Data Processing Agreement
Effective date: May 1, 2025
THIS DATA PROCESSING AGREEMENT (“DPA”) SUPPLEMENTS LEVELUP’S TERMS OF SERVICE (“TOS”) ENTERED INTO BY AND BETWEEN CUSTOMER AND LEVELUP. BY EXECUTING THE TOS, CUSTOMER ENTERS INTO THIS DPA ON BEHALF OF ITSELF AND, TO THE EXTENT REQUIRED UNDER APPLICABLE DATA PROTECTION LAWS, IN THE NAME AND ON BEHALF OF ITS AFFILIATES, IF ANY. THIS DPA INCORPORATES THE TERMS OF THE TOS, AND ANY TERMS NOT DEFINED IN THIS DPA SHALL HAVE THE MEANING SET FORTH IN THE TOS.
REMEMBER THAT YOUR USE OF LEVELUP'S SERVICE IS AT ALL TIMES SUBJECT TO OUR TERMS OF SERVICE (“TOS”). UNLESS OTHERWISE DEFINED HEREIN, ALL CAPITALIZED TERMS SHALL HAVE THE MEANINGS ASSIGNED TO THEM IN EXHIBIT A. GLOSSARY IN THE TOS.
1. Relationship of the Parties; Processing of Data
1.1. Roles and Responsibilities of the Parties
The Parties acknowledge and agree that with regard to the Processing of Personal Data, Customer may act either as a Controller or Processor and, except as expressly set forth in this DPA or the TOS, Levelup is a Processor. Customer shall, in its use of the Services, process Personal Data, and provide instructions for the Processing of Personal Data, in compliance with Data Protection Laws. Customer shall ensure that the Processing of Personal Data in accordance with Customer’s instructions will not cause Levelup to be in breach of the Data Protection Laws. Customer is solely responsible for the accuracy, quality, and legality of:
I. the Personal Data provided to Levelup by or on behalf of Customer;
II. the means by which Customer acquired any such Personal Data; and
III. the instructions it provides to Levelup regarding the Processing of such Personal Data.
Customer shall not provide or make available to Levelup any Personal Data in violation of the TOS or otherwise inappropriate for the nature of the Service, and shall indemnify Levelup from all claims and losses in connection therewith. In the event any claim arises out of Sub‑Processor actions, the notice and defense procedures set forth in the TOS shall apply. Notwithstanding the foregoing, for Personal Data provided by Customer (including data of its employees, Users, or other individuals whose Personal Data is provided by Customer), Customer shall be deemed the Controller and Levelup shall process such data solely as a Processor. For aggregated or anonymized Customer Usage Data collected for internal purposes, Levelup acts as a Controller.
1.2. Limitations and Instructions for Processing
Levelup shall not process Personal Data:
I. for purposes other than those set forth in the TOS and/or Exhibit A;
II. in a manner inconsistent with the terms and conditions set forth in this DPA or any other documented instructions provided by Customer, including with regard to transfers of Personal Data to a third country or an international organization, unless required to do so by a Supervisory Authority to which Levelup is subject; in such a case, Levelup shall inform the Customer of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest; or
III. in violation of Data Protection Laws.
Customer hereby instructs Levelup to process Personal Data in accordance with the foregoing and as part of any Processing initiated by Customer in its use of the Service.
1.3. Scope of Processing
The subject matter, nature, purpose, and duration of this Processing, as well as the types of Personal Data collected and categories of Data Subjects, are described in Exhibit A to this DPA.
1.4. Return or Deletion of Personal Data
I. Return or Deletion at Completion of Services or Upon Request
Following completion of the Service or upon the earlier of:
A. expiration or termination of the TOS; or
B. Customer’s written request;
Levelup shall, at Customer’s election, either return or securely delete all Personal Data processed under this DPA, typically within thirty (30) days, unless applicable law or a legitimate interest requires retention of certain data for a longer period.
II. Further Storage if Required or Authorized by Law
If return or destruction is impracticable or prohibited by law, rule, or regulation, Levelup shall take measures to block such Personal Data from any further Processing (except to the extent necessary for continued hosting or Processing required by law, rule, or regulation) and shall continue to appropriately protect any Personal Data remaining in its possession, custody, or control.
III. Backup Systems and Protections
Levelup may retain Personal Data in backup systems or as otherwise required by law or regulation, provided that such Personal Data remains subject to confidentiality, security, and other protections in this DPA until deleted or returned as described above.
IV. Certification of Deletion
If Customer does not make an election regarding return or destruction, Levelup shall delete Personal Data within the timeframes stated above. Upon Customer’s request, Levelup will certify in writing that it has fully complied with this Section 1.4. Return or Deletion of Personal Data. If Levelup transfers Personal Data outside the European Union under the Standard Contractual Clauses as described in Section 4. Transfers of Personal Data, the Parties agree that the certification of deletion required by Clause 12(1) of the UK SCCs and Clause 8.1(d) / 8.5 of the EU SCCs (as applicable) shall be provided by Levelup to Customer only upon Customer’s request in accordance with this subsection.
1.5. CCPA Service Provider Obligations
Except with respect to Customer Account Data and Customer Usage Data, the Parties acknowledge and agree that Levelup is a service provider for the purposes of the CCPA (to the extent it applies) and is receiving personal information from Customer in order to provide the Service pursuant to the TOS, which constitutes a business purpose. Levelup shall not sell any such personal information. Levelup shall not retain, use or disclose any personal information provided by Customer pursuant to the TOS except as necessary for the specific purpose of performing the Service for Customer pursuant to the TOS, or otherwise as set forth in the TOS or as permitted by the CCPA. The terms “Personal Information,” “service provider,” “sale,” and “sell” are as defined in Section 1798.140 of the CCPA. Levelup certifies that it understands the restrictions of this Section 1.5. CCPA Service Provider Obligations.
1.6. Aggregated Data
For the avoidance of doubt, nothing in this DPA restricts Levelup’s ability to create, use, or disclose Aggregated Data, provided that such data is irreversibly anonymized and does not directly or indirectly identify any natural person. Once any Personal Data is aggregated and anonymized such that it no longer constitutes “Personal Data” under Data Protection Laws, it shall no longer be subject to the restrictions of this DPA, and Levelup may use it in accordance with the TOS.
The creation and use of Aggregated Data by Levelup shall be governed by the TOS, which is incorporated by reference into this DPA.
2. Sub-Processors
2.1. General Authorization for Sub-Processors
Customer acknowledges and agrees that Levelup may:
I. engage its Affiliates and the Sub-Processors listed in Exhibit B (the “List”) to this DPA to access and process Personal Data in connection with the Service; and
II. from time to time engage additional third parties for the purpose of providing the Service, including without limitation the Processing of Personal Data.
By way of this DPA, Customer provides general written authorization to Levelup to engage Sub-Processors as necessary to perform the Service.
2.2. Updates, Notifications, and Objections
The List may be updated by Levelup from time to time. Levelup may provide a mechanism to subscribe to notifications of new Sub-Processors here https://levelup.ai/levelup/settings/account/notifications. Customer agrees to subscribe to such notifications if available. At least thirty (30) days before enabling any new Sub-Processor other than existing Sub-Processors to access or participate in the Processing of Personal Data, Levelup will add such new Sub-Processor to the List and notify Customer via email to the address(es) specified in Customer's Account. Customer may object to such an engagement by informing Levelup within thirty (30) days of receipt of the aforementioned notice by Customer, provided such objection is in writing and based on reasonable grounds relating to data protection. Customer acknowledges that certain Sub-Processors are essential to providing the Service and that objecting to the use of a Sub-Processor may prevent Levelup from offering the Service to Customer.
2.3. Discontinuation of Service
If Customer reasonably objects to an engagement in accordance with Section 4.2. EU Standard Contractual Clauses (Ex-EEA Transfers), and Levelup cannot provide a commercially reasonable alternative within a reasonable period of time, Customer may discontinue the use of the affected Service by providing written notice to Levelup. Discontinuation shall not relieve Customer of any Fees owed to Levelup under the TOS.
2.4. Default Acceptance of New Sub-Processors
If Customer does not object to the engagement of a third party in accordance with Section 2.2. Updates, Notifications, and Objections within thirty (30) days of notice by Levelup, that third party will be deemed an authorized Sub-Processor for the purposes of this DPA.
2.5. Sub-Processor Agreements and Levelup’s Liability
Levelup will enter into a written agreement with the Sub-Processor imposing on the Sub-Processor data protection obligations comparable to those imposed on Levelup under this DPA with respect to the protection of Personal Data. In case a Sub-Processor fails to fulfill its data protection obligations under such written agreement with Levelup, Levelup will remain liable to Customer for the performance of the Sub-Processor’s obligations under such agreement.
2.6. Standard Contractual Clauses and Required Consents
If Customer and Levelup have entered into Standard Contractual Clauses as described in Section 4. Transfers of Personal Data,
I. the above authorizations will constitute Customer’s prior written consent to the subcontracting by Levelup of the Processing of Personal Data if such consent is required under the Standard Contractual Clauses; and
II. the Parties agree that the copies of the agreements with Sub-Processors that must be provided by Levelup to Customer pursuant to Clause 5(j) of the UK SCCs or Clause 9(c) of the EU SCCs may have commercial information, or information unrelated to the Standard Contractual Clauses or their equivalent, removed by Levelup beforehand, and that such copies will be provided by Levelup only upon request by Customer.
3. Security of Personal Data
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Levelup shall maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk of Processing Personal Data. Exhibit C sets forth additional information about Levelup’s technical and organizational security measures.
4. Transfers of Personal Data
4.1. General Framework for International Transfers
The Parties agree that Levelup may transfer Personal Data processed under this DPA outside the EEA, the UK, or Switzerland as necessary to provide the Service. Customer acknowledges that Levelup’s primary Processing operations take place in the United States, and that the transfer of Customer’s Personal Data to the United States is necessary for the provision of the Service to Customer. If Levelup transfers Personal Data protected under this DPA to a jurisdiction for which the European Commission has not issued an adequacy decision, Levelup will ensure that appropriate safeguards have been implemented for the transfer of Personal Data in accordance with Data Protection Laws.
4.2. EU Standard Contractual Clauses (Ex-EEA Transfers)
The Parties agree that ex-EEA Transfers are made pursuant to the EU SCCs, which are deemed entered into (and incorporated into this DPA by this reference) and completed as follows:
I. Module One (Controller to Controller) of the EU SCCs apply when Levelup is Processing Personal Data as a Controller pursuant to Section 7. Levelup’s Role as a Controller of this DPA.
II. Module Two (Controller to Processor) of the EU SCCs apply when Customer is a Controller and Levelup is Processing Personal Data for Customer as a Processor pursuant to Section 1. Relationship of the Parties; Processing of Data of this DPA.
III. Module Three (Processor to Sub-Processor) of the EU SCCs apply when Customer is a Processor and Levelup is Processing Personal Data on behalf of Customer as a Sub-Processor.
IV. Module Four (Processor to Controller) of the EU SCCs apply when Customer is a Processor of Customer Usage Data and Levelup processes Customer Usage Data as a Controller.
4.3. Terms Applicable to EU SCC Modules
For each module, where applicable the following applies:
I. The optional docking clause in Clause 7 does not apply;
II. In Clause 9, Option 2 (general written authorization) applies, and the minimum time period for prior notice of Sub-Processor changes shall be as set forth in Section 2.2. Updates, Notifications, and Objections of this DPA;
III. In Clause 11, the optional language does not apply;
IV. All square brackets in Clause 13 are hereby removed;
V. In Clause 17 (Option 1), the EU SCCs will be governed by Irish law;
VI. In Clause 18(b), disputes will be resolved before the courts of the Republic of Ireland;
VII. Exhibit B to this DPA contains the information required in Annex I of the EU SCCs;
VIII. Exhibit C to this DPA contains the information required in Annex II of the EU SCCs; and
IX. By entering into this DPA, the Parties are deemed to have signed the EU SCCs incorporated herein, including their Annexes.
4.4. UK Standard Contractual Clauses (Ex-UK Transfers)
I. Applicability: The terms of this Section 4.4. UK Standard Contractual Clauses (Ex-UK Transfers) shall apply to any transfer of Personal Data governed by the UK GDPR from the Data Exporter to the Data Importer in a country not recognized as providing an adequate level of protection for Personal Data under UK Data Protection Laws (an "ex-UK Transfer").
II. Transfer Mechanism: The Parties agree that ex-UK Transfers are made pursuant to the EU SCCs as incorporated into this DPA in Sections 4.2 and 4.3, which are hereby further amended and supplemented by the UK Addendum, which is also incorporated by reference into this DPA.
III. Completion of the UK Addendum: For the purposes of the UK Addendum:
A. In Table 1, the "Parties" details shall be the Parties and their information as set forth in Exhibit B, Part 1 of this DPA.
B. In Table 2, the "Selected SCCs" shall be the EU SCCs as incorporated into this DPA in Sections 4.2 and 4.3, including the selected Modules and Clauses specified therein.
C. In Table 3, the "Appendix Information" shall refer to the information set forth in Exhibit A ("Details of Processing") and Exhibit C ("Description of the Technical and Organisational Security Measures") of this DPA, which correspond to Annex I and Annex II of the EU SCCs, respectively.
D. In Table 4, both the Importer and the Exporter may end the UK Addendum in accordance with the terms specified in Section 19 of the UK Addendum.
IV. Conflict: In the event of any conflict or inconsistency between the terms of the UK Addendum and the EU SCCs as incorporated herein, the terms of the UK Addendum shall prevail in respect of ex-UK Transfers.
V. Continuing Effect: The Parties acknowledge and agree that entering into this DPA shall satisfy the requirement for the Parties to execute the UK Addendum as a separate document.
4.5. Supplementary Measures
In respect of any ex-EEA Transfer or ex-UK Transfer, the following supplementary measures shall apply:
I. As of the date of this DPA, the Data Importer has not received any formal legal requests from any government intelligence or security service/agencies in the country to which the Personal Data is being exported, for access to (or for copies of) Customer’s Personal Data (“Government Agency Requests”);
II. If, after the date of this DPA, the Data Importer receives any Government Agency Requests, Levelup shall attempt to redirect the law enforcement or government agency to request that data directly from Customer. As part of this effort, Levelup may provide Customer’s basic contact information to the government agency. If compelled to disclose Customer’s Personal Data to a law enforcement or government agency, Levelup shall give Customer reasonable notice of the demand and cooperate to allow Customer to seek a protective order or other appropriate remedy unless Levelup is legally prohibited from doing so. Levelup shall not voluntarily disclose Personal Data to any law enforcement or government agency. Data Exporter and Data Importer shall (as soon as reasonably practicable) discuss and determine whether all or any transfers of Personal Data pursuant to this DPA should be suspended in light of such Government Agency Requests; and
III. The Data Exporter and Data Importer will meet regularly to consider whether:
A. the protection afforded by the laws of the country of the Data Importer to Data Subjects whose Personal Data is being transferred is sufficient to provide broadly equivalent protection to that afforded in the EEA or the UK, whichever the case may be;
B. additional measures are reasonably necessary to enable the transfer to be compliant with the Data Protection Laws; and
C. it is still appropriate for Personal Data to be transferred to the relevant Data Importer, taking into account all relevant information available to the Parties, together with guidance provided by the supervisory authorities.
IV. If Data Protection Laws require the Data Exporter to execute the Standard Contractual Clauses applicable to a particular transfer of Personal Data to a Data Importer as a separate agreement, the Data Importer shall, on request of the Data Exporter, promptly execute such Standard Contractual Clauses incorporating such amendments as may reasonably be required by the Data Exporter to reflect the applicable appendices and annexes, the details of the transfer and the requirements of the relevant Data Protection Laws.
V. If either:
A. any of the means of legitimizing transfers of Personal Data outside of the EEA or UK set forth in this DPA cease to be valid; or
B. any Supervisory Authority requires transfers of Personal Data pursuant to those means to be suspended,
then Data Importer may by notice to the Data Exporter, with effect from the date set out in such notice, amend or put in place alternative arrangements in respect of such transfers, as required by Data Protection Laws.
5. Rights of Data Subjects
5.1. Handling Data Subject Requests
Levelup shall, to the extent permitted by law, notify Customer upon receipt of a request by a Data Subject to exercise the Data Subject’s right of: access, rectification, erasure, data portability, restriction or cessation of Processing, withdrawal of Consent to Processing, and/or objection to being subject to Processing that constitutes automated decision-making (such requests individually and collectively “Data Subject Request(s)”). If Levelup receives a Data Subject Request in relation to Customer’s data, Levelup will advise the Data Subject to submit their request to Customer and Customer will be responsible for responding to such request, including, where necessary, by using the functionality of the Service. Customer is solely responsible for ensuring that Data Subject Requests for erasure, restriction or cessation of Processing, or withdrawal of Consent to Processing of any Personal Data are communicated to Levelup, and, if applicable, for ensuring that a record of Consent to Processing is maintained with respect to each Data Subject.
5.2. Assistance with Data Subject Requests
Levelup shall, at the request of the Customer, and taking into account the nature of the Processing applicable to any Data Subject Request, apply appropriate technical and organizational measures to assist Customer in complying with Customer’s obligation to respond to such Data Subject Request and/or in demonstrating such compliance, where possible, provided that:
I. Customer is itself unable to respond without Levelup’s assistance; and
II. Levelup is able to do so in accordance with all applicable laws, rules, and regulations.
Customer shall be responsible to the extent legally permitted for any costs and expenses arising from any such assistance by Levelup.
6. Actions and Access Requests; Audits
6.1. Assistance with Data Protection Impact Assessments
Levelup shall, taking into account the nature of the Processing and the information available to Levelup, provide Customer with reasonable cooperation and assistance where necessary for Customer to comply with its obligations under the GDPR to conduct a Data Protection Impact Assessment and/or to demonstrate such compliance, provided that Customer does not otherwise have access to the relevant information. Customer shall be responsible to the extent legally permitted for any costs and expenses arising from any such assistance by Levelup.
6.2. Cooperation with Supervisory Authorities
Levelup shall, taking into account the nature of the Processing and the information available to Levelup, provide Customer with reasonable cooperation and assistance with respect to Customer’s cooperation and/or prior consultation with any Supervisory Authority, where necessary and where required by the GDPR. Customer shall be responsible to the extent legally permitted for any costs and expenses arising from any such assistance by Levelup.
6.3. Record-Keeping Requirements
Levelup shall maintain records sufficient to demonstrate its compliance with its obligations under this DPA, and retain such records for a period of three (3) years after the termination of the TOS. Customer shall, with reasonable notice to Levelup, have the right to review, audit and copy such records at Levelup’s offices during regular business hours.
6.4. Audits and Inspections
Upon Customer’s written request at reasonable intervals, and subject to reasonable confidentiality controls, Levelup shall either:
I. make available for Customer’s review copies of certifications or reports demonstrating Levelup’s compliance with prevailing data security standards applicable to the Processing of Customer’s Personal Data, or
II. if the provision of reports or certifications pursuant to (I) is not reasonably sufficient under Data Protection Laws, allow Customer’s independent third party representative to conduct an audit or inspection of Levelup’s data security infrastructure and procedures that is sufficient to demonstrate Levelup’s compliance with its obligations under Data Protection Laws, provided that:
A. Customer provides reasonable prior written notice of any such request for an audit and such inspection shall not be unreasonably disruptive to Levelup’s business;
B. such audit shall only be performed during business hours and occur no more than once per calendar year; and
C. such audit shall be restricted to data relevant to Customer.
Customer shall be responsible for the costs of any such audits or inspections, including without limitation a reimbursement to Levelup for any time expended for on-site audits. If Customer and Levelup have entered into Standard Contractual Clauses as described in Section 4. Transfers of Personal Data, the Parties agree that the audits described in Clause 5(f) and Clause 12(2) of the UK SCCs and Clause 8.9 of the EU SCCs shall be carried out in accordance with this Section 6.4. Audits and Inspections.
6.5. Notification of Infringing Instructions
Levelup shall immediately notify Customer if an instruction, in Levelup’s opinion, infringes the Data Protection Laws or Supervisory Authority.
6.6. Prompt Notification of Personal Data Breach
In the event of a Personal Data Breach, Levelup shall, without undue delay and, in any event, no later than seventy-two (72) hours after becoming aware of the Personal Data Breach, inform Customer of the Personal Data Breach and take such steps as Levelup in its sole discretion deems necessary and reasonable to remediate such violation (to the extent that remediation is within Levelup’s reasonable control).
6.7. Cooperation Following a Data Breach
In the event of a Personal Data Breach, Levelup shall, taking into account the nature of the Processing and the information available to Levelup, provide Customer with reasonable cooperation and assistance necessary for Customer to comply with its obligations under the GDPR with respect to notifying:
I. the relevant Supervisory Authority; and
II. Data Subjects affected by such Personal Data Breach without undue delay.
6.8. Exceptions and No Admission of Fault
The obligations described in Section 6.5. Notification of Infringing Instructions and Section 6.6. Prompt Notification of Personal Data Breach shall not apply in the event that a Personal Data Breach results from the actions or omissions of Customer. Levelup’s obligation to report or respond to a Personal Data Breach under Section 6.5. Notification of Infringing Instructions and Section 6.6. Prompt Notification of Personal Data Breach will not be construed as an acknowledgement by Levelup of any fault or liability with respect to the Personal Data Breach.
7. Levelup’s Role as a Controller
The Parties acknowledge and agree that with respect to Customer Account Data and Customer Usage Data, Levelup is an independent Controller, not a joint Controller with Customer. Levelup will process Customer Account Data and Customer Usage Data as a Controller:
I. to manage the relationship with Customer;
II. to carry out Levelup’s core business operations, such as accounting, audits, tax preparation and filing and compliance purposes;
III. to monitor, investigate, prevent and detect fraud, security incidents and other misuse of the Service, and to prevent harm to Customer;
IV. for identity verification purposes;
V. to comply with legal or regulatory obligations applicable to the Processing and retention of Personal Data to which Levelup is subject; and
VI. as otherwise permitted under Data Protection Laws and in accordance with this DPA and the TOS.
Levelup may also process Customer Usage Data as a Controller to provide, optimize, and maintain the Service, to the extent permitted by Data Protection Laws. Any Processing by Levelup as a Controller of Customer Usage Data is processed for Contractual Necessity, meaning that Levelup needs to process such data to perform under the TOS, which enables Levelup to provide and improve the Service, or in furtherance of the legitimate interests of Levelup or third parties. Levelup may also de-identify or anonymize Personal Data to further Levelup’s legitimate interests. When Levelup processes data due to Contractual Necessity, failure to provide such data, even Personal Data, will result in Customer’s inability to use some or all portions of the Service that require such data. From time to time Levelup may also need to process Personal Data to comply with a legal obligation, if it is necessary to protect the vital interests of Customer or other Data Subjects, or if it is necessary for a task carried out in the public interest.
8. Conflict
In the event of any conflict or inconsistency among the following documents, the order of precedence will be:
I. the applicable terms in the Standard Contractual Clauses;
II. the terms of this DPA;
III. the TOS; and
IV. any other written agreement executed by the Parties.
Any claims brought in connection with this DPA will be subject to the terms and conditions, including, but not limited to, the exclusions and limitations set forth in the TOS.
9. Liability; Exclusions and Limitations
9.1. Applicability of TOS Caps and Disclaimers
To the extent permitted by applicable law, the disclaimers, exclusions, and limitations of liability set forth in the TOS shall fully apply to any claims arising under or in connection with this DPA, including, without limitation, for any Personal Data Breach or alleged violation of Data Protection Laws.
9.2. Regulatory Fines and Third-Party Claims
Except to the extent caused by Levelup’s proven breach of its obligations under this DPA, Levelup shall have no liability for any regulatory fines, penalties, or third-party damages arising out of or relating to Customer’s breach of this DPA, Data Protection Laws, or Customer’s misconfiguration or misuse of the Service. If the Standard Contractual Clauses or other mandatory law requires liability for any damages caused solely by Levelup’s acts or omissions, such liability shall be subject to the same disclaimers and liability caps outlined in the TOS, to the maximum extent allowed by law.
9.3. No Liability for Customer-Caused Breach
Levelup shall not be liable for any unauthorized access, use, or disclosure of Personal Data caused by:
I. Customer’s own configuration or misuse of the Service,
II. Customer’s failure to maintain the security of its authentication credentials,
III. any action or omission by a third party not acting on behalf of or under the direct control of Levelup, or
IV. Levelup’s compliance with Customer’s instructions that violate Data Protection Laws.
9.4. Mandatory Limitations
Nothing in this DPA shall limit or exclude liability that cannot be limited or excluded under Data Protection Laws or the Standard Contractual Clauses (if applicable). In the event of a conflict between the liability provisions in the TOS and a mandatory provision of Data Protection Laws or the SCCs, the mandatory provision(s) shall prevail to the extent of the conflict.
10. Changes to this Data Processing Agreement
Levelup reserves the right to modify or update this DPA to reflect changes in applicable law, business practices, or regulatory requirements. When this occurs, Levelup will announce any material amendments by posting an update on Levelup’s website at levelup.ai/dpa and/or may send Customer an email at least thirty (30) days prior to the effective date of such changes. Continued use of the Service after the effective date of any modifications constitutes acceptance of the updated DPA.
Exhibit A
Details of Processing
1. Nature and Purpose of Processing
Levelup will process Customer’s Personal Data as necessary to provide the Service under the TOS, for the purposes specified in the TOS and this DPA, and in accordance with Customer’s instructions as set forth in this DPA.
2. Duration of Processing
Levelup will process Customer’s Personal Data as long as required:
I. to provide the Service to Customer under the TOS;
II. for Levelup’s legitimate business needs; or
III. by applicable law or regulation.
Customer Account Data and Customer Usage Data will be processed and stored as set forth in the TOS and this DPA.
3. Categories of Data Subjects
Data Subjects may include Customer's Users (such as employees and End Clients) and other individuals whose Personal Data is submitted to the Service by or on behalf of Customer.
4. Categories of Personal Data
Levelup processes Personal Data contained in Customer Account Data, Customer Usage Data, and any Personal Data provided by Customer (including any Personal Data Customer collects from its clients or other individuals, and processes through its use of the Service) or collected by Levelup in order to provide the Service or as otherwise set forth in the TOS or this DPA. Categories of Personal Data include name, location, email address, date of birth, physical address, and unique identifiers such as passwords.
5. Sensitive Data or Special Categories of Data
Levelup does not intend to collect or process any Sensitive Data (as specifically defined in Article 9–10 of the GDPR) under this DPA. For clarity, financial data (including accounting and banking information) collected for financial reporting purposes, while confidential, does not typically fall under GDPR's specific definition of Special Categories of Data or Sensitive Data (Article 9). Unless expressly stated in the TOS or in a separate written agreement signed by both Parties, Customer shall refrain from uploading or otherwise making available any GDPR Article 9 Sensitive Data. Any incidental or unauthorized submission of such specific Sensitive Data is outside the scope of Levelup’s normal Processing activities, and Levelup shall have no liability in connection therewith.
Summary of Data Processing Roles
Data Category | Description | Levelup’s Role | Customer’s Role |
---|---|---|---|
User Information | Data provided by Customer and its Users for account access (e.g., name, email, IP address, login credentials). | Processor (Levelup processes on Customer’s instructions) | Controller (Customer owns and is responsible for its accuracy and security) |
User Submissions | Content or materials submitted by Customer or its Users via the Service. | Processor (Levelup processes as necessary to provide and improve the Service) | Controller (Customer retains ownership of its submissions) |
Service Usage Data | Data generated by interactions with the Service (e.g., logs, performance metrics) before Processing. | Processor (processed in its raw form per Customer instructions) | Controller (Customer is responsible for the underlying data) |
Aggregated Data | Service Usage Data that has been aggregated and anonymized so that no personal identifying information remains. | Controller (Levelup owns and may use Aggregated Data freely for analytics, research, etc.) | Not applicable (data is de‑identified and no longer attributable to Customer) |
Exhibit B
The following includes the information required by Annex I and Annex III of the EU SCCs, and Appendix 1 of the UK SCCs.
1. The Parties
1. Data Exporter(s)
I. Name: Customer (as defined in the Agreement).
II. Address: Customer’s address as provided in Customer’s Account or the applicable Order.
III. Contact person’s name, position and contact details: The contact details associated with Customer’s Account or as otherwise provided in writing to the Data Importer.
IV. Activities relevant to the data transferred under these Clauses: Receiving the Services provided by the Data Importer as described in the Agreement and this DPA (including Exhibit A).
V. Signature and date: The Agreement (including this DPA incorporating the SCCs and UK Addendum) is deemed executed by the Data Exporter upon its acceptance of the Terms of Service.
VI. Role (Controller/Processor): The Data Exporter’s role is determined by the specific processing activity and the applicable Module of the EU SCCs as set forth in Section 4.2. EU Standard Contractual Clauses (Ex-EEA Transfers) of this DPA.
2. Data Importer(s)
I. Name: Levelup Intelligence, Inc.
II. Address: 412 W. Rivers Edge Dr., #32, Provo, UT 84604, USA
III. Contact person’s name, position and contact details: security@levelup.ai (ATTN: Legal)
IV. Activities relevant to the data transferred under these Clauses: Processing Personal Data in connection with providing the Services to the Data Exporter, as described in the Agreement and this DPA (including Exhibit A).
V. Signature and date: The Agreement (including this DPA incorporating the SCCs and UK Addendum) is deemed executed by the Data Importer upon its acceptance of the Terms of Service by the Data Exporter.
VI. Role (Controller/Processor): The Data Importer’s role is determined by the specific processing activity and the applicable Module of the EU SCCs as set forth in Section 4.2. EU Standard Contractual Clauses (Ex-EEA Transfers) of this DPA.
2. Description of the Transfer
Data Subjects | Processing Details |
---|---|
Categories of Personal Data | Refer to TOS |
Special Category Personal Data (if applicable) | Refer to TOS |
Nature of the Processing | Refer to TOS |
Purposes of Processing | In order for Levelup to provide the Service to Customer as stated under the TOS. |
Duration of Processing and Retention (or the criteria to determine such period) | For as long as Customer is using the Service. |
Frequency of the transfer | As requested or initiated by Customer during the course of the TOS. |
Recipients of Personal Data Transferred to the Data Importer | Levelup will maintain and provide a list of its Sub-Processors upon request. |
3. Competent Supervisory Authority
The Supervisory Authority shall be the Supervisory Authority of the Data Exporter, as determined in accordance with Clause 13.
4. List of Sub-Processors
Company | Description | Location |
---|---|---|
Anthropic, PBC | Artificial Intelligence | United States |
Braintrust Data, Inc. | Artificial Intelligence | United States |
OpenAI, LLC | Artificial Intelligence | United States |
Stripe, Inc. | Billing & Payments | United States |
Amazon Web Services, Inc. | Cloud Services, Email Delivery | United States |
Cloudflare, Inc. | Cloud Services | United States |
Slack Technologies, LLC | Community | United States |
Enterpret, Inc. | Customer Feedback Intelligence | United States |
Sutro Labs, Inc. (dba Census) | Data | United States |
Equals Technologies, Inc. | Data Analysis | United States |
Pocus, Inc. | Data-driven Sales | United States |
Hevo Data, Inc. | Data Services | United States |
MongoDB, Inc. | Data Services | United States |
Snowflake | Data Services & Product Analysis | United States |
Turbopuffer, Inc. | Data Storage | United States |
Elasticsearch BV | Document Search | United States |
Plus Five Five, Inc. (dba Resend) | Email Delivery, Email Marketing | United States |
Astrodon Corporation (dba Loops) | Email Marketing | United States |
FrontApp, Inc. | Email Support | United States |
Functional Software, Inc. (dba Sentry) | Error Monitoring | United States |
Google, LLC | Cloud Services, Hosting | United States |
Linear Orbit, Inc | Issue Tracking | United States |
Common Room, Inc. | Marketing Automation | United States |
Retool, Inc. | Product Analytics | United States |
Posthog, Inc. | Product Analytics | United States |
Gong.io, Inc. | Sales Conversation Analytics | United States |
Folk, Inc. | Sales CRM | United States |
Datadog, Inc. | Service Monitoring | United States |
Exhibit C
Description of the Technical and Organisational (“TechOrg”) Security Measures implemented by the Data Importer
The following includes the information required by Annex II of the EU SCCs and Appendix 2 of the UK SCCs.
TechOrg Security Measure | Details |
---|---|
Measures of pseudonymisation and encryption of Personal Data | Customer Data is stored in a multi-tenant application with logical separation between Customer instances. Sensitive authentication information is encrypted at the logical database level, and the database is encrypted at rest. |
Measures for ensuring ongoing confidentiality, integrity, availability and resilience of Processing systems and Service | Levelup has policies and procedures in place to ensure confidentiality, integrity and resilience of Processing systems and Service. These include an Access Control Policy, Business Continuity and Disaster Recovery Policy, and a Secure Development Policy. Levelup will maintain and provide policies upon request. |
Measures for ensuring the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident | All database-stored Customer Data is backed up daily using tooling offered by Google Cloud SQL, which also provides restore capabilities. Backups and restore capabilities are tested on an annual cadence. |
Processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the Processing | Levelup regularly monitors and tests controls to ensure they are operating as intended and updated as needed. Levelup uses the software service Drata, Inc. to automate several of these controls, including employee activity and adherence to Levelup policies and procedures, infrastructure monitoring, and development procedures. Levelup leadership monitors these controls regularly, and is notified immediately when a control is at risk so that prompt action can be taken. Levelup has completed its SOC2 Type II certification. Please reach out to security@levelup.ai for a copy of the report. |
Measures for User identification and authorization | Levelup maintains an Access Control Policy, which can be provided upon request. Measures for access control and authorization include formally documented roles and Permissions, encrypted connection to production systems and networks, strong passwords stored within a password manager, and single sign-on or 2FA where available. Levelup’s Access Control Policy applies to all Levelup employees and to all external parties with access to Levelup engineering networks and system resources. |
Measures for the protection of data during transmission | All data outside Levelup’s private network is encrypted with HTTPS/SSL. All measures are outlined in Levelup’s Data Management Policy, which can be provided upon request. |
Measures for the protection of data during storage | Database is encrypted at rest and managed by Google Cloud Platform. |
Measures for ensuring physical security of locations at which Personal Data are processed | Levelup does not operate physical servers or other infrastructure. For employer-provided computers: All Levelup employees are required to complete physical security training, and all employees and contractors are required to enable a screen lock when the work computer is left unattended. |
Measures for ensuring events logging | Levelup has detailed event logging with automated alerts in case no events are tracked. |
Measures for ensuring system configuration, including default configuration | Security governance and management is outlined in Levelup security policies, including the Information Security Roles and Responsibilities Policy, which all employees must review and agree to prior to joining Levelup. The policy can be provided upon request. Roles are required within the organization to provide clearly defined responsibilities and an understanding of how the protection of information is to be accomplished. Their purpose is to clarify and coordinate the activities and actions necessary to disseminate security policy, standards, and implementation. |
Measures for certification/assurance of processes and products | Levelup has completed its SOC2 Type II certification. Please reach out to security@levelup.ai for a copy of the report. |
Measures for ensuring data minimisation | Data is collected to serve commercial or business purposes, such as providing, customizing and improving the Service, marketing and selling the Service, corresponding with Customers about the Service, and meeting legal requirements. Levelup will not collect additional categories of Personal Data or use the Personal Data it collected for materially different, unrelated or incompatible purposes without providing Customer notice. More information about the data Levelup collects and opting-out can be found in earlier sections of this DPA. |
Measures for ensuring data quality | All data collection is instrumented by Levelup’s software engineering team and all data collection changes are peer reviewed. Data is tested during development and verified after deployment. |
Measures for ensuring limited data retention | Levelup retains data as long as Levelup has a need for its use, or to meet regulatory or contractual requirements. Once data is no longer needed, it is securely disposed of or archived. Levelup, in consultation with legal counsel, may determine retention periods for data. Retention periods shall be documented in the Levelup Data Management Policy, which can be provided upon request. |
Measures for ensuring accountability | Levelup employees are required to review and acknowledge Levelup security practices and policies, complete security training, and go through a security walkthrough with a senior member of the engineering organization. Levelup conducts background checks on all new employees and requires all employees to sign a non-disclosure agreement before gaining access to Levelup information. |
Measures for allowing data portability and ensuring erasure | Customer can ask for a copy of its Personal Data in a machine-readable format. Customer can also request that Levelup transmit the data to another Controller where technically feasible. The Service allows export of relevant application data in a standard CSV format. Additional export capabilities for all Customer Data are available through an API. In the case that a Customer wishes to exercise portability or erasure rights, Levelup has measures for retrieving securely stored data and has a process in place to ensure access is restricted only to those who have a business justification for accessing data during the copy, transfer, or erasure. |
Technical and organizational measures of Sub-Processors | Levelup collects and reviews the most recent security assessments from Sub-Processors on an annual basis. |