Data Processing Agreement (DPA)
Bundle 2026.2 · Last updated: April 9, 2026
DATA PROCESSING AGREEMENT (Annex — Article 28 GDPR)
Upswitch BV — 2026.2 / DPA 1.0 — April 9, 2026
PARTIES
1. The Client ("Controller") — the legal entity using the Platform (subscription customer).
2. Upswitch BV ("Processor")
Ghent, Belgium — Company number: BE 1033.441.760 — Email: hello@upswitch.app
The Controller enters into this Annex together with the Upswitch Terms of Service (version 1.6 or later). Where the Controller processes personal data via the Platform on documented instructions (e.g. data about the Controller's clients, contacts, or staff), Upswitch processes such data as Processor on behalf of the Controller.
1. SUBJECT MATTER AND DURATION
1.1 Subject matter: processing of personal data necessary to provide the SaaS (valuations, reporting, integrations, account management, support) as described in the Privacy Policy and this Annex.
1.2 Duration: for the term of the subscription agreement and until deletion/return in accordance with section 10.
2. NATURE AND PURPOSE OF PROCESSING
2.1 Processing includes hosting, storage, display, calculation, logging, backup, support-related access strictly as needed, and technical delivery of integrations (API/OAuth/import) initiated by the Controller.
2.2 Upswitch does not use Controller data to train public AI models or for unrelated profiling.
3. TYPE OF PERSONAL DATA AND CATEGORIES OF DATA SUBJECTS
3.1 As further described in Annex A (Privacy Policy): business and financial data that may identify natural persons; account and contact details; technical and integration metadata where it relates to identifiable persons.
3.2 The Controller warrants it has a valid legal basis to provide the data to Upswitch.
4. CONTROLLER INSTRUCTIONS
4.1 Upswitch processes personal data only on the Controller's instructions via use of the Platform (including configuration and imports), unless EU/Member State law requires otherwise (in which case Upswitch informs the Controller unless prohibited).
4.2 The Controller is responsible for accuracy, lawfulness, and minimisation of data entered or connected.
5. CONFIDENTIALITY AND ACCESS
5.1 Upswitch ensures that persons authorised to process personal data are bound by confidentiality or statutory duties of confidentiality.
5.2 Routine access to specific valuation or client workspace content by Upswitch staff is limited to what is strictly necessary for security, compliance, or support at the Controller's request. Support access follows least-privilege policies.
6. SECURITY OF PROCESSING
6.1 Upswitch implements appropriate technical and organisational measures (Article 32 GDPR), including encryption in transit, access controls, monitoring of infrastructure and application security, incident processes, and vendor due diligence.
6.2 Further detail is described in the Security page and Privacy Policy; measures may evolve provided the level of protection remains appropriate.
7. SUB-PROCESSORS
7.1 The Controller authorises the engagement of sub-processors listed in the Privacy Policy (sub-processors page). Upswitch remains fully liable for sub-processor performance.
7.2 Upswitch will give at least 30 days' notice of a new sub-processor via email to account holders; the Controller may object on reasonable data-protection grounds within 14 days.
8. DATA SUBJECT RIGHTS AND ASSISTANCE
8.1 Upswitch assists the Controller, by appropriate technical and organisational measures, in fulfilling requests to exercise GDPR rights, taking into account the nature of processing.
8.2 Where a data subject contacts Upswitch directly, Upswitch will redirect the request to the Controller unless Upswitch is required to respond as controller for its own account/billing data.
9. PERSONAL DATA BREACH
9.1 Upswitch notifies the Controller without undue delay after becoming aware of a personal data breach affecting the Controller's data, with information available per Article 33(3) GDPR where feasible.
10. DELETION AND RETURN
10.1 After the end of the subscription, the Controller may request an export for 90 days. Upswitch then deletes or anonymises personal data in line with the Privacy Policy retention rules and the Controller's account settings (default up to 24 months after last activity), unless law requires storage.
11. AUDIT AND INFORMATION
11.1 Upswitch makes available information necessary to demonstrate compliance with Article 28 GDPR and allows audits mandated by the Controller, subject to reasonable notice, confidentiality, and security rules (including allowing an independent auditor or inspection summaries where raw production access is disproportionate).
12. INTERNATIONAL TRANSFERS
12.1 Data is primarily processed in the EEA. Where processing involves transfers outside the EEA, Upswitch ensures appropriate safeguards (e.g. SCCs, adequacy decisions, or DPF where applicable) as described in the Privacy Policy.
13. ENTERPRISE
13.1 Enterprise customers requiring a separately countersigned DPA may contact hello@upswitch.app.
ANNEX A — Processing details (summary)
See Privacy Policy sections on categories of data, purposes, retention, and sub-processors.
---
Digital acceptance: By subscribing to a paid plan via the Platform checkout, the Controller accepts this Annex as incorporated in the Terms of Service.
For questions: hello@upswitch.app