Last updated: May 1, 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service or other written or electronic agreement between Upmetrics, Inc. ("Upmetrics", "we", "us") and the customer agreeing to those terms ("Customer", "you") (together, the "Agreement") for the use of Upmetrics' services (the "Services").
This DPA applies to the extent that Upmetrics processes Personal Data on behalf of Customer in the course of providing the Services. By using the Services, Customer agrees to this DPA. If Customer requires a counter-signed copy, contact [email protected].
1. Definitions
Capitalized terms used but not defined in this DPA have the meanings given in the Agreement. The following definitions apply:
- "Applicable Data Protection Laws" means all data protection and privacy laws applicable to the processing of Personal Data under the Agreement, including without limitation the EU General Data Protection Regulation (Regulation (EU) 2016/679) ("GDPR"), the UK GDPR and the UK Data Protection Act 2018 ("UK GDPR"), the Swiss Federal Act on Data Protection, the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA"), and other U.S. state privacy laws including the Virginia CDPA, Colorado CPA, Connecticut CTDPA, and Utah UCPA.
- "Customer Data" means any data, including Personal Data, that Customer or its end users submit to or generate through the Services.
- "Controller", "Processor", "Data Subject", "Personal Data", "Personal Data Breach", and "Processing" have the meanings given in the GDPR. "Sell", "Share", and "Service Provider" have the meanings given in the CCPA.
- "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission Implementing Decision (EU) 2021/914, as amended or replaced.
- "Sub-processor" means any third party engaged by Upmetrics to process Personal Data on its behalf in connection with the Services.
- "UK Addendum" means the International Data Transfer Addendum to the EU Commission SCCs issued by the UK Information Commissioner's Office.
2. Roles and Scope
The parties acknowledge that, with respect to the processing of Personal Data under the Agreement:
- Customer is the Controller (or, where Customer is itself processing on behalf of a third party, the Processor on behalf of that third party).
- Upmetrics is the Processor (or, where applicable, the Sub-processor) acting on Customer's documented instructions.
- For purposes of the CCPA, Upmetrics acts as a Service Provider with respect to Customer Data.
This DPA applies only to Personal Data that Upmetrics processes on Customer's behalf in connection with the Services. It does not apply to Personal Data that Upmetrics processes as a Controller, such as account administrator contact details, billing information, or marketing data, which is governed by the Upmetrics Privacy Policy.
3. Processing of Personal Data
3.1 Customer Instructions
Upmetrics will process Personal Data only on documented instructions from Customer, including with regard to transfers to a third country, unless required to do so by law to which Upmetrics is subject. Customer's instructions are set out in (a) the Agreement, (b) this DPA, and (c) Customer's use of the Services through the standard product configuration. Upmetrics will inform Customer if, in its opinion, an instruction infringes Applicable Data Protection Laws.
3.2 Subject Matter, Duration, Nature, and Purpose
The subject matter, duration, nature, purpose, types of Personal Data, and categories of Data Subjects are described in Annex 1.
3.3 Compliance with Laws
Each party will comply with its respective obligations under Applicable Data Protection Laws.
3.4 No Sale or Sharing
Upmetrics will not (a) sell or share (as those terms are defined under the CCPA) Personal Data processed on Customer's behalf, (b) retain, use, or disclose such Personal Data for any purpose other than the specific purpose of providing the Services or as otherwise permitted by the CCPA, (c) retain, use, or disclose such Personal Data outside the direct business relationship between Customer and Upmetrics, or (d) combine such Personal Data with personal information received from other sources, except as permitted by the CCPA.
4. Confidentiality
Upmetrics will ensure that any personnel authorized to process Personal Data are bound by appropriate confidentiality obligations, whether by contract or statutory duty, and have received appropriate training on their responsibilities.
5. Security
Upmetrics will implement and maintain appropriate technical and organizational measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. A description of the current measures is set out in Annex 3. Upmetrics may update these measures from time to time, provided that the level of protection is not materially decreased.
6. Sub-processors
6.1 General Authorization
Customer provides general authorization for Upmetrics to engage the Sub-processors listed in Annex 2 and any other Sub-processors notified to Customer under Section 6.2.
6.2 Notification of Changes
Upmetrics will notify Customer by email (sent to the email address associated with Customer's account or any address Customer has designated for legal notices) at least 30 days before authorizing any new Sub-processor to process Personal Data. Customer may object to the change in writing within 30 days of the notice on reasonable data protection grounds. If Customer objects and the parties cannot agree on a resolution, either party may terminate the affected Services for convenience and Customer will receive a pro rata refund of prepaid fees for the unused portion of the term.
6.3 Sub-processor Obligations
Upmetrics will impose data protection obligations on each Sub-processor that are no less protective than those in this DPA. Upmetrics remains liable to Customer for the acts and omissions of its Sub-processors to the same extent as if performed by Upmetrics directly.
7. Assistance with Data Subject Requests
Taking into account the nature of the processing, Upmetrics will provide Customer with reasonable assistance, including by appropriate technical and organizational measures and insofar as possible, in fulfilling Customer's obligations to respond to requests from Data Subjects exercising their rights under Applicable Data Protection Laws (including rights of access, rectification, erasure, restriction, portability, objection, and the right not to be subject to automated decision-making).
If Upmetrics receives a request from a Data Subject directly relating to Personal Data processed on Customer's behalf, Upmetrics will, where legally permitted, promptly forward the request to Customer and not respond to it directly.
8. Personal Data Breach Notification
Upmetrics will notify Customer without undue delay, and in any event within 72 hours, after becoming aware of a confirmed Personal Data Breach affecting Customer's Personal Data. The notification will include, to the extent known at the time:
- A description of the nature of the Personal Data Breach, including the categories and approximate number of Data Subjects and records concerned;
- The likely consequences of the Personal Data Breach;
- The measures taken or proposed to address the Personal Data Breach, including measures to mitigate its possible adverse effects; and
- Contact details of the Upmetrics representative who can provide further information.
Where it is not possible to provide all information at the same time, Upmetrics may provide it in phases without undue further delay. Upmetrics will reasonably cooperate with Customer in investigating and responding to the Personal Data Breach.
9. Data Protection Impact Assessments and Prior Consultation
Upmetrics will provide reasonable assistance to Customer with any data protection impact assessments and prior consultations with supervisory authorities that Customer is required to carry out under Applicable Data Protection Laws, taking into account the nature of the processing and the information available to Upmetrics.
10. Audit Rights
Upmetrics will make available to Customer all information reasonably necessary to demonstrate compliance with this DPA. Upon written request from Customer (no more than once per twelve-month period, except as required by Applicable Data Protection Laws or following a Personal Data Breach), Upmetrics will:
- Provide a written description of its security and data handling practices, including the results of its most recent internal security audit, within 30 days of the request; and
- Respond to a reasonable security questionnaire submitted by Customer within 30 days.
If Customer requires further assurance that cannot reasonably be addressed through the materials described above, Customer may, at its own expense, appoint an independent third-party auditor (subject to confidentiality obligations reasonably acceptable to Upmetrics) to conduct an audit. Such audits will be conducted during normal business hours, with at least 30 days' prior written notice, in a manner that does not interfere with Upmetrics' operations, and no more than once per twelve-month period.
11. Return or Deletion of Personal Data
Upon expiration or termination of the Agreement, Upmetrics will, at Customer's election, return or delete all Personal Data processed on Customer's behalf within 90 days, unless retention is required by applicable law. Customer may also delete its account and associated Personal Data at any time using the in-product account deletion option, subject to the same 90-day deletion timeline.
Personal Data residing in routine, encrypted backups will be overwritten in the normal course of the backup rotation cycle, typically within 90 days. Backed-up Personal Data is not used or restored for any purpose other than disaster recovery during this period.
12. International Data Transfers
12.1 Transfer Mechanism
Where Upmetrics processes Personal Data originating from the European Economic Area, the United Kingdom, or Switzerland in a country that has not received an adequacy decision, the parties agree that the transfer is governed by the Standard Contractual Clauses, which are hereby incorporated into this DPA by reference, as follows:
- Module Two (Controller to Processor) applies where Customer is a Controller and Upmetrics is a Processor;
- Module Three (Processor to Processor) applies where Customer is a Processor and Upmetrics is a Sub-processor.
12.2 SCC Specifications
- Clause 7 (Docking clause): applies.
- Clause 9 (Sub-processors): Option 2 (general written authorization) applies, with the 30-day notice period in Section 6.2 of this DPA.
- Clause 11 (Redress): the optional independent dispute resolution language does not apply.
- Clause 17 (Governing law): the SCCs are governed by the law of Ireland.
- Clause 18 (Forum and jurisdiction): disputes arising from the SCCs will be resolved by the courts of Ireland.
- Annexes I, II, and III of the SCCs are populated by Annexes 1, 2, and 3 of this DPA.
12.3 UK Transfers
Transfers from the United Kingdom are governed by the UK Addendum, which is incorporated by reference. The information required by Table 1 of the UK Addendum is set out in Annex 1; Tables 2 and 3 are populated by the SCC selections in Section 12.2 and Annexes 2 and 3; for Table 4, neither party may end the UK Addendum as set out in Section 19 of the UK Addendum.
12.4 Swiss Transfers
For transfers subject to Swiss data protection law, the SCCs apply with the following modifications: references to GDPR are deemed to include the Swiss Federal Act on Data Protection; the competent supervisory authority is the Swiss Federal Data Protection and Information Commissioner; and Data Subjects in Switzerland may enforce their rights in Switzerland.
13. CCPA Service Provider Terms
To the extent Upmetrics processes Personal Data subject to the CCPA, Upmetrics is acting as a Service Provider and:
- Will process Personal Data only for the limited and specified purposes set out in this DPA and the Agreement;
- Will comply with applicable obligations under the CCPA and provide the same level of privacy protection as required of Customer;
- Will notify Customer if Upmetrics determines that it can no longer meet its obligations under the CCPA;
- Grants Customer the right, upon notice, to take reasonable and appropriate steps to stop and remediate unauthorized use of Personal Data; and
- Will not sell or share Personal Data, will not retain, use, or disclose Personal Data outside the direct business relationship between Customer and Upmetrics, and will not combine Personal Data with information from other sources except as permitted by the CCPA.
14. Liability
Each party's total aggregate liability arising out of or related to this DPA, whether in contract, tort, or under any other theory of liability, is limited to the total fees paid by Customer to Upmetrics under the Agreement in the twelve (12) months immediately preceding the event giving rise to the claim.
The foregoing limitation does not apply to: (a) either party's indemnification obligations under the Agreement; or (b) liability arising from gross negligence, willful misconduct, or fraud.
To the extent permitted by Applicable Data Protection Laws, the liability limitations in the Agreement (including any liability cap) apply to all claims under this DPA.
15. Term and Termination
This DPA is effective as of the start date of the Agreement and continues until the Agreement terminates or expires, except that Sections 1, 11, 14, and 16 survive termination.
16. Governing Law and Jurisdiction
This DPA is governed by the laws of the State of Delaware, USA, without regard to its conflict of laws provisions. The exclusive jurisdiction for disputes arising out of or related to this DPA is the state and federal courts located in Delaware, USA. The foregoing does not apply to disputes arising under the Standard Contractual Clauses, which are governed by the law and jurisdiction specified in Section 12.
17. Order of Precedence
If there is a conflict between this DPA and the Agreement, this DPA prevails with respect to the parties' data protection obligations. If there is a conflict between this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses prevail.
18. Updates to this DPA
Upmetrics may update this DPA from time to time to reflect changes in Applicable Data Protection Laws, our Sub-processors, or our processing activities. We will post the updated DPA on this page and update the "Last updated" date. For material changes, we will provide at least 30 days' notice (for Sub-processor changes, see Section 6.2). Customer's continued use of the Services after the effective date of an update constitutes acceptance of the updated DPA.
19. Contact
For questions or notices relating to this DPA, contact:
Upmetrics, Inc.
Attn: Privacy Team
1301 N Broadway STE 32302
Los Angeles, CA 90012
Email: [email protected]
Annex 1 – Description of the Processing
A. List of Parties
Data exporter: Customer, as identified in the Agreement, acting as Controller (or Processor on behalf of a third-party Controller).
Data importer: Upmetrics, Inc., 1301 N Broadway STE 32302, Los Angeles, CA 90012, USA. Contact: [email protected]. Acting as Processor (or Sub-processor).
B. Description of Transfer
Categories of Data Subjects: Customer's authorized users (employees, contractors, advisors), and any individuals whose Personal Data Customer chooses to include in business plans, financial models, pitch decks, or other content created within the Services (which may include investors, co-founders, team members, customers, suppliers, or other contacts).
Categories of Personal Data:
- Identifiers: name, email address, account credentials;
- Profile information: job title, company affiliation, profile picture;
- Usage data: IP address, browser type, device information, pages visited, actions performed within the Services;
- User-generated content: any Personal Data that Customer voluntarily includes in business plans, forecasts, narratives, attachments, or other content created within the Services;
- Communications: support tickets, in-product messages.
Special categories of Personal Data: Upmetrics does not request or require special categories of Personal Data (such as health, biometric, racial, political, or religious data). Customer is responsible for ensuring it does not upload such data into free-text fields except as strictly necessary for its business purposes.
Frequency of transfer: Continuous, for the duration of the Agreement.
Nature of processing: Hosting, storage, retrieval, display, transmission, backup, deletion, and incidental processing necessary to operate, support, and improve the Services, and to comply with legal obligations.
Purpose of processing: To provide the Upmetrics business planning Services to Customer in accordance with the Agreement.
Duration of processing: For the term of the Agreement, plus any post-termination period required to fulfill deletion, return, or legal obligations as set out in Section 11.
Sub-processor information: See Annex 2.
C. Competent Supervisory Authority
For SCC purposes, the competent supervisory authority is the supervisory authority of the EU Member State of Customer's establishment, or if Customer is not established in the EU, the supervisory authority of the Member State of the EU representative or of the Data Subjects whose Personal Data is being transferred.
Annex 2 – List of Sub-processors
Upmetrics engages the following Sub-processors to provide the Services. The list below is current as of the "Last updated" date at the top of this DPA. We will notify Customer of any changes in accordance with Section 6.2.
Infrastructure and Hosting
- Amazon Web Services (AWS), Inc. – cloud hosting infrastructure (United States)
- Amazon Web Services (AWS) RDS – managed relational database (United States)
Payment Processing
- Stripe, Inc. – payment processing (United States)
- Chargebee, Inc. – subscription billing and management (United States / India)
Email and Communications
- Zoho Corporation (ZeptoMail) – transactional email delivery (United States / India)
- Customer.io – customer engagement and marketing email (United States)
Customer Support
- Help Scout, Inc. – customer support and ticketing (United States)
Analytics and Product Insights
- Google LLC (Google Analytics) – website analytics (United States)
- Microsoft Corporation (Microsoft Clarity) – session and behavior analytics (United States)
- Google LLC (Google Tag Manager) – tag management container (United States)
Advertising and Marketing Pixels
- Meta Platforms, Inc. (Facebook Pixel) – advertising measurement and retargeting (United States)
- Google LLC (Google Ads) – advertising measurement and retargeting (United States)
- Reddit, Inc. (Reddit Pixel) – advertising measurement and retargeting (United States)
AI and Machine Learning
- OpenAI, L.L.C. – large language model APIs powering AI features (United States)
- Anthropic, PBC – large language model APIs powering AI features (United States)
Forms and Authentication
- Google LLC (reCAPTCHA) – bot protection on forms (United States)
- Google LLC (Google Identity Services) – Sign in with Google authentication (United States)
- WS Form LLC – form processing on website (United States)
- Xero Limited – Sign in with Xero authentication for users who choose this option (New Zealand / Australia / United States)
Other
- Google LLC (Google Custom Search Engine) – site search functionality (United States)
- Automattic, Inc. (Gravatar) – avatar image hosting (United States)
Each Sub-processor processes Personal Data solely to provide the service identified above. Where a Sub-processor is located outside the EEA, UK, or Switzerland, Upmetrics relies on the Standard Contractual Clauses, the UK Addendum, or other appropriate safeguards to govern the transfer.
Annex 3 – Technical and Organizational Security Measures
Upmetrics implements and maintains the following technical and organizational measures to protect Personal Data. These measures are reviewed and updated periodically.
Encryption
- Personal Data in transit is protected using industry-standard TLS encryption.
- Personal Data at rest is encrypted using AES-256 or equivalent.
- Database backups are encrypted at rest.
Access Control
- Access to production systems and Personal Data is restricted to authorized personnel on a need-to-know basis.
- Multi-factor authentication is required for administrative access to production systems.
- Access rights are reviewed regularly and revoked promptly upon role change or departure.
- Strong password policies are enforced for all employee accounts.
Network and Infrastructure Security
- Production infrastructure is hosted on Amazon Web Services in secure data centers with industry-standard physical security controls.
- Firewalls, security groups, and private networks segregate production workloads from public access.
- Security patches and updates are applied promptly to operating systems and supported software.
Application Security
- Code changes are reviewed before deployment to production.
- Dependency vulnerabilities are monitored using automated scanning.
- Authentication and session management follow recognized security best practices.
Monitoring and Logging
- Production systems generate audit logs of access and significant administrative actions.
- Logs are retained for a period sufficient to support security investigations.
- Anomalies and security events are monitored and triaged.
Incident Response
- Upmetrics maintains an incident response plan to detect, respond to, and remediate security incidents.
- Customer notification of confirmed Personal Data Breaches is provided within 72 hours as set out in Section 8.
Backup and Disaster Recovery
- Production data is backed up regularly using encrypted, geographically distributed storage.
- Backup restoration is tested periodically.
Personnel
- All employees and contractors are bound by written confidentiality obligations.
- Personnel receive periodic security and privacy training appropriate to their role.
- Background checks are conducted for personnel with production access, where permitted by law.
Vendor Management
- Sub-processors are evaluated for security and privacy practices before engagement.
- Data processing agreements are in place with all Sub-processors that process Personal Data.
Audits and Reviews
- Upmetrics conducts internal security reviews on a regular basis.
- Internal audit reports may be provided to Customer on request as set out in Section 10.