Data Processing Agreement
This Data Processing Agreement (“DPA”) forms part of the agreement (the “Agreement”) between Goodsize Inc. (d/b/a Yolk) (“Processor,” “Yolk,” “we,” “us”) and [Customer Name] (the “Controller,” “Customer,” “you”).
The parties enter into this DPA to ensure compliance with applicable data-protection laws, including the EU GDPR, UK GDPR, and CCPA.
1. Definitions
Except as otherwise defined in this DPA, capitalized terms have the meaning given in the Agreement.
- Customer Data means all data uploaded or provided by Customer or its users to the Service, including text, audio, and video content.
- Personal Data means information relating to an identified or identifiable natural person, as defined under applicable data-protection laws.
- Processing, Controller, Processor, Data Subject, and Personal Data Breach have the meanings given under the GDPR.
- Sub-Processor means a third party engaged by Yolk to Process Personal Data on Yolk's behalf.
2. Scope and Purpose
(a) Yolk Processes Customer Data solely to provide and improve the Yolk AI-driven sales-coaching platform (the “Service”).
(b) Processing includes storage, analysis, and automated evaluation of audio, video, and text data to generate performance feedback and simulated role-plays.
(c) Processing is performed only on documented instructions from Customer, except as otherwise required by law.
Territorial Scope
Yolk is a U.S.-based company and does not intentionally target or market the Service to individuals in the European Economic Area (EEA), the United Kingdom, or Switzerland.
To the extent a Customer is subject to data-protection laws in those jurisdictions and requires data-transfer mechanisms (such as the EU Standard Contractual Clauses or UK Addendum), Yolk will make such mechanisms available upon written request and only to the extent legally required.
3. Roles of the Parties
- Customer acts as Controller and is responsible for obtaining all required consents and providing lawful notice for call recording and data transfer.
- Yolk acts as Processor and shall (i) process Customer Data only for the purposes described in this DPA; (ii) maintain confidentiality; and (iii) implement the security measures described in Annex II.
4. Processor Obligations
Yolk shall:
- Process Personal Data only in accordance with Customer's written instructions;
- Ensure persons authorized to Process Personal Data are bound by confidentiality;
- Maintain appropriate technical and organizational measures (“TOMs”) per Annex II;
- Notify Customer of any Personal Data Breach without undue delay;
- Assist Customer in fulfilling its data-subject obligations (access, deletion, etc.);
- Delete or anonymize Personal Data at the end of retention as described in Section 9;
- Keep written records of Processing as required by Article 30 GDPR.
5. Customer Obligations
Customer shall:
- Obtain consent from all call participants before recording or sharing with Yolk;
- Configure data-retention preferences;
- Refrain from uploading or syncing any call for which required consent has not been obtained. If Yolk becomes aware that data lacks appropriate consent, Yolk may remove it.
6. Sub-Processors
(a) Customer authorizes Yolk to engage Sub-Processors listed in Annex III and future Sub-Processors subject to reasonable notice. The full list is as follows:
- Hosting & Storage: Amazon Web Services (AWS); Google Cloud Platform (GCP) — USA
- Networking / Transport: Daily.co — USA
- AI / Speech / Video Services: ElevenLabs; Avaturn Live — USA
- Analytics / Monitoring: Posthog; Sentry — USA
- Email Delivery: Resend — USA
- Security / Backups: AWS KMS; GCS Encryption — USA
(b) Customers may object to a new Sub-Processor on reasonable grounds relating to data protection within 15 days of notice. If no objection is raised within that period, the Sub-Processor shall be deemed approved.
7. Security
Yolk implements industry-standard security measures, including encryption of data at rest and in transit, access controls, and regular security reviews. Goodsize Inc. undergoes independent audits (such as, but not limited to, SOC 2) to evaluate the design of its controls.
Yolk maintains:
- Role-based access controls; multi-factor authentication;
- Network segmentation and vulnerability management;
- Incident response plans and 72-hour breach notification policy; and
- Employee training and confidentiality agreements.
8. AI and Manual Review Transparency
Yolk uses automated systems to analyze audio, video, and text data to assess communication dynamics (including tone, clarity, body language, and emotional expression) for coaching purposes. Outputs are automatically generated; human review occurs periodically for quality assurance, not for each analysis. Yolk does not perform facial or voice recognition or make employment decisions based on these analyses.
9. Retention and Deletion
- Configurable Retention: Customer may define its own data-retention periods.
- Default Retention: If none is set, Yolk retains Customer Data for up to three (3) years after termination for legal and audit purposes.
- Deletion: Personal Data will be deleted or anonymized at the end of the retention period or upon Customer request, except where retention is required by law.
- Aggregated/De-identified Data: May be retained indefinitely for research and service improvement.
10. Audits and Documentation
Yolk will make available information reasonably necessary to demonstrate compliance and may satisfy audit requests by providing third-party audit reports (e.g., SOC 2). Physical audits are permitted only if required by law or regulator and subject to reasonable notice and confidentiality.
11. International Transfers and SCC Incorporation
Where Customer Data originates from the EEA or UK and is transferred to Yolk in the U.S., the parties agree that the EU Standard Contractual Clauses (2021/914 – Module 2, Controller→Processor) and the UK International Data Transfer Addendum (2022) are incorporated by reference and form part of this DPA. The SCCs are governed by the law of Ireland and the competent supervisory authority is the Irish Data Protection Commission. For the UK Addendum, the Information Commissioner's Office applies.
12. Liability and Limitation
Each party's aggregate liability under this DPA is subject to the same limitations of liability that apply under the Agreement. Nothing in this DPA limits either party's liability for violation of applicable data-protection laws where such limitation is prohibited by law.
13. Governing Law
This DPA and any non-SCC dispute arising from it shall be governed by and construed in accordance with the laws of the State of Delaware, USA, without regard to conflicts of laws principles. Each party submits to the exclusive jurisdiction of the state and federal courts located in Delaware.
Annex I – Description of Processing
- A. Subject Matter – Provision of Yolk's AI-based sales-coaching platform.
- B. Duration – For the term of the Agreement and retention period described in Section 9.
- C. Nature and Purpose – Storage and analysis of text, audio, and video to provide feedback and performance training.
- D. Categories of Data Subjects – Customer employees, contractors, and sales representatives; third-party call participants.
- E. Categories of Personal Data – Name, email, employment details, call content (audio/video/text), role-play interactions, usage data.
- F. Special Categories – None intentionally processed; voice/image data may appear incidentally; no biometric identifiers stored.
- G. Transfers – Data stored and processed in the United States with appropriate SCC safeguards.
Annex II – Technical and Organizational Measures (TOMs)
- Encryption (AES-256 at rest, TLS 1.2+ in transit).
- Access control and authentication (MFA, least privilege).
- Network segmentation and firewall protection.
- Vulnerability management and patch cycles.
- Continuous logging and monitoring.
- Regular security reviews and penetration tests.
- SOC 2 audit program to evaluate control design.
- Employee training and confidentiality agreements.
- Incident response plan with 72-hour notification to Controller.
Annex III – Authorized Sub-Processors
- Hosting & Storage: Amazon Web Services (AWS); Google Cloud Platform (GCP) — USA
- Networking / Transport: Daily.co — USA
- AI / Speech / Video Services: ElevenLabs; Avaturn Live — USA
- Analytics / Monitoring: Posthog; Sentry — USA
- Email Delivery: Resend — USA
- Security / Backups: AWS KMS; GCS Encryption — USA
Yolk maintains an updated Sub-Processor list available on request.
Annex IV – Standard Contractual Clauses Reference
The EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914, Module 2 – Controller to Processor) and the UK International Data Transfer Addendum (2022) are hereby incorporated by reference and form part of this DPA.
All Annexes of this DPA shall be deemed the corresponding Annexes of the SCCs. In case of conflict between the SCCs and this DPA, the SCCs shall prevail.
Applicability of Transfer Mechanisms. The EU Standard Contractual Clauses and/or UK Addendum apply only where Customer is established in the EEA or UK or where otherwise required by applicable law.
Goodsize Inc. (d/b/a Yolk)
800 N King Street
Suite 304-2136
Wilmington, DE 19801
United States