Legal
Data Processing Agreement
This Data Processing Agreement (“DPA”) is entered into as of Effective Date between Agency Legal Name (the “Agency” or “Controller”) and Yozona LLC (“Yozona” or “Processor”) — each a “Party.”
Highlighted fields are completed per engagement at execution.
Recitals
(A) The Agency is a licensed insurance producer responsible, under GLBA's Safeguards Rule and the NAIC Insurance Data Security Model Law, for safeguarding nonpublic personal information (“NPI”) and overseeing third-party providers that handle it.
(B) Yozona provides a managed certificate-of-insurance (COI) and back-office service desk: it drafts and processes certificate requests from a scoped store of commercial policies the Agency provides, and routes every client-facing output to the Agency's licensed producer for approval.
(C) In performing the Services, Yozona processes Personal Data on behalf of the Agency; this DPA governs that processing.
1. Definitions
“Personal Data” / “NPI” as Processed by Yozona for the Agency (categories in Annex A). “Process/Processing,” “Sub-processor” (Annex C), “Personal Data Breach,” and “Applicable Data Protection Law” (GLBA Safeguards Rule, NAIC Model Law as adopted in Governing-Law State, state breach-notification law) bear their standard meanings.
2. Roles and scope
The Agency is the Controller; Yozona is the Processor. Yozona Processes Personal Data only to provide the Services and on the Agency's documented instructions.
Purpose limitation: no use beyond the Services; no sale or own-commercial use.
Data minimization: only the active commercial policies and certificate-request details the Agency designates and loads — Yozona does not require the full book of business, personal-lines data, or AMS credentials. Any optional scoped, read-only AMS integration is enabled only with the Agency's express, revocable authorization.
3. Confidentiality
Yozona treats all Personal Data as confidential and binds its personnel/contractors to confidentiality. Yozona does not bind, quote, or advise on coverage; every client-facing output is routed to the Agency's designated licensed producer for sign-off — that sign-off is the Agency's accuracy and E&O control.
4. Security measures
Yozona maintains appropriate technical and organizational measures (Annex B), consistent with the GLBA Safeguards Rule and the NAIC Model Law, reviewed periodically and not materially degraded during the term.
5. AI/model processing
Yozona uses Anthropic, PBC as its model provider to draft and process certificate content. Under Anthropic's commercial API terms, Agency data is not used to train Anthropic's models and is retained for up to 30 days for operational and trust-and-safety purposes, then deleted. Anthropic is listed as a Sub-processor in Annex C. Yozona inputs only the scoped data needed to perform the Services and does not input Agency Personal Data into consumer AI accounts.
6. Sub-processors
The Agency authorizes the Sub-processors listed in Annex C. Yozona imposes data-protection obligations on each that are no less protective than this DPA, gives at least 30 days' prior written notice of any addition/replacement (Agency may object on reasonable grounds), and remains liable for each Sub-processor's performance.
7. Assistance to the Agency
Yozona provides reasonable assistance with data-subject rights requests and the Agency's security, breach-notification, and regulatory obligations, and makes available the information (including the Annex B audit trail) needed to demonstrate compliance.
8. Personal Data Breach
Yozona notifies the Agency without undue delay and within 72 hours of becoming aware of a Breach, describing (to the extent known) nature, categories/volume affected, likely consequences, and measures taken. Yozona contains the breach, cooperates, and documents root cause and remediation. The Agency notifies its end clients and regulators; Yozona supports that timeline.
9. Return and deletion
On termination/expiry or the Agency's earlier written request, Yozona returns and/or deletes the Personal Data (scoped policy store + derived artifacts) at the Agency's choice, confirming deletion in writing within 30 days of offboarding.
In-life retention: scoped policy store kept for the life of the engagement; per-request operational artifacts (audit trail, extracted fields, draft/issued certificates) purged 90 days after the request resolves; read-only record-view links expire 30 days after issuance.
Yozona is not the Agency's system of record — the durable statutory/E&O copy lives in the Agency's own management system.
10. Audit
On reasonable notice, no more than once per year (or after a Breach, or where a regulator requires), Yozona makes the audit trail and reasonable documentation available and responds to the Agency's security questionnaire, during business hours and subject to confidentiality.
11. Liability and term
Effective on the Effective Date, continuing for the duration of the Services; confidentiality, deletion confirmation, and liability survive. Liability is subject to the limitations in the underlying services agreement.
12. Governing law
Governed by the laws of Governing-Law State, without regard to conflict-of-laws principles. On data-protection matters this DPA controls over the services agreement.
Signatures
Annex A — Description of Processing
| Category | Detail |
|---|---|
| Subject matter | Drafting and processing certificates of insurance and related back-office workflows for the Agency. |
| Duration | The term of the Services; data deleted per Section 9. |
| Nature & purpose | Reading the Agency's scoped commercial policy store, drafting certificates and collecting missing request information, routing outputs to the Agency's licensed producer for approval, and — where enabled — mirroring request lifecycle status to the Agency's AMS case address. |
| Categories of data subjects | The Agency's commercial insureds and their representatives; certificate holders / requesting third parties named on requests. |
| Categories of Personal Data | Named insured and business identifiers (business name, address, EIN); policy numbers, carriers, coverage lines, limits, effective/expiry dates, bound endorsement details; certificate-holder names and contact details supplied per request. |
| Special / sensitive categories | Not intended; only the active commercial policies the Agency loads. SSNs/banking details are not requested. |
| Recipients / data flows | (a) The Agency's licensed producer (sign-off) via email + read-only record link; (b) the requester named on each request; (c) optional, Agency-enabled: the Agency's own AMS case address. Flow (c) returns data to the Controller's own system. |
| Data we deliberately do not require | The Agency's full book of business; personal-lines data; payment/banking credentials; AMS login credentials. |
Annex B — Technical and Organizational Measures
Annex C — Sub-processors
| Sub-processor | Purpose | Location | Status |
|---|---|---|---|
| Anthropic, PBC | AI drafting/processing of certificate content | USA | Commercial API terms: no model training; 30-day retention |
| [Hosting provider] | Hosting of the isolated processing environment and policy store | [Region] | To be named at execution |
| [Email / intake provider] | Dedicated intake email and delivery | [Region] | To be named at execution |