at no additional charge for standard requests, including provision of applicable security documentation, sub-processor information, and standard platform documentation. Where a request requires material additional effort beyond standard documentation — such as bespoke technical assessments or dedicated engagement beyond the normal scope of the Services — the parties shall agree the scope and any associated costs in advance in writing. Yabie’s obligation to provide reasonable assistance under Article 28(3)(f) GDPR shall not be limited by this provision.
8.1 Notification Obligation
Yabie shall notify the Merchant of any confirmed Personal Data Breach affecting Personal Data processed on behalf of the Merchant without undue delay after becoming aware of it. Where information is not yet fully available, Yabie may provide an initial notification followed by updates as further information becomes available.
8.2 Information to be Provided
To the extent reasonably available, Yabie shall provide the Merchant with information sufficient to enable the Merchant to meet its obligations under Applicable Data Protection Law, including: a description of the nature of the Personal Data Breach; the categories of Data Subjects affected; the categories of Personal Data concerned; and the measures taken or proposed to address the breach and mitigate its possible adverse effects.
8.3 Cooperation and No Admission
Yabie shall provide reasonable cooperation to the Merchant in connection with the investigation and remediation of a Personal Data Breach, taking into account the nature of the Processing and the information available to Yabie. Notification of a Personal Data Breach shall not be construed as an acknowledgement of fault or liability by Yabie.
8.4 Regulatory Communication and Costs
The Merchant shall be responsible for determining whether to notify a Supervisory Authority or Data Subjects of a Personal Data Breach. Yabie shall not notify any Supervisory Authority or Data Subject directly unless required to do so by Applicable Data Protection Law. Except where the Personal Data Breach is caused by Yabie’s breach of this DPA or Applicable Data Protection Law, the Merchant shall bear its own costs arising from any Personal Data Breach.
9.1 Deletion or Return Upon Termination
Upon termination or expiry of the Agreement, Yabie shall, at the Merchant’s written request, either: return Personal Data to the Merchant in a structured, commonly used and machine-readable format; or securely delete Personal Data, unless Applicable Data Protection Law requires storage of the Personal Data.
9.2 Timing and Default Deletion
Where the Merchant submits a written request following termination, deletion or return of active Personal Data shall be completed within 30 days of that request, unless otherwise agreed in writing. Where no written request is received, Yabie shall handle Personal Data in accordance with its applicable data retention policies and any statutory obligations. Personal Data that is no longer required and is not subject to a legal retention obligation shall be deleted or anonymised in accordance with Yabie’s standard retention schedules, as described in Yabie’s Privacy Policy at yabie.com.
9.3 Retention Required by Law
Where Yabie is required by Applicable Data Protection Law to retain Personal Data, Yabie shall: ensure the continued protection of such Personal Data; and not further Process such Personal Data except as required by law.
9.4 Backup Systems
The parties acknowledge that residual copies of Personal Data may remain in Yabie’s backup systems following deletion of active data. Such residual copies shall be deleted in accordance with Yabie’s standard backup retention schedules. During this period, such data is protected in accordance with this DPA and is not actively processed.
9.5 Certification
Upon written request, Yabie shall provide written confirmation that deletion has been completed in accordance with this Section.
10.1 Information Provision
Yabie shall make available to the Merchant, upon written request (limited to once per twelve-month period, except where otherwise required by Applicable Data Protection Law, required by a Supervisory Authority, or following a confirmed Personal Data Breach directly affecting the Merchant’s Personal Data), information reasonably necessary to demonstrate Yabie’s compliance with its obligations under this DPA. Such information may include summaries of security measures, policies, certifications, audit reports, or other documentation reasonably required under Article 28 GDPR. Such requests shall not unreasonably interfere with Yabie’s business operations.
10.2 Third-Party Audit Reports
Yabie engages qualified independent third-party auditors to conduct assessments against recognised standards. Upon written request, Yabie shall provide the Merchant with copies of the most recent available audit reports or executive summaries of penetration test results, subject to appropriate confidentiality obligations. The parties agree that the information and reports provided pursuant to Sections 10.1 and 10.2 shall satisfy the Merchant’s audit rights under Article 28(3)(h) GDPR in the ordinary course.
10.3 On-Site Audit Right
Notwithstanding Section 10.2, the Merchant shall be entitled to request an on-site audit or inspection where:
Any on-site audit under this Section shall be subject to: at least 20 business days’ prior written notice specifying the scope; a mutually agreed scope, schedule and confidentiality obligations; no more than one on-site audit per calendar year (unless required by a Supervisory Authority); and conduct during normal business hours with minimal disruption to Yabie’s operations.
On-site audits conducted under the first or second bullet above shall be at Yabie’s reasonable cost. On-site audits conducted under the third bullet shall be at the Merchant’s cost, including Yabie’s reasonable time-based fees for providing assistance.
11.1 Limitation of Liability
To the maximum extent permitted by Applicable Data Protection Law, the total aggregate liability of Yabie AB (including its affiliates and Sub-Processors) arising out of or in connection with this DPA, whether in contract, tort (including negligence), or otherwise, shall be limited to the total amount paid by the Merchant to Yabie for the Services during the twelve (12) months immediately preceding the event giving rise to the claim.
11.2 Exclusion of Indirect Damages
In no event shall Yabie be liable for any indirect, incidental, special, consequential, or exemplary damages, including but not limited to loss of profits, loss of goodwill, or loss of business opportunity, even if advised of the possibility of such damages.
11.3 Carve-Outs from Liability Cap
Sections 11.1 and 11.2 shall not apply to or limit:
11.4 Liability to Data Subjects
Nothing in this Section 11 is intended to limit or exclude the liability of either party toward Data Subjects or Supervisory Authorities where such limitation is prohibited by Applicable Data Protection Law (including the Standard Contractual Clauses).
11.5 Allocation of Fines
As between the parties, the Merchant shall be responsible for any fines or penalties imposed by a Supervisory Authority that result from the Merchant’s failure to comply with its obligations as a Controller or for providing unlawful instructions to Yabie.
12.1 Governing Law
This DPA shall be governed by and construed in accordance with the laws of Sweden, without prejudice to the mandatory provisions of the Standard Contractual Clauses or Applicable Data Protection Law. As between Yabie and the Merchant only, the competent courts of Stockholm, Sweden shall have exclusive jurisdiction over any disputes arising under this DPA. For the avoidance of doubt, nothing in this clause limits the right of Data Subjects to bring claims before the courts of their habitual residence or before the competent supervisory authority, as provided under the SCCs, the UK Addendum, and Applicable Data Protection Law.
12.2 Order of Precedence
In the event of any conflict between: (1) the Standard Contractual Clauses (where applicable); (2) this DPA; and (3) the Agreement, the order of precedence shall be: first, the Standard Contractual Clauses; second, this DPA; third, the Agreement.
12.3 Amendments
Yabie may update this DPA without the Merchant’s prior consent where required to comply with changes in Applicable Data Protection Law or binding regulatory guidance, provided that Yabie shall give at least 14 days’ advance written notice of such changes, except where the change is mandated with immediate effect by applicable law or a competent authority, in which case notice shall be given as soon as reasonably practicable. For any other changes, Yabie shall provide at least 30 days’ advance written notice. If the Merchant does not object in writing within such notice period, the Merchant shall be deemed to have accepted the changes. No amendment shall materially reduce the level of protection afforded to Personal Data under this DPA.
12.4 Severability
If any provision of this DPA is held to be invalid or unenforceable, the remaining provisions shall remain in full force and effect.
12.5 Survival
Sections relating to confidentiality, liability, international transfers, and return or deletion of Personal Data shall survive termination of the Agreement for so long as Yabie Processes Personal Data on behalf of the Merchant.
A. List of Parties
Data Exporter (Controller): The Merchant, as defined in the Agreement.
Data Importer (Processor): Yabie AB, Company Registration No. 559083-2092, Sweden. Data protection contact: privacy@yabie.com.
B. Subject Matter
The Processing of Personal Data in connection with the provision of point-of-sale, online store, and related software services under the Agreement.
C. Duration
The Processing shall continue for the duration of the Agreement and until deletion or return of Personal Data in accordance with Section 9 of this DPA.
D. Nature and Purpose of Processing
Yabie shall Process Personal Data for the purpose of:
Processing activities include: collection (via Merchant systems); recording; organisation and structuring; storage and hosting; retrieval and consultation; transmission; restriction; erasure or deletion. Yabie shall not Process Personal Data for its own independent commercial purposes.
For the avoidance of doubt, product usage analytics collected by Yabie for its own product improvement purposes are processed by Yabie as a Controller and are not within the scope of this DPA.
E. Categories of Data Subjects
F. Categories of Personal Data
PAN/CVV statement: Yabie does not store full Primary Account Numbers (PAN), CVV codes, track data, or other sensitive authentication data. No in-scope PAN data transits Yabie’s application layer.
G. Sensitive Data
The parties do not anticipate the Processing of special categories of Personal Data (Article 9 GDPR) or criminal offence data under this DPA. If the Merchant uploads or provides such data contrary to this DPA, the Merchant shall remain solely responsible for ensuring compliance with Applicable Data Protection Law.
Yabie implements and maintains technical and organisational measures designed to ensure a level of security appropriate to the risk in accordance with Article 32 GDPR. The measures below describe the principal controls in place. Yabie may update these measures from time to time provided the overall level of protection is not materially reduced.
| Control domain | Measures implemented |
|---|---|
| Organisational security | Information security policies governing the protection of Personal Data. Defined roles and responsibilities for information security and data protection. Confidentiality obligations binding personnel with access to Personal Data. Security awareness and data protection training for relevant personnel. Documented incident response procedures and escalation processes. |
| Access control | Role-based access controls limiting access to Personal Data on a need-to-know basis. Multi-factor authentication required for non-console access to production systems. Strong authentication requirements for internal systems. Processes for granting, reviewing and revoking access rights. Periodic access reviews and prompt removal of access upon termination or change of role. |
| Encryption and data protection | Encryption of Personal Data in transit using current industry-standard protocols. Encryption of Personal Data at rest using current industry-standard algorithms. Secure key management practices including periodic key rotation. Logical segregation of customer environments where applicable. |
| Network and infrastructure security | Network segmentation and access restrictions. Firewall and traffic filtering mechanisms. Monitoring of network and system activity. Protection against malware and unauthorised access. |
| Monitoring and logging | Logging of administrative and privileged activities. Monitoring systems designed to detect anomalous or suspicious activity. Security event investigation and response procedures. Audit logs retained in accordance with Yabie’s retention schedules and available to Merchants upon written request (see Section 10). |
| Vulnerability management | Regular automated vulnerability assessments of production infrastructure and applications. Periodic third-party penetration testing by independent, qualified security experts — executive summaries available to Merchants on written request subject to confidentiality obligations. A documented remediation programme with defined severity classifications and target remediation timescales. |
| Secure development | Secure software development lifecycle (SDLC) processes based on industry standards. Code review practices for security-sensitive changes. Testing procedures designed to identify security vulnerabilities prior to deployment. |
| Business continuity and availability | Backup procedures designed to protect Personal Data. Measures to restore availability of systems following incidents. Periodic testing of backup and recovery processes. |
| Incident management | Documented procedures for detecting, reporting and responding to security incidents. Internal investigation and remediation processes. Defined communication channels for security events. |
| Sub-Processor oversight | Due diligence procedures for engaging Sub-Processors. Contractual data protection obligations imposed on all Sub-Processors. Periodic security review of critical Sub-Processors, including review of security certifications (e.g. ISO 27001, SOC 2, PCI-DSS AoC) or penetration test summaries. Results retained and available to Merchants on written request. |
Yabie engages Sub-Processors in connection with the Services. The current and up-to-date list of authorised Sub-Processors is publicly available at:
https://yabie.com/legal/sub-processors
Yabie shall notify the Merchant at least 30 days in advance of any additions or changes to this list in accordance with Section 5.2 of this DPA. Yabie conducts periodic security reviews of critical Sub-Processors; results are retained and available to Merchants on written request.
A. EU Standard Contractual Clauses (Module 2 – Controller to Processor)
Where required under Section 6 of this DPA, the Standard Contractual Clauses (Module 2: Controller to Processor), as set out in Commission Implementing Decision (EU) 2021/914, are hereby incorporated by reference into and form part of this DPA. The SCCs shall apply solely to the extent that Personal Data is transferred to a third country not subject to an adequacy decision under Applicable Data Protection Law.
The full text of the SCCs is available at: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32021D0914
For the purposes of the SCCs: Module Two (Controller to Processor) applies; the Merchant acts as data exporter and Yabie as data importer; Annex I to this DPA completes SCC Annex I; Annex II to this DPA completes SCC Annex II; Annex III to this DPA completes SCC Annex III; the governing law for Clause 17 is Sweden; and the competent supervisory authority for Clause 13 is the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, IMY), as Yabie AB is established in Sweden. In the event of any conflict between this DPA and the SCCs, the SCCs shall prevail.
B. UK International Data Transfer Addendum
Where Personal Data is subject to the UK GDPR and is transferred to a country outside the United Kingdom not subject to a UK adequacy regulation, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner’s Office (the “UK Addendum”) is hereby incorporated by reference into this DPA.
The UK Addendum is available at: https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/international-transfers/
For the purposes of the UK Addendum: Table 1 (parties) is as set out in Annex I; Table 2 (selected SCCs) is the Approved EU SCCs (Module 2) incorporated above; Table 3 (appendix information) is as set out in Annexes I, II and III; and Table 4 (ending the addendum) — either party may terminate as permitted under Section 19 of the UK Addendum. In the event of any conflict between the UK Addendum and this DPA, the UK Addendum shall prevail to the extent required by UK GDPR.
| Reference | Details |
|---|---|
| Data Processor | Yabie AB, 559083-2092, Sweden |
| Privacy contact | privacy@yabie.com |
| Sub-processor list | yabie.com/legal/sub-processors |
| Supervisory Authority (SE) | Integritetsskyddsmyndigheten (IMY) — imy.se |
| Supervisory Authority (UK) | Information Commissioner’s Office (ICO) — ico.org.uk |