
Data Processing Addendum

Effective Date: April 1, 2026
Last Updated: April 1, 2026

This Data Processing Addendum (“DPA”) forms part of the Terms of Service (“Agreement”) between [NOME_FANTASIA] (“Upmetr”, “Processor”) and the entity agreeing to the Terms of Service (“Customer”, “Controller”). This DPA applies to the extent that Upmetr processes Personal Data on behalf of the Customer in the course of providing the Service.

1. Definitions

  • “Personal Data” means any information relating to an identified or identifiable natural person, as defined by applicable data protection laws (LGPD, GDPR)
  • “Controller” means the Customer, who determines the purposes and means of processing Personal Data
  • “Processor” means Upmetr, who processes Personal Data on behalf of the Controller
  • “Sub-processor” means a third party engaged by Upmetr to process Personal Data
  • “Data Subject” means the individual to whom Personal Data relates
  • “Applicable Data Protection Laws” means LGPD (Brazil), GDPR (EU/EEA), CCPA (California), and any other applicable privacy legislation

2. Scope and Roles

Role | Party | Description
Controller | Customer | Determines what data is uploaded to Upmetr and for what purpose
Processor | Upmetr | Processes data solely to provide the monitoring Service

The Customer is responsible for ensuring that:
  • They have a lawful basis for processing the Personal Data
  • Data subjects have been informed about the processing
  • Any data uploaded to Upmetr is done in compliance with applicable laws
  • They have authority to share the data with Upmetr for processing

3. Processing Instructions

Upmetr will process Personal Data only:
  • As necessary to provide the Service as described in the Agreement
  • In accordance with the Customer’s documented instructions
  • In compliance with applicable data protection laws
Upmetr will not process Personal Data for any other purpose, including marketing, profiling, or sale to third parties.

Categories of Data Processed

Category | Examples
Account data | Name, email, organization name
Authentication data | Password hashes, MFA secrets (encrypted), session tokens
Cloud credentials | API keys, service account JSON, access tokens (encrypted)
Infrastructure data | Resource metadata, metrics, uptime results, cost data
Audit data | User actions, timestamps, IP addresses

4. Security Measures

Upmetr implements the following technical and organizational measures to protect Personal Data:

Technical Measures

  • Encryption at rest: Fernet encryption (AES-128-CBC + HMAC-SHA256) for all sensitive credentials
  • Password hashing: bcrypt with salt
  • Token hashing: SHA-256 for API tokens and agent tokens
  • Encryption in transit: TLS 1.2/1.3 with ECDHE forward secrecy
  • Key management: Encryption keys stored in AWS Systems Manager Parameter Store, separated from the database
  • Database isolation: PostgreSQL Row-Level Security (RLS) ensures strict tenant data separation

Organizational Measures

  • Access control: Role-based access (Viewer, Admin, Superadmin) within each organization
  • Audit logging: All sensitive operations are logged with user, timestamp, and action
  • Credential handling: API responses never return decrypted credentials; administrative interfaces do not expose customer secrets
  • Incident response: Defined notification procedures (see Section 7)

5. Sub-processors

Upmetr uses the following sub-processors:

Sub-processor | Purpose | Location | Data Processed
Amazon Web Services (AWS) | Cloud infrastructure hosting | US (us-east-1) | All service data
Stripe, Inc. | Payment processing | US | Name, email, billing data
Resend, Inc. (via AWS SES) | Transactional email delivery | US | Email address, name

Changes to Sub-processors

We will notify you at least 30 days before engaging a new sub-processor. If you object to a new sub-processor, you may terminate the Agreement by providing written notice within that 30-day period. All sub-processors are bound by data processing agreements with obligations no less protective than those in this DPA.

6. Data Subject Requests

If Upmetr receives a request from a data subject regarding their Personal Data, we will:
  1. Notify the Customer promptly (within 5 business days)
  2. Not respond to the data subject directly, unless legally required
  3. Assist the Customer in fulfilling their obligations to respond to such requests
The Customer is responsible for responding to data subject requests. Upmetr provides tools for data export and account deletion to facilitate this.

7. Breach Notification

In the event of a Personal Data breach, Upmetr will:
  1. Notify the Customer without undue delay and no later than 72 hours after becoming aware of the breach
  2. Provide the following information:
    • Nature of the breach
    • Categories and approximate number of data subjects affected
    • Likely consequences of the breach
    • Measures taken or proposed to mitigate the breach
  3. Cooperate with the Customer in investigating and remediating the breach
  4. Document all breaches, including those not requiring notification
The Customer is responsible for notifying the relevant supervisory authority and affected data subjects as required by applicable law.

8. Data Deletion and Return

Upon termination of the Agreement:
  1. The Customer may request a data export within 30 days of termination
  2. After the 30-day export period, Upmetr will delete all Customer Personal Data within 30 days
  3. Upmetr may retain data where required by applicable law (e.g., billing records)
  4. Deletion includes all backups within the normal backup rotation cycle
Upmetr will provide written confirmation of deletion upon request.

9. International Data Transfers

Transfers from Brazil

International transfers of Personal Data originating from Brazil are conducted in compliance with LGPD Chapter V, incorporating the Standard Contractual Clauses approved by the ANPD (Resolution CD/ANPD No. 19/2024).

Transfers from the EEA/UK

International transfers of Personal Data originating from the European Economic Area or the United Kingdom are conducted under the EU Standard Contractual Clauses (Commission Implementing Decision 2021/914), which are incorporated by reference into this DPA.

Transfer Impact Assessment

Upmetr maintains appropriate supplementary measures (encryption, access controls, audit logging) to ensure that Personal Data transferred internationally receives an equivalent level of protection.

10. Audit Rights

The Customer may, upon reasonable written request and no more than once per year:
  1. Request documentation demonstrating Upmetr’s compliance with this DPA
  2. Request a summary of security measures and certifications
  3. Request evidence of sub-processor compliance
Upmetr will respond to audit requests within 30 days. On-site audits may be arranged at the Customer’s expense, with reasonable advance notice and during normal business hours.

11. Liability

Each party’s liability under this DPA is subject to the limitations set forth in the Agreement (Terms of Service, Section 8 — Limitation of Liability).

12. Term

This DPA remains in effect for the duration of the Agreement and for as long as Upmetr processes Personal Data on behalf of the Customer. Upon termination of the Agreement, the provisions of this DPA that by their nature should survive (including Sections 7, 8, 9, and 10) will continue to apply.

13. Conflict

In the event of a conflict between this DPA and the Agreement, this DPA shall prevail with respect to data protection matters.

14. Contact

For questions about this DPA or data processing: