Data Processing Agreement
Last updated: May 2026
This Data Processing Agreement ("DPA") forms part of the agreement between you (the "Controller") and Nondela Ltd., trading as YardOS, company number 14946040 (the "Processor"), together the "Parties". This DPA supplements our Terms of Service and Privacy Policy.
By using YardOS, you instruct us to process personal data on your behalf in accordance with this DPA, the UK General Data Protection Regulation (UK GDPR), and the Data Protection Act 2018.
1. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person processed through YardOS on the Controller's behalf.
- "Processing" has the meaning given in UK GDPR Article 4(2).
- "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
- "Data Subjects" means the individuals whose Personal Data is processed — including horse owners, riders, staff, and emergency contacts added to YardOS by the Controller.
2. Scope and purpose of processing
The Processor processes Personal Data solely to provide the YardOS service, including:
- Storing and managing horse, owner, rider, and staff records.
- Managing yard tasks, bookings, and lesson schedules.
- Generating and sending invoices.
- Sending system notifications (e.g. booking confirmations, task reminders).
3. Categories of personal data
| Category | Examples |
|---|---|
| Identity data | Names, email addresses, phone numbers |
| Yard membership data | Roles, permissions, horse assignments |
| Booking and schedule data | Lesson times, arena bookings, attendance |
| Financial data | Invoice amounts, payment status (card details held by Stripe, not YardOS) |
| Safety data | Emergency contact names and phone numbers |
4. Obligations of the Processor
The Processor shall:
- Process Personal Data only on the Controller's documented instructions, unless required to do so by law.
- Ensure that persons authorised to process the Personal Data have committed to confidentiality.
- Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:
  - Encryption at rest (AES-256) and in transit (TLS 1.2+).
  - Logical data isolation between yards — one yard cannot access another's data.
  - Role-based access controls within the application.
  - Regular encrypted backups retained for 30 days.
- Assist the Controller in responding to Data Subject requests (access, rectification, erasure, portability) within 30 days of notification.
- Delete or return all Personal Data at the end of the contract, subject to retention periods required by law (see Section 8).
- Make available to the Controller all information necessary to demonstrate compliance with this DPA.
5. Sub-processors
The Processor uses the following sub-processors. The Controller authorises their use by agreeing to this DPA. The Processor will notify the Controller by email at least 14 days before adding or replacing a sub-processor.
| Sub-processor | Purpose | Location |
|---|---|---|
| Cloud infrastructure provider | Hosting, database, file storage | EU |
| Stripe | Payment processing | US (with SCCs) |
| Transactional email provider | System emails (invoices, confirmations, password resets) | US (with SCCs) |
If the Controller objects to a new sub-processor, they may terminate the agreement by cancelling their subscription within the 14-day notice period.
6. International transfers
Where Personal Data is transferred outside the UK and EEA, the Processor ensures appropriate safeguards are in place through:
- The UK International Data Transfer Agreement (IDTA).
- EU Standard Contractual Clauses (SCCs) with the UK Addendum.
- Transfers to countries with an adequacy decision from the UK Secretary of State.
7. Data breach notification
In the event of a personal data breach, the Processor shall notify the Controller without undue delay and in any event within 72 hours of becoming aware of it. The notification shall include:
- The nature of the breach, including categories and approximate number of Data Subjects affected.
- The likely consequences of the breach.
- The measures taken or proposed to address the breach.
The Processor shall cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the breach.
8. Data retention and deletion
- Active accounts. Personal Data is retained for as long as the Controller's account is active.
- After cancellation. Personal Data is retained for 90 days to allow resubscription, then permanently deleted.
- Billing records. Retained for 7 years after the transaction, as required by UK tax law (HMRC).
- Backups. Encrypted backups are retained for 30 days and then automatically destroyed.
9. Audits
The Controller may request information reasonably necessary to demonstrate compliance with this DPA. The Processor shall respond to written audit requests within 30 days. On-site audits may be conducted at the Controller's expense with at least 30 days' written notice, during normal business hours, and subject to reasonable confidentiality obligations.
10. Liability
The liability of each Party under this DPA is subject to the limitations set out in the Terms of Service.
11. Term and termination
This DPA takes effect when the Controller creates a YardOS account and remains in force for the duration of the subscription. It survives termination until all Personal Data has been deleted or returned in accordance with Section 8.
12. Governing law
This DPA is governed by the laws of England and Wales. Any dispute arising from this DPA shall be subject to the exclusive jurisdiction of the English courts.
13. Contact
For questions about this DPA or to exercise any rights, email info@yardos.co.uk.