Uptime.com Logo

Uptime.com Data Processing Addendum

Last Updated: March 20, 2026

This Data Processing Addendum (“DPA”) forms part of the Uptime.com Terms of Service available at https://uptime.com/terms-and-conditions (the “Agreement”).

This DPA applies when Uptime.com LLC (“Uptime.com”) processes Personal Data on behalf of a customer (“Customer”) in connection with the Services.

Customer enters into this DPA on behalf of itself and, to the extent required under applicable Data Protection Laws, its authorized affiliates.

1. Definitions

1.1 Customer.Customer” means the entity that has entered into the Agreement with Uptime.com.

1.2 Uptime.com.Uptime.com” means Uptime.com LLC.

1.3 Personal Data.Personal Data” means any information relating to an identified or identifiable natural person, or any analogous concept of personal information, personal data, or protected data under applicable Data Protection Laws, that is processed by Uptime.com on behalf of Customer in connection with the Services.

1.4 Data Protection Laws.Data Protection Laws” means all applicable laws and regulations relating to privacy, data protection, and the processing of Personal Data, including, where applicable:

  • Regulation (EU) 2016/679 (“GDPR”)
  • the UK GDPR
  • the Swiss Federal Act on Data Protection
  • the California Consumer Privacy Act, as amended by the California Privacy Rights Act
  • other applicable U.S. state privacy laws
  • Brazil’s Lei Geral de Proteção de Dados (“LGPD”)
  • South Africa’s Protection of Personal Information Act (“POPIA”)
  • Singapore’s Personal Data Protection Act (“PDPA”)
  • China’s Personal Information Protection Law (“PIPL”)
  • and any other applicable privacy or data protection laws, in each case as amended, replaced, or superseded from time to time

1.5 Processing.Processing” has the meaning given to it under applicable Data Protection Laws and includes any operation or set of operations performed on Personal Data.

1.6 Controller.Controller” means the entity that determines the purposes and means of the Processing of Personal Data, and includes any analogous term such as “business” where relevant under applicable Data Protection Laws.

1.7 Processor.Processor” means the entity that Processes Personal Data on behalf of a Controller, and includes any analogous term such as “service provider” or “contractor” where relevant under applicable Data Protection Laws.

1.8 Subprocessor.Subprocessor” means a third party engaged by Uptime.com to Process Personal Data on behalf of Customer in connection with the Services.

1.9 Personal Data Breach.Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise Processed by Uptime.com or its Subprocessors.

2. Scope and Roles of the Parties

2.1 Roles. As between the parties, Customer acts as a Controller or Processor of Personal Data, and Uptime.com acts as a Processor or Subprocessor, as applicable.

2.2 Scope. This DPA applies solely to the extent Uptime.com Processes Personal Data on behalf of Customer in connection with the provision of the Services under the Agreement.

2.3 Customer Instructions. Customer instructs Uptime.com to Process Personal Data only:

  • to provide, secure, support, and improve the Services in accordance with the Agreement
  • in accordance with Customer’s documented instructions
  • as otherwise required by applicable law

3. Processing of Personal Data

3.1 Documented Instructions. Uptime.com will Process Personal Data only on Customer’s documented instructions, unless otherwise required by applicable law. In such case, Uptime.com will inform Customer of that legal requirement before Processing, unless prohibited by law.

3.2 Compliance Concerns. If Uptime.com reasonably believes that a Customer instruction infringes applicable Data Protection Laws, Uptime.com may inform Customer and suspend the affected Processing until Customer confirms or modifies its instruction.

3.3 No Sale or Unauthorized Secondary Use. Uptime.com will not sell, share, or otherwise use Customer Personal Data for purposes other than providing the Services, except as permitted by the Agreement, this DPA, or required by applicable law.

3.4 AI / Model Training Restriction. Unless expressly agreed in writing by Customer, Uptime.com will not use Customer Personal Data to train generalized artificial intelligence or machine learning models for the benefit of Uptime.com or third parties.

3.5 GDPR Article 28(3) Requirements. To the extent GDPR or UK GDPR applies, Uptime.com will:

  1. process Personal Data only on documented instructions from Customer;
  2. ensure that persons authorized to process Personal Data are subject to appropriate confidentiality obligations;
  3. implement appropriate technical and organizational measures in accordance with Article 32;
  4. respect the conditions for engaging Subprocessors set out in this DPA;
  5. assist Customer, taking into account the nature of the Processing, in responding to Data Subject requests;
  6. assist Customer in ensuring compliance with Articles 32 to 36 GDPR, taking into account the nature of processing and the information available to Uptime.com;
  7. at Customer’s choice, delete or return Personal Data upon termination of the Services;
  8. make available to Customer all information necessary to demonstrate compliance with this DPA.

4. Customer Responsibilities

Customer represents, warrants, and agrees that:

  • it has provided all notices and obtained all rights, consents, permissions, and lawful bases necessary for Uptime.com to Process Personal Data as contemplated by the Agreement and this DPA
  • it will comply with applicable Data Protection Laws in its use of the Services
  • its instructions to Uptime.com will comply with applicable Data Protection Laws
  • it is responsible for the accuracy, quality, and legality of the Personal Data and the means by which it acquired the Personal Data

5. Confidentiality of Personnel

Uptime.com will ensure that persons authorized to Process Personal Data:

  • are subject to appropriate confidentiality obligations
  • are informed of the confidential nature of the Personal Data
  • access Personal Data only to the extent necessary to perform their duties

6. Security Measures

6.1 Technical and Organizational Measures. Uptime.com will implement and maintain appropriate technical and organizational measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.

6.2 Security Program. Such measures may include, as appropriate:

  • encryption in transit
  • encryption at rest where appropriate to the risk profile and service architecture
  • role-based access controls
  • logging and monitoring
  • vulnerability management
  • incident response procedures
  • backup and disaster recovery safeguards
  • network and infrastructure security controls

6.3 Ongoing Review. Uptime.com may update its security measures from time to time, provided that such updates do not materially reduce the overall security of the Services.

6.4 Additional Information. Additional details regarding Uptime.com’s security practices are available in the Uptime.com Trust Center and other customer-facing compliance documentation.

7. Subprocessors

7.1 Authorization. Customer generally authorizes Uptime.com to engage Subprocessors in connection with the provision of the Services.

7.2 Subprocessor Obligations. Uptime.com will impose data protection obligations on each Subprocessor that are no less protective, in all material respects, than those set out in this DPA, to the extent applicable to the nature of the services provided by that Subprocessor.

7.3 Responsibility. Uptime.com remains responsible for the performance of its Subprocessors’ obligations to the extent required by applicable law.

7.4 Subprocessor List. A current list of Subprocessors is available at https://uptime.com/subprocessors.

7.5 Changes to Subprocessors. Uptime.com may update its Subprocessors from time to time and will make an updated list available at https://uptime.com/subprocessors or through another reasonable notification mechanism.

Customer may object to a new Subprocessor on reasonable data protection grounds by notifying Uptime.com within a reasonable period after becoming aware of the change. In such case, the parties will work in good faith to address the objection.

8. Assistance with Data Subject Requests

8.1 Assistance. Taking into account the nature of the Processing, Uptime.com will provide reasonable assistance to Customer to enable Customer to respond to requests from Data Subjects exercising their rights under applicable Data Protection Laws, including rights of access, correction, deletion, portability, restriction, and objection, where applicable.

8.2 Direct Requests. If Uptime.com receives a request directly from a Data Subject relating to Customer’s Personal Data, Uptime.com will direct the requester to Customer or notify Customer, unless Uptime.com is legally required to respond.

9. Personal Data Breach

9.1 Notification. Uptime.com will notify Customer without undue delay and, where feasible, within a commercially reasonable timeframe following confirmation of the Personal Data Breach.

9.2 Information. To the extent available, such notification will include information reasonably necessary for Customer to comply with its obligations under applicable Data Protection Laws, such as:

  • the nature of the Personal Data Breach
  • the categories of affected data
  • the likely consequences
  • measures taken or proposed to address the issue

9.3 No Admission. Any notification by Uptime.com of a Personal Data Breach is not an admission of fault or liability.

10. Compliance Assistance

Taking into account the nature of the Processing and the information available to Uptime.com, Uptime.com will provide reasonable assistance to Customer with respect to:

  • data protection impact assessments
  • prior consultations with regulators where required
  • responses to regulatory inquiries related to Uptime.com’s Processing of Personal Data
  • Customer’s compliance with obligations relating to security of Processing and Personal Data Breach notification

11. Audits and Information Rights

11.1 Information. Uptime.com will make available to Customer information reasonably necessary to demonstrate compliance with this DPA.

11.2 Standard Audit Materials. Uptime.com may satisfy audit and inspection obligations by providing:

  • SOC 2 reports and other independent audit reports or certifications, where applicable
  • summaries of security controls
  • documentation available through the Trust Center
  • responses to reasonable due diligence questionnaires

11.3 On-Site Audits. To the extent Customer cannot reasonably satisfy its audit rights through the materials described above, and only where required by applicable Data Protection Laws, Customer may request a further audit of relevant Uptime.com controls related to the Processing of Customer Personal Data, subject to:

  • reasonable advance written notice
  • reasonable confidentiality restrictions
  • limits designed to avoid disruption, security risk, or access to other customers’ data or systems
  • no more than one audit in any 12-month period unless required by law or following a confirmed material security incident

12. Retention, Return, and Deletion

Upon termination or expiration of the Services, Uptime.com will, at Customer’s choice and to the extent technically feasible, delete or return Customer Personal Data, unless retention is required by applicable law or for the minimum period necessary for security, backup, fraud prevention, dispute resolution, or legal compliance purposes.

Where retention is required, Uptime.com will continue to protect the retained Personal Data in accordance with this DPA and limit further Processing to the purpose requiring retention.

13. International Data Transfers

13.1 Transfer Safeguards. Where Uptime.com transfers Personal Data across borders in circumstances regulated by Data Protection Laws, Uptime.com will ensure that appropriate safeguards are in place, which may include:

  • the European Commission’s Standard Contractual Clauses
  • the UK International Data Transfer Addendum
  • adequacy decisions
  • other lawful transfer mechanisms recognized under applicable Data Protection Laws

Uptime.com will implement supplementary measures where required and assess the level of protection afforded by applicable transfer mechanisms in accordance with applicable Data Protection Laws.

13.2 SCC Incorporation. To the extent required by GDPR for transfers of Personal Data from the EEA to a third country that does not benefit from an adequacy decision, the EU Standard Contractual Clauses set out in Annex 1 are incorporated into and form part of this DPA.

13.3 UK Transfers. To the extent required for transfers of Personal Data from the United Kingdom to a third country that does not benefit from adequacy regulations under UK law, the UK transfer provisions in Annex 2 apply.

13.4 Swiss Transfers. To the extent required for transfers of Personal Data from Switzerland, the Swiss transfer provisions in Annex 3 apply.

13.5 Government Access Requests. To the extent legally permitted, Uptime.com will promptly notify Customer of any legally binding request for disclosure of Personal Data by a law enforcement authority, unless prohibited by law.

14. Region-Specific Terms

14.1 U.S. State Privacy Laws. To the extent applicable U.S. state privacy laws apply, Uptime.com will act as a Processor, Service Provider, or Contractor, as applicable, and will:

  • Process Personal Data only for the limited and specified purposes described in the Agreement and this DPA
  • not retain, use, or disclose Personal Data outside the direct business relationship between Customer and Uptime.com except as permitted by applicable law
  • not combine Personal Data received from Customer with personal data received from another source except as permitted by applicable law
  • provide the same level of privacy protection required by applicable law

14.2 POPIA, LGPD, PDPA, PIPL, and Other Laws. To the extent these or similar laws apply, the parties agree that this DPA is intended to satisfy the Processor / Operator obligations applicable to Uptime.com under those laws, adapted as necessary to the terminology and requirements of the relevant legal framework.

15. Liability

Except where prohibited by applicable law, each party’s liability arising out of or relating to this DPA is subject to the exclusions and limitations of liability set out in the Agreement.

Nothing in this DPA limits either party’s liability to the extent such limitation is prohibited by applicable Data Protection Laws or by the incorporated SCCs where applicable.

16. Updates to this DPA

Uptime.com may update this DPA from time to time to reflect:

  • changes in applicable law
  • regulatory guidance
  • changes to the Services
  • changes to Subprocessors
  • improvements to security or compliance practices

Any such updates will be posted on this page or another appropriate Uptime.com legal page and will not materially reduce Customer’s rights under this DPA.

17. Order of Precedence

In the event of any conflict between this DPA and the Agreement, this DPA will control with respect to the subject matter of this DPA.

In the event of any conflict between this DPA and the SCCs or other mandatory transfer terms in the annexes, the SCCs or other mandatory transfer terms will control to the extent of that conflict.

Where the parties have entered into a separate written agreement governing the Processing of Personal Data, the terms of such agreement will prevail to the extent of any conflict.

Annex A — Details of Processing

A.1 Subject Matter. The subject matter of the Processing is the provision of uptime monitoring and related services by Uptime.com to Customer.

A.2 Duration. The duration of the Processing is for the term of the Agreement, plus any period during which Uptime.com retains Personal Data in accordance with the Agreement, this DPA, or applicable law.

A.3 Nature and Purpose of Processing. The nature and purpose of the Processing may include:

  • hosting and operating the Services
  • monitoring and service delivery
  • account administration
  • service configuration
  • alerts and notifications
  • customer support
  • security and fraud prevention
  • troubleshooting, maintenance, and related operational purposes

A.4 Categories of Data Subjects. Categories of Data Subjects may include:

  • Customer employees
  • Customer users
  • Customer administrators
  • Customer contacts
  • Customer end users or visitors whose data is submitted to or collected through the Services

A.5 Categories of Personal Data. Categories of Personal Data may include:

  • names
  • email addresses
  • contact details
  • account and authentication data
  • IP addresses
  • service configuration data
  • technical and monitoring metadata
  • support-related information submitted by Customer

A.6 Sensitive Data. Sensitive or special category data is not intentionally required for the ordinary use of the Services, and Customer should not submit such data unless expressly agreed in writing by Uptime.com and subject to appropriate additional safeguards.

Annex B — Security Measures

Uptime.com maintains an information security program that includes administrative, technical, and organizational safeguards appropriate to the nature of the Services and the risks presented by the Processing of Personal Data.

These safeguards may include:

  • access controls based on role and business need
  • authentication and authorization controls
  • network security measures
  • encryption in transit
  • encryption at rest where appropriate
  • centralized logging and monitoring
  • backup and recovery procedures
  • vulnerability scanning and patch management
  • incident response procedures
  • personnel confidentiality and training requirements
  • vendor and Subprocessor oversight controls

Additional details regarding Uptime.com’s security practices are available in the Uptime.com Trust Center or similar compliance documentation.

Annex C — Subprocessors

A current list of Subprocessors is maintained at https://uptime.com/subprocessors.

Annex 1 — EU Standard Contractual Clauses (EEA Transfers)

To the extent GDPR requires an approved transfer mechanism for transfers of Personal Data from the EEA to Uptime.com in a third country not subject to an adequacy decision, the following terms apply:

1. Applicable Module. The parties agree that Module Two (Controller to Processor) of the European Commission Standard Contractual Clauses, Commission Implementing Decision (EU) 2021/914, applies where Customer is a Controller.

Where Customer is a Processor and Uptime.com acts as a Subprocessor, the parties agree that Module Three (Processor to Processor) applies as necessary.

2. Clause Selections. For the purposes of the SCCs:

  • Clause 7 (Docking Clause): optional and not included unless expressly agreed
  • Clause 9 (Use of Subprocessors): Option 2, general written authorization, with Subprocessor information made available through the Subprocessors page
  • Clause 11 (Redress): the optional language is not included
  • Clause 17 (Governing Law): the law of Ireland
  • Clause 18 (Choice of Forum and Jurisdiction): the courts of Ireland

3. Appendix I to the SCCs

A. List of Parties

Data Exporter:
Customer, as identified in the Agreement, acting as Controller or Processor as applicable.

Data Importer:
Uptime.com LLC, a United States company providing uptime monitoring and related services.

B. Description of Transfer

Categories of Data Subjects:
As set out in Annex A.

Categories of Personal Data:
As set out in Annex A.

Sensitive Data:
Not intentionally required for normal use of the Services. If transferred, it will be subject to appropriate additional safeguards and only where agreed or required.

Frequency of Transfer:
Continuous for the duration of the Agreement as required to provide the Services.

Nature of the Processing:
As set out in Annex A.

Purpose(s) of the Transfer and Further Processing:
As set out in Annex A.

Retention Period:
For the term of the Agreement and thereafter in accordance with the Agreement, this DPA, and applicable law.

Subprocessors:
As described in Annex C.

C. Competent Supervisory Authority

The competent supervisory authority shall be the supervisory authority of the EU Member State in which the Data Exporter is established, or where required under the SCCs, as otherwise determined in accordance with Clause 13 of the SCCs.

4. Appendix II to the SCCs

The technical and organizational measures are described in Annex B.

5. Appendix III to the SCCs

The list of Subprocessors is described in Annex C.

Annex 2 — UK International Transfers

To the extent UK GDPR requires an approved transfer mechanism for transfers of Personal Data from the United Kingdom to Uptime.com in a third country not subject to UK adequacy regulations, the parties agree that the International Data Transfer Addendum issued by the UK Information Commissioner’s Office applies to the SCCs incorporated by Annex 1, with the following approach:

  • the SCCs in Annex 1 are the Approved EU SCCs
  • Customer is the data exporter
  • Uptime.com is the data importer
  • the tables in the UK Addendum will be deemed completed using the corresponding information set out in this DPA, Annex A, Annex B, Annex C, and Annex 1
  • any conflict between the UK Addendum and the SCCs will be resolved in accordance with the UK Addendum

Annex 3 — Swiss Transfers

To the extent Swiss data protection law requires an approved transfer mechanism for transfers of Personal Data from Switzerland, the SCCs incorporated by Annex 1 will apply with the following modifications as necessary:

  • references to “Member State” include Switzerland where required
  • references to “GDPR” include the Swiss Federal Act on Data Protection to the extent applicable
  • the competent supervisory authority is the Swiss Federal Data Protection and Information Commissioner where required by Swiss law
  • Data Subjects in Switzerland may exercise rights under the SCCs in accordance with Swiss law

Contact

Questions regarding this DPA may be directed to:

privacy@uptime.com