Skip to main content

DPA draft

Data processing addendum summary

This operational draft outlines processing roles and safeguards for review. It is not a final attorney-reviewed DPA.

Processing Role

For customer workforce operations data, the customer controls what is entered into Yrka and Yrka processes that data to provide the hosted service, support, security, billing, import/export, notification, AI-enabled, and operational workflows.

The customer determines which employees, admins, records, documents, schedules, messages, resources, providers, and workflows belong in the account. Yrka's processing is limited to operating, securing, supporting, measuring, and improving the hosted service according to customer configuration and documented product behavior.

Yrka may process limited account, billing, security, and support data as needed to administer the service relationship, protect the platform, investigate abuse, respond to support requests, and maintain required operational records.

Data Categories

Processed categories include account data, employee profile data, time and schedule data, payroll-prep data, leave data, documents, credentials, Resources, training, tasks, messages, notifications, imports, reports, audit logs, integration metadata, and support records.

Some categories may include personal data about employees, admins, applicants, message recipients, or customer contacts. The exact fields depend on what the customer imports, creates, uploads, configures, or authorizes through connected providers.

Provider metadata may include connection identifiers, sync job state, webhook event state, delivery state, object links, and setup evidence. Provider secrets and token material should stay server-side or behind secret-reference boundaries.

Subprocessors And Transfers

Current subprocessors are listed on the Subprocessors page. Optional providers apply only when the related feature or environment is configured.

Provider token material should remain server-side or behind secret references and should not be returned to browser clients.

Assistance And Deletion

Yrka support can assist with customer export, retention, deletion, and privacy requests according to documented operations runbooks and plan scope.

Customer-requested export and deletion work should follow the account lifecycle, privacy request, data retention, and restore-drill runbooks. Those runbooks describe expected review, identity, scope, retention, and backup-boundary handling before operational changes are made.

Deletion from active systems does not necessarily remove data from backups immediately. Backup copies may remain until the relevant backup retention period expires, and restoration procedures should preserve the same customer-account boundaries.

Security Measures

Yrka's launch controls include Supabase authentication, organization scoping, row-level security, named route permissions, private file storage, signed URLs for sensitive files, audit events, structured logs, and server-only privileged seams.

Customers are responsible for assigning owner and admin access carefully, disabling users who should no longer have access, configuring provider connections deliberately, and reviewing exported or AI-assisted output before using it outside Yrka.

Yrka uses optional analytics on the public site to understand page interest. The authenticated app does not load GA4.