← Yungle

Data Processing Agreement

Last updated 13 July 2026

Template for a self-hosted EU file-transfer service — reflects how Yungle actually works, but have it reviewed by qualified counsel before you rely on it in production.

This DPA applies where you use Yungle to process personal data of others (for example, sharing files containing your customers’ data). Here you are the controller and Yungle is your processor, acting on your documented instructions under Article 28 GDPR. It forms part of our Terms of Service.

1. Scope & roles

You (the controller) determine the purposes and means of processing the personal data you upload. Yungle (the processor) processes that data only to provide the service — storage, encryption, preview generation, transfer, and deletion — and only on your instructions, including those given through the product’s features.

2. Confidentiality & security

Yungle keeps the data confidential and applies appropriate technical and organizational measures, including:

  • Encryption at rest with per-file keys (AES-256-GCM envelope encryption) and encryption in transit (TLS).
  • A master key held outside the database, with support for key rotation.
  • Strict access controls, rate limiting, and an audit trail of security-relevant actions.
  • EU-only data residency on Hetzner (Germany).

3. Sub-processors

You authorize Yungle to engage the sub-processors listed in our Privacy Policy (Hetzner, Mollie, Brevo), each bound by equivalent data-protection obligations. We will inform you of intended changes and give you the opportunity to object.

4. International transfers

Personal data is processed and stored within the EU/EEA. Yungle does not transfer your data outside the EU/EEA.

5. Assistance & breach notification

Taking into account the nature of processing, Yungle assists you in responding to data-subject requests and in meeting your security, breach-notification, and impact-assessment obligations. We will notify you without undue delay after becoming aware of a personal-data breach affecting your data.

6. Deletion & return

On expiry of a transfer, deletion of content, or termination of your account, Yungle deletes the relevant personal data — including by shredding the associated encryption keys — save where storage is required by EU or member-state law. You can export your data at any time from your account.

7. Audits

Yungle makes available the information necessary to demonstrate compliance with Article 28 GDPR and contributes to audits, including inspections, conducted by you or an auditor you mandate, subject to reasonable confidentiality and security safeguards.

8. Contact

For DPA requests or to sign a countersigned copy, contact dpo@yungle.co.