Data Processing Agreement

This Data Processing Agreement (“DPA”) forms part of and is incorporated into the upcell Terms of Service and any applicable Order Form (collectively, the “Agreement”) between upcell, LLC (“upcell”) and the Client identified in the applicable Order Form (“Client” or “Controller”).

This DPA governs the processing of personal data by upcell on behalf of Client in connection with the Service, and applies where Client processes personal data of individuals located in the European Economic Area, the United Kingdom, California, or other jurisdictions whose laws impose obligations on data processors. This DPA supplements and does not replace the Agreement. In the event of a conflict between this DPA and the Agreement with respect to data processing, this DPA controls.

By executing an Order Form that incorporates this DPA, or by accepting the upcell Terms of Service where this DPA is incorporated by reference, Client agrees to the terms of this DPA.

  1. Definitions

Capitalized terms used but not defined in this DPA have the meanings given in the Agreement or in applicable Data Protection Laws. The following definitions apply:

Applicable Data Protection Laws means all laws and regulations applicable to the processing of personal data under this DPA, including (as applicable) the GDPR, UK GDPR, CCPA/CPRA, and any other applicable national, state, or local privacy laws.

Controller means the party that determines the purposes and means of processing personal data. For the purposes of this DPA, Client is the Controller.

Customer Personal Data means personal data submitted to or processed through the Service by or on behalf of Client in connection with Client’s use of the Service.

GDPR means Regulation (EU) 2016/679 of the European Parliament and of the Council.

UK GDPR means the GDPR as it forms part of UK domestic law by virtue of the European Union (Withdrawal) Act 2018.

CCPA means the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2022 (CPRA).

Processor means the party that processes personal data on behalf of the Controller. For the purposes of this DPA, upcell is the Processor.

Processing has the meaning given under Applicable Data Protection Laws and includes any operation performed on personal data, including collection, storage, use, disclosure, deletion, and transfer.

Security Incident means a confirmed breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data in upcell’s possession or control.

Standard Contractual Clauses or SCCs means the standard contractual clauses for the transfer of personal data to third countries approved by the European Commission under Decision 2021/914, as may be updated from time to time.

Sub-Processor means any third party engaged by upcell to process Customer Personal Data on upcell’s behalf in connection with the Service.

  2. Roles and Scope of Processing

2.1 Processor Role. With respect to Customer Personal Data, upcell acts as Processor and Client acts as Controller. upcell will process Customer Personal Data only on behalf of and in accordance with Client’s documented instructions, as set out in this DPA, the Agreement, and any Order Form.

2.2 Controller Responsibilities. Client is responsible for (a) ensuring it has a lawful basis for processing Customer Personal Data and for instructing upcell to process it; (b) ensuring that data subjects have been provided with appropriate notice of processing where required; (c) the accuracy, quality, and legality of Customer Personal Data; and (d) ensuring that Client’s use of the Service complies with Applicable Data Protection Laws.

2.3 Scope of Processing. upcell processes Customer Personal Data solely to provide the Service as described in the Agreement and as further specified in Exhibit A (Processing Details) to this DPA. upcell will not process Customer Personal Data for any other purpose, including upcell’s own commercial purposes, without Client’s prior written consent.

2.4 Instructions. Client’s instructions to upcell are set out in the Agreement and this DPA. If upcell receives an instruction that it believes violates Applicable Data Protection Laws, upcell will promptly notify Client. upcell may suspend processing of the affected data until Client provides a lawful instruction.

  3. Confidentiality of Customer Personal Data

3.1 Confidentiality Obligation. upcell will treat Customer Personal Data as confidential. upcell will ensure that personnel authorized to process Customer Personal Data are subject to binding confidentiality obligations and are trained on data protection requirements applicable to their role.

3.2 Limitation on Access. upcell will limit access to Customer Personal Data to personnel who need access to provide the Service, and will ensure such access is revoked when no longer required.

  4. Security Measures

4.1 Technical and Organizational Measures. upcell will implement and maintain appropriate technical and organizational security measures (“TOMs”) to protect Customer Personal Data against unauthorized access, accidental loss, destruction, alteration, or disclosure, taking into account the nature, scope, context, and purposes of processing, and the risks to the rights and freedoms of natural persons. Such measures include as a minimum:

  • Encryption of Customer Personal Data in transit using TLS and at rest

  • Access controls and authentication requirements for personnel accessing Customer Personal Data

  • Regular security testing and vulnerability assessments

  • Hosting on Google Cloud Platform infrastructure with industry-standard security certifications

  • Application monitoring and logging via Datadog

  • Incident response procedures including defined escalation paths

4.2 Updates to Security Measures. upcell may update or modify its security measures from time to time, provided that such updates do not materially reduce the overall level of protection afforded to Customer Personal Data.

4.3 Client Responsibilities. Client is responsible for implementing appropriate security measures within its own systems and for the security of Customer Personal Data after it has been delivered to Client’s CRM or other systems.

  5. Security Incident Notification

5.1 Notification. In the event that upcell becomes aware of a confirmed Security Incident affecting Customer Personal Data, upcell will notify Client without undue delay and, where required by Applicable Data Protection Laws, within seventy-two (72) hours of becoming aware of the Security Incident.

5.2 Notification Content. upcell’s notification will, to the extent known at the time of notification, include: (a) a description of the nature of the Security Incident; (b) the categories and approximate number of data subjects affected; (c) the categories and approximate volume of Customer Personal Data affected; (d) the likely consequences of the Security Incident; and (e) the measures taken or proposed to address the Security Incident. Where not all information is available at the time of initial notification, upcell will provide additional information as it becomes available.

5.3 Cooperation. upcell will reasonably cooperate with Client’s investigation of a Security Incident and with any notification obligations Client may have to data subjects or supervisory authorities. Client is solely responsible for determining whether a Security Incident requires notification to data subjects or supervisory authorities under Applicable Data Protection Laws and for making any such notifications.

5.4 No Acknowledgment of Fault. upcell’s notification of or response to a Security Incident will not constitute an acknowledgment of fault or liability.

  6. Sub-Processors

6.1 Authorization. Client provides general authorization for upcell to engage Sub-Processors to process Customer Personal Data in connection with the Service, subject to the requirements of this Section 6.

6.2 Current Sub-Processors. upcell’s current Sub-Processors are listed in Exhibit B to this DPA. upcell will impose data protection obligations on each Sub-Processor that are no less protective than those in this DPA.

6.3 Changes to Sub-Processors. upcell will notify Client of any intended addition or replacement of Sub-Processors by updating the Sub-Processor list at upcell.io/legal/subprocessors and providing Client with thirty (30) days’ prior written notice. If Client reasonably objects to a new Sub-Processor on data protection grounds, Client must notify upcell in writing within fourteen (14) days of the notice. The parties will work in good faith to resolve the objection. If the objection cannot be resolved, either party may terminate the affected portion of the Service on thirty (30) days’ written notice without liability for early termination.

6.4 Liability. upcell remains liable to Client for the acts and omissions of its Sub-Processors to the same extent as if upcell had performed the processing directly.

  7. Data Subject Rights

7.1 Assistance. upcell will provide reasonable assistance to Client in responding to data subject requests to exercise rights under Applicable Data Protection Laws (including rights of access, rectification, erasure, restriction, portability, and objection), taking into account the nature of processing and the information available to upcell.

7.2 Redirection. If upcell receives a data subject request directly in relation to Customer Personal Data for which Client is the Controller, upcell will promptly redirect the data subject to Client and will not respond to the request on Client’s behalf without Client’s prior written authorization.

7.3 Suppression. upcell maintains a suppression file for individuals who have submitted opt-out or deletion requests through upcell’s Privacy Center at upcell.io/data-claim. upcell will honor such requests and exclude suppressed individuals from data delivered through the Service. Client is responsible for honoring data subject requests it receives directly in relation to data within Client’s own systems.

  8. Data Protection Impact Assessments and Prior Consultation

Where required by Applicable Data Protection Laws, upcell will provide reasonable assistance to Client in conducting data protection impact assessments (DPIAs) and in any required prior consultation with supervisory authorities, in each case solely to the extent such assistance relates to upcell’s processing of Customer Personal Data and taking into account the information available to upcell.

  9. Audit Rights

9.1 Information and Audit. upcell will make available to Client, upon reasonable written request, information necessary to demonstrate compliance with this DPA. upcell will permit, and contribute to, audits and inspections conducted by Client or a mutually agreed independent auditor, subject to the following conditions: (a) Client provides at least thirty (30) days’ prior written notice; (b) audits are conducted no more than once per calendar year absent a confirmed Security Incident; (c) audits are conducted during normal business hours and in a manner that minimizes disruption to upcell’s operations; and (d) the auditor is subject to binding confidentiality obligations.

9.2 Third-Party Certifications. upcell may satisfy its audit obligations under this Section 9 by providing Client with copies of relevant third-party audit reports, certifications, or security assessments, to the extent they cover the processing of Customer Personal Data under this DPA.

  10. International Data Transfers

10.1 Transfers from EEA and UK. To the extent that upcell processes Customer Personal Data that is transferred from the EEA or UK to the United States or another country not recognized as providing an adequate level of data protection, the parties agree that such transfers are governed by the Standard Contractual Clauses (Module Two: Controller to Processor), which are incorporated by reference into this DPA and available upon request from [email protected].

10.2 SCC Hierarchy. In the event of a conflict between the SCCs and this DPA, the SCCs will prevail with respect to the international transfer of Customer Personal Data.

10.3 UK Transfers. For transfers of Customer Personal Data from the UK, the parties agree to execute the UK International Data Transfer Addendum to the SCCs (the “UK Addendum”) as required by the UK Information Commissioner’s Office, which is incorporated by reference into this DPA.

10.4 Sub-Processor Transfers. upcell will ensure that any international transfer of Customer Personal Data by a Sub-Processor is subject to an appropriate transfer mechanism under Applicable Data Protection Laws.

  11. CCPA Service Provider Obligations

11.1 Service Provider Status. For the purposes of the CCPA, upcell acts as a “Service Provider” with respect to Customer Personal Data. upcell will not (a) sell or share Customer Personal Data; (b) retain, use, or disclose Customer Personal Data for any purpose other than providing the Service as specified in the Agreement and this DPA; (c) retain, use, or disclose Customer Personal Data outside of the direct business relationship between the parties; or (d) combine Customer Personal Data with personal information received from other sources except as permitted by the CCPA.

11.2 CCPA Cooperation. upcell will cooperate with Client in responding to verifiable consumer requests received by Client under the CCPA, including requests to know, delete, correct, or opt out of sale or sharing, to the extent such requests relate to Customer Personal Data processed by upcell on Client’s behalf.

  12. Retention and Deletion of Customer Personal Data

12.1 Retention During Term. upcell will retain Customer Personal Data for the duration of the Agreement and as set out in Section 4.2 of the Terms of Service: transaction and enrichment logs are retained for the duration of Client’s subscription plus thirty (30) days following termination.

12.2 Deletion on Termination. Upon expiration or termination of the Agreement, upcell will, at Client’s election, delete or return all Customer Personal Data within thirty (30) days, except to the extent upcell is required by Applicable Data Protection Laws to retain it. Where retention is required by law, upcell will notify Client, limit further processing to the minimum necessary, and delete such data as soon as the retention obligation expires.

12.3 Suppression File. Notwithstanding the above, upcell may retain suppression records (i.e., records of individuals who have exercised data subject rights) indefinitely and solely for the purpose of honoring those rights on an ongoing basis. This is consistent with regulatory guidance and upcell’s obligations under Applicable Data Protection Laws.

  13. Liability

Each party’s liability under this DPA is subject to the limitations and exclusions set out in the Agreement. Nothing in this DPA limits either party’s liability to data subjects or supervisory authorities under Applicable Data Protection Laws, to the extent such liability cannot be limited by contract.

  14. Term and Termination

This DPA is effective as of the date the Agreement becomes effective and continues for the duration of the Agreement. Termination of the Agreement automatically terminates this DPA. Sections 3 (Confidentiality), 5 (Security Incident Notification), 10 (International Data Transfers), 12 (Retention and Deletion), and 13 (Liability) survive termination of this DPA.

  15. General

15.1 Order of Precedence. In the event of a conflict between this DPA and the Agreement, this DPA controls with respect to the processing of Customer Personal Data. In the event of a conflict between this DPA and the SCCs, the SCCs control with respect to international transfers of Customer Personal Data.

15.2 Amendments. upcell may update this DPA from time to time to reflect changes in Applicable Data Protection Laws or upcell’s processing activities, provided that such updates do not materially reduce Client’s rights or upcell’s obligations under this DPA. upcell will provide thirty (30) days’ prior written notice of material changes. Client’s continued use of the Service following the effective date of any update constitutes acceptance of the updated DPA.

15.3 Governing Law. This DPA is governed by the same governing law as the Agreement, except that with respect to the SCCs, the governing law provisions of the SCCs apply.

15.4 Entire Agreement. This DPA, together with the Agreement and any applicable SCCs, constitutes the complete agreement between the parties with respect to the processing of Customer Personal Data and supersedes all prior agreements or understandings on this subject.

Exhibit A — Processing Details

Subject Matter of Processing

upcell processes Customer Personal Data to provide its B2B sales intelligence and CRM enrichment platform, including the Prospector Chrome extension and multi-vendor enrichment Service.

Duration of Processing

For the duration of the Agreement, plus the retention periods specified in Section 12 of this DPA.

Nature and Purpose of Processing

  • Facilitating capture of public professional profile data via the Chrome extension and pushing records to Client’s CRM

  • Routing enrichment requests through Client’s third-party API credentials, mapping returned data fields, and delivering enriched records to Client’s CRM

  • Maintaining transaction and enrichment audit logs accessible to Client through the platform’s compliance dashboard

  • Matching and deduplicating records against existing entries in Client’s CRM

Categories of Personal Data

  • First name, last name, job title, employer/company name (from public professional profiles)

  • Business email addresses (from third-party enrichment providers via Client’s API credentials)

  • Professional telephone numbers (from third-party enrichment providers via Client’s API credentials)

  • CRM record identifiers used for matching and deduplication

Categories of Data Subjects

  • Business professionals acting in their professional or employment capacity

  • Individuals whose professional contact information is processed in connection with Client’s B2B sales and marketing activities

Special Categories of Data

None. upcell does not process special categories of personal data as defined under GDPR Article 9 or equivalent provisions of Applicable Data Protection Laws.

Exhibit B — Authorized Sub-Processors

upcell’s current list of authorized Sub-Processors is maintained at:

https://www.upcell.io/legal/subprocessors

This page is updated whenever upcell adds, replaces, or removes a Sub-Processor. upcell will notify Client of any material changes in accordance with Section 6.3 of this DPA. The Sub-Processor list identifies each Sub-Processor by name, processing activity, and location. For Sub-Processors whose identity is competitively sensitive, upcell will disclose full details to enterprise Clients upon written request under a non-disclosure agreement.

Exhibit C — Standard Contractual Clauses

Where Customer Personal Data is transferred from the EEA or UK to a country not recognized as providing an adequate level of protection, the parties agree to be bound by the Standard Contractual Clauses (Module Two: Controller to Processor) adopted by the European Commission under Decision 2021/914, and where applicable the UK International Data Transfer Addendum issued by the UK Information Commissioner’s Office.

The SCCs and UK Addendum are available upon written request to [email protected] and will be executed as a separate addendum to this DPA where required by Applicable Data Protection Laws or Client’s enterprise requirements.

For the purposes of the SCCs, the following apply:

  • Clause 7 (Docking Clause): Not applicable

  • Clause 9 (Use of Sub-Processors): Option 2 (General written authorization) applies, with thirty (30) days’ notice of Sub-Processor changes

  • Clause 11 (Redress): The optional language is not included

  • Clause 17 (Governing Law): The law of Ireland applies

  • Clause 18 (Choice of Forum): The courts of Ireland have jurisdiction