Data Processing Agreement

Last updated: January 27, 2026

1. Purpose and Scope

This Data Processing Agreement ("DPA") is entered into pursuant to Article 28 of the EU General Data Protection Regulation (GDPR) and governs the processing of personal data by IE Petr Guskov ("Processor") on behalf of customers ("Data Controllers") who use our AI-powered knowledge base and automated support system ("Service").

1.1 Processor Details

IE Petr Guskov
Merab Kostava 26 4
Tbilisi, 0105
Georgia
Email: service@yogavarta.com

2. Definitions

Terms used in this DPA have the meanings set forth in the GDPR:

  • Personal Data: Information relating to an identified or identifiable natural person (GDPR Article 4(1))
  • Data Controller: The customer who determines the purposes and means of processing personal data
  • Data Processor: IE Petr Guskov, who processes personal data on behalf of the Data Controller
  • Data Subject: The individual whose personal data is being processed
  • Processing: Any operation performed on personal data (GDPR Article 4(2))
  • Sub-processor: A third party engaged by the Processor to process personal data

3. Nature and Purpose of Processing

The Processor processes personal data solely for providing the Service as instructed by the Data Controller, including:

  • Providing AI-powered knowledge base research capabilities
  • Delivering automated support services
  • Processing and analyzing documents for semantic search
  • Generating AI responses and recommendations
  • Maintaining and improving service functionality
  • Ensuring system security and preventing abuse

4. Categories of Data

The Processor may process the following categories of personal data:

  • Identity and Contact Data: Names, email addresses, phone numbers
  • Account Data: User credentials, account settings, preferences
  • Communication Data: Chat messages, support tickets, feedback
  • Document Content: Text and metadata from uploaded documents
  • Usage Data: Service interactions, feature usage patterns
  • Technical Data: IP addresses, device information, browser data

5. Data Subject Categories

The personal data processed may relate to:

  • Customer employees and authorized users
  • Customer clients and end-users
  • Individuals mentioned in processed documents
  • Support and communication contacts

6. Processor Obligations (GDPR Article 28)

The Processor shall:

  • Process personal data only on documented instructions from the Data Controller
  • Ensure persons authorized to process have committed to confidentiality
  • Implement appropriate technical and organizational security measures (Article 32)
  • Respect conditions for engaging sub-processors
  • Assist the Data Controller in responding to data subject requests
  • Assist in ensuring compliance with Articles 32-36 (security, breach notification, DPIA)
  • Delete or return personal data at the end of the agreement
  • Make available information to demonstrate compliance

7. Security Measures (GDPR Article 32)

The Processor implements appropriate measures to ensure a level of security appropriate to the risk:

  • Encryption: Pseudonymization and encryption of personal data
  • Confidentiality: Ability to ensure ongoing confidentiality, integrity, availability
  • Resilience: Ability to restore access to personal data in a timely manner
  • Testing: Regular testing and evaluation of security measures
  • Access Control: Role-based access controls and multi-factor authentication
  • Staff Training: Regular security and privacy training for personnel

8. Sub-processors (GDPR Article 28(2)-(4))

The Data Controller authorizes the engagement of the following sub-processors:

  • Google Cloud Platform: Data hosting and storage (EU/US)
  • OpenAI / Anthropic: AI language processing and generation (US)
  • Stripe: Payment processing (US, with EU processing)

The Processor shall inform the Data Controller of any intended changes concerning addition or replacement of sub-processors, giving the Controller an opportunity to object.

9. International Data Transfers (GDPR Chapter V)

Personal data may be transferred outside the EEA only with adequate safeguards:

  • European Commission adequacy decisions (Article 45)
  • Standard Contractual Clauses approved by the EU Commission (Article 46(2)(c))
  • Binding Corporate Rules (Article 47)
  • EU-US Data Privacy Framework certifications where applicable

10. Data Subject Rights (GDPR Articles 12-22)

The Processor shall assist the Data Controller in responding to data subject requests:

  • Right of access (Article 15)
  • Right to rectification (Article 16)
  • Right to erasure (Article 17)
  • Right to restriction of processing (Article 18)
  • Notification obligation regarding rectification or erasure (Article 19)
  • Right to data portability (Article 20)
  • Right to object (Article 21)
  • Rights related to automated decision-making (Article 22)

Self-Service Account Deletion: End users may exercise their right to erasure directly through the mobile application.

11. Data Breach Notification (GDPR Articles 33-34)

In case of a personal data breach, the Processor will:

  • Notify the Data Controller without undue delay (within 24 hours of becoming aware)
  • Provide information required for the Controller to notify the supervisory authority
  • Document all personal data breaches
  • Implement immediate containment and remediation measures
  • Cooperate in any required notification to data subjects

12. Audits and Compliance (GDPR Article 28(3)(h))

The Processor shall make available all information necessary to demonstrate compliance and allow for audits:

  • Provide reasonable cooperation for audits and inspections
  • Make available necessary documentation
  • Allow access to relevant facilities and systems
  • Address any compliance issues identified

13. Data Retention and Deletion

Personal data shall be retained only as long as necessary. Upon termination:

  • Delete or return all personal data as instructed by the Data Controller
  • Delete existing copies unless retention is required by law
  • Provide certification of deletion when requested

User-Initiated Deletion: End users may request deletion through the mobile application, with a 14-day grace period before permanent deletion.

14. Liability

Each party shall be liable for damages caused by processing that infringes the GDPR, in accordance with Article 82. The Processor shall indemnify the Data Controller against claims arising from the Processor's non-compliance with this DPA or the GDPR.

15. Term and Termination

This DPA remains in effect for the duration of the service agreement. Either party may terminate with written notice if the other party materially breaches its obligations and fails to cure within 30 days.

16. Governing Law

This DPA is governed by the laws of Georgia. For EU data subjects, the provisions of the GDPR shall apply as mandatory law.

17. Contact Information

For questions about this DPA or to report data protection concerns:

IE Petr Guskov
Data Protection Contact
Merab Kostava 26 4
Tbilisi, 0105
Georgia

Email: service@yogavarta.com