Last Updated: Nov 22, 2025
This Data Processing Addendum, including its schedules and the Standard Contractual Clauses (collectively, the “DPA”), forms part of and is governed by the UprootSecurity Terms of Service (the “Agreement”) between the UprootSecurity contracting entity named in the Agreement (“UprootSecurity”) and the customer identified in the Agreement (“Customer”) under which UprootSecurity provides Services to Customer.
All capitalized terms not defined in this DPA have the meanings assigned in the Agreement. This DPA supplements the Agreement and defines the roles, responsibilities, and obligations that apply when UprootSecurity Processes Personal Data on behalf of Customer in connection with Services subject to Applicable Data Protection Law.
By executing the Agreement, Customer agrees to this DPA and the applicable Standard Contractual Clauses on its own behalf and, where required under Applicable Data Protection Law, on behalf of its permitted Affiliates using the Services. For purposes of this DPA, and unless expressly stated otherwise, “Customer” includes Customer and such Affiliates.
The parties agree as follows:
1. Definitions
1.1. “Affiliates” means any entity that directly or indirectly Controls, is Controlled by, or is under common Control with another entity. “Control” means holding an ownership, voting, or equivalent interest representing fifty percent (50%) or more of the total interests (on a fully diluted basis) of the relevant entity. “Controlled” shall be interpreted accordingly.
1.2. “Applicable Data Protection Law” means all data protection and privacy laws that apply generally to UprootSecurity’s provision of the Services, including European Data Protection Law and US Data Protection Law, irrespective of Customer’s specific use of the Services.
1.3. “Controller” means any entity that determines, alone or jointly with others, the purposes and means of Processing Personal Data. For this DPA, “Controller” also includes a “business” under US Data Protection Law or any similar designation under Applicable Data Protection Law.
1.4. “Customer Data” means all Personal Data Processed by UprootSecurity under Section 2.1 of this DPA in connection with the Services, as further described in Schedules 1 and 2 (as applicable).
1.5. “Europe” means the European Economic Area (EEA), Switzerland, and the United Kingdom (UK).
1.6. “European Data Protection Law” means:
(i) the EU General Data Protection Regulation (EU GDPR);
(ii) the UK GDPR and the UK Data Protection Act 2018;
(iii) the Swiss Federal Data Protection Act and related ordinances;
(iv) the EU e-Privacy Directive; and
(v) any national laws implementing, supplementing, or replacing the foregoing, in each case as amended or replaced over time.
1.7. “Personal Data” means any information relating to an identified or identifiable natural person or consumer (“Data Subject”), including any information classified as “personal data,” “personally identifiable information,” or “personal information” under Applicable Data Protection Law.
1.8. “Process,” “Processes,” “Processing,” or “Processed” means any operation or set of operations performed on Personal Data, whether automated or not, including collection, recording, storage, alteration, retrieval, use, disclosure, transmission, restriction, deletion, destruction, or any comparable activity.
1.9. “Processor” means any entity that Processes Personal Data on behalf of a Controller in accordance with the Controller’s instructions. For this DPA, “Processor” also includes a “service provider” under US Data Protection Law or any analogous designation.
1.10. “Restricted Transfer” means:
(i) under the GDPR, a transfer of Personal Data from the EEA to a country lacking an adequacy decision;
(ii) under the UK GDPR, a transfer of Personal Data from the UK to a country lacking adequacy regulations; and
(iii) under the Swiss DPA, a transfer of Personal Data to a country not deemed adequate by the Swiss FDPIC.
1.11. “Security Incident” means any confirmed breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Data Processed by UprootSecurity. “Security Incident” excludes unsuccessful attempts that do not compromise Personal Data, such as failed login attempts, port scans, pings, or similar events.
1.12. “Standard Contractual Clauses” or “SCCs” means the European Commission’s standard contractual clauses adopted in Implementing Decision (EU) 2021/914 of 4 June 2021.
1.13. “Sub-processor” means any third party engaged by UprootSecurity or its Affiliates that Processes Customer Data to support the Services. Sub-processors may include third parties or UprootSecurity Affiliates but exclude UprootSecurity employees, contractors, and consultants.
1.14. “Supervisory Authority” means any regulatory, governmental, or oversight authority with jurisdiction to enforce Applicable Data Protection Law, including Attorneys General in the United States.
1.15. “UK Addendum” means the “UK Addendum to the EU Standard Contractual Clauses” issued by the UK Information Commissioner’s Office under Section 119A(1) of the UK Data Protection Act 2018.
1.16. “US Data Protection Law” means US federal, state, and local privacy laws applicable to the Processing of Personal Data, including the CCPA/CPRA, and, where applicable, the CDPA, CPA, UCPA, and CTDPA, in each case as amended or superseded from time to time.
2. Scope and Relationship of the Parties
This DPA applies to the extent UprootSecurity Processes Customer Data subject to Applicable Data Protection Law when providing the Services under the Agreement, as follows:
2.1.1. Where Customer acts as a Controller of Customer Data covered by this DPA, UprootSecurity shall act as a Processor on Customer’s behalf, and this DPA shall govern such Processing.
2.1.2. Where UprootSecurity or any relevant UprootSecurity Affiliate Processes Customer Data as a Controller, UprootSecurity shall Process such data in accordance with Applicable Data Protection Law and the UprootSecurity Privacy Policy available at https://www.uprootsecurity.com/legal/privacy-policy.
As a Processor, UprootSecurity shall Process Customer Data solely for the purposes set out in Schedules 1 and 2 (the “Business Purposes”) and only in accordance with Customer’s documented and lawful instructions, unless otherwise required by Applicable Data Protection Law. The parties agree that the Agreement and this DPA constitute Customer’s complete and final instructions to UprootSecurity regarding the Processing of Customer Data and, where applicable, incorporate all third-party Controller instructions. Any Processing outside these instructions requires Customer’s prior written approval.
Unless prohibited by Applicable Data Protection Law, UprootSecurity shall notify Customer in writing if it becomes aware that a Customer instruction violates Applicable Data Protection Law. Where applicable, Customer is responsible for any communications, approvals, or obligations relating to a third-party Controller.
Customer is responsible for ensuring the lawful Processing of Customer Data under the Agreement. Customer represents and warrants that:
(i) it has provided all notices and obtained all consents, permissions, and rights necessary under Applicable Data Protection Law for UprootSecurity to Process Customer Data for the purposes described in the Agreement;
(ii) it has complied, and will continue to comply, with its obligations as a Controller under Applicable Data Protection Law for the collection and provision of Customer Data to UprootSecurity and its Sub-processors; and
(iii) its instructions to UprootSecurity comply with Applicable Data Protection Law, and Processing by UprootSecurity in accordance with those instructions will not cause UprootSecurity to violate Applicable Data Protection Law.
Notwithstanding anything in the Agreement, Customer acknowledges that UprootSecurity and its Affiliates may create and use anonymized, de-identified, or aggregated information (as defined under Applicable Data Protection Law) for their own legitimate business purposes.
3.1 Where both parties act as separate Controllers, each party is independently responsible for complying with its respective obligations under Applicable Data Protection Law. Neither party is responsible for the other party’s compliance.
Customer grants UprootSecurity a general authorization to engage Sub-processors to Process Customer Data on Customer’s behalf (in UprootSecurity’s capacity as a Processor). The Sub-processors engaged by UprootSecurity depend on the Services purchased and are listed at the bottom of this page.
4.2. Notice.
UprootSecurity shall notify Customer of any new Sub-processor at least ten (10) days before engagement by sending notice to the email address designated by Customer for such notifications.
5. Security and Audits
UprootSecurity shall implement and maintain appropriate technical and organizational measures to protect Customer Data against Security Incidents and ensure its security and confidentiality. At minimum, such measures shall include those in Schedule 3 (“Security Measures”). UprootSecurity shall ensure all personnel authorized to Process Customer Data are bound by confidentiality obligations.
Customer acknowledges that Security Measures may evolve. UprootSecurity may update or modify them provided such changes do not materially reduce the overall security of the Services.
Customer remains responsible for securing its use of the Services, including managing authentication credentials, securing Customer Data in transit to and from the Services, and implementing appropriate safeguards (such as encryption and backups) for Customer Data under its control.
Upon becoming aware of a Security Incident, UprootSecurity shall notify Customer without undue delay and provide relevant information as it becomes available or as reasonably requested. Notification or response is not an admission of fault or liability.
Upon written request, UprootSecurity shall provide written responses (including audit summaries or similar documentation) to reasonable Customer inquiries necessary to verify UprootSecurity’s compliance with this DPA. Customer may exercise this right no more than once per rolling 12-month period, except where required by a Supervisory Authority, following a Security Incident, or under comparable circumstances. UprootSecurity is not required to disclose:
(i) trade secrets or proprietary information;
(ii) information subject to confidentiality, contractual restrictions, or applicable law; or
(iii) information that would compromise or risk the security or integrity of UprootSecurity’s systems or data.
Customer acknowledges that UprootSecurity and its Sub-processors may Process Customer Data, including via Restricted Transfers, in the United States or other jurisdictions where they operate. All such transfers shall comply with Applicable Data Protection Law and this DPA.
Upon expiration or termination of the Agreement, and upon Customer’s request, UprootSecurity shall delete all Customer Data it Processes as a Processor, including copies, unless retention is required by applicable law or contained in encrypted backups subject to secure isolation until deleted in accordance with UprootSecurity’s deletion practices. Customer Data Processed by UprootSecurity as a Controller will be retained or deleted in accordance with the UprootSecurity Privacy Statement.
Where Customer cannot independently access the relevant Customer Data in the Services, UprootSecurity shall provide reasonable assistance (at Customer’s expense and considering the nature of Processing) to support Customer’s response to data subject or regulatory requests. If such a request is made directly to UprootSecurity and UprootSecurity can reasonably identify the request as relating to Customer, UprootSecurity shall not respond without Customer’s authorization unless legally compelled. If legally required to respond, UprootSecurity shall notify Customer and provide a copy of the request unless prohibited by law.
Where Customer Data is subject to European Data Protection Law, the following apply in addition to the rest of this DPA:
UprootSecurity shall:
(i) enter into a written agreement with each Sub-processor requiring protections consistent with European Data Protection Law and this DPA; and
(ii) remain responsible for its obligations under this DPA and liable for any Sub-processor acts or omissions that cause UprootSecurity to breach this DPA.
UprootSecurity shall use reasonable efforts to provide relevant portions of its Sub-processor agreements upon Customer’s request.
Customer may object to a new Sub-processor on reasonable data protection grounds by notifying UprootSecurity within five (5) calendar days of the Section 4.1 notice. The objection must state those grounds. The parties shall discuss in good faith to resolve the concern. If no resolution is reached, UprootSecurity may either refrain from using the Sub-processor or allow Customer to suspend or terminate the affected Services per the Agreement, without liability (but without refund of prior fees). If Customer does not object within the 5-day period, the Sub-processor is deemed approved.
Where a transfer of Personal Data from Customer (“data exporter”) to UprootSecurity (“data importer”) constitutes a Restricted Transfer, the Standard Contractual Clauses apply automatically and form part of this DPA as follows:
For Customer Data subject to the EU GDPR and Processed in accordance with Section 2.1.1 of this DPA, the SCCs shall apply and be completed as follows:
i. Module Two applies;
ii. Clause 7 (Docking Clause) applies;
iii. Clause 9 (Option 2) applies, with the Sub-processor notice period set out in Section 4;
iv. Clause 11 optional language does not apply;
v. Clause 17 (Option 1) applies, and the governing law shall be that of the EU Member State where the data exporter is established, or if none, Ireland;
vi. Under Clause 18(b), disputes shall be resolved before the courts of the Member State where the data exporter is established, or if none, Ireland;
vii. Annex I to the SCCs is completed using the information in Schedule 1 of this DPA;
viii. Subject to Sections 5.1 and 5.2, Annex II to the SCCs is completed using Schedule 3 of this DPA.
For Customer Data subject to the EU GDPR and Processed in accordance with Section 2.1.2 of this DPA, the SCCs shall apply and be completed as follows:
i. Module One applies;
ii. Clause 7 (Docking Clause) applies;
iii. Clause 11 optional language does not apply;
iv. Clause 17 (Option 1) applies, and the governing law shall be that of the EU Member State where the data exporter is established, or if none, Ireland;
v. Under Clause 18(b), disputes shall be resolved before the courts of the Member State where the data exporter is established, or if none, Ireland;
vi. Annex I to the SCCs is completed using the information in Schedule 2 of this DPA;
vii. Subject to Sections 5.1 and 5.2, Annex II to the SCCs is completed using Schedule 3 of this DPA.
For Customer Data subject to the UK GDPR:
i. the SCCs apply as completed under Sections A and B above; and
ii. the SCCs are deemed amended by the UK Addendum in Schedule 4, which is deemed executed by both parties and forms part of this DPA.
If any conflict exists between the SCCs and the UK Addendum, it shall be resolved in accordance with Sections 10 and 11 of the UK Addendum.
For Customer Data subject to the Swiss DPA, the SCCs (as completed under Sections A and B) apply with the following modifications:
i. references to “Regulation (EU) 2016/679” refer to the Swiss DPA;
ii. references to GDPR Articles refer to their equivalent provisions under the Swiss DPA;
iii. references to “EU,” “Union,” “Member State,” and “Member State law” refer to “Switzerland” or “Swiss law”;
iv. “Member State” shall not be interpreted to exclude Swiss data subjects from bringing claims in Switzerland;
v. Clause 13(a) and Annex I, Part C do not apply, and the “competent supervisory authority” is the Swiss FDPIC;
vi. references to “competent supervisory authority” and “competent courts” refer to the Swiss FDPIC and Swiss courts;
vii. Clause 17 is governed by Swiss law;
viii. Clause 18(b) provides that disputes shall be resolved before the courts of Switzerland;
ix. the SCCs also protect legal-entity data until the revised Swiss DPA takes effect.
The parties do not intend to contradict or restrict the SCCs. If and to the extent any term of the Agreement (including this DPA) conflicts with the SCCs, the SCCs shall prevail.
If UprootSecurity implements an approved alternative transfer mechanism (e.g., Binding Corporate Rules, updated SCCs, or any successor framework) that satisfies Applicable European Data Protection Law, such mechanism shall replace the transfer mechanisms described in this DPA to the extent it applies to the relevant transfers. Customer shall execute any additional documents reasonably required to give effect to that mechanism.
If a competent court or Supervisory Authority determines that the transfer measures in this DPA cannot lawfully support transfers to a non-adequate jurisdiction, the parties shall cooperate in good faith to implement additional safeguards or replacement mechanisms (“Alternative Transfer Arrangements”) to ensure continued lawful transfers.
To the extent required by European Data Protection Law, UprootSecurity shall provide reasonably requested information about its Processing of Customer Data to support Customer’s data protection impact assessments or consultations with Supervisory Authorities.
UprootSecurity shall comply with applicable US Data Protection Laws. Capitalized terms not defined in this Section have the meaning assigned under those laws. The parties agree that Customer is the “business” and UprootSecurity is the “service provider,” and that the transfer of Customer Data to UprootSecurity does not constitute a “sale” or “sharing.”
UprootSecurity shall Process Customer Data only for the Business Purposes.
As a service provider, UprootSecurity shall not:
a) sell or share Customer Data;
b) retain, use, or disclose Customer Data for any purpose other than the Business Purposes, or as permitted by US Data Protection Laws;
c) retain, use, or disclose Customer Data outside the direct business relationship with Customer;
d) combine Customer Data with personal information from other sources, except as permitted under US Data Protection Laws (e.g., to perform a Business Purpose or detect security incidents).
UprootSecurity shall:
a) provide reasonable assistance for required risk assessments, cybersecurity audits, or regulatory consultations;
b) permit Customer to take reasonable steps to verify UprootSecurity’s Processing complies with US Data Protection Laws;
c) notify Customer if UprootSecurity determines it can no longer meet its obligations;
d) allow Customer, with reasonable notice, to take appropriate steps to stop and remediate unauthorized Processing.
Where required by US Data Protection Law, Customer shall notify UprootSecurity of relevant consumer requests and provide the information needed for UprootSecurity to comply.
Customer acknowledges that UprootSecurity may disclose this DPA (including the SCCs) and relevant privacy terms to regulatory authorities upon request.
UprootSecurity may modify this DPA where required to:
(i) comply with a Supervisory Authority request;
(ii) comply with Applicable Data Protection Law; or
(iii) implement approved contractual mechanisms, codes of conduct, certifications, or similar compliance frameworks.
Supplemental terms may be added as an Annex for jurisdiction-specific requirements. Notice of changes shall be provided to Customer, and the revised DPA shall take effect in accordance with the Agreement or UprootSecurity’s published terms.
Except as modified by this DPA, the Agreement remains unchanged. In the event of conflict, this DPA controls; where this DPA conflicts with the SCCs, the SCCs control.
All claims under this DPA are subject to the limitations and exclusions in the Agreement. Liability of a party includes its Affiliates collectively under the Agreement and this DPA. Nothing limits liability relating to data subject rights or regulatory obligations under this DPA.
If any provision of this DPA is held invalid or unenforceable, that provision shall be deemed deleted without affecting the rest of the DPA.
This DPA is governed by the jurisdiction and governing law specified in the Agreement, except where Applicable Data Protection Law or the SCCs require otherwise.

Schedule 1

Description of the Processing Activities / Transfer
(Controller → Processor Module Two)
Annex I(A): List of Parties

Data Exporter (Controller)

| Field | Details |
|---|---|
| Name | The party identified as the "Customer" in the Agreement and this DPA |
| Address | As set out in the Agreement |
| Contact Details | The contact details specified in the Agreement, this DPA, or otherwise associated with Customer's account |
| Activities Relevant to the Transfer | See Annex I(B) |
| Role | Controller |

Data Importer (Processor)

| Field | Details |
|---|---|
| Name | UprootSecurity, Inc. (“UprootSecurity”) |
| Address | 16192 Coastal Highway, Lewes, DE 19958, USA |
| Contact Details | Legal Department — [email protected] |
| Activities Relevant to the Transfer | See Annex I(B) |
| Role | Processor |

Annex I(B): Description of Transfer

| Description Element | Details |
|---|---|
| Categories of Data Subjects | • Customer employees • Customer end-users • Individuals whose personal data is submitted to the Services as part of Customer Data |
| Categories of Personal Data | Depending on the Services purchased: • Name • Username • Email address • Job title • Employment status (employee/contractor; start/end dates) • Organization name • IP address and online identifiers • Device IDs • Device OS/version/configuration (e.g., screen lock, encryption, antivirus) • Geolocation (IP-based) • Any additional personal data submitted to the Services as Customer Data |
| Sensitive Data | None. Customer must not submit Sensitive Data. |
| Frequency of Transfer | Continuous and as determined by Customer’s lawful instructions under Section 2.2 of the DPA. |
| Nature of Processing | Processing as required to provide the Services in accordance with the Agreement and this DPA. |
| Purpose of Processing | Provision of the Services to Customer. |
| Retention Period | As described in Section 7.1 of the DPA. |

Annex I(C): Competent Supervisory Authority

| Element | Details |
|---|---|
| Supervisory Authority | Determined in accordance with European Data Protection Law (based on the Data Exporter's establishment). |

Schedule 2

Description of Processing Activities / Transfer
(Controller → Controller — Module One)

Annex I(A): List of Parties

Data Exporter (Controller)

| Field | Details |
|---|---|
| Name | The party identified as the “Customer” in the Agreement and this DPA |
| Address | As set out in the Agreement |
| Contact Details | The contact details specified in the Agreement, this DPA, or associated with Customer’s account |
| Activities Relevant to the Transfer | See Annex I(B) |
| Role | Controller |

Data Importer (Controller)

| Field | Details |
|---|---|
| Name | UprootSecurity, Inc. (“UprootSecurity”) |
| Address | 16192 Coastal Highway, Lewes, DE 19958, USA |
| Contact Details | Legal Department — [email protected] |
| Activities Relevant to the Transfer | See Annex I(B) |
| Role | Controller |

Annex I(B): Description of Transfer

| Description Element | Details |
|---|---|
| Categories of Data Subjects | • Customer employees • Customer end-users • Individuals whose personal data is submitted to the Services as part of Customer Data |
| Categories of Personal Data | Personal data may include: • Account registration & profile data (name, company, geographic area, job title, contact details, password) • Billing data • Customer communication & support data (contact details, message content) • Service usage data (performance metrics, feedback, logs, product utilization data, security-related data) |
| Sensitive Data | None. |
| Frequency of Transfer | Variable; depends on Customer’s use of the Services. |
| Nature of Processing | Automated security and compliance operations as described in the Agreement. |
| Purpose of Processing | UprootSecurity will process personal data for: 1. Account registration & management; 2. Order and purchase-related activities; 3. Customer communications and support; 4. Operating and improving UprootSecurity’s offerings; 5. Preventing, detecting, and investigating security incidents; 6. Responding to malicious, deceptive, fraudulent, or illegal actions |
| Retention Period | As described in UprootSecurity’s applicable Privacy Policy. |

Annex I(C): Competent Supervisory Authority

| Element | Details |
|---|---|
| Supervisory Authority | Determined in accordance with European Data Protection Law based on the Data Exporter’s establishment. |

Schedule 3

Security Measures

The following technical and organizational measures apply across the Services to protect personal data processed by UprootSecurity.

| Measure | Description |
|---|---|
| Pseudonymisation and Encryption | UprootSecurity applies encryption at rest and encryption in transit for all personal data. |
| Confidentiality, Integrity, Availability & Resilience | UprootSecurity maintains SOC 2 and ISO 27001 compliance, implementing controls that protect system confidentiality, integrity, and availability. |
| Restoration & Incident Recovery | Routine backups are performed and retained for an appropriate duration to enable timely restoration after physical or technical incidents. |
| Regular Testing & Evaluation | Internal and external audits are conducted at least annually to assess the effectiveness of security measures. |
| User Identification & Authorization | Customer access is authenticated via Google Workspace or Microsoft 365. Customers control user identity and authorization. |
| Data Protection During Transmission | Encryption in transit is enforced for all data. |
| Data Protection During Storage | Encryption at rest is used to protect stored data. |
| Physical Security of Processing Locations | Services and data are hosted in AWS facilities in the United States. Physical access is restricted to authorized personnel under AWS security protocols. |
| Event Logging | Logging and monitoring systems capture relevant security and operational events. |
| System Configuration Management | UprootSecurity monitors system configurations to detect and address configuration drift. |
| Internal IT & Security Governance | SOC 2 and ISO 27001 frameworks guide governance and security management practices. |
| Certification & Assurance | The organization maintains SOC 2 and ISO 27001 certifications. |
| Data Minimisation | Only data strictly required to deliver the Services is collected and stored. |
| Data Quality Assurance | Customers control data submitted to the platform, and UprootSecurity ensures the validity of the data received. |
| Limited Retention | Data is retained only for the duration of the customer relationship and is deleted upon request. |
| Accountability Measures | UprootSecurity adheres to internal data protection and processing policies to ensure accountability. |
| Data Portability & Erasure | Standard data portability and deletion mechanisms are followed. |

Schedule 4

UK Addendum

This UK Addendum forms part of the DPA and applies as described in Section 9.1.3(C) (Transfers relating to the UK).

Start Date

| Field | Details |
|---|---|
| Start Date | The date of the Agreement. |

Data Exporter

| Field | Details |
|---|---|
| Name | The entity identified as the Customer in the Agreement and this DPA |
| Address | The address associated with the Customer’s account or as specified in the Agreement/DPA |
| Contact Details | As specified in the Agreement, this DPA, or Customer’s account |

Data Importer

| Field | Details |
|---|---|
| Name | UprootSecurity, Inc. (“UprootSecurity”) |
| Address | 16192 Coastal Highway, Lewes, DE 19958, USA |
| Contact Details | Legal Department — [email protected] |

| Element | Details |
|---|---|
| Approved SCCs | The Approved SCCs, including all applicable Appendix Information. Only the modules, clauses, and optional provisions listed in Section 9.1.3(C) of the DPA apply. |

| Element | Details |
|---|---|
| Schedules Used | Schedule 1 and Schedule 2 form the Appendix Information for the Approved SCCs. |

| Element | Details |
|---|---|
| Termination Due to Revisions | Neither Party elects to terminate upon changes to the Approved Addendum. |

| Element | Details |
|---|---|
| Mandatory Clauses Incorporated | Part 2: Mandatory Clauses of the UK Addendum, including any revisions made under Section 18 of those Clauses. |

Sub-processors

| Name | Service provided | Purpose | Data Centers |
|---|---|---|---|
| AWS | Servers | Providing infrastructure Services | United States |
| OpenAI | AI Models | Agentic capabilities within the product, such as dynamic risk generation. | United States |
| Axiom | Centralised log storage | Application logging | United States |

Please note that this list does not include tools or platforms that are deployed solely as self-hosted software solutions (e.g., Matomo), where no personal data is transferred to or accessed by any third party. Such tools are operated entirely within SurveySparrow’s Cloud infrastructure, and therefore do not qualify as Sub-Processors under applicable data protection regulations. Further details regarding the use of such tools are available in our Privacy Policy or upon request.