If your organisation is subject to GDPR, you need a Data Processing Agreement (DPA) with every processor that handles personal data on your behalf — Yaplet is one of them. You can sign Yaplet's DPA in a single click from the dashboard and download the signed PDF immediately. No legal email back-and-forth.
Sign the DPA
- Go to Settings → DPA.
- Click Sign DPA.
- Confirm by clicking the button. Your signature — name, email, and timestamp — is recorded immediately under your workspace owner's account.
- Click Download PDF to save a signed copy for your records.
Only the workspace owner can sign the DPA.
If Yaplet updates the DPA, the button changes to Re-sign DPA. Your new signature replaces the previous one and the updated version is recorded.
Where your data lives
Yaplet hosts customer data in Frankfurt, Germany. Your conversation data, visitor profiles, agent accounts, and media uploads stay on EU infrastructure during normal operations. International transfers, where they occur, are covered by Standard Contractual Clauses — see our privacy policy and DPA linked below for the full legal terms.
Encryption
- In transit — TLS 1.2 or higher on every connection between your team, your visitors, and Yaplet's servers.
- At rest — AES-256 encryption on the database and file storage.
Data retention
Yaplet automatically deletes conversation data once it is older than the retention period for your subscription:
- Paid plans — 5 years.
- Free plans — 90 days.
Conversations older than these limits, along with their attached media, are permanently removed by a daily cleanup job. Each cleanup is recorded in the Audit log.
Sub-processors
Yaplet uses a small number of sub-processors for specific features. The full, up-to-date list is published at yaplet.com/legal/sub-processors. At the time of writing, the list includes:
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase | Database, authentication, storage | EU (Frankfurt, Germany) |
| Stripe | Payments and subscription billing | EU / US |
| Sentry | Error monitoring and diagnostics | US |
| OpenAI | AI model processing | US |
| Anthropic | AI model processing | US |
| Google AI | AI model processing | EU / US |
| AWS (SES / SNS) | Transactional email and notifications | EU / US |
| Telnyx | Phone numbers and voice call routing | EU / US |
| OneSignal | Push notifications | US |
| DigitalOcean | Infrastructure services | EU / US |
| Cloudflare | CDN, edge security, traffic routing | Global |
| DeepL | Translation services | EU |
Each sub-processor's own DPA is linked from the public sub-processor list. AI sub-processors only receive conversation content when an AI feature is enabled on a widget. You can disable AI features per widget in Widget settings → AI.
Access controls
- Role-based permissions on every dashboard and API call, enforced server-side.
- Row-level security at the database layer — every server route is gated.
- Audit logging for critical actions — see Audit log.
Visitor data rights
If a visitor exercises their GDPR rights, you can fulfil the request directly from the dashboard:
- Subject access request — see Export visitor data.
- Right to erasure — see Erase a visitor's data.
Where to read more
- Security page: yaplet.com/security
- DPA full text: yaplet.com/legal/dpa
- Sub-processors list: yaplet.com/legal/sub-processors
- Privacy policy: yaplet.com/legal/privacy-policy