Data Processing Agreement

1. Definitions

2. Scope and Roles

2.1 Scope

This DPA applies to the Processing of Personal Data by Upstat on behalf of Customer in connection with the provision of the Services as described in the Agreement.

2.2 Roles of the Parties

The parties acknowledge and agree that with respect to the Processing of Personal Data under this DPA: (a) Customer is the Controller; (b) Upstat is the Processor acting on behalf of Customer; and (c) Upstat will process Personal Data only in accordance with Customer's documented instructions as set forth in this DPA and the Agreement.

2.3 Customer Responsibilities

Customer is responsible for:

• Ensuring that it has all necessary rights and lawful bases to collect and transfer Personal Data to Upstat for Processing;
• Ensuring that Data Subjects have been informed of, and have given any necessary consent to, such Processing;
• Ensuring that Customer's instructions to Upstat comply with Applicable Data Protection Laws;
• Complying with all Applicable Data Protection Laws in its use of the Services and its Processing of Personal Data.

3. Processing of Personal Data

3.1 Instructions

Upstat shall process Personal Data only on documented instructions from Customer, including with regard to transfers of Personal Data to a third country or an international organization, unless required to do so by applicable law to which Upstat is subject. In such a case, Upstat shall inform Customer of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest. The Agreement (including this DPA) constitutes Customer's complete instructions to Upstat for the Processing of Personal Data.

3.2 Details of Processing

The details of Upstat's Processing of Personal Data are as follows:

• Subject Matter: Provision of the Upstat incident management platform and related Services as described in the Agreement.
• Duration: The term of the Agreement plus any period during which Upstat retains Personal Data in accordance with Section 8.
• Nature and Purpose: Processing necessary to provide the Services, including storing, retrieving, and transmitting Customer Data; sending notifications and alerts; and providing customer support.
• Categories of Data Subjects: Customer's employees, contractors, end users, and other individuals whose Personal Data is submitted to the Services by Customer.
• Types of Personal Data: Names, email addresses, IP addresses, user identifiers, and any other Personal Data submitted by Customer through the Services.

3.3 Compliance with Laws

Each party shall comply with its obligations under Applicable Data Protection Laws. Upstat shall inform Customer if, in its opinion, an instruction from Customer infringes Applicable Data Protection Laws.

4. Confidentiality and Personnel

4.1 Confidentiality

Upstat shall ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

4.2 Personnel

Upstat shall take reasonable steps to ensure the reliability of any personnel who have access to Personal Data and shall ensure that such personnel process Personal Data only as instructed by Customer and as necessary to provide the Services.

5. Security

5.1 Security Measures

Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Upstat shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including as appropriate:

• Encryption of Personal Data in transit and at rest;
• Measures to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services;
• Measures to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident;
• A process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the Processing;
• Access controls to limit access to Personal Data to authorized personnel;
• Secure user authentication mechanisms.

5.2 Security Incidents

Customer acknowledges that Upstat's security measures are subject to technical progress and development and that Upstat may update or modify such measures from time to time, provided that such updates and modifications do not result in a material decrease in the overall security of the Services.

6. Sub-processors

6.1 Authorized Sub-processors

Customer authorizes Upstat to engage the Sub-processors listed below to process Personal Data in connection with the provision of the Services:

6.2 Sub-processor Obligations

When engaging a Sub-processor, Upstat shall: (a) enter into a written agreement with the Sub-processor that imposes data protection obligations on the Sub-processor that are no less protective than those imposed on Upstat under this DPA; and (b) remain responsible for the Sub-processor's compliance with the obligations of this DPA and for any acts or omissions of the Sub-processor that cause Upstat to breach any of its obligations under this DPA.

6.3 Changes to Sub-processors

Upstat shall notify Customer of any intended changes to the addition or replacement of Sub-processors by updating this DPA or by other reasonable means. If Customer has a legitimate objection to the engagement of a new Sub-processor based on data protection concerns, Customer shall notify Upstat in writing within fourteen (14) days of receiving notice. In the event of such objection, Upstat and Customer shall work together in good faith to find a mutually acceptable resolution. If no resolution can be reached, Customer may terminate the affected Services by providing written notice to Upstat.

7. Data Subject Rights

7.1 Assistance with Requests

Taking into account the nature of the Processing, Upstat shall assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of Customer's obligation to respond to requests from Data Subjects to exercise their rights under Applicable Data Protection Laws, including rights of access, rectification, erasure, data portability, restriction of processing, and objection to processing.

7.2 Direct Requests

If Upstat receives a request from a Data Subject in relation to Personal Data, Upstat shall promptly notify Customer and shall not respond to such request except on Customer's documented instructions or as required by applicable law.

8. Data Retention and Deletion

8.1 Retention

Upstat shall retain Personal Data only for as long as necessary to provide the Services and fulfill the purposes for which it was collected, unless a longer retention period is required or permitted by applicable law.

8.2 Deletion

Upon termination or expiration of the Agreement, Upstat shall, at Customer's election, delete or return all Personal Data to Customer within twenty-four (24) hours of account termination and delete existing copies unless applicable law requires storage of the Personal Data. Customer may export Personal Data prior to termination using the functionality provided within the Services or via the API.

9. Personal Data Breach

9.1 Notification

Upstat shall notify Customer without undue delay, and in any event within forty-eight (48) hours, after becoming aware of a Personal Data Breach affecting Personal Data processed on behalf of Customer.

9.2 Breach Information

Such notification shall include, to the extent known:

• A description of the nature of the Personal Data Breach, including where possible the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned;
• The name and contact details of the point of contact where more information can be obtained;
• A description of the likely consequences of the Personal Data Breach;
• A description of the measures taken or proposed to be taken to address the Personal Data Breach, including measures to mitigate its possible adverse effects.

9.3 Cooperation

Upstat shall cooperate with Customer and take such reasonable steps as are directed by Customer to assist in the investigation, mitigation, and remediation of any Personal Data Breach.

10. Audits and Assessments

10.1 Audit Rights

Upstat shall make available to Customer all information reasonably necessary to demonstrate compliance with this DPA and shall allow for and contribute to audits, including inspections, conducted by Customer or a third-party auditor mandated by Customer, subject to the following conditions:

• Customer shall provide at least thirty (30) days' prior written notice of any audit;
• Audits shall be conducted during normal business hours and shall not unreasonably interfere with Upstat's business operations;
• Any third-party auditor shall be bound by confidentiality obligations;
• Customer shall bear the costs of any audit.

10.2 Compliance Assistance

Taking into account the nature of the Processing and the information available to Upstat, Upstat shall assist Customer in ensuring compliance with Customer's obligations under Applicable Data Protection Laws, including with respect to data protection impact assessments and prior consultations with supervisory authorities.

11. International Data Transfers

11.1 Data Location

Personal Data is stored and processed in the United States (Google Cloud US-Central data center). Customer acknowledges and consents to the transfer and processing of Personal Data in the United States.

11.2 Transfer Mechanisms

For transfers of Personal Data from the European Economic Area, United Kingdom, or Switzerland to the United States, the parties agree that such transfers shall be subject to the Standard Contractual Clauses (Module Two: Controller to Processor) as adopted by the European Commission. By entering into this DPA, the parties are deemed to have signed the Standard Contractual Clauses, which are incorporated into this DPA by reference.

11.3 Supplementary Measures

Upstat implements the security measures described in Section 5 as supplementary measures to protect Personal Data transferred internationally.

12. California Consumer Privacy Act

To the extent the California Consumer Privacy Act ("CCPA") applies to the Processing of Personal Data under this DPA:

• Upstat is a "service provider" as defined in the CCPA;
• Upstat shall not sell or share Personal Data;
• Upstat shall not retain, use, or disclose Personal Data for any purpose other than for the specific purpose of providing the Services or as otherwise permitted by the CCPA;
• Upstat shall not retain, use, or disclose Personal Data outside of the direct business relationship with Customer;
• Upstat certifies that it understands the restrictions set forth in this Section and will comply with them.

13. General Provisions

13.1 Conflict

In the event of any conflict between this DPA and the Agreement, this DPA shall prevail with respect to the Processing of Personal Data.

13.2 Liability

Each party's liability arising out of or related to this DPA shall be subject to the limitations of liability set forth in the Agreement.

13.3 Governing Law

This DPA shall be governed by and construed in accordance with the governing law provisions set forth in the Agreement, except to the extent that Applicable Data Protection Laws require that certain provisions of this DPA be governed by the laws of a different jurisdiction.

13.4 Term

This DPA shall remain in effect for as long as Upstat processes Personal Data on behalf of Customer.

13.5 Modifications

Upstat may update this DPA from time to time to reflect changes in Applicable Data Protection Laws or our data processing practices. Upstat will provide notice of material changes in accordance with the notice provisions in the Agreement.

14. Contact Information

For questions or concerns regarding this DPA or data processing practices, please contact us at: