This Data Processing Addendum (“DPA”) is entered into between DFC Hub, operating YouPOS (“Processor”), and the Tenant who has accepted the Terms of Service (“Controller”).
This DPA forms part of and is incorporated into the Terms of Service. In the event of a conflict between this DPA and the Terms of Service on data processing matters, this DPA shall prevail.
1. Definitions
- “Personal Data” — any information relating to an identified or identifiable natural person, as defined under the Philippine Data Privacy Act of 2012 (RA 10173) and its implementing rules.
- “Controller” — the Tenant, who determines the purposes and means of processing Personal Data entered into YouPOS about their customers and staff.
- “Processor” — DFC Hub (YouPOS), who processes Personal Data on behalf of the Controller.
- “Sub-processor” — any third party engaged by the Processor to process Personal Data on behalf of the Controller.
- “Data Subject”— the natural person whose Personal Data is processed (e.g., the Controller's customers and staff).
2. Scope and Nature of Processing
The Processor processes the following categories of Personal Data on behalf of the Controller:
- Customer data:name, phone number or email (optional), device and repair history, transaction records, and any optional notes entered by the Controller's staff.
- Staff data: name, email address, role, and action history (audit logs).
Processing activities include: storage, retrieval, display, computation (billing calculations, inventory deductions), reporting, receipt delivery, and export.
Processing occurs for the duration of the Controller's active subscription and for a post-termination retention period as described in the Privacy Policy.
3. Controller's Instructions
The Processor shall process Personal Data only on documented instructions from the Controller, including as set out in this DPA and the Terms of Service. The Processor shall promptly notify the Controller if, in the Processor's opinion, an instruction infringes applicable data protection law.
The Controller is responsible for:
- Ensuring a valid legal basis exists for collecting and entering Personal Data into YouPOS.
- Providing required disclosures and obtaining required consents from Data Subjects as applicable under Philippine law.
- Complying with the Controller's obligations under RA 10173 and its implementing rules.
4. Processor Obligations
The Processor agrees to:
- Process Personal Data only as necessary to provide YouPOS and only in accordance with the Controller's instructions or as required by applicable law.
- Ensure that personnel with access to Personal Data are bound by appropriate confidentiality obligations.
- Implement and maintain the technical and organizational security measures described in Section 5.
- Not engage new Sub-processors without informing the Controller as described in Section 6.
- Assist the Controller in fulfilling Data Subject rights requests to the extent reasonably practicable given the nature of processing.
- Delete or return Personal Data upon termination, as described in Section 8.
5. Security Measures
The Processor implements the following technical and organizational measures to protect Personal Data:
- Encryption in transit: All data is transmitted over HTTPS/TLS. Unencrypted HTTP connections are not permitted.
- Password storage: Passwords are stored as one-way bcrypt hashes. Plain-text passwords are never stored or logged.
- Multi-tenant isolation: Tenant data is logically separated using row-level security (RLS) policies enforced at the database layer, preventing cross-tenant data access.
- Access controls: Role-based access control ensures staff can only access data within their authorized permission level.
- Rate limiting: Authentication and sensitive endpoints are rate-limited to protect against brute-force attacks.
- Automated backups: Database backups are performed automatically with documented retention and recovery procedures.
6. Sub-processors
The Controller hereby grants general authorization for the Processor to engage the following Sub-processors:
- Vercel — Application hosting and edge delivery.
- Supabase — Managed PostgreSQL database and authentication infrastructure.
- Upstash — Managed Redis cache used for rate limiting and session data.
- Resend — Transactional email delivery for receipt emails sent on behalf of Tenants. Only recipient address and receipt content are transmitted.
The Processor will notify the Controller of any changes to Sub-processors by updating this DPA or the Privacy Policy. The Controller may object to a new Sub-processor within 15 days by contacting support.youpos@dfchub.com. If the objection cannot be resolved, either party may terminate the relevant services with reasonable notice.
7. Data Subject Rights
The Processor will assist the Controller in responding to Data Subject rights requests (access, rectification, erasure, objection, portability) as follows:
- Where the Controller can fulfill a request using YouPOS's built-in data management tools (e.g., editing or deleting customer records), the Controller should use those tools directly.
- For requests requiring Processor-level intervention (e.g., removal from backup archives), the Controller should contact legal.youpos@dfchub.com, and the Processor will assist within a reasonable timeframe.
8. Data Breach Notification
In the event of a Personal Data breach that the Processor becomes aware of, the Processor will notify the Controller without undue delay — and in any event within 72 hours of becoming aware of the breach. The notification will include:
- A description of the nature of the breach.
- The categories and approximate number of Data Subjects and Personal Data records concerned.
- The likely consequences of the breach.
- Measures taken or proposed to address the breach.
The Controller is responsible for notifying affected Data Subjects and the National Privacy Commission (NPC) as required by RA 10173 and its implementing rules.
9. Deletion and Return of Data on Termination
On termination of the Terms of Service or on written request from the Controller:
- The Processor will delete or anonymize Personal Data from live systems within the post-cancellation review window — in any event not later than 60 days after cancellation, unless a legal or accounting hold requires longer retention.
- Backup copies of the data may persist for the duration of the applicable backup retention period before being overwritten or deleted.
- The Processor will confirm in writing when deletion from live systems is complete upon request.
Current backup retention: 7 daily copies, 4 weekly copies, 3 monthly copies.
The Processor may retain anonymized or aggregated data that does not identify any individual for platform improvement and analytics purposes.
10. Audit Rights
The Controller may, with at least 30 days' written notice, request documentation or reasonable evidence of the Processor's compliance with this DPA. The Processor may satisfy audit rights by providing relevant documentation, security summaries, or third-party reports as reasonably available.
11. Duration
This DPA takes effect on the date the Controller first accepts the Terms of Service and continues until termination of the Terms of Service and completion of all post-termination data deletion obligations described in Section 9.
12. Governing Law
This DPA is governed by the laws of the Republic of the Philippines, including the Data Privacy Act of 2012 (RA 10173) and its implementing rules and regulations.
13. Contact