Data Processing Agreement

5. Upmos Obligations

When acting as a Processor, Upmos shall:

• Process personal data only on the Seller’s documented instructions, unless required by applicable law (in which case Upmos will inform the Seller of that legal requirement before processing, unless prohibited by law)
• Ensure that persons authorized to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality
• Implement appropriate technical and organizational security measures as described in Section 9
• Engage sub-processors only in accordance with Section 7 of this DPA
• Assist the Seller in responding to data subject rights requests as described in Section 8
• Assist the Seller in ensuring compliance with obligations relating to security, breach notification, impact assessments, and prior consultation
• At the Seller’s choice, delete or return all personal data upon termination of services, and delete existing copies unless storage is required by applicable law
• Make available all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits

6. Seller Obligations

The Seller warrants and undertakes that:

• It has a lawful basis for processing personal data and for instructing Upmos to process personal data on its behalf
• It has provided all required notices and obtained all necessary consents from data subjects
• Its instructions to Upmos comply with Applicable Data Protection Law
• It will promptly notify Upmos of any changes to applicable data protection laws that may affect Upmos’s processing obligations
• It will maintain its own records of processing activities as required by GDPR Article 30

7. Sub-processors

The Seller grants Upmos general written authorization to engage sub-processors to perform specific processing activities. Upmos maintains a current list of sub-processors at https://upmos.com/sub-processors/.

7.1 Notification of Changes

Upmos will provide 30 days’ prior written notice before engaging any new sub-processor. The Seller may object to a new sub-processor by notifying Upmos within 14 days of receiving such notice.

7.2 Sub-Processor Agreements

Upmos will impose data protection obligations on each sub-processor that are no less protective than those set out in this DPA. Upmos remains fully liable to the Seller for the performance of each sub-processor’s obligations.

8. Data Subject Rights

Upmos will assist the Seller in fulfilling its obligations to respond to data subject requests, including:

• Right of access (GDPR Art. 15 / CCPA § 1798.100)
• Right to rectification (GDPR Art. 16)
• Right to erasure (“right to be forgotten”) (GDPR Art. 17 / CCPA § 1798.105)
• Right to restriction of processing (GDPR Art. 18)
• Right to data portability (GDPR Art. 20 / CCPA § 1798.100)
• Right to object (GDPR Art. 21)
• Right to opt-out of sale/sharing (CCPA § 1798.120)
• Right to non-discrimination (CCPA § 1798.125)

Upmos will respond to data subject requests within 48 hours and will notify the Seller without undue delay if it receives a request directly from a data subject.

9. Security Measures

Upmos implements and maintains the following technical and organizational security measures:

9.1 Technical Measures

• Encryption of personal data in transit (TLS 1.2+) and at rest (AES-256)
• Regular vulnerability assessments and penetration testing
• Intrusion detection and prevention systems
• Multi-factor authentication for all administrative access
• Role-based access controls with least-privilege principles
• Automated backup with encryption and geographic redundancy
• Web Application Firewall (WAF) and DDoS protection

9.2 Organizational Measures

• Annual security awareness training for all employees
• Background checks for employees with access to personal data
• Documented incident response procedures
• Regular internal audits of data processing activities
• Data protection impact assessments for high-risk processing
• Designated Data Protection Officer

10. Data Breach Notification

In the event of a personal data breach, Upmos will:

• Notify the Seller without undue delay and no later than 48 hours after becoming aware of the breach
• Provide the following information:
  • The nature of the breach, including categories and approximate number of affected data subjects
  • The likely consequences of the breach
  • The measures taken or proposed to address the breach and mitigate its effects
  • The name and contact details of Upmos’s Data Protection Officer
• Cooperate with the Seller and take reasonable commercial steps to assist in investigating, mitigating, and remediating the breach
• Maintain a written record of all data breaches, including facts, effects, and remedial actions taken

11. International Data Transfers

Upmos primarily processes personal data in the United States. For transfers of personal data from the European Economic Area (EEA), United Kingdom, or Switzerland to the United States, Upmos relies on:

• Standard Contractual Clauses (SCCs) — Commission Implementing Decision (EU) 2021/914, Module Two (Controller to Processor) and Module Three (Processor to Processor) as applicable
• UK International Data Transfer Agreement (IDTA) or UK Addendum to the EU SCCs for transfers from the United Kingdom
• Supplementary measures including encryption, pseudonymization, and access controls as recommended by the EDPB

Copies of the executed SCCs are available upon request by contacting privacy@upmos.com.

12. Audit Rights

Upmos will make available to the Seller all information reasonably necessary to demonstrate compliance with this DPA and will allow for and contribute to audits, including inspections, conducted by the Seller or a qualified third-party auditor mandated by the Seller.

• Audits may be conducted once per calendar year upon 30 days’ prior written notice
• Audits shall be conducted during normal business hours and shall not unreasonably disrupt Upmos’s operations
• The Seller shall bear the costs of any audit, unless the audit reveals material non-compliance, in which case Upmos shall bear the costs
• Upmos may satisfy audit requests by providing relevant SOC 2 Type II reports or equivalent third-party certifications

13. Data Retention & Deletion

Upon termination of the MPA or upon the Seller’s written request:

• Upmos will delete or return all personal data processed on the Seller’s behalf within 90 days
• Upmos will provide written certification of deletion upon request
• Upmos may retain personal data as required by applicable law, regulation, or legal obligation, provided that such data is isolated and protected from further processing
• Backup copies will be deleted in accordance with Upmos’s standard backup rotation schedule (no later than 180 days)

14. Liability

Each party’s liability under this DPA is subject to the limitations and exclusions of liability set out in the MPA. Nothing in this DPA limits either party’s liability for:

• Breaches of applicable data protection law caused by willful misconduct or gross negligence
• Obligations that cannot be limited under applicable law
• Indemnification obligations relating to third-party claims arising from a party’s breach of this DPA

15. Term & Termination

This DPA takes effect on the date the Seller accepts the MPA and remains in effect for so long as Upmos processes personal data on behalf of the Seller. Termination of the MPA automatically terminates this DPA, subject to the data retention obligations in Section 13.

16. Contact

For questions about this DPA or to exercise rights under it:

Mailing Address

Upmos Inc.
9896 Bissonnet St
Houston, TX 77036
United States