This Data Processing Agreement, together with the Standard Contractual Clauses and any Appendices (collectively the “DPA”), supplements the Hosted Services Agreement (or another written agreement, mutually acceptable to both parties, governing access to and use of UpGuard’s Services) entered into by and between the entity accessing the Services (“Customer” or “you” or “your”) and UpGuard, Inc. (“UpGuard” or “Company” or “we” or “us”). UpGuard and Customer may each be referred to in the DPA individually as a “Party” and together as the “Parties”.
- PURPOSE AND INCORPORATION
- Agreement: This DPA supplements the Agreement (as defined below) which governs UpGuard’s provision of Services to you.
- Scope: This DPA reflects the Parties’ commitment to abide by the relevant Data Protection Laws (as defined below) concerning the Processing of Customer Personal Data (as defined below) in connection with our performance under the Agreement. For the avoidance of doubt, this DPA does not apply to any Personal Data for which we act as the Controller.
- Roles: The Parties acknowledge that with respect to Customer Personal Data, you at all times act as Controller (or Business, as applicable) and we at all times act as Processor (or Service Provider, as applicable).
- DEFINITIONS
- “Agreement” means the UpGuard Hosted Services Agreement (“HSA”), together with any applicable Order Forms, exhibits, or addendums incorporated therein by reference, or other negotiated agreement executed in writing between the Parties which governs our provision of Services to you;
- “Customer Personal Data” means Customer Content that is Personal Data Processed by us on your behalf. For the avoidance of doubt, Customer Personal Data does not include any Personal Data for which we act as the Controller.
- “Relevant Communication” means: (i) a validated request from a Data Subject to exercise any applicable rights under the relevant Data Protection Laws; or (ii) any complaint, notice or other communication from a Data Subject or Supervisory Authority, government authority or judicial body which relates to the Processing of Personal Data under the Agreement;
- “Relevant Data Protection Laws” means the relevant privacy laws, rules and regulations in any relevant jurisdiction that are applicable to the collection, use, transfer or other processing of Customer Personal Data under the Agreement. Relevant Data Protection Laws may include, but are not limited to, the EU General Data Protection Regulation 2016/679 (“GDPR”) and its respective national implementing legislations, the United Kingdom Data Protection Act 2018, the United Kingdom General Data Protection Regulation (“UK GDPR”), the Australian Privacy Act of 1988; the Swiss Federal Act on Data Protection; and the US State Data Protection Laws (as further defined below) and in each case, as amended, adopted, or superseded from time to time.
- “Data Security Incident(s)” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data that is transmitted, stored or otherwise processed under the Agreement.
- “Sensitive Personal Data” means personal data or personal information of a “sensitive” nature, including without limitation: sensitive personal data (as defined under GDPR), information relating to minors, bank account or card information, credit information and social security numbers or other government-issued identification numbers or other government-issued identifying information.
- “Services” means the products and services provided by us, that you purchase pursuant to an Order Form.
- “Subprocessor(s)” means any third-party appointed by us to Process Customer Personal Data.
- “US State Data Protection Laws” means the relevant privacy laws and regulations in any state, district, or commonwealth of the United States that are applicable to the collection, use, transfer, or other processing of Personal Data under the Agreement, including but not limited to: (i) the California Consumer Privacy Act of 2018 (“CCPA”), as amended by the California Privacy Rights Act of 2020 (“CPRA”); (ii) the Virginia Consumer Data Protection Act; (iii) the Utah Consumer Privacy Act; (iv) the Connecticut Data Privacy Act; and (v) the Colorado Privacy Act.
- Business, Controller, Data Subject, Personal Data, Personal Information, Process, Processing, Processor, Sell, Share, Service Provider, and Supervisory Authority shall have the meanings given to them in the Relevant Data Protection Laws, as applicable.
- COMPLIANCE WITH DATA PROTECTION LAWS
- Compliance With Law. This DPA is in addition to, and does not relieve, remove or replace a Party’s obligations or rights under the Relevant Data Protection Laws. Each Party is responsible for its compliance with the Relevant Data Protection Laws in relation to the Customer Personal Data under its control, and:
- You will comply with all obligations applicable to you under the Relevant Data Protection Laws as the Controller; and
- We will comply with all obligations applicable to us under the Relevant Data Protection Laws as the Processor.
- Consents. You represent and warrant that you have all required consents and notices in place and all necessary rights to lawfully transfer Customer Personal Data to us for the duration and purposes of this DPA. For the avoidance of doubt, you will not solicit or collect Personal Data from third parties unless you have obtained such third party’s prior express written consent or have established an alternative legal basis for such Processing.
- Sensitive Personal Data. You represent and warrant that you will not use the Services to store, collect or solicit Sensitive Personal Data. You acknowledge the risks inherent in respect of Sensitive Personal Data, and you disclaim all liability against us for any claims, causes of action, damages, judgements, settlements and costs arising out of your violation of this Section 3.3.
- TERMS OF PROCESSING
- Details of Processing. The type of Personal Data, the categories of Data Subjects, and the scope, nature, purpose, and duration of Processing are set forth in Annex 1 to this DPA.
- Data Processing Requirements. For Customer Personal Data that we Process on your behalf, we will:
- Confidentiality. Keep Customer Personal Data confidential and ensure that any person authorized to Process Customer Personal Data is contractually obligated to maintain the confidentiality of such information or is otherwise under an appropriate statutory obligation of confidentiality.
- Documented Instructions. We will Process the Customer Personal Data only on your documented instructions, as set forth in the Agreement and this DPA, including your instructions with respect to transfers of Customer Personal Data to a third country or an international organization, unless otherwise required by Data Protection Laws to which we are subject; in such case, unless otherwise prohibited by Data Protection Laws, we will inform you of such legal requirement prior to Processing. For purposes of this DPA, you instruct us to:
- Process the Customer Personal Data;
- conduct transfers of Customer Personal Data (including, where applicable, International Transfers); and
- engage Sub-Processors in accordance with Section 6 of this DPA, in each case as reasonably necessary for us to provide the Services and to otherwise comply with our obligations and exercise our rights under the Agreement;
- Unlawful Instructions. We will immediately inform you if, in our reasonable opinion, your instruction violates any Relevant Data Protection Law. In such an event, we will not be obligated to carry out that Processing and will not be deemed in breach of the Agreement or otherwise liable to you as a result of our failure to carry out that Processing. Notwithstanding the foregoing, you represent and warrant that your instructions relating to Processing of Customer Personal Data will not put us in breach of Relevant Data Protection Laws.
- Relevant Communications. We will (i) upon receipt of a Relevant Communication regarding Customer Personal Data; and (ii) upon identifying you as the Controller, promptly (and in any event within five business days) notify you of that Relevant Communication. To the extent we receive a Relevant Communication regarding Customer Personal Data, we will: (i) refuse the request; (ii) provide the third party with your contact information; and (iii) instruct the third party to make such request directly to you. You will be responsible for responding to such Relevant Communication and for ensuring that any data subject requests for erasure, restriction or cessation of processing or withdrawal of consent to processing are communicated to us, and, if applicable, for ensuring that a record of consent to Processing is maintained with respect to each Data Subject.
- Assistance. Taking into account the nature of our Processing under the Agreement, and the information available to us, then promptly following receipt of your written request we will provide reasonable cooperation and assistance to you, at your expense, in order for you to:
- comply with your obligations under the Relevant Data Protection Laws relating to the security of Processing Customer Personal Data;
- pursuant to Relevant Data Protection Laws, respond to or fulfil (as the case may be) a Relevant Communication in respect of Customer Personal Data;
- to the extent required by Relevant Data Protection Laws, conduct privacy impact assessments and consultations with Supervisory Authorities or other competent data privacy authorities related to your use of the Services.
- Demonstrable Compliance. We agree to keep appropriate records and promptly upon your written request to provide information reasonably necessary to demonstrate our compliance with our obligations in this DPA.
- SECURITY
- Security Program. We will implement and maintain appropriate technical, physical and organizational measures in accordance with Relevant Data Protection Laws (including as described in Article 32 GDPR) to ensure the ongoing confidentiality, security, availability and integrity of Customer Personal Data and to prevent unauthorized or unlawful processing of Customer Personal Data and accidental loss or destruction of, or damage to, Customer Personal Data. Further information about our security program, including a copy of our Security Requirements and Technical Organizational Measures, is available on UpGuard’s Trust Page found at https://security.upguard.com.
- Data Security Incidents. In the event of a Data Security Incident, we will:
- after discovering such Data Security Incident, notify you in writing of such Data Security Incident promptly and without undue delay;
- provide all cooperation, assistance and information you reasonably request with respect to such Data Security Incident;
- not make any notification to any third party (including any Supervisory Authority or Data Subject) regarding the Data Security Incident without your prior written consent. For the avoidance of doubt, the foregoing obligation shall not preclude us from (i) notifying any third party whose information is also implicated in the same Data Security Incident and for whose Personal Data we are the Controller; or (ii) making any notifications required by Relevant Data Protection Laws;
- assist you in responding to any request from a Data Subject and in ensuring compliance with your obligations under the Relevant Data Protection Laws with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators; and
- take such steps as are reasonably required to mitigate the impact of the Data Security Incident on you and/or any Data Subjects and to prevent its reoccurrence.
- SUB-PROCESSORS
- Authorization to Use Subprocessors. You provide a general authorization for us to engage any person as a Subprocessor (including our affiliates) to Process Customer Personal Data as reasonably necessary for us to provide the Services and to otherwise comply with our obligations and exercise our rights under the Agreement. We will at all times remain liable for the acts and omissions of our Subprocessors.
- UpGuard and Subprocessor Compliance. We will not permit any Subprocessor to process Customer Personal Data except in the following circumstances:
- We have complied with the obligations set forth in this Section with respect to the Processing of Personal Data by the Subprocessor; and
- The Processing of Customer Personal Data by the Subprocessor is solely for the purpose of provisioning, enhancing, and/or improving the Services provided under the Agreement.
- Updates to Subprocessor List. We maintain an up-to-date list of Sub-Processors at https://www.upguard.com/company/subprocessors (the “Subprocessor List”) which contains a mechanism for you to subscribe for notifications of updates to the Subprocessor list. We will provide notice to subscribers at least thirty (30) days before allowing any new Subprocessor to Process Customer Personal Data.
- Right to Object to Subprocessors. You may object to the use of a Subprocessor solely to the extent that use of that Subprocessor objectively has caused, or is likely to cause, a Data Protection Risk (as defined below), provided that you provide us with written notice of your objection within 30 calendar days of the date on which our Subprocessor List is updated to reflect the use of the relevant subprocessor. To the extent you object to the use of a Subprocessor in accordance with this Section, then the Parties will (acting reasonably and in good faith) promptly discuss your objections.
- US LAWS
For the avoidance of doubt, this section will apply solely to the extent Customer Personal Data is subject to US State Data Protection Laws.
- Roles. The Parties agree that UpGuard is a Service Provider and you are a Business.
- Details of Processing. In connection with the performance of a Party’s obligations under the Agreement, with respect to the Processing of Customer Personal Data, each Party will comply with all obligations applicable to it under US State Data Protection Laws; and
- We will not:
- “sell” or “share” Customer Personal Data (as those terms are defined in the US State Data Protection Laws);
- retain, use, disclose, or otherwise Process Customer Personal Data for any purpose other than the business purposes of providing the Services set out in the Agreement, or as otherwise permitted by relevant US State Data Protection Laws;
- retain, use, disclose, or otherwise process Customer Personal Data in any manner outside of the direct business relationship between you and UpGuard; and/or
- combine Customer Personal Data with any Personal Data that we collect or receive from another source, except to perform any business purpose permitted by relevant US State Data Protection Laws.
- UpGuard Obligations. To the extent we determine that we can no longer meet our obligations under this Section, we will notify you in writing no later than the time period prescribed by the relevant US State Data Protection Laws.
- Unauthorized Use of Customer Personal Data. To the extent we are engaged in unauthorized use of Customer Personal Data, you may (upon reasonable written notice to us), take reasonable and appropriate steps to stop and remediate the unauthorized use of such Customer Personal Data.
- Transfers of Customer Personal Data. The Parties hereby acknowledge and agree that the transfer of Customer Personal Data from you does not constitute the sale or sharing of personal information to us. We receive such Customer Personal Data pursuant to the business purpose of providing the Service(s) in accordance with the Agreement.
- Compliance. Upon written request, we will make available to you reasonably requested information necessary to demonstrate compliance with the US State Data Protection Laws.
- Audits. We will, at our option, allow and cooperate with reasonable assessments by you or your designated representative, or we may arrange for a qualified and independent auditor to assess our policies and technical and organizational measures using an appropriate and accepted control standard or framework and assessment procedure for the assessments. We will provide a report of the assessment to you on written request.
- Certification. We certify that we understand and will comply with the contractual restrictions set out in this section.
- AUDIT
- You (or another auditor mandated by you, bound by appropriate confidentiality obligations) may audit or otherwise monitor our compliance with the terms of this DPA, by requiring us to:
- respond to your reasonable requests for information, including responses to information security and audit questionnaires;
- provide you appropriate information; records; and certifications and audit reports issued by reputable independent third parties (provided that there have been no material changes to the controls used by us since the certification or audit report was issued).
- You will be solely responsible for all fees associated with any such audit under this Section, including any fees charged by any auditor you may appoint and for any damage, injury, or disruption to our premises, equipment, personnel, and business caused by such auditor.
- You will provide us with any audit reports generated in connection with any audit under this Section, unless prohibited by law. Any information obtained during an audit may be used solely to the extent necessary to demonstrate compliance with Data Protection Laws and regulatory requests. You may perform one audit per year unless required to perform more by Data Protection Laws, upon specific request by a regulatory body, or in response to a Data Security Incident.
- TRANSFERS OF PERSONAL DATA
- You acknowledge and agree that we may access and Process Customer Personal Data on a global basis as necessary to provide the Services in accordance with the Agreement and that Customer Personal Data may be transferred to and Processed by us in the United States and other jurisdictions where we, our Affiliates and our Sub-Processors have operations.
- If Customer Personal Data originating in the European Economic Area, Switzerland, and/or the United Kingdom is transferred by you to us in a country that has not been found to provide an adequate level of protection under applicable Data Protection Laws, the Parties hereby enter into and execute the SCCs by deeming that the SCCs are attached to and incorporated into this DPA, and by subsequently executing this DPA and/or by using the Services. Where the SCCs require the parties to supplement the SCCs with additional information, all required information is set forth in Exhibit A to this DPA, the terms of which are incorporated herein by reference.
- If any SCCs the Parties rely on are superseded or otherwise invalidated, the Parties agree that such new or updated SCCs as may be prescribed by the relevant governmental authority shall apply without the need to amend this DPA.
- In the event of a conflict between this DPA and the applicable SCCs, the SCCs will prevail.
- RETURN AND DESTRUCTION OF PERSONAL DATA
- Upon termination of the Agreement (or as otherwise instructed by you in writing), we will cease Processing and return Customer Personal Data by way of making available for download in a commercially readable format and/or, within thirty (30) days of your written request, delete all Customer Personal Data in our possession or control and, in the event of a return, subsequently irretrievably delete all copies of such data, subject to Section 10.2 of this DPA.
- We may retain one copy of Customer Personal Data solely to the extent that it is required to do so by law or for insurance, accounting, taxation or record keeping purposes, provided that we continue to comply with the requirements of this DPA with regard to such Customer Personal Data.
- GENERAL
- The provisions in this DPA will apply as long as we process Customer Personal Data, in accordance with the Agreement.
- Any notice or other communication to be provided by one Party to the other Party under this DPA will be provided in accordance with the notice provision of the HSA.
- Should any provision or condition of this DPA be held or declared invalid, unlawful, or unenforceable by a competent authority or court, then the remainder of this DPA will remain valid.
- This DPA and the documents referred to in it, including the Agreement, constitute the entire understanding and agreement of the parties with respect to the Processing of the Customer Personal Data and shall supersede all prior agreements, discussions, negotiations, arrangements and understandings of the parties and/or their representatives in relation to such Processing. The terms of this DPA are governed by the terms of the Agreement. Notwithstanding the foregoing, in the event of any conflict or inconsistency between any documents, the following order of precedence shall apply: (i) the SCCs (where applicable); (ii) the relevant Order Form; (iii) this DPA; and (iv) the Agreement.
ANNEX 1 - DATA PROCESSING ACTIVITIES – CUSTOMER PERSONAL DATA
Depending on the nature of the Services used by the Customer, Customer Personal Data may include:
- Contact information (such as addresses, email address, and phone number);
- Log data and device information (such as IP address, information about your Internet service provider, computer and device information including device, application, or browser type and version, browser plug-in type and version, operating system, or time zone setting, authentication and security credential information, access dates and times, occurrences of technical errors, diagnostic reports, your settings preferences, backup information, API calls, and other logs);
- Visited URLs;
- Employment information (such as job title, position, office location and/or remote working location, employment status); and
- User ID.
EXHIBIT A – STANDARD CONTRACTUAL CLAUSES
List of Parties
Data Exporter: Customer (as defined in the Agreement).
Address: As set forth in the Notices Section of the Agreement.
Contact Person’s Name, Position and Contact Details: Customer’s designated point of contact as set forth in the Agreement.
Activities Relevant to the Data Transferred Under These Clauses: UpGuard’s Services provided to Customer in accordance with the terms of the Agreement.
Role: Controller
Data Importer: UpGuard, Inc. (as defined in the Agreement) and/or any of its Affiliates that may receive data from Customer.
Address: As set forth in the Notices Section of the Agreement.
Contact Person’s Name, Position and Contact Details: UpGuard’s designated point of contact as set forth in the Agreement.
Activities Relevant to the Data Transferred Under These Clauses: UpGuard’s Services provided to Customer in accordance with the terms of the Agreement.
Role: Processor
Applicability
For exports from the European Economic Area:
- For International Transfers where Customer (as a Data Controller) transfers Customer Personal Data to UpGuard (as a Data Processor), Module 2 of the EU SCC that corresponds to the parties’ roles as Controller or Processor in the context of the International Transfer.
For exports from the United Kingdom (“UK”):
- The modules of the EU SCC that correspond to the parties’ roles as Processor or Controller in the context of the International Transfer, as such EU SCC are amended by the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, Version B.10 (21 March, 2022), issued under S1198A(1) of Data Protection Act 2018 (“UK Addendum”), each of which shall be completed as set forth in the UK SCC section below.
For exports from Switzerland:
- The modules of the EU SCC that correspond to the parties’ roles as Controller or Processor in the context of the International Transfer, each of which shall be completed as set forth in the EU SCC section below, as amended as set forth in the Swiss SCC section below. For the avoidance of doubt, nothing in these amendments is intended to decrease the level of protection to be provided by the EU SCC.
EU SCC
- The parties select Option 2 (General Written Authorisation) in Clause 9 (Use of Sub-Processors), in relevant modules. UpGuard maintains an up-to-date list of Sub-Processors here https://www.upguard.com/company/subprocessors. The time period within and process by which an importer must inform the exporter of intended changes to Sub-Processors is that set forth in the Data Processing Agreement between the parties (hereinafter, the “DPA”).
- The optional clause in Clause 7 (Docking) of the EU SCC does not apply.
- The optional clause in Clause 11(a) (Redress) of the EU SCC does not apply.
- The parties select Option 1 in Clause 17 (Governing Law) of the EU SCC, in relevant modules, and agree to the law and courts of Ireland (for EEA transfers), Switzerland (for Swiss transfers), or England and Wales (for UK transfers) for purposes of Clause 17 and Clause 18 (Choice of Forum and Jurisdiction).
- For purposes of Annex I of the EU SCC:
- The description of Processing in the DPA applies to International Transfers, unless otherwise specified.
- Personal Data may be transferred on a continuous basis.
- The Irish DPA is the competent Supervisory Authority.
- For purposes of Annex II of the EU SCC, the technical and organizational measures are set forth at https://security.upguard.com.
UK SCC
For International Transfers under the EU SCC, as modified by the UK Addendum:
- Table 1 shall be completed as set forth in the DPA and the Agreements.
- Table 2: The selection shall be “the Approved EU SCC, including the Appendix Information and with only the following modules, clauses or optional provisions of the Approved EU SCC brought into effect for the purposes of this Addendum” and the table shall be completed as follows:
- The operative modules shall be deemed completed in a manner corresponding with the parties’ roles as set forth in the DPA.
- Clause 7 (Docking Clause) does not apply.
- Clause 11 (Option) does not apply.
- Clause 9a (Prior Authorisation or General Authorisation) shall be “General Authorisation,” and the time period and process by which this is done is, “as set forth in the DPA.”
- The question, “is personal data received from the Importer combined with personal data collected by the Exporter” shall be “no,” unless otherwise specified in the DPA.
- Table 3 shall be completed as follows:
- Annex I.A: “The parties as set forth in the Agreement”
- Annex I.B: “The Description of Processing set forth in the DPA”
- Annex II: “The technical and organizational measures are set forth at https://security.upguard.com”
- Annex III: “The relevant list(s) of Sub-processors are as set forth at https://www.upguard.com/company/subprocessors”
- Table 4: The selection shall be “Importer.”
Swiss SCC
- References to GDPR shall be interpreted to also include references to the Swiss Federal Act on Data Protection (“FADP”);
- Clause 13 and Annex I.C. of the EU SCC shall include the Federal Data Protection and Information Commissioner as an additional competent Supervisory Authority;
- In the event that the International Transfer is exclusively subject to the FADP, Clause 17 of the EU SCC shall include Swiss law as the governing law; and
- In Clause 18 of the EU SCC, references to “member state” shall also include references to Switzerland in order to ensure that Swiss Data Subjects may exercise their rights under FADP.