Upcroft hello@upcroft.ai

Data Processing Agreement

This Data Processing Agreement (“DPA”) forms part of the agreement between Upcroft Works Pty Ltd (ACN 696 443 133) (“Upcroft”, “Processor”) and the entity agreeing to these terms (“Client”, “Controller”) for the provision of Upcroft’s platform services (the “Agreement”).

This DPA applies to the extent that Upcroft processes Personal Data on behalf of the Client in the course of providing the services.

1. Definitions

  • “Applicable Data Protection Law” means all laws and regulations relating to the processing of Personal Data that apply to the processing under this DPA, including the GDPR, UK GDPR, Australian Privacy Act 1988, and the CCPA, as applicable.
  • “Controller” means the entity that determines the purposes and means of processing Personal Data — the Client.
  • “Data Subject” means the identified or identifiable individual to whom Personal Data relates.
  • “GDPR” means Regulation (EU) 2016/679.
  • “Personal Data” means any information relating to a Data Subject that is processed by Upcroft on behalf of the Client under this DPA.
  • “Processor” means the entity that processes Personal Data on behalf of the Controller — Upcroft.
  • “Sub-processor” means a third party engaged by Upcroft to process Personal Data on behalf of the Client.
  • “CCPA” means the California Consumer Privacy Act, as amended by the California Privacy Rights Act.
  • “SCCs” means the Standard Contractual Clauses approved by the European Commission for the transfer of Personal Data to third countries.

2. Scope and roles

The Client is the Controller. Upcroft is the Processor. Upcroft processes Personal Data solely on behalf of and in accordance with the Client’s documented instructions as described in this DPA and the Agreement.

3. Processing details

3.1 Categories of Data Subjects

  • Customers of the Client
  • End users who interact with the Client’s support channels

3.2 Categories of Personal Data

  • Customer names and email addresses
  • Phone numbers
  • Order details and transaction metadata
  • Support conversation history and ticket content
  • Pseudonymised identifiers (e.g. hashed email addresses for cross-referencing)

Upcroft does not process payment card numbers (platform APIs return masked data only), health information, or other special categories of Personal Data.

3.3 Purpose of processing

Upcroft processes Personal Data to provide its platform services to the Client, including:

  • Ingesting data from the Client’s business platforms via API
  • Transforming, structuring, and cross-referencing data for support workflows
  • Making customer information available to AI agents and human operators handling support enquiries
  • Generating reports and analytics for the Client

3.4 Duration of processing

Upcroft processes Personal Data for the duration of the Agreement. On termination, Upcroft will delete Personal Data in accordance with Section 8.

3.5 Data Minimisation

The Client shall ensure that Personal Data provided to Upcroft is limited to what is necessary for the purposes of the Services and complies with Applicable Data Protection Law. The Client remains responsible for the accuracy, quality, and lawfulness of the Personal Data it provides.

4. Upcroft’s obligations

4.1 Instructions

Upcroft will process Personal Data only on the Client’s documented instructions, unless required to do so by applicable law. Documented instructions include: (a) the terms of this DPA and the Agreement; (b) configuration and settings within the Upcroft platform; and (c) any written instructions provided by the Client (including by email). If Upcroft becomes aware that an instruction infringes Applicable Data Protection Law, it will promptly notify the Client. In the event of any conflict, this DPA and the Agreement prevail over any other form of instruction, including email or platform configuration.

4.2 Confidentiality

Upcroft ensures that personnel authorised to process Personal Data are subject to appropriate obligations of confidentiality.

4.3 Security

Upcroft implements appropriate technical and organisational measures to protect Personal Data, including:

  • Encryption at rest (AES-256) and in transit (TLS 1.2+)
  • Platform credentials encrypted and isolated — never exposed to human operators
  • Role-based access controls with least-privilege principles
  • Regular review of access permissions
  • Encrypted database backups

4.4 Data Subject requests

Upcroft will promptly notify the Client if it receives a request from a Data Subject to exercise their rights under Applicable Data Protection Law. Upcroft will assist the Client in responding to such requests, taking into account the nature of the processing.

4.5 Data breach notification

Upcroft will notify the Client without undue delay (and in any event within 72 hours) after becoming aware of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data processed under this DPA.

The notification will include:

  • A description of the nature of the breach
  • The categories and approximate number of Data Subjects affected
  • The likely consequences of the breach
  • The measures taken or proposed to address the breach

4.6 Assistance

Upcroft will assist the Client in ensuring compliance with its obligations under Applicable Data Protection Law, including:

  • Data protection impact assessments
  • Consultation with supervisory authorities
  • Responding to Data Subject requests

4.7 Aggregated statistics

Upcroft may aggregate and de-identify Personal Data using reasonable technical measures, such that the resulting data is not reasonably likely to identify the Client or any individual. Upcroft may use such data to improve and enhance its services, develop new features and functionality, and for internal analytics and benchmarking. This right survives termination of this DPA.

4.8 Use of Personal Data for Model Training

Upcroft does not use Personal Data processed under this DPA to train models for use across multiple clients.

5. Sub-processors

5.1 Authorised Sub-processors

The Client provides general authorisation for Upcroft to engage Sub-processors. A current list of Sub-processors is available at upcroft.ai/legal/sub-processors.

5.2 Notification of changes

Upcroft will notify the Client at least 30 days before adding or replacing a Sub-processor. The Client may raise reasonable objections on data protection grounds within that period. The parties will work in good faith to resolve such concerns. If the parties are unable to resolve the objection, the Client may terminate the affected Services in accordance with the Agreement.

5.3 Sub-processor obligations

Upcroft ensures that each Sub-processor is bound by data protection obligations no less protective than those in this DPA.

6. International data transfers

Personal Data processed by Upcroft is stored in the United States.

Where Personal Data is transferred from the EEA, UK, or Switzerland to the United States, Upcroft relies on the Standard Contractual Clauses (SCCs) as the legal mechanism for the transfer. Specifically, the SCCs approved by European Commission Implementing Decision (EU) 2021/914, Module Two (controller to processor), are incorporated into this DPA by reference and are deemed executed between the Client (as data exporter) and Upcroft (as data importer). The Annexes to the SCCs are populated by the processing details in Section 3 and the security measures in Section 4.3 of this DPA.

For transfers subject to the UK GDPR, the UK International Data Transfer Addendum applies. For transfers subject to Swiss data protection law, the SCCs apply with the modifications required by Swiss law.

Upcroft may also rely on any other lawful transfer mechanism recognised under Applicable Data Protection Law where appropriate.

7. Authorised service providers

Authorised personnel from the Client and the Client’s service providers (such as support operations partners) may access Personal Data through Upcroft’s platform in the course of delivering support services. The Client is responsible for ensuring that such access is lawful and that its service providers are bound by appropriate data protection obligations.

8. Data retention, return, and deletion

Upcroft retains Personal Data for the duration of the Agreement. On termination of the Agreement:

  • On written request, Upcroft will provide the Client with a copy of all Personal Data in a commonly used, machine-readable format.
  • Upcroft will delete all Personal Data within 90 days of termination, unless required by law to retain it.
  • On request, Upcroft will provide written confirmation that Personal Data has been deleted.

9. Audit

On reasonable notice and no more than once per year, the Client may request that Upcroft provide information necessary to demonstrate compliance with this DPA. Upcroft will respond by completing a written security questionnaire of reasonable scope or by providing relevant compliance documentation, certifications, or audit summaries where available. All such information is Upcroft’s Confidential Information. The Client shall not have a right to conduct on-site audits of Upcroft’s systems unless required by Applicable Data Protection Law.

10. CCPA provisions

To the extent the CCPA applies to the processing of Personal Data under this DPA:

  • Upcroft is a “service provider” as defined by the CCPA.
  • Upcroft will not sell or share Personal Data.
  • Upcroft will not retain, use, or disclose Personal Data for any purpose other than providing the services specified in the Agreement, or as otherwise permitted by the CCPA.
  • Upcroft will not combine Personal Data received from the Client with Personal Data received from other sources, except as permitted by the CCPA.

11. Term and termination

This DPA takes effect when the Client enters into the Agreement and remains in effect for as long as Upcroft processes Personal Data on behalf of the Client. The obligations in Sections 4.5, 8, and 9 survive termination.

12. Liability

Each Party’s liability arising out of or related to this DPA is subject to the limitations and exclusions of liability set out in the Agreement.

Nothing in this DPA expands or increases a Party’s liability beyond what is set out in the Agreement.

13. Contact

For questions about this DPA:

Email: privacy@upcroft.ai

Upcroft Works Pty Ltd
ACN 696 443 133
Level 2, 65 Dover Street
Cremorne VIC 3121
Australia


Effective date: 2026-04-09
Version: UP-AU-DPA-v1

© 2026 Upcroft Works Pty Ltd