Yeastar P-Series Cloud Edition Data Processing Agreement
The Yeastar P-Series Cloud Edition (hereinafter referred to as “Services”) is provided by Xiamen Yeastar Digital Technology Co., Ltd. (hereinafter referred to as “Data Processor”, “Yeastar”).
To clarify the rights and obligations of the Customer (also referred to as the Data Controller) and the Data Processor in the course of personal data processing, and to ensure that the processing of personal data complies with relevant laws and regulations, please read and fully understand this Data Processing Agreement (“DPA”) before using the Services.
By accessing or using Services, Data Controller acknowledges that it has read, understood, and agreed to be bound by this DPA, and Data Controller consents to the processing of Data Controller information in accordance with its terms. If Data Controller does not agree to this DPA, please do not use the Services.
1. DEFINITIONS
1.1 The terms used in this DPA shall be deemed to have the same meaning as in the applicable data-protection regulations and the practice developed at any given time regarding the applicable data-protection regulations. This means that definitions in this DPA may change during the term of the agreement. The above means that this DPA involves the following definitions:
Processing: the measure or combination of measures concerning Personal Data or sets of Personal Data, e.g., collection, registration, organization, structuring, storage, processing or alteration, creation, reading, use, surrender through transfer, dissemination or other provision, adjustment or consolidation, limitation, deletion or destruction.
Applicable Data Protection Law: the General Data Protection Regulation (EU) 2016/679 (‘GDPR’), and other regulations with the relevant implementation statutes and the regulations in this area applying at any given time. Non-European Data Protection Legislation may also apply to the processing of Customer Personal Data.
Standard Contractual Clauses (SCCs): contractual provisions adopted by the European Commission to ensure appropriate data protection safeguards for data transferred from the EEA to third countries which do not provide an adequate level of data protection. SCCs constitute a lawful data transfer mechanism under GDPR.
Data Controller: the entity which, alone or jointly with others, determines the purposes and means of the processing of Personal Data.
Data Processor: the entity that processes Personal Data on behalf of the Controller.
Personal Data: any information relating to an identified or identifiable natural person.
Data Subject: an identified or identifiable natural person to whom Personal Data relates, as defined under Applicable Data Protection Laws.
Personal Data Breach: security incidents leading to unintentional or unlawful destruction, loss or alteration, or to unauthorized disclosure of or unauthorized access to the Personal Data that has been transferred, stored and otherwise been the subject of Processing.
Sub-processor: any personal-data processor engaged by the Data Processor or Data Controller that processes Personal Data on behalf of the Data Controller.
2. Purpose Limitation
Data Processor shall process the Personal Data for the purposes described in Annex A, except where otherwise required by applicable law.
3. Obligation of Data Processor
3.1 Security. Data Processor will maintain appropriate technical and organizational security measures to safeguard the security of Personal Data. These security measures are detailed in Annex B (Technical and Organizational Measures). Data Processor will maintain an information security and risk management program based on commercial best practices to preserve the confidentiality, integrity and accessibility of Personal Data with administrative, technical and physical measures conforming to generally recognized industry standards and practices. Data Processor shall implement appropriate technical and organizational measures to protect Personal Data from accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access.
3.2 Confidentiality. Data Processor shall ensure that any personnel whom Data Processor authorizes to process Personal Data on its behalf are subject to confidentiality obligations with respect to that Personal Data. The undertaking to confidentiality shall continue after the termination of the above-entitled activities.
3.3 Personal Data Breaches. Data Processor will notify the Data Controller without undue delay and will use reasonable efforts to do so within 24 hours after becoming aware of a Personal Data Breach affecting any Personal Data. At the Data Controller’s request, Processor will promptly provide the Data Controller with all reasonable assistance necessary to enable the Data Controller to notify relevant Personal Data Breaches to competent authorities and/or affected Data Subjects, if Data Controller is required to do so under the Data Protection Law.
3.4 Data Subject Requests. Data Processor will provide reasonable assistance, including by appropriate technical and organizational measures and taking into account the nature of the Processing, to enable Data Controller to respond to any request from Data Subjects seeking to exercise their rights under the Data Protection Law with respect to Personal Data (including access, rectification, restriction, deletion or portability of Personal Data, as applicable), to the extent permitted by the law. If such a request is made directly to Data Processor, Data Processor will promptly inform Data Controller and will advise Data Subjects to submit their request to the Data Controller. Data Controller shall be solely responsible for responding to any Data Subjects’ requests. Data Controller shall reimburse Data Processor for the costs arising from this assistance.
3.5 Sub-processors. Data Processor shall be entitled to engage Sub-processors to fulfil Data Processor’s obligations only with Data Controller’s written consent. The Data Processor shall inform the Data Controller of any intended changes concerning the addition or replacement of any Sub-processors, and the Data Controller has the right to object to such changes. The Data Processor shall ensure that its data protection obligations set out in the DPA and in Applicable Data Protection Law are imposed on any Sub-processors by a written agreement. Any Sub-processor shall in particular provide sufficient guarantees to implement appropriate technical and organizational measures to comply with Applicable Data Protection Law, and provide the Data Controller and relevant supervisory authorities with access and information necessary to verify such compliance. The Data Processor shall remain fully liable to the Controller for the performance of any Sub-processor.
Yeastar relies on Sub-processors (such as AWS and Azure) to provide services as listed in Annex A and requires that their data protection practices, including the use of Standard Contractual Clauses (SCCs) or equivalent safeguards, comply with Applicable Data Protection Laws.
3.6 International Transfers. Yeastar may transfer and process Customer Personal Data outside the European Economic Area (“EEA”), in accordance with the applicable Sub-processor list, to locations where Yeastar, its Affiliates or its Sub-processors maintain data processing operations. To the extent that Yeastar processes (or causes to be processed) any Customer Personal Data originating from the EEA in a country that has not been recognized by the European Commission as providing an adequate level of protection for Customer Personal Data, Yeastar will comply with the European Economic Area data protection law regarding the collection, use, transfer, retention, and other processing of Personal Data from the European Economic Area, and shall put in place such measures as are necessary to ensure the transfer is in compliance with Applicable Data Protection Laws, which include the execution of the EU Commission’s Standard Contractual Clauses, or the putting in place of any other valid transfer mechanism under Applicable Data Protection Laws.
Such measures include, but are not limited to, the execution of the European Commission’s Standard Contractual Clauses (SCCs), or the putting in place of any other valid data transfer mechanism under Applicable Data Protection Laws. The Standard Contractual Clauses applicable to transfers conducted by Yeastar are set out in Annex C.
3.7 Deletion or Return of Data. Upon termination or expiry of the Agreement, Yeastar shall, on the Data Controller’s documented request and at its direction, delete or return all Customer Personal Data (including copies), unless retention is required by applicable law or necessary for back-up systems, in which case the data shall be securely isolated and eventually deleted in line with Yeastar’s retention policies.
4. Data Controller Responsibility
Within the scope of the DPA and in its use of the services, Data Controller shall be solely responsible for complying with the statutory requirements relating to data protection and privacy, in particular regarding the disclosure and transfer of Personal Data to the Data Processor and the Processing of Personal Data. Customer, as Data Controller, shall be responsible for ensuring that:
4.1 It has complied, and will continue to comply, with all Applicable Data Protection Laws, including in any instructions it issues to Yeastar under this DPA.
4.2 It has, and will continue to have, the right to transfer, or provide access to, the Personal Data to Yeastar for processing in accordance with this DPA.
4.3 Where required by Applicable Data Protection Law, and upon the Data Controller’s request and at its expense, Yeastar shall provide reasonable assistance with Data Protection Impact Assessment (DPIA) or prior consultation, limited to the scope of Services under this DPA.
5. Validity
This DPA shall take effect upon Customer’s acceptance of this Agreement and remain in force until the Data Processor’s processing of Personal Data ceases.
6. Indemnity
Customer will indemnify, keep indemnified and hold harmless Yeastar, its clients, officers, directors, employees, agents, and representatives (each an “Indemnified Party”) from and against all third-party loss, harm, cost (including reasonable legal fees and expenses), expense and liability that an Indemnified Party may suffer or incur as a result of Customer’s non-compliance with the requirements of this DPA.
7. Contact
If the Data Controller has any questions about Yeastar’s practices or this DPA, please contact Yeastar as follows:
Email: newsletter@yeastar.com
Mailing Address: Building C09, Software Park Phase III, Xiamen 361024, Fujian, China.
In principle, Yeastar does not charge any fee for your reasonable requests, but Yeastar will charge a certain fee at its discretion for repeated requests that exceed reasonable limits. Yeastar may refuse requests that require the use of technology beyond industry norms to achieve or substantially affect the legitimate rights and interests of others.
Annex A Details of Processing
These instructions form an integral part of the DPA and shall be adhered to by the Data Processor in the processing of Personal Data, unless expressly stated otherwise in the DPA. The Data Controller may unilaterally change these instructions at a later date by notifying the Data Processor of the change in writing. By accepting the DPA, the Data Controller Processor has confirmed the meaning of these instructions.
Purpose
The purpose of the processing is
1) to deliver communication and collaboration Services
2) to support the Services with which the customer is supplied
3) to support enhanced service features powered by artificial intelligence, such as transcription and AI call summary, where applicable and enabled by the Customer.
These AI-enabled features are disabled by default and can be activated at the Customer’s discretion. They may leverage third-party AI providers and will only process personal data within the scope of the agreed Services and in accordance with the data protection and security measures specified in this Agreement.
Type of Personal Data
The following categories of Personal Data may be processed, depending on the Services used and features enabled:
- Service Account Data: name, email address, phone number, job title, user ID, login credentials (username and password), profile information.
- Usage Data: system logs, connection metadata, Call Detail Records (CDRs), and other communications metadata.
- User-generated Content: call information, voicemails, chat messages, transcripts, call notes, and any other content voluntarily uploaded or created through the Services.
- Optional Uploaded Data by Controller: profile picture, company name, contact directory, and any other content voluntarily provided by the Data Controller or its users.
- Feature-Specific Data: data collected or processed via specific features, such as recording and AI-related features (subject to user enablement).
The Personal Data processed is determined and controlled by the Data Controller in its sole discretion. As such, Yeastar has no control over the nature, volume and sensitivity of Personal Data processed through its Services by the Data Controller or its users.
Duration of Processing
Processing lasts for as long as the Data Processor represents the Data Controller. Upon termination of the Services, Personal Data can be deleted by resetting the P-Series Cloud Edition to factory default.
Sub-processors
The Sub-processors are used for hosting of servers, and these Sub-processors operate with an adequate level of protection for personal data and comply with Applicable Data Protection Law. The list of Sub-processors is as follows:
Entity Name | Purpose | Entity Country |
Amazon Web Services | Cloud Service Provider | Australia, Brazil, Bahrain, Canada, France, Germany, Hong Kong, Ireland, Italy, Singapore, South Africa, United Kingdom, United States |
Any other customer-assigned local data center | Cloud Service Provider | – |
Agora | Provide Video Conferencing service¹ | United States, Canada, Singapore, Malaysia, Indonesia, Australia, Germany, United Kingdom, Russia, South Africa |
Netease, Inc. | Provide Instant Messaging services¹ (The server connection can be disabled if the Internal Chat service is not required) | China |
Amazon Web Services | Provide Transcription services¹ (Text-to-Speech to generate voice prompt, Speech-to-Text for Call Transcription and Voicemail Transcription) | Germany, Hong Kong, Indonesia, Singapore, Thailand, United States, United Kingdom |
Azure | Provide Call Summary services¹ | Germany, Hong Kong, Indonesia, Singapore, Thailand, United States, United Kingdom |
Note: Items marked with “¹” refer to features that can be disabled or Customer may choose not to use. In such cases, no personal data will be transferred to the relevant sub-processor.
Disclosure of Personal Data
Personal Data may be disclosed to:
- With the Data Controller’s explicit consent.
- In cases where legal requirements, legal procedures, litigation, or government authorities require mandatory disclosure, the Data Processor may publicly disclose the Personal Data.
- Within the scope permitted by laws and regulations, it may be necessary to disclose your personal information to protect the legitimate interests, property, or safety of Yeastar, Yeastar’s affiliated companies or partners, the Data Controller, other Yeastar users, or the public.
- Emergency services. For example, in the event of a call to SOS Alarm or when placing calls to another operator, certain Personal Data may be registered with the relevant operator.
- Other operators or service providers that provide the Service
- Other circumstances stipulated by laws and regulations.
- According to legal provisions, sharing and transferring de-identified personal information, ensuring that the data recipient cannot reconstruct and re-identify the individual to whom the personal information belongs, does not qualify as sharing, transferring, or publicly disclosing personal information. Separate notice and consent are not required for the storage and processing of such data.
Annex B Technical and Organizational Measures to Ensure the Security of the Data
Yeastar incorporates the following technical and organizational measures:
- Access Management
- Data processing systems are inaccessible without prior authorization.
- For Yeastar personnel, Single Sign On (SSO) and Multifactor Authentication (MFA) are required for all systems containing Personal Data.
- Customers are able to access their account, including Personal Data, using either a Single-Sign-On System, or a unique username and password combination.
- All personnel access Yeastar’s systems with a unique identifier (user ID), which is tied back to the user’s Yeastar email address.
- Access to data is limited based on separation of duties, multiple authorization levels, and least privilege.
- Access is reviewed regularly and modified or revoked if not required.
- Yeastar has procedures in place so that requested authorization changes are implemented only in accordance with the Information Security Policy. In case personnel leave the company, their access rights are revoked.
- Password Management
- Yeastar’s Access Management Policy governs password policies.
- Network Security
- Yeastar will maintain a network security program to meet best practices on physical and virtual networks.
- Logging
- Yeastar will maintain logs of critical infrastructure and systems that affect Yeastar’s services and customer data. Logging shall be in place to monitor security, confidentiality and availability of Yeastar’s products and services.
- Physical Access
- Unauthorized persons are prevented from gaining physical access to premises, buildings, or devices where data processing occurs or from where data may be accessed. Yeastar’s physical access controls are detailed in its Information Security Policy.
- Offices have entry protocols that are assigned to individuals. Facial recognition is used for access authentication in Yeastar offices.
- Infrastructure providers that are used to store customer data and provide capabilities to serve Yeastar products are SOC2 Type II or ISO 27001 certified environments.
- Hosting providers are reviewed by the Security and Compliance team prior to data and infrastructure being stored in such environments.
- Physical security is reviewed on an annual basis to ensure compliance is kept up to date.
- Data Processing Control
- Data Categorization
- Data is classified into different components based on their sensitivity in order to determine the requirements associated with their processing.
- Personal Data within any data classification is handled as sensitive and confidential.
- Processing Responsibilities
- Customer Data may only be used for what is necessary to deliver the Services. Consistent with Yeastar’s Privacy Policy, additional safeguards such as encryption may be applied based on the nature and sensitivity of the data.
- Prior to processing data within Yeastar, the basis for obtaining and using Personal Data must be determined based on an appropriate method as provided in Applicable Data Protection Laws. Appropriate methods to obtain and use data from a data subject include:
- Consent: an individual has given explicit consent to Yeastar to process their Personal Data for a specific purpose.
- Contract: data processing is necessary for a contract we have with the individual, or because they have asked Yeastar to take specific steps before entering into a contract.
- Legitimate Interest: the processing is necessary for Yeastar’s legitimate interests or the legitimate interest of a third party unless there is a good reason to protect the individual’s Personal Data which overrides those legitimate interests.
- Legal Obligation: the processing is necessary for Yeastar to comply with the law (not including contractual obligations).
- Vital Interest: the processing is necessary to protect someone’s life.
- Yeastar may conduct data privacy assessments in accordance with applicable Data Protection Laws, where required.
- Customer Data should be disposed of based on contractual requirements and terms of service agreements. Disposal can include permanent deletion of data or return of such data.
- Data Distribution Requirements
- Any disclosure of Yeastar non-public data requires a Non-Disclosure Agreement.
- Prior to any transfer or processing of non-general/public data outside of Yeastar’s personnel or wholly-owned systems, a risk determination should be performed.
- Data Availability
- Yeastar maintains a current Disaster Recovery Plan and Incident Management Policy.
- Recovery Time Objective (RTO) and Recovery Point Objective (RPO) projections are tested and validated by Yeastar.
- Data Integrity
- Risk Assessment
- Information risk assessments are performed against an industry-acceptable standard to determine areas of vulnerability within the organization. The control framework should be updated on a regular basis to include changes in the areas required to be covered.
- The information risk assessment must classify risk levels assigned to identified risks based on likelihood and impact and prioritize remediation according to the risk levels. Any Service Level Agreements committed by Yeastar for risks identified should be taken into account when planning remediation.
- Security Awareness
- All personnel must complete security awareness training upon onboarding to Yeastar, as well as on an annual basis.
- The security awareness training is updated, at a minimum on an annual basis to ensure that any process and technology changes within the organization.
- Data Protection and Encryption
- Data is encrypted in transit and at rest based on the risk and classification of the data, using the algorithms that have received substantial public review and have been proven to work effectively.
- Cryptographic keys are generated and stored in a secure manner that prevents loss, theft, or compromise.
- Sensitive data is backed up to environments that are not the primary source of use. Backup frequency is determined based on data criticality.
- All customer data that is used to serve Yeastar products is backed up daily.
- External Certification
- Yeastar undergoes annual independent third-party audit(s) to verify the operating effectiveness and design of its controls.
Annex C Standard Contractual Clauses
For international data transfers, Yeastar implements the European Commission’s Standard Contractual Clauses (SCCs) as the primary transfer mechanism, or other appropriate safeguards as permitted under Applicable Data Protection Laws. The current version of the SCCs is available at the following link:
https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32021D0914
HOW TO CONTACT US
If you have any questions or concerns regarding this Privacy Policy, please feel free to contact us at the following email or phone number.
Email: info@yeastar.com
Phone Number: +86-592-5503301
Last Modified: September 15, 2025