Back

Data Processing Agreement

Last updated: 11/30/2025

Data Processing Agreement

Agreement Overview

This Data Processing Agreement ("DPA") forms part of the Upcurve Terms of Service and governs the processing of personal data by Upcurve ("Processor") on behalf of our customers ("Controllers") in accordance with applicable data protection laws.

Definitions

Key Terms

  • Personal Data: Any information relating to an identified or identifiable natural person
  • Processing: Any operation performed on personal data, including collection, storage, use, and deletion
  • Controller: The entity that determines the purposes and means of processing personal data
  • Processor: Upcurve, which processes personal data on behalf of the Controller
  • Data Subject: The individual whose personal data is being processed

Applicable Laws

This DPA addresses compliance with:

  • General Data Protection Regulation (GDPR)
  • California Consumer Privacy Act (CCPA)
  • Other applicable data protection regulations

Scope of Processing

Categories of Personal Data

Upcurve may process the following types of personal data:

Donor Information

  • Names and contact details
  • Email addresses and phone numbers
  • Payment information (processed by Stripe)
  • Donation history and preferences
  • Communication preferences

Organization Data

  • Employee and staff information
  • Administrative contacts
  • Organizational preferences and settings
  • Usage analytics and platform interactions

Technical Data

  • IP addresses and device information
  • Browser and operating system details
  • Session data and platform usage patterns
  • Error logs and diagnostic information

Purposes of Processing

Personal data is processed for:

  • Service Delivery: Providing donation management platform functionality
  • Transaction Processing: Facilitating donations and payments
  • Customer Support: Resolving issues and providing assistance
  • Platform Improvement: Analytics and service optimization
  • Legal Compliance: Meeting regulatory and legal requirements

Controller and Processor Obligations

Controller Responsibilities

The Controller (Customer) must:

Legal Basis

  • Ensure lawful basis for processing personal data
  • Obtain necessary consents from data subjects
  • Provide appropriate privacy notices
  • Maintain records of processing activities

Data Quality

  • Ensure accuracy and relevance of personal data
  • Update or correct data as necessary
  • Limit data collection to necessary purposes
  • Implement appropriate retention policies

Data Subject Rights

  • Respond to data subject access requests
  • Facilitate exercise of data subject rights
  • Coordinate with Upcurve on requests involving processed data
  • Maintain audit trails for compliance

Processor Responsibilities

Upcurve (Processor) must:

Processing Instructions

  • Process personal data only on documented instructions from Controller
  • Notify Controller if instructions appear to violate applicable law
  • Not process data for own purposes unless legally required
  • Maintain detailed processing records

Security Measures

  • Implement appropriate technical and organizational measures
  • Ensure ongoing confidentiality, integrity, and availability of data
  • Regularly test and evaluate security effectiveness
  • Promptly notify Controller of security incidents

Staff and Access Control

  • Ensure staff access data only on need-to-know basis
  • Provide regular data protection training
  • Maintain confidentiality agreements with all personnel
  • Implement role-based access controls

Technical and Organizational Measures

Data Security

Upcurve implements the following security measures:

Technical Safeguards

  • Encryption: AES-256 encryption for data at rest and TLS 1.3 for data in transit
  • Access Controls: Multi-factor authentication and role-based permissions
  • Network Security: Firewalls, intrusion detection, and secure network architecture
  • Regular Updates: Timely security patches and system updates
  • Backup Systems: Secure, encrypted backups with geographic redundancy

Organizational Measures

  • Security Policies: Comprehensive information security policies and procedures
  • Incident Response: Detailed security incident response and notification procedures
  • Employee Training: Regular security awareness and data protection training
  • Vendor Management: Due diligence and security requirements for subprocessors
  • Compliance Monitoring: Regular security audits and compliance assessments

Data Minimization

  • Collect only necessary personal data for specified purposes
  • Implement automated data retention and deletion policies
  • Regular review of data processing needs and purposes
  • Privacy-by-design principles in system development

Subprocessors

Current Subprocessors

Upcurve uses the following subprocessors:

Payment Processing

  • Stripe Inc.: Payment processing and fraud prevention
  • Location: United States
  • Purpose: Secure payment processing and transaction management
  • Safeguards: PCI DSS compliance, data encryption, limited data access

Infrastructure Services

  • Cloud Hosting Providers: Infrastructure and database hosting
  • Location: United States and EU
  • Purpose: Platform hosting, data storage, and system operations
  • Safeguards: SOC 2 compliance, encryption, access controls

Analytics and Support

  • Analytics Providers: Usage analytics and platform optimization
  • Support Tools: Customer support and ticketing systems
  • Safeguards: Data anonymization, limited access, privacy agreements

Subprocessor Management

  • Due Diligence: Comprehensive security and privacy assessments
  • Contractual Requirements: Data protection obligations equivalent to this DPA
  • Ongoing Monitoring: Regular review of subprocessor security practices
  • Change Notification: 30-day advance notice of new or changed subprocessors

Objection Rights

Controllers may object to new subprocessors:

  • Written objection within 30 days of notification
  • Upcurve will work to address concerns or provide alternatives
  • If no resolution, Controller may terminate affected services

International Data Transfers

Transfer Mechanisms

For transfers outside the EEA, Upcurve uses:

Adequacy Decisions

  • Transfers to countries with adequacy decisions from European Commission
  • Regular monitoring of adequacy status changes
  • Alternative safeguards if adequacy withdrawn

Standard Contractual Clauses

  • EU Commission-approved Standard Contractual Clauses (SCCs)
  • Regular review and updates to reflect legal changes
  • Additional safeguards where required by law

Additional Safeguards

  • Technical Measures: Encryption, pseudonymization, access controls
  • Legal Assessments: Regular evaluation of third-country legal frameworks
  • Risk Mitigation: Additional protections for sensitive data categories

Transfer Records

  • Detailed records of all international transfers
  • Documentation of legal basis and safeguards
  • Regular review and update of transfer mechanisms
  • Data mapping and inventory maintenance

Data Subject Rights

Rights Facilitation

Upcurve assists Controllers in fulfilling data subject rights:

Access Rights

  • Provide data subject access to their personal data
  • Export data in structured, commonly used format
  • Assistance with identifying relevant data across systems

Rectification and Erasure

  • Tools for correcting inaccurate personal data
  • Deletion capabilities for exercise of right to erasure
  • Automated and manual data deletion procedures

Restriction and Objection

  • Temporary restriction of data processing when requested
  • Opt-out mechanisms for direct marketing
  • Objection handling for legitimate interest processing

Data Portability

  • Data export in machine-readable formats
  • Secure transfer mechanisms to other processors
  • Assistance with data migration and formatting

Response Procedures

  • Response Time: Assistance provided within 48 hours of Controller request
  • Verification: Identity verification procedures for data subject requests
  • Documentation: Detailed records of actions taken for each request
  • Coordination: Clear communication channels between Controller and Processor

Data Breach Response

Incident Identification

  • 24/7 monitoring and detection systems
  • Clear incident classification and severity levels
  • Immediate containment and impact assessment procedures
  • Forensic investigation capabilities

Notification Requirements

Controller Notification

  • Timeline: Within 24 hours of breach discovery
  • Information: Nature of breach, affected data categories, likely consequences
  • Contact Method: Immediate notification via multiple channels
  • Updates: Regular updates as investigation progresses

Regulatory Notification

  • Assistance with regulatory notifications where required
  • Preparation of breach notification documentation
  • Coordination with legal counsel and authorities
  • Post-incident review and improvement recommendations

Breach Response Process

  1. Detection and Containment: Immediate threat containment and system isolation
  2. Assessment: Evaluation of scope, impact, and risk to data subjects
  3. Notification: Prompt notification to Controller and relevant parties
  4. Investigation: Detailed forensic investigation and root cause analysis
  5. Recovery: System restoration and enhanced security measures
  6. Review: Post-incident analysis and process improvements

Audit and Compliance

Audit Rights

Controllers have the right to:

  • Documentation Review: Access to processing records and compliance documentation
  • On-Site Audits: Reasonable audit access during business hours
  • Third-Party Audits: Use of qualified independent auditors
  • Compliance Reports: Regular compliance and security assessment reports

Compliance Monitoring

  • Regular Assessments: Quarterly compliance reviews and updates
  • Certification Programs: SOC 2, ISO 27001, and other relevant certifications
  • Legal Updates: Monitoring and implementation of regulatory changes
  • Training Programs: Ongoing staff training on data protection requirements

Records and Documentation

  • Detailed processing records as required by applicable law
  • Documentation of technical and organizational measures
  • Records of data subject requests and responses
  • Incident logs and response documentation

Data Retention and Deletion

Retention Policies

  • Service Data: Retained during active service period plus defined retention period
  • Backup Data: Automated deletion from backups within 90 days of primary deletion
  • Log Data: Security and audit logs retained for 2 years unless legally required longer
  • Analytics Data: Aggregated, anonymized data may be retained indefinitely

Deletion Procedures

End of Service

  • Data Return: Secure return of all personal data to Controller within 30 days
  • Deletion Certification: Written confirmation of complete data deletion
  • Backup Purging: Secure deletion from all backup systems
  • Subprocessor Coordination: Ensuring deletion by all subprocessors

On-Demand Deletion

  • Self-service deletion tools for Controllers
  • API-based deletion for automated processes
  • Verification and confirmation of deletion completion
  • Exception handling for legal hold requirements

Liability and Indemnification

Limitation of Liability

  • Upcurve's liability limited to direct damages caused by breach of this DPA
  • No liability for Controller's failure to comply with data protection obligations
  • Liability caps as specified in main service agreement
  • Force majeure exceptions for circumstances beyond reasonable control

Indemnification

  • Mutual Indemnification: Both parties indemnify for their own breaches
  • Third-Party Claims: Protection against claims arising from DPA violations
  • Regulatory Fines: Allocation of responsibility for regulatory penalties
  • Defense Cooperation: Mutual cooperation in defending against claims

Term and Termination

Agreement Term

  • This DPA remains in effect while the main service agreement is active
  • Survives termination for data processing completion and deletion
  • May be updated to reflect legal or regulatory changes
  • Immediate effect of updates unless otherwise specified

Termination Rights

  • Either party may terminate for material breach with 30 days cure period
  • Immediate termination for data security breaches
  • Controller may terminate for objection to new subprocessors
  • Data processing obligations survive termination until completion

Post-Termination Obligations

  • Secure return or deletion of all personal data
  • Destruction of copies held by subprocessors
  • Continued confidentiality obligations
  • Assistance with regulatory inquiries if needed

Contact Information

Data Protection Officer

Email: dpo@upcurve.com
Phone: [DPO Phone Number]
Address: [DPO Mailing Address]

Legal and Compliance

Email: legal@upcurve.com
Emergency Contact: [24/7 Security Hotline]

European Representative

Company: [EU Representative Company]
Address: [EU Address]
Email: [EU Contact Email]

Execution

This Data Processing Agreement is effective as of the date first signed below and forms an integral part of the main service agreement between the parties.

Controller: _____________________ Date: __________

Processor (Upcurve): _____________________ Date: __________