Data Processing Agreement
Version 1.0 — Effective July 15, 2026
This Data Processing Agreement ("DPA") forms part of, and is incorporated by reference into, the agreement between YCD Corp. d/b/a Cookiy ("Cookiy") and the customer that accepts or executes it ("Customer") governing Customer's use of the Cookiy services, including the Cookiy Terms and Conditions (the "Agreement").
1. Parties and Scope
This DPA applies where and to the extent Cookiy processes Personal Data on behalf of Customer in the course of providing the Cookiy AI user-research platform — in particular, personal data relating to research participants in studies that Customer conducts through the platform. With respect to such Personal Data, Customer acts as Controller and Cookiy acts as Processor.
This DPA does not apply to personal data that Cookiy processes as a controller for its own purposes, such as Customer account, billing, and marketing data, which is governed by the Cookiy Privacy Policy. In performing its obligations under this DPA, Cookiy will comply with data protection laws applicable to it as Processor, and Customer will comply with data protection laws applicable to it as Controller, including establishing a lawful basis for the processing and providing any required notices to data subjects.
2. Definitions
The terms "Controller," "Processor," "Personal Data," "Processing," and "Data Subject" have the meanings given to them in Article 4 of Regulation (EU) 2016/679 (the "GDPR"), and equivalent terms under other applicable data protection laws are to be read accordingly. "Sub-processor" means any processor engaged by Cookiy to process Personal Data on behalf of Customer under this DPA.
Capitalized terms used but not defined in this DPA have the meanings given to them in the Agreement.
3. Details of Processing
The details of the processing carried out under this DPA are as follows:
| Description | Details |
|---|---|
| Subject matter | Provision of the Cookiy AI user-research platform to Customer under the Agreement. |
| Duration | The term of the Agreement, until Personal Data is deleted or returned in accordance with Section 8. |
| Nature and purpose | AI-moderated interviews, surveys, transcription, analysis, and report generation performed on Customer's behalf. |
| Categories of data subjects | Research participants in Customer studies and Customer end users. |
| Categories of personal data | Contact details; interview audio and video recordings; transcripts; survey responses; voluntarily provided demographic information; device and usage metadata. |
| Special categories of data | Not intentionally processed. Participants are instructed not to disclose special categories of personal data during studies. |
4. Processor Obligations
Cookiy will process Personal Data only on Customer's documented instructions, including with regard to international transfers, unless required to do otherwise by applicable law; in that case, Cookiy will inform Customer of the legal requirement before processing unless the law prohibits such notice. The Agreement, this DPA, and Customer's configuration and use of the platform constitute Customer's documented instructions.
Cookiy ensures that all personnel authorized to process Personal Data are bound by appropriate obligations of confidentiality and receive regular data protection and security training. Taking into account the nature of the processing, Cookiy will assist Customer through appropriate technical and organizational measures in responding to Data Subject requests under Articles 12–23 GDPR, and will assist Customer with data protection impact assessments and prior consultations under Articles 35–36 GDPR.
Cookiy will notify Customer of a personal data breach affecting Personal Data within 48 hours of discovery, and in any event without undue delay, providing information reasonably available to Cookiy about the nature of the breach, the categories and approximate number of data subjects and records concerned, likely consequences, and measures taken or proposed to address the breach and mitigate its effects.
5. Security Measures
Cookiy implements and maintains appropriate technical and organizational measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, consistent with Article 32 GDPR and Cookiy's Information Security Policy. These measures include:
- Encryption of Personal Data at rest using AWS KMS with AES-256
- Encryption of Personal Data in transit using TLS 1.2 or higher
- Multi-factor authentication and least-privilege access controls for systems processing Personal Data
- Quarterly access reviews
- Centralized logging and monitoring
- Periodic penetration testing
- A documented incident-response process
Cookiy may update these measures from time to time, provided that updates do not materially reduce the overall level of protection of Personal Data.
6. Sub-processors
Customer provides general written authorization for Cookiy to engage the Sub-processors listed at cookiy.ai/subprocessors/. Cookiy will impose data protection obligations on each Sub-processor that are no less protective than those in this DPA and remains liable to Customer for each Sub-processor's performance.
Cookiy will give Customer at least 30 days' advance notice of the addition or replacement of a Sub-processor by updating that page and notifying Customer by email. Customer may raise reasonable, documented objections to a new Sub-processor within the notice period; the parties will work together in good faith to resolve the objection, and if no resolution is reasonably available, Customer may terminate the affected services in accordance with the Agreement.
7. International Transfers
Cookiy processes Personal Data primarily in the United States. Customer authorizes Cookiy to transfer Personal Data to the United States and to the locations of the authorized Sub-processors, subject to the safeguards described in this Section.
Where Personal Data protected by EEA or UK data protection law is transferred to a country not recognized as providing an adequate level of protection, the Standard Contractual Clauses adopted by the European Commission in Decision (EU) 2021/914, Module Two (Controller to Processor), are incorporated into and form part of this DPA, with Customer as data exporter and Cookiy as data importer, and the processing details in Section 3 and the security measures in Section 5 serving as their annexes. For transfers subject to UK data protection law, the International Data Transfer Addendum to the EU Standard Contractual Clauses issued by the UK Information Commissioner is likewise incorporated and applies to such transfers. In the event of a conflict between this DPA and the Standard Contractual Clauses or the UK Addendum, the latter prevail with respect to the transfers they govern.
8. Deletion and Return of Data
Upon termination or expiry of the Agreement, Cookiy will, at Customer's choice, delete or return all Personal Data processed on Customer's behalf within 30 days, and delete existing copies unless applicable law requires further storage. Upon Customer's request, Cookiy will confirm deletion in writing.
Personal Data held in immutable backups expires and is deleted in accordance with Cookiy's standard backup cycle. Until expiry, backup copies remain isolated from production use and continue to be protected by the measures described in Section 5.
9. Audit Rights
Cookiy will make available to Customer information reasonably necessary to demonstrate compliance with the obligations in this DPA, as contemplated by Article 28(3)(h) GDPR. Customer's audit rights are satisfied primarily through Cookiy's provision of audit reports and certifications, such as SOC 2 reports, together with written responses to reasonable security questionnaires.
Where an on-site audit is required by applicable law or a supervisory authority, or where the materials above are insufficient to demonstrate compliance, Customer may conduct an audit upon at least 30 days' written notice, no more than once per year, during normal business hours, subject to reasonable confidentiality and safety requirements and without unreasonable disruption to Cookiy's operations.
10. Liability and Order of Precedence
Each party's liability arising out of or relating to this DPA is subject to the limitations and exclusions of liability set out in the Agreement, and references in the Agreement to a party's liability mean the aggregate liability of that party under the Agreement and this DPA together.
In the event of a conflict between this DPA and the Agreement with respect to the processing of Personal Data, this DPA prevails to the extent of the conflict.
Contact
Questions about this DPA or Cookiy's processing of Personal Data may be directed to info@cookiy.com.