Effective date: April 23, 2026
Version: 1.0
This Data Processing Addendum (“DPA”) forms part of the agreement between upcoach LLC (“upcoach”) and the organization accepting this DPA (“Customer”) for Customer’s use of the upcoach platform (“Services”) (the “Agreement”). This DPA applies to the extent upcoach processes Personal Data on behalf of Customer in the course of providing the Services.
Customer accepts this DPA on behalf of itself and, where applicable, on behalf of its authorized affiliates who use the Services under Customer’s subscription. The person accepting this DPA warrants that they have authority to bind Customer.
Capitalized terms not defined in this DPA have the meaning given to them in the Agreement or in Data Protection Law.
“Data Protection Law” means all laws and regulations applicable to the processing of Personal Data under the Agreement, including (as applicable) the EU General Data Protection Regulation 2016/679 (“GDPR”), the United Kingdom General Data Protection Regulation and Data Protection Act 2018 (“UK GDPR”), the Swiss Federal Act on Data Protection (“FADP”), and any equivalent national implementing legislation.
“Personal Data”, “Processing”, “Controller”, “Processor”, “Data Subject”, “Supervisory Authority”, and “Personal Data Breach” have the meanings given in Data Protection Law.
“Customer Personal Data” means Personal Data that upcoach processes on behalf of Customer in connection with the Services.
“Sub-processor” means any third party engaged by upcoach to process Customer Personal Data.
“Standard Contractual Clauses” or “SCCs” means the standard contractual clauses annexed to Commission Implementing Decision (EU) 2021/914 of 4 June 2021, as amended or replaced from time to time.
With respect to Customer Personal Data processed under the Agreement:
Where Customer itself acts as a processor on behalf of a further controller (for example, where Customer is a coaching organization processing personal data on behalf of its own enterprise clients), Customer warrants it has the necessary authority from the further controller to engage upcoach as a sub-processor and that this DPA is compatible with Customer’s agreement with the further controller.
upcoach will process Customer Personal Data solely:
The subject matter, nature, purpose, duration, types of Personal Data, and categories of Data Subjects are set out in Annex I.B.
Customer warrants and represents that:
upcoach will:
Customer grants upcoach general authorization to engage sub-processors to process Customer Personal Data, subject to the conditions in this Section 4.
upcoach maintains a current list of sub-processors at upcoach.com/sub-processors. This list is the authoritative record of upcoach’s sub-processors and is updated when sub-processors change. A changelog at the bottom of that page records material changes.
upcoach does not individually notify customers of sub-processor changes. Customer is responsible for monitoring the sub-processor list for changes that may affect Customer. Material changes are recorded in the changelog on the sub-processor list page.
If Customer has a concern about a specific sub-processor, Customer may raise the concern in good faith by contacting [email protected]. upcoach will work with Customer to address the concern, which may include providing additional information, identifying an alternative workflow, or in exceptional cases discussing termination of the affected portion of the Services.
upcoach will impose on each sub-processor data protection obligations that are no less protective than those in this DPA to the extent applicable to the sub-processor’s services, and will remain liable to Customer for the performance of the sub-processor’s obligations.
Where upcoach processes Personal Data originating from the European Economic Area, the United Kingdom, or Switzerland (“Protected Personal Data”), and such processing involves a transfer outside the jurisdiction of origin to a country not benefiting from an adequacy decision, the transfer is governed by:
Where a sub-processor receives Protected Personal Data in a third country without adequacy, upcoach ensures an appropriate transfer mechanism is in place, typically the SCCs or the EU-US Data Privacy Framework where the sub-processor is DPF-certified.
In the event of a conflict between this DPA and the SCCs, the SCCs prevail. In the event of a conflict between the SCCs and the Agreement, the SCCs prevail. In the event of a conflict between this DPA and the Agreement, this DPA prevails with respect to the processing of Customer Personal Data.
upcoach provides assurance of its compliance with this DPA through documentary evidence. Upon reasonable written request, not more than once per 12-month period (or more often if required to respond to a competent Supervisory Authority or following a confirmed Personal Data Breach affecting Customer), upcoach will provide:
upcoach will respond to such requests within 30 days.
Customer’s audit rights under Data Protection Law are satisfied exclusively by the documentary evidence described in Section 6.1. Physical or on-site audit of upcoach’s facilities, infrastructure, or systems is not permitted under this DPA. This limitation reflects upcoach’s obligation to protect the confidentiality and security of Personal Data belonging to other customers processed on shared infrastructure: physical or system-level access granted to one customer or its auditor would create an unacceptable risk to the security of Personal Data belonging to other customers.
Notwithstanding Section 6.2, upcoach will cooperate with any competent Supervisory Authority conducting an investigation or audit under Data Protection Law, and will provide information directly to the Supervisory Authority as required by law.
upcoach will notify Customer without undue delay, and in any event within 48 hours of upcoach’s confirmed awareness, of any Personal Data Breach affecting Customer Personal Data.
The notification will include, to the extent known at the time of notification:
Where full information is not available at the time of initial notification, upcoach will provide it progressively as it becomes available.
upcoach will reasonably cooperate with Customer’s investigation and response to a Personal Data Breach, including providing information Customer reasonably requires to meet its own notification obligations under Data Protection Law.
“Confirmed awareness” means the point at which upcoach has established with reasonable certainty that a Personal Data Breach has occurred. Investigation of suspicious activity that has not been confirmed as a Personal Data Breach does not trigger the 48-hour clock.
Upon termination of the Agreement or upon Customer’s written request, upcoach will, at Customer’s choice, either delete or return all Customer Personal Data within 30 days, except where retention is required by applicable law or for the purposes described in Section 8.2.
Notwithstanding Section 8.1, upcoach may retain:
Any retained Customer Personal Data remains subject to the confidentiality and security obligations of this DPA.
Customer, as Controller, is primarily responsible for responding to requests from Data Subjects exercising their rights under Data Protection Law.
upcoach will, taking into account the nature of the processing, assist Customer by appropriate technical and organizational measures, insofar as possible, in fulfilling Customer’s obligation to respond to such requests. Where upcoach receives a request directly from a Data Subject related to Customer Personal Data, upcoach will:
Where Customer does not respond to a Data Subject’s request routed through upcoach within 30 days, upcoach may act on the request directly as a reasonable assistance measure, to the extent technically feasible.
upcoach’s liability under this DPA is subject to the limitations of liability set out in the Agreement. Nothing in this DPA limits liability that cannot be limited under applicable law (including, where applicable, statutory compensation rights of Data Subjects under Data Protection Law). No provision of this DPA allocates liability as between upcoach and any Data Subject; this DPA governs only the relationship between upcoach and Customer.
This DPA is governed by the law of the State of Delaware, United States, without regard to its conflict of laws principles. Any dispute arising out of or in connection with this DPA is subject to the exclusive jurisdiction of the courts of the State of Delaware, United States, subject to Section 11.2.
Where the SCCs govern a transfer, the SCCs’ own governing-law and jurisdiction clauses apply to the SCCs and override Section 11.1 to the extent of any conflict.
This DPA forms part of the Agreement. In the event of a conflict between this DPA and any other part of the Agreement with respect to the processing of Customer Personal Data, this DPA prevails.
upcoach may update this DPA from time to time to reflect changes in Data Protection Law, guidance from Supervisory Authorities, changes to upcoach’s processing operations, or corrections. Material changes will be reflected in a new version number and effective date, and Customer will be notified via email to the organization’s administrative contact or via a prominent notice within the Services. Continued use of the Services after the effective date of a new version constitutes acceptance of the updated DPA.
This DPA, together with the Agreement, constitutes the entire agreement between the parties with respect to the processing of Customer Personal Data and supersedes any prior agreements, representations, or understandings on that subject matter.
If any provision of this DPA is held to be invalid or unenforceable, the remainder of this DPA continues in full force and effect. The parties will negotiate in good faith to replace the invalid or unenforceable provision with a valid and enforceable provision that achieves, to the greatest extent possible, the economic, legal, and commercial objectives of the original provision.
Questions about this DPA: [email protected]
Name: The Customer that has accepted this DPA.
Address: As recorded in Customer’s upcoach account.
Contact person: The administrative contact on Customer’s upcoach account, or such other contact as Customer designates in writing.
Activities relevant to the data transferred: Use of the upcoach Services to process Personal Data relating to Customer’s users, coaches, coachees, and other Data Subjects in connection with Customer’s coaching activities.
Role: Controller.
Name: upcoach LLC
Address: 16192 Coastal Highway, Lewes, Delaware 19958, County of Sussex, United States
Contact person: [email protected]
Activities relevant to the data transferred: Provision of the upcoach Services, including hosting, storage, processing, messaging, support, analytics, and related functionality.
Role: Processor.
Personal Data transferred concerns the following categories of Data Subjects:
Personal Data transferred falls into the following categories:
Personal Data transferred may include special-category data (GDPR Article 9) where Customer chooses to process such data using the Services. Coaching content in particular may include data concerning health, mental health, religious or philosophical beliefs, or sexual orientation. Customer is responsible for ensuring a lawful basis under GDPR Article 9(2) exists before uploading such data, as set out in Section 2.3 of the DPA.
Continuous, for the duration of the Agreement.
Hosting, storing, transmitting, displaying, and otherwise processing Customer Personal Data as necessary to provide the Services, including automated processing incidental to platform operation (such as indexing, search, notifications, scheduled jobs, and diagnostic monitoring).
To provide the Services to Customer in accordance with the Agreement.
For the duration of the Agreement, plus the retention periods set out in Section 8 of the DPA.
See upcoach’s current sub-processor list at upcoach.com/sub-processors. Subject matter, nature, and duration of each sub-processor’s processing are described there.
The competent Supervisory Authority is determined by reference to Customer’s own location and Data Protection Law:
Where Customer has no establishment in the EU, UK, or Switzerland but processing of Protected Personal Data is carried out in connection with the Services, the Irish Data Protection Commission acts as competent authority for transfers governed by the SCCs, reflecting the default rule under SCC clause 13.
The following describes the technical and organizational measures implemented by upcoach to ensure the security of Customer Personal Data, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risks to Data Subjects.
In transit. All Personal Data transmitted between Customer’s end users and the Services is encrypted using TLS 1.2 or higher. All internal service-to-service communication within upcoach’s infrastructure uses encrypted channels.
At rest. Customer Personal Data stored in upcoach’s primary database (DigitalOcean Managed MySQL) is encrypted at rest by default. Session and cache data stored in DigitalOcean Managed Valkey/Redis is encrypted at rest by default. Customer uploads stored in Cloudflare R2 object storage (the current primary for new uploads) and in DigitalOcean Spaces (legacy uploads and backups) are encrypted at rest by default. Video content stored in Bunny Stream is encrypted at rest.
Principle of least privilege. Access to production systems and Customer Personal Data is granted only to personnel whose role requires it, and only to the extent required.
Authentication. Administrative access to upcoach’s infrastructure requires multi-factor authentication. Production system access is gated by authenticated, role-based controls.
Role-based access within the Services. The Services implement role-based access control so that Customer’s users see only the Customer Personal Data appropriate to their role and organization. Organizational isolation is enforced at the application and data-store layer.
Account lifecycle. Personnel access rights are reviewed on a recurring basis. Access is revoked promptly when personnel leave upcoach or change roles.
upcoach maintains logs of authentication events, security-relevant administrative actions, and application errors. Logs are retained for a period appropriate to operational and compliance needs. Anomalies are reviewed and investigated in line with upcoach’s internal operational practices.
Customer Personal Data is logically segregated from other customers’ data within shared systems by organization and tenant identifiers enforced at the application and data-store layer.
upcoach maintains regular encrypted backups of production data. Backups are retained for a rolling window appropriate to operational recovery needs, currently up to 7 days.
upcoach monitors third-party dependencies and platform components for security advisories and applies security patches in a timely manner appropriate to the severity of the vulnerability. Production errors and anomalies are captured through error-tracking infrastructure and triaged.
Confidentiality. All upcoach personnel with access to Customer Personal Data are bound by confidentiality obligations.
Training. upcoach provides data-protection awareness training to personnel with access to Customer Personal Data, covering at minimum the nature of Personal Data processed at upcoach, appropriate handling of production data, credential hygiene, and incident escalation.
upcoach selects sub-processors based on their ability to provide appropriate protection for Customer Personal Data and imposes on each sub-processor data-protection obligations no less protective than those upcoach owes to Customer under this DPA. See Section 4 of the DPA and the sub-processor list.
upcoach maintains an internal incident response process covering detection, triage, containment, notification, and post-incident review. The 48-hour notification commitment in Section 7 of the DPA is supported by this process.
upcoach does not operate physical premises containing Customer Personal Data. All Customer Personal Data is hosted with sub-processors that operate data centers meeting recognized physical-security standards.
upcoach processes Customer Personal Data only as necessary to provide the Services. Retention and purging of data are handled by automated routines where appropriate, subject to the retention terms set out in Section 8 of the DPA.
upcoach reviews these measures on a recurring basis and updates them as the state of the art evolves, the risk landscape changes, or upcoach’s processing operations change.
Customer authorizes upcoach to engage the sub-processors listed at upcoach.com/sub-processors. That page is incorporated into this DPA by reference and governs the authorized sub-processor list for purposes of SCC Module Two, Clause 9.