Data Processing Policy

Last updated: 26/04/2022
Estimated reading time: 7 minutes

1.   Introduction

Welcome to yaiLab Ltd.

yaiLab Ltd ("Company", "Our", "We") operates https://yailab.net (hereinafter referred to as "Services"). Our Data Processing Policy governs your visit to https://yailab.net, and explains how we collect, safeguard and disclose information that results from your use of our Services.

We use your data to provide and improve Services. By using Services, you agree to the collection and use of information in accordance with this policy. Unless otherwise defined in this Data Processing Policy, the terms used in this Data Processing Policy have the same meanings as in our Terms and Conditions.

Our Terms and Conditions ("Terms") govern all use of our Service and web pages and together with the Data Processing Policy constitute your agreement with us ("Agreement").

2.   Definitions

In this Part of the Schedule the following terms shall have the meanings set out below.

Applicable Laws: means:

  1. To the extent the UK GDPR applies, the law of the United Kingdom or of a part of the United Kingdom.
  2. To the extent the EU GDPR applies, the law of the European Union or any member state of the European Union to which the Company is subject.

Applicable Data Protection Laws: means:

  1. To the extent the UK GDPR applies, the law of the United Kingdom or of a part of the United Kingdom which relates to the protection of personal data.
  2. To the extent the EU GDPR applies, the law of the European Union or any member state of the European Union to which the Company is subject, which relates to the protection of personal data.

Company Personal Data: any personal data which the Company processes in connection with this Agreement, in the capacity of a controller.

Customer Personal Data: any personal data which the Company processes in connection with this Agreement, in the capacity of a processor on behalf of the Customer.

Controller, processor, data subject, personal data, personal data breach and processing shall have the meaning given to them in the UK GDPR. EU GDPR: the General Data Protection Regulation ((EU) 2016/679).

Purpose: the purposes for which the Customer Personal Data is processed, as set out in paragraph 3.5(a).

UK GDPR: has the meaning given to it in the Data Protection Act 2018.

3.   Data Protection

Both parties will comply with all applicable requirements of Applicable Data Protection Laws. This paragraph 3 is in addition to, and does not relieve, remove or replace, a party's obligations or rights under Applicable Data Protection Laws.

The parties have determined that, for the purposes of Applicable Data Protection Laws:

  1. the Company shall act as controller of the personal data of the Customer required for the Company to manage and provide the Services; and
  2. the Company shall process the personal data set out in the Annex, as a processor on behalf of the Customer.

The Customer will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Company Personal Data and the Customer Personal Data to the Company for the duration and purposes of this Agreement.

In relation to the Customer Personal Data, the Annex to this Part of the Schedule sets out the nature and purpose of processing by the Company, the duration of the processing and the types of personal data and categories of data subject.

The Company shall, in relation to the Customer Personal Data:

  1. process that Customer Personal Data only on the documented instructions of the Customer unless the Company is required by Applicable Laws to otherwise process that Customer Personal Data. Where the Company is relying on Applicable Laws as the basis for processing Customer Processor Data, the Company shall notify the Customer of this before performing the processing required by the Applicable Laws unless those Applicable Laws prohibit the Provider from so notifying the Customer on important grounds of public interest. The Company shall inform the Customer if, in the opinion of the Company, the instructions of the Customer infringe Applicable Data Protection Legislation;
  2. implement technical and organisational measures to protect against unauthorised or unlawful processing of Customer Personal Data and against accidental loss or destruction of, or damage to, Customer Personal Data, having regard to the state of technological development and the cost of implementing any measures;
  3. ensure that any personnel engaged and authorised by the Company to process Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory or common law obligation of confidentiality;
  4. assist the Customer insofar as this is possible (taking into account the nature of the processing and the information available to the Company), and at the Customer's cost and written request, in responding to any request from a data subject and in ensuring the Customer's compliance with its obligations under Applicable Data Protection Laws with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;
  5. notify the Customer without undue delay on becoming aware of a personal data breach involving the Customer Personal Data;
  6. at the written direction of the Customer, delete or return Customer Personal Data and copies thereof to the Customer on termination of this Agreement unless the Company is required by Applicable Law to continue to process that Customer Personal Data, and
  7. maintain records to demonstrate its compliance with this paragraph and allow for reasonable audits by the Customer or the Customer's designated auditor, for this purpose, on reasonable written notice.

The Customer hereby provides its prior, general authorisation for the Company to:

  1. appoint processors to process the Customer Personal Data, provided that the Company: (i) shall ensure that the terms on which it appoints such processors comply with Applicable Data Protection Laws, and are consistent with the obligations imposed on the Company in this Part of the Schedule; (ii) shall remain responsible for the acts and omission of any such processor as if they were the acts and omissions of the Company; and (iii) shall inform the Customer of any intended changes concerning the addition or replacement of the processors, thereby giving the Customer the opportunity to object to such changes.
  2. transfer Customer Personal Data outside of the UK as required for the Purpose, provided that the Company shall ensure that all such transfers are effected in accordance with Applicable Data Protection Laws.

4.   Annex Particulars of the processing

Subject Matter: The provision of the Company’s software as a service offering for the development of machine learning models by the Customer.

Nature: Collection, recording, organisation, structuring, storage (including hosting), analysis, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of data (whether or not by automated means).

Purpose of processing: The Company shall undertake processing on behalf of the Customer for the performance of the Services in accordance with this Agreement.

Duration of the processing: The term of this Agreement.

Types of Personal Data: Subject to the Customer’s use of the Services, it is envisaged that the Customer may include personal data from the following categories:

  • personal data (such as place of birth, street name and house number (address), postal code, city of residence, country of residence, mobile phone number, first name, last name, initials, email address, gender, date of birth)
  • authentication data (for example user name, password or PIN code, security question, audit trail);
  • contact information (for example addresses, email, phone numbers, social media identifiers; emergency contact details).

Categories of Data Subject: Subject to the Customer’s use of the Services, it is envisaged that the Customer may include personal data from the following types of data subjects:

  • employees, contractors and temporary workers (current, former, prospective).