YurifyApp
Back

Data Processing Addendum

Last updated: June 14, 2026 · v2026-06-14

In short

This DPA is for organisations (employers, teams, clinicians) who use YurifyApp on behalf of their own users and need GDPR Article 28 terms. For individual consumers, the Privacy Policy is the controlling document.

1. Parties and roles

"Customer" (data controller) and Yurify Pte. Ltd. ("Yurify", data processor) agree that, where Customer submits personal data into the Service, Yurify acts as a processor on Customer's documented instructions.

2. Subject matter and duration

Subject matter: providing the YurifyApp service. Duration: the term of Customer's subscription plus the deletion window described below.

3. Nature and purpose

Storage, AI-based analysis of message text and metadata, and return of structured insight to Customer's authorised users.

4. Categories of data and data subjects

  • Data subjects: Customer's authorised users and the individuals named or quoted in messages they submit.
  • Categories: account identifiers (email, user id), message content submitted for analysis, AI-generated insights, usage metadata.
  • Customer must not submit special-category data (health, biometric, political opinions) unless lawfully permitted.

5. Sub-processors

Customer authorises Yurify to engage the sub-processors listed on the Sub-processors page. Yurify will give at least 15 days' notice of any new sub-processor; Customer may object on reasonable data-protection grounds.

6. International transfers

Where personal data of EU/UK/Swiss data subjects is transferred outside their jurisdiction, the transfer is governed by the EU Standard Contractual Clauses (SCCs, 2021) Module Two (controller-to-processor), the UK International Data Transfer Addendum, and equivalent Swiss measures, which are incorporated into this DPA by reference.

7. Security

Yurify maintains industry-standard technical and organisational measures: encryption in transit (TLS 1.2+), encryption at rest (AES-256), least-privilege access, row-level security on the database, audit logging, secret-management for API keys, and a documented incident-response process.

8. Personal data breaches

Yurify will notify Customer without undue delay (and in any case within 72 hours of becoming aware) of any personal data breach affecting Customer's data, with the information required by GDPR Art. 33(3).

9. Data-subject rights & assistance

Yurify will assist Customer in responding to data-subject requests (access, rectification, erasure, portability, objection) within reasonable cost and timeframes. Individual users can also exercise these rights directly via info@yurify.co.

10. Return / deletion of data

On termination, Yurify will delete Customer's personal data within 30 days, except where retention is required by law or for the establishment, exercise or defence of legal claims.

11. Audits

Customer may request, no more than once per year, a written attestation of compliance with this DPA and Yurify's most recent third-party security assessments. On-site audits are available subject to reasonable notice and confidentiality undertakings.

12. Acceptance

Organisations that need a counter-signed DPA can email info@yurify.co with their entity name and we will return a signed PDF.

HomeAnalyzeUpgradeSign in