Data Processing Agreement
Last updated: 30 March 2026
This Data Processing Agreement ("DPA") forms part of the agreement between Vision Software Solutions Limited, a company registered in England and Wales with its registered office at C/O Benison Solvers Limited, 1000 Great West Road, Brentford, United Kingdom, TW8 9DW ("Uptrue", "Processor", "we", "us", or "our"), and the customer ("Controller", "you", or "your") who has agreed to the Uptrue Terms of Service.
This DPA sets out the terms under which Uptrue processes personal data on behalf of the Controller in connection with the provision of the Uptrue monitoring platform (the "Service"). This DPA is entered into pursuant to Article 28 of the UK General Data Protection Regulation (UK GDPR) and, where applicable, Article 28 of the EU General Data Protection Regulation (EU GDPR).
This DPA applies automatically to all customers. By using the Service, you agree to the terms of this DPA.
1. Definitions
In this DPA, unless the context requires otherwise:
- "Data Protection Laws" means the UK GDPR, the Data Protection Act 2018, the EU GDPR, the Privacy and Electronic Communications Regulations 2003 (PECR), and all other applicable data protection and privacy legislation.
- "Personal Data" means any information relating to an identified or identifiable natural person that is processed by Uptrue on behalf of the Controller in connection with the Service.
- "Processing" means any operation or set of operations performed on Personal Data, including collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, use, disclosure, combination, restriction, erasure, or destruction.
- "Sub-processor" means any third party engaged by Uptrue to process Personal Data on behalf of the Controller.
- "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.
- "Data Subject" means an identified or identifiable natural person whose Personal Data is processed under this DPA.
2. Scope and Purpose of Processing
2.1 Subject Matter
Uptrue processes Personal Data on behalf of the Controller solely for the purpose of providing the Service, which includes website and infrastructure monitoring, alerting, status page hosting, incident management, and report generation.
2.2 Categories of Data Subjects
The Personal Data processed under this DPA may relate to the following categories of Data Subjects:
- The Controller's employees, contractors, and authorised users of the Service
- The Controller's clients and end users (in the case of Agency accounts)
- Individuals whose contact information is provided for alert delivery (email recipients, phone number holders)
2.3 Types of Personal Data
The types of Personal Data processed may include:
- Name and email address (account information)
- Phone number (for SMS, WhatsApp, and voice call alerts)
- IP addresses (from access logs and audit records)
- Organisation name and role assignments
- Monitor configuration data (URLs, endpoints)
- Billing and transaction data (processed by Stripe; Uptrue does not store payment card details)
2.4 Duration
Processing shall continue for the duration of the Controller's use of the Service and for the retention periods specified in the Privacy Policy, unless earlier termination or deletion is requested.
3. Processor Obligations
Uptrue, as the Processor, shall:
- Process Personal Data only on the documented instructions of the Controller, including with respect to transfers of Personal Data outside the UK or EU, unless required to do so by applicable law, in which case Uptrue shall inform the Controller of that legal requirement before processing (unless prohibited from doing so by law).
- Ensure that persons authorised to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- Implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as described in Section 5.
- Respect the conditions for engaging Sub-processors, as described in Section 4.
- Assist the Controller, taking into account the nature of processing, in fulfilling the Controller's obligations to respond to Data Subject requests, as described in Section 7.
- Assist the Controller in ensuring compliance with obligations relating to security of processing, notification of Data Breaches, data protection impact assessments, and prior consultation with supervisory authorities.
- At the choice of the Controller, delete or return all Personal Data to the Controller after the end of the provision of the Service, and delete existing copies unless retention is required by applicable law, as described in Section 8.
- Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the UK GDPR / EU GDPR and allow for and contribute to audits, including inspections, as described in Section 9.
- Immediately inform the Controller if, in Uptrue's opinion, an instruction from the Controller infringes Data Protection Laws.
4. Sub-processors
4.1 Authorised Sub-processors
The Controller provides general written authorisation for Uptrue to engage Sub-processors. The following Sub-processors are currently authorised:
| Sub-processor | Purpose | Data Processed | Location |
|---|---|---|---|
| Supabase Inc. | Database hosting, authentication, real-time services | Account data, monitoring data, check results, authentication tokens | EU (Frankfurt, Germany) |
| Stripe Inc. | Payment processing, subscription management, Connect payouts | Billing name, address, payment method details, transaction records | EU / US (SCCs in place) |
| Vercel Inc. | Application hosting, edge functions, cron job execution | IP addresses, HTTP request metadata | Global edge (EU-primary, SCCs in place) |
| Resend Inc. | Transactional email delivery | Email addresses, email subject and body content | US (SCCs in place) |
| Anthropic PBC | AI-powered report generation and analysis (Claude API) | Aggregated, anonymised monitoring metrics and performance data | US (SCCs in place) |
| Twilio Inc. | SMS, WhatsApp, and voice call alert delivery | Phone numbers, alert message content | US (SCCs in place) |
4.2 Changes to Sub-processors
Uptrue shall notify the Controller by email at least 30 days before adding or replacing a Sub-processor, providing the Controller with the opportunity to object to the change. If the Controller objects on reasonable data protection grounds and the parties cannot resolve the objection within 30 days, the Controller may terminate the Service agreement with immediate effect.
4.3 Sub-processor Agreements
Uptrue shall enter into a written agreement with each Sub-processor imposing data protection obligations no less protective than those set out in this DPA. Uptrue remains fully liable to the Controller for the performance of each Sub-processor's obligations.
5. Security Measures
Uptrue implements and maintains the following technical and organisational measures to protect Personal Data:
5.1 Encryption
- All data in transit is encrypted using TLS 1.2 or higher
- Sensitive data at rest is encrypted using AES-256
- API keys are hashed using bcrypt on creation and never stored in plain text
- Webhook payloads are signed using HMAC-SHA256
5.2 Access Controls
- Row-level security (RLS) enforced at the database level to ensure strict data isolation between organisations
- All database queries are additionally scoped by organisation ID at the application level
- Principle of least privilege applied to all system and database accounts
- Multi-factor authentication available for user accounts
- Admin access restricted to whitelisted email addresses with Google OAuth
5.3 Audit Logging
- Immutable audit logs of all authentication events, admin actions, and security-relevant operations
- Audit logs include timestamp, user ID, action, resource type, resource ID, and IP address
- Audit logs do not contain passwords, tokens, or personal data content
- Audit logs are retained for one year
5.4 Infrastructure Security
- Application hosted on Vercel with automatic security patching
- Database hosted on Supabase (AWS Frankfurt) with managed security
- Automated dependency vulnerability scanning via npm audit in CI/CD pipeline
- GitHub Actions secret scanner to prevent accidental credential exposure
- Error tracking and monitoring via Sentry
5.5 Organisational Measures
- Confidentiality obligations for all personnel with access to Personal Data
- Regular access reviews
- Incident response procedures documented and tested
- Data protection awareness for all team members
6. Data Breach Notification
6.1 Notification to Controller
Uptrue shall notify the Controller without undue delay, and in any event within 72 hours of becoming aware of a Data Breach affecting Personal Data processed on behalf of the Controller.
6.2 Content of Notification
The notification shall include, to the extent available:
- A description of the nature of the Data Breach, including where possible the categories and approximate number of Data Subjects and records affected
- The name and contact details of the point of contact for further information
- A description of the likely consequences of the Data Breach
- A description of the measures taken or proposed to be taken to address the Data Breach, including measures to mitigate its possible adverse effects
6.3 Cooperation
Uptrue shall cooperate with the Controller and take all reasonable steps to assist in the investigation, mitigation, and remediation of any Data Breach. Uptrue shall also assist the Controller in meeting its obligations to notify the relevant supervisory authority and affected Data Subjects, as applicable.
7. Data Subject Requests
Uptrue shall, taking into account the nature of the processing, assist the Controller by appropriate technical and organisational measures, insofar as this is possible, in fulfilling the Controller's obligations to respond to Data Subject requests to exercise their rights under Data Protection Laws, including:
- Right of access
- Right to rectification
- Right to erasure
- Right to restriction of processing
- Right to data portability
- Right to object
If Uptrue receives a request directly from a Data Subject, Uptrue shall promptly notify the Controller and shall not respond to the request directly unless instructed to do so by the Controller or required to do so by applicable law.
The Service provides self-service data export functionality (JSON and CSV formats) that Controllers can use to fulfil access and portability requests. Erasure requests can be fulfilled via the account deletion feature or by contacting support@uptrue.io.
8. Data Deletion and Return
8.1 Upon Termination
Upon termination of the Service agreement, at the Controller's choice, Uptrue shall:
- Return all Personal Data to the Controller in a structured, commonly used, and machine-readable format (JSON or CSV); or
- Delete all Personal Data and confirm deletion in writing.
The Controller has 30 days from the date of termination to request return of data. After this period, Uptrue shall securely delete all Personal Data, unless retention is required by applicable law.
8.2 Retention Exceptions
Uptrue may retain Personal Data beyond the termination date solely to the extent required by applicable law (e.g., financial and tax records for 7 years under UK law). Such retained data will continue to be protected in accordance with this DPA and will be deleted as soon as the legal retention period expires.
9. Audit Rights
9.1 Information
Uptrue shall make available to the Controller all information necessary to demonstrate compliance with the obligations in this DPA and in Article 28 of the UK GDPR / EU GDPR.
9.2 Audits
The Controller, or an independent third-party auditor mandated by the Controller, may conduct an audit of Uptrue's processing activities and compliance with this DPA, subject to the following conditions:
- The Controller shall provide at least 30 days' written notice of any audit request.
- Audits shall be conducted during normal business hours and shall not unreasonably disrupt Uptrue's operations.
- The Controller shall bear the costs of the audit, unless the audit reveals a material breach by Uptrue, in which case Uptrue shall bear the reasonable costs.
- The Controller may conduct no more than one audit per 12-month period, unless a Data Breach has occurred or a supervisory authority requires an additional audit.
- All information obtained during the audit shall be treated as Confidential Information.
9.3 Alternative Assurance
Where Uptrue has obtained a relevant third-party certification or audit report (such as SOC 2 Type II or ISO 27001), Uptrue may provide such report to the Controller as an alternative to an on-site audit, provided the report is current and covers the relevant processing activities.
10. International Data Transfers
10.1 Primary Storage
Personal Data is primarily stored within the European Union (Supabase, Frankfurt, Germany).
10.2 Transfers Outside the EU/UK
Where Personal Data is transferred to Sub-processors located outside the EU/UK (as identified in Section 4.1), Uptrue ensures that appropriate safeguards are in place, including:
- EU Standard Contractual Clauses (SCCs) as approved by the European Commission (Decision 2021/914), incorporated into agreements with each relevant Sub-processor.
- UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs, as approved by the UK Information Commissioner, where transfers originate from the UK.
10.3 Transfer Impact Assessments
Uptrue conducts transfer impact assessments for each international data transfer to evaluate whether the laws of the destination country provide an adequate level of protection and whether supplementary measures are required.
11. Duration and Termination
This DPA comes into effect when the Controller begins using the Service and remains in effect for the duration of the processing. Upon termination of the Service agreement, the provisions of this DPA shall continue to apply to any Personal Data retained by Uptrue until such data is securely deleted.
12. Liability
The liability of each party under this DPA is subject to the limitations and exclusions set out in the Terms of Service. Each party shall be liable for damage caused by processing that infringes Data Protection Laws, in accordance with Article 82 of the UK GDPR / EU GDPR.
13. Governing Law
This DPA is governed by and construed in accordance with the laws of England and Wales. Any dispute arising under this DPA shall be subject to the exclusive jurisdiction of the courts of England and Wales, without prejudice to the rights of Data Subjects to lodge complaints with supervisory authorities or to seek judicial remedies in their Member State of habitual residence.
14. Contact
For questions about this Data Processing Agreement, please contact:
- Data Protection Officer: privacy@uptrue.io
- General Support: support@uptrue.io
- Post: Data Protection Officer, Vision Software Solutions Limited, C/O Benison Solvers Limited, 1000 Great West Road, Brentford, United Kingdom, TW8 9DW