Data processing agreement — GDPR Article 28
This DPA is entered into between the Customer (Data Controller) and Ysae SLU operating DeployIt (Processor), pursuant to Article 28 of the General Data Protection Regulation (GDPR). Processor address: Carrer de l'Aern, n°12 atic, La Margineda — AD500 Andorra la Vella — Principat d'Andorra.
Ysae SLU processes the personal data provided by the Customer (users, team members, Git metadata, generated content) exclusively for the purpose of providing the DeployIt service and according to the Customer's documented instructions.
Hosting and infrastructure: DigitalOcean (EU). Payment: Paddle Inc. (Merchant of Record). Transactional email: Postmark. Analytics: PostHog, Google Analytics. AI: LLM providers (Claude / OpenAI models). The up-to-date list of sub-processors is available on request at privacy [at] deployit.ai.
TLS encryption in transit. Encryption at rest on databases. Two-factor authentication available. Data access strictly limited to engineers on a least-privilege basis. Security audits and continuous employee training.
In case of personal data breach, Ysae SLU notifies the Customer without undue delay, no later than 72 hours after becoming aware of it, using the email subject "URGENT – Privacy concern".
Ysae SLU assists the Customer in fulfilling obligations related to data subjects' rights of access, rectification, erasure, restriction, portability and objection, within 7 business days for privacy-related requests.
Enterprise customers have enhanced data protection: Ysae SLU explicitly waives the use of their data for AI model training without explicit consent.
At the end of the contract, Ysae SLU deletes or returns to the Customer all processed personal data within 30 days, unless legally required to retain it.
The Customer may, with reasonable notice and at most once per year, request a compliance audit conducted by an independent third party under confidentiality.
For any DPA-related request: legal [at] deployit.ai · privacy [at] deployit.ai
