uxply.app

Data Processing Agreement

Last updated: March 5, 2026

This Data Processing Agreement ("DPA") applies to business customers ("Controller") who use uxply.app ("Processor") to process personal data of their end users or employees. This DPA is incorporated into and forms part of the Terms of Service. By using the Service in a business context, you agree to this DPA. This DPA is aligned with GDPR Article 28 requirements.

1. Definitions

  • "Controller" means the business customer who determines the purposes and means of processing personal data.
  • "Processor" means uxply.app, which processes personal data on behalf of the Controller.
  • "Personal Data" has the meaning given in GDPR Art. 4(1) and equivalent applicable data protection laws.
  • "Processing" has the meaning given in GDPR Art. 4(2).
  • "Sub-processor" means any third party engaged by the Processor to process Personal Data.
  • "Data Subject" means the identified or identifiable natural person whose Personal Data is being processed.

2. Scope and nature of processing

2.1 Subject matter

The Processor will process Personal Data solely to provide the UX analysis service as described in the Terms of Service, and as further instructed by the Controller.

2.2 Duration

Processing will continue for the duration of the Terms of Service, unless terminated earlier. Upon termination, the Processor will delete or return Personal Data as specified in section 8.

2.3 Categories of data

Category | Examples | Retention
Interface screenshots | UI images uploaded for analysis (may incidentally contain personal data visible in the interface) | Deleted immediately after analysis
Analysis context | Text descriptions of screen goals, user audience, metrics | Retained in reports until account deletion
Account data | Email addresses of the Controller's authorized users | Until account deletion + 30 days

2.4 Data subjects

The categories of data subjects whose Personal Data may be processed include: the Controller's employees, contractors, and authorized users of the Service.

3. Controller's obligations

The Controller represents and warrants that:

  • it has a valid legal basis under applicable law for providing Personal Data to the Processor;
  • it has provided all required notices and obtained all necessary consents from Data Subjects;
  • the instructions it provides to the Processor comply with applicable data protection laws;
  • it will not instruct the Processor to process Personal Data in a manner that would violate applicable law.

4. Processor's obligations

The Processor will:

  • process Personal Data only on documented instructions from the Controller, unless required to do so by applicable law (in which case the Processor will notify the Controller before processing, if permitted by law);
  • ensure that persons authorized to process Personal Data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality;
  • implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk (see section 6);
  • not engage sub-processors without prior written authorization from the Controller, or as set out in section 5;
  • assist the Controller, taking into account the nature of processing, in fulfilling its obligations to respond to Data Subject requests;
  • assist the Controller in ensuring compliance with GDPR Articles 32–36 (security, breach notification, DPIA, prior consultation);
  • at the choice of the Controller, delete or return all Personal Data upon termination of the DPA, and delete existing copies unless EU law requires otherwise;
  • make available to the Controller all information necessary to demonstrate compliance with GDPR Article 28, and allow for and contribute to audits.

5. Sub-processors

The Controller grants the Processor general written authorization to engage the following categories of sub-processors:

Category | Purpose | Location
Cloud infrastructure providers | Hosting, storage, compute | EU/EEA or countries with adequacy decision
AI analysis service providers | Automated UX analysis processing | Bound by SCCs or equivalent safeguards
Email delivery providers | Transactional notifications | Bound by SCCs or equivalent safeguards

The Processor will notify the Controller of any intended changes to sub-processors at least 30 days in advance. The Controller may object to changes on reasonable grounds related to data protection. All sub-processors are bound by data processing agreements that impose the same data protection obligations as this DPA.

6. Security

The Processor implements appropriate technical and organizational measures, including:

  • encryption of Personal Data in transit (TLS 1.2+) and at rest (AES-256);
  • pseudonymization where applicable;
  • access controls on a least-privilege basis;
  • regular security testing and assessment;
  • procedures for regularly testing, assessing, and evaluating the effectiveness of security measures.

7. Personal data breaches

The Processor will notify the Controller without undue delay, and no later than 72 hours, after becoming aware of a Personal Data breach affecting the Controller's data. The notification will include:

  • a description of the nature of the breach;
  • categories and approximate number of Data Subjects and records affected;
  • likely consequences of the breach;
  • measures taken or proposed to address the breach.

Breach notifications should be reported to: security@uxply.app

8. Data return and deletion

Upon expiry or termination of the Terms of Service, the Processor will, at the Controller's election:

  • delete all Personal Data and certify such deletion in writing; or
  • return all Personal Data to the Controller in a commonly used machine-readable format.

Notwithstanding the above, the Processor may retain Personal Data to the extent required by applicable law, for the minimum period required and subject to appropriate confidentiality safeguards.

9. International transfers

Where Personal Data is transferred outside the EEA or UK, the Processor will ensure that appropriate safeguards are in place, such as:

  • Standard Contractual Clauses (SCCs) adopted by the European Commission;
  • UK International Data Transfer Agreements (IDTAs);
  • Adequacy decisions where applicable.

10. Audits

The Controller may, at reasonable intervals and upon reasonable notice, request an audit of the Processor's data processing activities. The Processor will cooperate with such audits and provide all necessary information. Audit costs are borne by the Controller unless the audit reveals a material breach of this DPA.

11. Liability

Each party's liability under this DPA is subject to the limitations and exclusions set out in the Terms of Service, to the extent permitted by applicable law. Nothing in this DPA limits liability for GDPR fines attributable to the breaching party.

12. Contact and requests

To exercise rights under this DPA or to submit data subject access requests on behalf of your users, contact:
Email: privacy@uxply.app
Security incidents: security@uxply.app

This document is for informational purposes only and does not constitute legal advice. For specific jurisdictions or enterprise agreements, consultation with a qualified attorney is recommended.
