Last updated: March 23, 2026
This Data Processing Agreement (“DPA”) forms part of the Terms of Service between you and UCP Guard. It governs the processing of personal data by UCP Guard on your behalf in accordance with GDPR Article 28.
In this Data Processing Agreement ("DPA"):
• "Controller" means you, the customer who determines the purposes and means of processing personal data.
• "Processor" means UCP Guard, which processes personal data on behalf of the Controller.
• "Personal Data" means any information relating to an identified or identifiable natural person.
• "Processing" means any operation performed on personal data, including collection, storage, and deletion.
• "Sub-processor" means any third party engaged by the Processor to process personal data.
• "Data Subject" means the individual to whom personal data relates.
• "GDPR" means the General Data Protection Regulation (EU) 2016/679.
This DPA applies when UCP Guard processes personal data on your behalf in connection with the UCP Guard monitoring service. The purpose of processing is to provide uptime monitoring and compliance checking for Universal Commerce Protocol endpoints. Categories of data processed include: store URLs, UCP endpoint configurations, monitoring results, alert delivery records, and user account information necessary for service operation.
UCP Guard, as the Processor, agrees to:
• Process personal data only on documented instructions from the Controller, unless required by law.
• Ensure that persons authorized to process personal data are bound by confidentiality obligations.
• Implement appropriate technical and organizational security measures (see Section 6).
• Not engage another processor without prior written authorization from the Controller.
• Assist the Controller in responding to data subject requests (access, rectification, erasure, portability).
• Assist the Controller with data protection impact assessments where required.
• Delete or return all personal data upon termination of services, unless retention is required by law.
• Make available all information necessary to demonstrate compliance with these obligations.
• Allow for and contribute to audits conducted by the Controller or an authorized auditor.
The Controller agrees to:
• Ensure that processing instructions comply with applicable data protection laws.
• Have a lawful basis for processing personal data shared with the Processor.
• Inform the Processor of any data protection requirements that may affect processing.
• Respond to data subject requests within the timeframes required by law.
• Notify the Processor of any changes to processing instructions.
UCP Guard uses the following sub-processors to deliver the service:
• Supabase Inc. (USA) - Database hosting and authentication
• Stripe Inc. (USA) - Payment processing
• Resend Inc. (USA) - Email delivery for alerts and notifications
• Vercel Inc. (USA) - Application hosting and edge delivery
• PostHog Inc. (USA) - Product analytics (with user consent only)
• Sentry Inc. (USA) - Error tracking and monitoring (with user consent only)
All sub-processors are bound by data processing agreements that impose equivalent data protection obligations. The Controller authorizes the use of these sub-processors. UCP Guard will notify the Controller of any intended changes to sub-processors, providing an opportunity to object.
UCP Guard implements the following technical and organizational measures:
• Encryption: AES-256 encryption at rest, TLS 1.3 for data in transit.
• Access Control: Role-based access control, row-level security in the database.
• Authentication: Secure password hashing, session management with secure cookies.
• Infrastructure: Hosted on Vercel and Supabase with SOC 2 Type II certified infrastructure.
• Monitoring: Continuous security monitoring and logging.
• Backups: Daily automated backups with 30-day retention, encrypted at rest.
• Personnel: Staff with access to personal data are bound by confidentiality agreements.
• Incident Response: Documented incident response procedures (see Section 7).
In the event of a personal data breach, UCP Guard will:
• Notify the Controller without undue delay, and within 72 hours of becoming aware of the breach.
• Provide all available information about the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken to address the breach.
• Cooperate with the Controller in investigating and mitigating the breach.
• Document all breaches, including facts, effects, and remedial actions taken.
Personal data may be transferred to and processed in the United States by UCP Guard and its sub-processors. These transfers are protected by:
• Standard Contractual Clauses (SCCs) approved by the European Commission.
• Sub-processor agreements that include equivalent data protection commitments.
• Technical measures including encryption in transit and at rest.
The Controller authorizes these transfers as necessary for service provision.
UCP Guard will assist the Controller in responding to requests from data subjects to exercise their rights under GDPR:
• Right of access (Article 15)
• Right to rectification (Article 16)
• Right to erasure (Article 17)
• Right to restriction of processing (Article 18)
• Right to data portability (Article 20)
• Right to object (Article 21)
The Controller can use the account settings to delete data, export data, and manage processing preferences. For requests that cannot be handled through self-service, contact privacy@ucpguard.com.
This DPA remains in effect for the duration of the service agreement. Upon termination:
• UCP Guard will delete all personal data within 30 days, unless retention is required by law.
• The Controller may request a copy of their data before deletion using the export feature.
• Backup data will be deleted according to the standard backup retention schedule (30 days).
• UCP Guard will provide confirmation of deletion upon request.
Each party's liability under this DPA is subject to the limitations set forth in the Terms of Service. UCP Guard is liable for damages caused by processing that violates this DPA or GDPR. The Processor is not liable for damages caused by processing in compliance with the Controller's instructions.
This DPA is governed by the laws of the State of Delaware, USA, without regard to conflict of law principles. For data subjects in the European Economic Area, this does not affect any mandatory consumer protection rights under local law.
For questions about this DPA or to exercise your rights, contact:
UCP Guard Privacy Team
Email: privacy@ucpguard.com
For enterprise customers requiring a signed DPA, please contact sales@ucpguard.com.