中文
Legal

Data Processing Addendum

How YAS processes personal data on behalf of customers and partners when providing the platform and related services.

This Data Processing Addendum ("DPA") forms part of the agreement between YAS DIGITAL LIMITED ("YAS", "we", "us", or "our") and the customer, fleet operator, or partner organisation ("Customer") that governs the provision of the YAS platform and related services (the "Services"). It applies wherever YAS processes personal data on behalf of the Customer in connection with the Services.

This DPA operates alongside applicable data protection law, including the Hong Kong Personal Data (Privacy) Ordinance (Cap. 486) and, where applicable, other data protection regimes governing the Customer's operations. Where the Customer's regulatory obligations require additional or specific terms, those are agreed in the executed order form or master agreement; this DPA is the baseline that applies in their absence.

AURA provides risk scoring that supports underwriting. Where a licensed insurer uses AURA output, that insurer acts as an independent controller for its own underwriting and pricing decisions, and a qualified person retains authority over those decisions. YAS does not make underwriting or pricing decisions on the insurer's behalf.

This DPA is a template provided for transparency. The operative version is the one executed between the parties; in the event of conflict, the executed agreement prevails.

1. Definitions

Terms such as "personal data", "processing", "controller", "processor", and "data subject" have the meanings given under applicable data protection law. "Customer Personal Data" means personal data that YAS processes on behalf of the Customer under the Services. "Sub-processor" means a third party engaged by YAS to process Customer Personal Data.

2. Roles of the Parties

For Customer Personal Data processed under the Services, the Customer is the controller (or, where the Customer is itself a processor, the relevant controller's processor) and YAS acts as a processor. Each party complies with its respective obligations under applicable data protection law.

Where a licensed insurer receives data to perform underwriting, that insurer is a separate and independent controller for its own purposes, as described in the YAS Privacy Policy.

3. Scope and Purpose of Processing

YAS processes Customer Personal Data only to provide and support the Services, and only on documented instructions from the Customer, except where required by law. The subject matter, duration, nature, and purpose of processing, the types of personal data, and the categories of data subjects are described in the agreement and the Services documentation.

Typical categories of Customer Personal Data processed include:

  • Account and contact details of the Customer's authorised users;
  • Vehicle, device, and trip telemetry, including location, speed, motion, and timing data;
  • Derived risk scores and explanations generated by AURA.

4. Obligations of YAS as Processor

YAS undertakes to:

  • Process Customer Personal Data only on the Customer's documented instructions;
  • Ensure that personnel authorised to process Customer Personal Data are bound by confidentiality;
  • Implement appropriate technical and organisational security measures (see Section 5);
  • Assist the Customer, taking into account the nature of processing, in responding to data subject requests and in meeting the Customer's security, breach-notification, and impact-assessment obligations;
  • Make available information reasonably necessary to demonstrate compliance with this DPA.

5. Security Measures

YAS maintains technical and organisational measures designed to protect Customer Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, or damage. These include encryption of data in transit and at rest, role-scoped access control, request-level fleet scoping, audit logging of scoring inputs and outputs, and regular review of systems and sub-processors. Measures are reviewed and updated as the Services evolve.

6. Sub-processors

The Customer authorises YAS to engage Sub-processors to support the Services. YAS imposes data protection obligations on each Sub-processor that are no less protective than those in this DPA, and remains responsible for each Sub-processor's performance of those obligations.

Categories of Sub-processors currently include infrastructure and hosting providers, a payment processor (Stripe), and application monitoring (Firebase Crashlytics), as described in the YAS Privacy Policy. YAS provides a mechanism to notify the Customer of intended changes to Sub-processors and to allow the Customer to object on reasonable data protection grounds.

7. International Data Transfers

Customer Personal Data relating to accounts is stored on servers located in Singapore and Hong Kong. Where Customer Personal Data is transferred across borders, YAS uses a lawful transfer mechanism appropriate to the jurisdictions involved, and applies safeguards consistent with applicable data protection law.

8. Data Subject Rights

Taking into account the nature of the processing, YAS assists the Customer by appropriate technical and organisational measures, insofar as possible, in fulfilling the Customer's obligation to respond to requests from data subjects exercising their rights, including rights of access, correction, and erasure. Where YAS receives a request directly from a data subject relating to Customer Personal Data, YAS will refer the data subject to the Customer unless otherwise required by law.

9. Personal Data Breach

YAS notifies the Customer without undue delay after becoming aware of a personal data breach affecting Customer Personal Data, and provides information reasonably available to YAS to assist the Customer in meeting any breach-notification obligations it may have under applicable law.

10. Audit and Compliance

YAS makes available to the Customer information reasonably necessary to demonstrate compliance with this DPA and, on reasonable prior notice and subject to confidentiality, allows for and contributes to audits, including inspections, conducted by the Customer or an auditor mandated by the Customer, in a manner that does not compromise the security or confidentiality of other customers' data.

11. Return and Deletion of Data

On termination of the Services, and at the choice of the Customer, YAS deletes or returns Customer Personal Data and deletes existing copies, unless retention is required by applicable law. Retention periods are limited to what is necessary for the purposes for which the data was processed.

12. Liability and Governing Law

The liability of each party under this DPA is subject to the limitations and exclusions set out in the agreement between the parties. This DPA is governed by the laws of Hong Kong, and the parties submit to the non-exclusive jurisdiction of the Hong Kong courts.

For questions about this DPA or to exercise a data protection request, contact [email protected].

In case of discrepancies between the English and Chinese versions, the English version shall prevail.