Data Processing Agreement

Last updated: 29 April 2026

Note for businesses:Under GDPR Art. 28, you (the Business) are the data controller for your customers' personal data. YXEO acts as a data processor on your behalf. This DPA governs that relationship. Have your legal counsel review before relying on it.

1. Parties

Data Controller: The Business using YXEO (the "Controller").
Data Processor:YXEO.eu (the "Processor").

2. Subject matter and duration

The Processor processes personal data on behalf of the Controller to provide the YXEO booking management service. Processing continues for the duration of the Controller's active subscription and up to 30 days after termination (for orderly data handover).

3. Nature and purpose of processing

Processing includes: storing, retrieving, updating, and deleting customer booking records; sending transactional emails (confirmations, reminders, cancellations) on the Controller's behalf.

4. Types of personal data

Name, email address, phone number, appointment details, IP address.

5. Categories of data subjects

The Controller's customers and employees.

6. Processor obligations

Process data only on documented instructions from the Controller.
Ensure persons authorised to process data are bound by confidentiality.
Implement appropriate technical and organisational security measures (Art. 32 GDPR).
Assist the Controller with data subject rights requests.
Delete or return all personal data after the end of services.
Make available all information necessary to demonstrate compliance.

7. Sub-processors

The Processor uses the following sub-processors:

Supabase Inc. — database and authentication (EU region, Dublin).
Vercel Inc. — application hosting (EU region).
Resend Inc. — transactional email delivery.

The Processor will notify the Controller of any intended changes to sub-processors with at least 14 days notice, giving the Controller the opportunity to object.

8. International transfers

Data is stored in the EU. Where sub-processors transfer data outside the EEA, appropriate safeguards (Standard Contractual Clauses) are in place.

9. Security incidents

The Processor will notify the Controller without undue delay (and within 72 hours where feasible) upon becoming aware of a personal data breach.

10. Governing law

This DPA is governed by the laws of the Republic of Lithuania.

To execute this DPA formally, email legal@YXEO.eu.