YearOne Data Processing Agreement

Last Modified: July 1, 2025

This Data Processing Agreement ("DPA") forms part of the YearOne Terms of Service ("Agreement") between PocketMentor, Inc. ("YearOne", "we", "us", or "our") and the customer identified in the Agreement ("Customer", "you", or "your") to reflect the parties' agreement with regard to the processing of personal data.

By accepting our Terms of Service, you are also accepting this DPA on behalf of Customer. This DPA shall apply to the extent YearOne processes personal data on behalf of Customer as a data processor.

1. Definitions

For purposes of this DPA:

  • "Affiliate" means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity.
  • "Customer Data" means any personal data that YearOne processes on behalf of Customer as a data processor in connection with providing the Services.
  • "Data Protection Laws" means all applicable laws and regulations relating to data protection and privacy, including GDPR, CCPA, and other applicable privacy laws.
  • "GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data.
  • "Personal Data" means any information relating to an identified or identifiable natural person.
  • "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data.
  • "Services" means YearOne's cloud-based productivity analytics and education platform services provided under the Agreement.
  • "Sub-processor" means any third party appointed by YearOne to process Customer Data.

2. Scope and Roles

2.1 Scope

This DPA applies when YearOne processes Customer Data in the course of providing the Services. The details of the processing are described in Appendix 1 (Processing Details).

2.2 Customer as Controller

Customer is the data controller of Customer Data and determines the purposes and means of processing. Customer is responsible for ensuring that it has all necessary rights and consents to permit YearOne to process Customer Data.

2.3 YearOne as Processor

YearOne is the data processor and will process Customer Data only on Customer's documented instructions, except where required by applicable law.

3. YearOne's Processing Obligations

3.1 Compliance with Instructions

YearOne will process Customer Data only in accordance with Customer's documented instructions, unless required by applicable law. The Agreement and this DPA constitute Customer's complete instructions.

3.2 Personnel

YearOne will ensure that personnel authorized to process Customer Data:

  • Have committed to confidentiality or are under appropriate statutory obligations of confidentiality
  • Receive appropriate training on data protection
  • Process Customer Data only as necessary to provide the Services

3.3 Security Measures

YearOne will implement and maintain appropriate technical and organizational measures to protect Customer Data, as described in Appendix 2 (Security Measures). These measures include:

  • Encryption of data in transit and at rest
  • Access controls and authentication mechanisms
  • Regular security assessments and penetration testing
  • Incident response procedures
  • Employee security training

3.4 Sub-processors

Customer provides general authorization for YearOne to engage Sub-processors to assist in providing the Services. YearOne maintains a list of Sub-processors at our Sub-processors page.

YearOne will:

  • Notify Customer of intended changes concerning the addition or replacement of Sub-processors
  • Ensure Sub-processors are bound by written contracts containing data protection obligations no less protective than this DPA
  • Remain fully liable to Customer for any failure by a Sub-processor to fulfill its data protection obligations
  • Ensure Sub-processor agreements meet all requirements of applicable Data Protection Laws

3.5 International Transfers

YearOne may transfer Customer Data internationally as necessary to provide the Services. For transfers outside the EEA, YearOne will ensure appropriate safeguards are in place, such as:

  • Standard Contractual Clauses approved by the European Commission
  • Adequacy decisions
  • Other valid transfer mechanisms under Data Protection Laws

4. Customer's Obligations

4.1 Lawful Basis

Customer represents and warrants that:

  • It has all necessary rights and lawful basis to provide Customer Data to YearOne
  • Its instructions comply with all applicable laws
  • It has provided all required notices and obtained all necessary consents

4.2 Data Accuracy

Customer is responsible for the accuracy, quality, and legality of Customer Data and the means by which it acquired the data.

5. Data Subject Rights

5.1 Assistance with Requests

YearOne will provide reasonable assistance to Customer in responding to data subject requests at Customer's sole expense, including requests for:

  • Access to personal data
  • Rectification or erasure
  • Data portability
  • Restriction of processing
  • Objection to processing

Such assistance will be charged at YearOne's then-current professional services rates unless included in Customer's service plan.

5.2 Direct Requests

If YearOne receives a request from a data subject regarding Customer Data, YearOne will promptly notify Customer and will not respond except on Customer's documented instructions.

6. Data Breach Notification

6.1 Notification

YearOne will notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Data. The notification will include:

  • Nature of the breach
  • Categories and approximate number of affected data subjects
  • Categories and approximate number of affected personal data records
  • Likely consequences
  • Measures taken or proposed to address the breach

6.2 Cooperation

YearOne will cooperate with Customer and take reasonable steps to assist in the investigation, mitigation, and remediation of any Personal Data Breach.

7. Audit Rights

7.1 Information and Audit

YearOne will make available to Customer information necessary to demonstrate compliance with this DPA and allow for audits, including inspections, by Customer or Customer's appointed auditor.

7.2 Audit Procedures

Customer must provide reasonable notice of any audit and must not conduct audits more than once per year unless required by Data Protection Laws or following a Personal Data Breach. Audits must be conducted during regular business hours and in a manner that minimizes disruption to YearOne's operations. All audits will be conducted at Customer's sole expense, including any time spent by YearOne personnel in supporting the audit.

8. Data Return and Deletion

8.1 Upon Termination

Upon termination of the Agreement, YearOne will, at Customer's option:

  • Return all Customer Data to Customer in a standard format
  • Delete all Customer Data from YearOne's systems

8.2 Retention

YearOne may retain Customer Data to the extent required by applicable law and will ensure the confidentiality of retained Customer Data.

9. Liability

Each party's liability under this DPA is subject to the limitations of liability provisions in the Agreement.

10. Aggregate and Anonymized Data

YearOne may collect, use, and disclose aggregated and/or anonymized data ("Aggregate Data") derived from Customer Data for the following purposes:

  • Providing industry benchmarks and comparative analytics
  • Improving the Services and developing new features
  • Enhancing algorithms and machine learning models used by the Services
  • Conducting research and statistical analysis
  • Creating and publishing industry reports and insights

Aggregate Data will:

  • Not identify Customer or any individual data subjects
  • Be irreversibly anonymized using industry-standard techniques
  • Remain YearOne's property
  • Not be subject to the data return or deletion provisions of this DPA

11. General Terms

11.1 Modification

YearOne may update this DPA from time to time to reflect changes in Data Protection Laws. YearOne will notify Customer of material changes.

11.2 Severability

If any provision of this DPA is held to be invalid or unenforceable, the remaining provisions will continue in full force and effect.

11.3 Governing Law

This DPA is governed by the same law as the Agreement.


Appendix 1: Processing Details

Nature and Purpose of Processing

YearOne processes Customer Data to provide productivity analytics, educational services, and talent management tools as described in the Agreement. This includes:

  • Analyzing engineering team productivity metrics
  • Tracking work items across multiple platforms
  • Providing educational content and assessments
  • Generating insights and reports
  • Facilitating team collaboration

Categories of Data Subjects

  • Customer's employees and contractors
  • Users of Customer's development tools and platforms
  • Individuals whose data is included in integrated systems

Types of Personal Data

  • Developer Identity Data: Names, usernames, employee IDs, git profiles, GitHub/GitLab usernames
  • Contact Data: Email addresses, team affiliations
  • Professional Data: Job titles, roles, team membership, department information
  • Development Activity Data:
    • How Customer's systems and code are used, planned, accessed and developed
    • Git commits, pull requests, code reviews, merge activities
    • Work item interactions across Jira, Azure DevOps, and other platforms
    • Sprint participation and velocity metrics
    • Code contribution patterns and productivity metrics
  • Productivity Data: ActivTrak activity metrics, deep work patterns, application usage
  • Technical Data: IP addresses, device information, access logs, API tokens (encrypted)
  • Educational Data: Course progress, assessment results, certifications, skill assessments

Duration of Processing

For the duration of the Agreement and as necessary to provide the Services, unless otherwise agreed or required by law.


Appendix 2: Security Measures

YearOne implements comprehensive security measures including:

Technical Measures

  • Encryption: TLS 1.2+ for data in transit; AES-256 for data at rest
  • Access Control: Role-based access control, multi-factor authentication
  • Infrastructure: Secure cloud hosting with AWS/Heroku
  • Monitoring: 24/7 security monitoring and intrusion detection
  • Backup: Regular automated backups with encryption

Organizational Measures

  • Security Policies: Comprehensive information security policies
  • Training: Regular security awareness training for all personnel
  • Access Management: Principle of least privilege, regular access reviews
  • Incident Response: Documented incident response procedures
  • Vendor Management: Security assessments of Sub-processors

Physical Security

  • Data centers with 24/7 physical security
  • Environmental controls and redundancy
  • Restricted access to production systems

Compliance

  • Regular security assessments and penetration testing
  • Business continuity and disaster recovery planning
  • Compliance with industry standards and best practices