Data Processing Addendum
Optional Non-PHI Personal Data Addendum for Enterprise Customers
This Data Processing Addendum ("DPA") is entered into as of May 6, 2026 by and between UPStandards LLC ("UPStandards") and the customer identified in the applicable Order Form ("Customer"). This DPA supplements the Master Subscription Agreement or other services agreement between the Parties (the "Agreement").
This DPA is a framework for enterprise customers or future expansion. UPStandards is U.S.-only at launch and does not currently target EU or UK customers. This DPA applies only when an Order Form, written agreement, or applicable law makes it applicable. This DPA does not replace the HIPAA BAA for PHI. Where data is PHI processed by UPStandards as business associate, the BAA controls.
1. Purpose and Scope
This DPA governs processing of Personal Data by UPStandards on behalf of Customer in connection with the Services, other than PHI governed by the BAA. It is intended to support requests from enterprise customers, state privacy law service-provider terms, and future GDPR/UK GDPR expansion if activated by the Parties.
2. Definitions
"Personal Data" means information relating to an identified or identifiable individual that is processed by UPStandards on behalf of Customer and subject to applicable privacy law. "Process" and "Processing" mean any operation performed on Personal Data. "Controller," "Processor," "Business," "Service Provider," "Contractor," "Consumer," "Subprocessor," and similar terms have the meanings under applicable Data Protection Laws. "Data Protection Laws" means privacy, data protection, and data security laws applicable to the processing at issue, which may include U.S. state privacy laws, the CCPA/CPRA, GDPR, UK GDPR, or other laws identified in an Order Form.
3. Roles of the Parties
Customer is the controller, business, or similar decision-making party for Personal Data processed through the Services. UPStandards is a processor, service provider, contractor, or similar restricted processing party with respect to Personal Data it processes on behalf of Customer. For PHI, UPStandards acts as business associate under the BAA rather than as a consumer privacy service provider except to the extent state law requires additional terms.
4. Customer Instructions
UPStandards will process Personal Data only to provide, secure, support, maintain, and improve the Services; comply with the Agreement, Order Forms, Documentation, and Customer configuration; comply with law; and as otherwise instructed by Customer in writing. Customer instructions include the Agreement, Order Forms, this DPA, the BAA where applicable, Documentation, platform configuration, support requests, and written instructions accepted by UPStandards.
5. Compliance Responsibilities
Customer is responsible for determining the lawful basis or legal authority for processing, providing required notices, obtaining consents where required, responding to individual rights requests, maintaining records of processing where required, and ensuring its instructions are lawful. UPStandards is responsible for processing Personal Data according to Customer's lawful instructions and this DPA.
6. CCPA/CPRA Service Provider and Contractor Terms
To the extent UPStandards processes Personal Information for Customer under the California Consumer Privacy Act, as amended by the California Privacy Rights Act, UPStandards shall act as a service provider and/or contractor. UPStandards shall not sell or share Personal Information; retain, use, or disclose Personal Information outside the direct business relationship except as permitted by law; retain, use, or disclose Personal Information for a commercial purpose other than the business purposes specified in the Agreement; or combine Personal Information with personal information received from other sources except as permitted by CCPA regulations. UPStandards certifies that it understands and will comply with these restrictions.
7. Business Purposes
The business purposes for processing include providing SaaS access, account administration, authentication, storage, database operations, compliance workflow features, reporting, support, security, incident response, billing administration, communications, analytics, product improvement, legal compliance, and de-identified or aggregated data creation where permitted.
8. Confidentiality
UPStandards shall ensure that personnel authorized to process Personal Data are subject to appropriate confidentiality obligations and process Personal Data only as necessary to provide the Services or comply with this DPA.
9. Security Measures
UPStandards shall maintain appropriate technical and organizational measures designed to protect Personal Data against unauthorized or unlawful processing and accidental loss, destruction, damage, alteration, or disclosure. Measures may include access controls, authentication, role-based permissions, encryption in transit, encryption at rest where supported, logging, backup, vendor review, vulnerability management, incident response, workforce confidentiality, and least-privilege access.
10. Security Incidents
UPStandards shall notify Customer without undue delay after becoming aware of a confirmed security breach affecting Personal Data processed under this DPA. The notice will include information reasonably available to UPStandards, including the nature of the incident, affected data categories, likely consequences, measures taken or proposed, and a contact point. Notification is not an admission of fault or liability.
11. Subprocessors
Customer authorizes UPStandards to engage subprocessors to provide the Services. UPStandards shall impose written obligations on subprocessors that are at least as protective as those required by this DPA for the services they perform. UPStandards remains responsible for subprocessors' performance of their data-protection obligations to the extent required by applicable law. Current expected vendors are listed in Schedule 3.
12. Individual Rights Assistance
Taking into account the nature of the processing and information available to UPStandards, UPStandards will reasonably assist Customer in responding to requests from individuals to exercise access, deletion, correction, portability, opt-out, restriction, objection, or similar rights. If UPStandards receives a request directly, it may direct the requester to Customer unless legally required to respond.
13. Assessments and Audits
UPStandards will make available information reasonably necessary to demonstrate compliance with this DPA, subject to confidentiality, security, and operational limits. Audits must be reasonable, non-disruptive, limited to systems relevant to Customer Personal Data, and may be satisfied by security summaries, questionnaires, third-party reports, certifications, or other documentation where appropriate. On-site audits require prior written agreement and may be subject to fees and security restrictions.
14. Return and Deletion
Upon termination or expiration of the Services, UPStandards will return, export, delete, or de-identify Personal Data according to the Agreement, Documentation, and applicable law. Backup copies may persist for a limited period according to backup cycles, provided they remain protected and are not used for other purposes.
15. De-Identified and Aggregated Data
UPStandards may create and use de-identified or aggregated information where permitted by applicable law and the Agreement. UPStandards will not attempt to re-identify de-identified data except to test whether de-identification is effective or as permitted by law.
16. International Transfers
UPStandards does not target EU or UK customers at launch. If GDPR, UK GDPR, Swiss law, or other international transfer rules apply, the Parties must complete Schedule 4 or another transfer module before that processing begins. Customer shall not submit EU/UK personal data unless the applicable transfer terms and subprocessors have been reviewed and activated.
17. Sensitive Data
Customer shall not submit sensitive Personal Data unless supported by the Services, authorized by the Agreement, and lawful. PHI is governed by the BAA. Part 2 Records are governed by the BAA and Part 2 Addendum. Customer remains responsible for determining whether data is sensitive under applicable law and for implementing appropriate user-level restrictions.
18. Conflict
If this DPA conflicts with the BAA regarding PHI, the BAA controls. If this DPA conflicts with the Agreement regarding non-PHI Personal Data subject to this DPA, this DPA controls for that subject matter. Order Forms may include additional customer-specific data-protection terms if expressly stated.
19. Term
This DPA remains in effect for as long as UPStandards processes Personal Data on behalf of Customer under the Agreement. Obligations that by their nature survive termination will survive for as long as UPStandards retains Personal Data.
20. Execution
20.1 Authority. Each person accepting or signing this DPA represents that the person has authority to bind the party on whose behalf the person acts.
20.2 Counterparts and electronic acceptance. This DPA may be accepted by written signature, electronic signature, click acceptance, incorporation into an Order Form, or other legally valid method of assent. Counterparts and electronic records are treated as originals.
20.3 Incorporation. If this DPA is incorporated into an Order Form, MSA, or other customer agreement, the parties may rely on the execution of that agreement rather than signing this DPA separately.
20.4 No expansion of services. Signing or incorporating this DPA does not require UPStandards to process data categories, jurisdictions, integrations, or international transfers not supported by the applicable Order Form, BAA, Documentation, or written implementation plan.
| UPSTANDARDS LLC | CUSTOMER |
|---|---|
| By: ______________________________ | By: ______________________________ |
| Name: ____________________________ | Name: ____________________________ |
| Title: _____________________________ | Title: _____________________________ |
| Date: _____________________________ | Date: _____________________________ |
Schedule 1 - Details of Processing
| Item | Description |
|---|---|
| Subject matter | Provision of the UPStandards accreditation, safety-observation, facility-rounds, chart-audit, policy-management, and compliance workflow SaaS platform. |
| Duration | Subscription Term plus applicable export, backup, deletion, and legal-retention periods under the Agreement, BAA, and DPA. |
| Nature and purpose | Hosting, storing, securing, displaying, processing, reporting, analyzing, and supporting Customer Data for accreditation readiness, compliance administration, audit workflows, facility rounds, Q15 observation workflows, restraint/seclusion documentation workflows, policy library management, risk scoring, and customer support. |
| Categories of individuals | Customer workforce users; treating clinicians and staff identified in workflows; patients/clients whose identifiers or limited information are included in supported compliance workflows; customer business contacts; and other individuals reflected in Customer Data. |
| Categories of Personal Data | Business contact details, account credentials, role/permission data, usage/security logs, subscription metadata, customer configuration data, policy content, audit/compliance workflow data, named-patient identifiers where required for specific workflows, Q15 logs, restraint/seclusion workflow fields, chart-audit fields, dates, reviewer notes, and related reporting outputs. |
| Sensitive data | PHI where governed by the BAA; potential Part 2 Records where customer is a Part 2 program and the Part 2 schedule applies; California medical information where CMIA applies; other sensitive data only if supported by the Services and customer instructions. |
| Customer instructions | Provide, secure, support, maintain, troubleshoot, and improve the Services; process Customer Data according to the Agreement, Order Form, BAA, DPA, Documentation, customer configuration, and written instructions accepted by UPStandards. |
| Transfers | U.S.-based launch posture. EU/UK or other international transfer module inactive unless separately activated. |
| Retention / return / deletion | Standard 30-day post-termination export window for self-serve accounts; enterprise Order Forms may specify 60-90 days; backup retention according to standard backup cycles; deletion, de-identification, or retention as required by law and agreements. |
Schedule 2 - Technical and Organizational Measures
Access controls and role-based permissions for Authorized Users.
Authentication controls and account administration workflows.
Encryption in transit for supported communications.
Encryption at rest where supported by infrastructure providers.
Logging and monitoring of relevant account, security, and system activity.
Backup and recovery processes appropriate for SaaS operations.
Vendor/subprocessor review and appropriate contractual obligations.
Workforce confidentiality obligations and least-privilege principles.
Incident response, containment, investigation, and customer notification procedures.
Data minimization through product design and customer-facing instructions limiting unnecessary PHI entry.
Schedule 3 - Subprocessors
| Subprocessor | Service | Location / Notes |
|---|---|---|
| Supabase | Managed Postgres database, authentication, storage, and backend infrastructure | HIPAA-tier infrastructure; BAA required/in progress before production PHI use; expected to host the platform PHI database and related access/authentication components. |
| Postmark | Transactional email delivery only | No PHI in email content. No BAA expected or relied on under Path A architecture. Product and operational controls should prevent patient identifiers, chart/audit details, Part 2 information, or other PHI from being placed in transactional emails. |
| Stripe | Payments, invoices, and subscription billing | No PHI in payment flow. Should receive billing/account metadata only, not patient, clinical, audit, or accreditation-record details. |
| Netlify | Frontend hosting/CDN for static HTML/JS assets | No PHI stored on frontend servers. Avoid embedding PHI in URLs, query strings, static files, logs, or client-side telemetry. |
| Anthropic | AI-assisted policy drafting and report refinement | Aggregate/de-identified inputs only. No PHI, patient identifiers, Part 2 Records, named-patient logs, or identifiable audit findings should be transmitted. |
Schedule 4 - Optional GDPR / UK GDPR Module
This Schedule 4 is inactive unless expressly incorporated in an Order Form or signed addendum. Before activation, the Parties should confirm EU/UK customer targeting, data categories, lawful basis, representative obligations if any, transfer mechanism, subprocessors, hosting locations, data subject rights workflow, and security documentation.
Roles: Customer as controller and UPStandards as processor, unless otherwise stated.
Processor obligations: process only on documented instructions; confidentiality; security; subprocessors; assistance with rights requests; breach assistance; deletion or return; audit support.
International transfers: incorporate Standard Contractual Clauses or other valid transfer mechanism if personal data is transferred outside the EEA, UK, or Switzerland in a manner requiring such mechanism.
Special category data: no processing unless lawful basis, Article 9 condition, and customer instructions are documented.
No patient-facing launch into EU/UK markets until the privacy notice, cookie controls, DPA, transfer impact assessment, subprocessors, and support processes are updated.