UOVA
Data Processing Agreement

Last updated: March 2026

Introduction

This Data Processing Agreement ("DPA") forms part of the Terms of Service (the "Agreement") between UOVA, Inc. ("Processor" or "UOVA") and the entity agreeing to these terms ("Controller" or "Customer") and applies to the processing of Personal Data by UOVA on behalf of the Customer in connection with the provision of the UOVA Services.

This DPA is entered into to ensure compliance with Article 28 of the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the UK GDPR, the Swiss Federal Act on Data Protection ("FADP"), and any other applicable data protection legislation (collectively, "Data Protection Laws").

In the event of any conflict between this DPA and the Agreement, this DPA shall prevail with respect to the processing of Personal Data.

1. Definitions

In this DPA, the following terms shall have the meanings set out below:

"Controller" — means the entity that determines the purposes and means of the processing of Personal Data, i.e., the Customer.

"Processor" — means the entity that processes Personal Data on behalf of the Controller, i.e., UOVA.

"Sub-processor" — means any third party engaged by the Processor to process Personal Data on behalf of the Controller.

"Personal Data" — means any information relating to an identified or identifiable natural person as defined in applicable Data Protection Laws.

"Data Subject" — means the identified or identifiable natural person to whom Personal Data relates.

"Processing" — means any operation or set of operations performed on Personal Data, including collection, recording, organization, storage, adaptation, alteration, retrieval, consultation, use, disclosure, erasure, or destruction.

"Personal Data Breach" — means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.

"Standard Contractual Clauses" or "SCCs" — means the standard contractual clauses approved by the European Commission for international transfers of Personal Data.

2. Scope and Nature of Processing

UOVA will process Personal Data on behalf of the Customer only as necessary to provide the Services described in the Agreement. The details of the processing are as follows:

Subject Matter — Provision of website building, AI content generation, hosting, and collaboration services.

Duration — For the duration of the Agreement, plus any retention period required by applicable law.

Nature and Purpose — Storage, retrieval, display, and transmission of Customer's content and end-user data as necessary to operate the Service; processing of AI prompts for content generation; hosting and serving published websites.

Categories of Data Subjects — Customer's employees, team members, contractors, end-users, and website visitors.

Types of Personal Data — Names, email addresses, IP addresses, browser/device information, user-generated content, AI prompts and outputs, website analytics data, and any other Personal Data uploaded or collected through the Customer's use of the Services.

3. Processor Obligations

UOVA, as the Processor, shall:

  • Process Personal Data only on documented instructions from the Controller, unless required to do so by applicable law. In such a case, UOVA shall inform the Controller of that legal requirement before processing, unless prohibited by law.
  • Ensure that persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
  • Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk of processing.
  • Not engage another processor (Sub-processor) without prior specific or general written authorization of the Controller.
  • Assist the Controller, taking into account the nature of processing, in fulfilling the Controller's obligation to respond to requests for exercising Data Subjects' rights.
  • Assist the Controller in ensuring compliance with Articles 32 to 36 of the GDPR, taking into account the nature of processing and the information available to the Processor.
  • At the choice of the Controller, delete or return all Personal Data to the Controller after the end of the provision of Services, and delete existing copies unless applicable law requires storage of the Personal Data.
  • Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA and allow for and contribute to audits conducted by the Controller or another auditor mandated by the Controller.

4. Sub-processors

The Controller provides general authorization for UOVA to engage Sub-processors for the processing of Personal Data, subject to the following conditions:

  • UOVA shall maintain a current list of Sub-processors, which is provided below and updated periodically.
  • UOVA shall inform the Controller of any intended changes concerning the addition or replacement of Sub-processors, giving the Controller the opportunity to object to such changes within fourteen (14) days of notification.
  • Where UOVA engages a Sub-processor, UOVA shall impose on that Sub-processor, by way of a contract, the same data protection obligations as set out in this DPA.
  • UOVA shall remain fully liable to the Controller for the performance of the Sub-processor's obligations.

Current list of Sub-processors:

| Sub-processor | Service | Location | Data Processed |
|---|---|---|---|
| Supabase, Inc. | Authentication, database, storage | United States (AWS) | Account data, user content, project data |
| Stripe, Inc. | Payment processing | United States | Payment information, transaction records |
| Vercel, Inc. | Hosting, CDN, edge functions | Global (edge network) | Published website content, request logs |
| OpenAI, Inc. | AI image generation | United States | AI prompts, generation metadata |
| Replicate, Inc. | AI image and video generation | United States | AI prompts, generation metadata |
| Cloudflare, Inc. | CDN, DNS, DDoS protection | Global (edge network) | IP addresses, request metadata |
| Crisp IM SARL | Customer support chat | France (EU) | Chat messages, email addresses |
| Google LLC | Analytics | United States | Anonymized usage data, device info |
| Functional Software (Sentry) | Error tracking | United States | Technical error data, device info |

To subscribe to Sub-processor update notifications, please email dpo@uova.io with the subject line "Sub-processor Notifications."

5. Data Subject Rights

UOVA shall assist the Controller in responding to requests from Data Subjects exercising their rights under applicable Data Protection Laws, including but not limited to:

  • Right of access — UOVA shall provide the Controller with the ability to export Personal Data in a machine-readable format.
  • Right to rectification — UOVA shall enable the Controller to correct Personal Data through the Service interface or upon request.
  • Right to erasure — UOVA shall delete Personal Data upon the Controller's instruction, subject to applicable legal retention requirements.
  • Right to data portability — UOVA shall provide data export functionality in standard formats (JSON, CSV).
  • Right to restriction of processing — UOVA shall restrict processing upon the Controller's instruction.

If UOVA receives a request directly from a Data Subject, UOVA shall promptly redirect the Data Subject to the Controller and shall not respond to the request directly without the Controller's authorization, unless required by applicable law.

6. Security Measures

UOVA implements and maintains appropriate technical and organizational measures to protect Personal Data against unauthorized or unlawful processing, and against accidental loss, destruction, damage, theft, or disclosure. These measures include:

Encryption — All data in transit is encrypted using TLS 1.2 or higher. Data at rest is encrypted using AES-256 encryption.

Access Controls — Role-based access control (RBAC) for all internal systems. Multi-factor authentication required for all employees accessing production systems. Principle of least privilege enforced.

Network Security — Web application firewalls (WAF), DDoS protection via Cloudflare, intrusion detection systems, and network segmentation.

Application Security — Regular code reviews, automated vulnerability scanning, dependency monitoring, and secure development lifecycle practices.

Physical Security — All infrastructure is hosted in SOC 2 Type II certified data centers (AWS, Vercel). UOVA does not maintain its own physical data centers.

Employee Security — Background checks for employees with access to production systems. Annual security awareness training. Confidentiality agreements for all employees and contractors.

Monitoring — 24/7 monitoring of production systems. Automated alerting for anomalous activity. Regular log review and analysis.

Business Continuity — Automated daily backups with geographic redundancy. Disaster recovery plan tested annually. Recovery time objective (RTO) of 4 hours and recovery point objective (RPO) of 1 hour for critical systems.

7. Personal Data Breach Notification

In the event of a Personal Data Breach, UOVA shall:

  • Notify the Controller without undue delay and in any event within forty-eight (48) hours after becoming aware of the breach.
  • Provide the Controller with sufficient information to allow the Controller to meet any obligations to report or inform Data Subjects of the breach under applicable Data Protection Laws.
  • Cooperate with the Controller and take reasonable commercial steps to assist in the investigation, mitigation, and remediation of each Personal Data Breach.
  • Not inform any third party of a Personal Data Breach without first obtaining the Controller's written consent, unless required by applicable law.

The notification shall include, to the extent reasonably available:

  • A description of the nature of the Personal Data Breach, including the categories and approximate number of Data Subjects and Personal Data records concerned.
  • The name and contact details of UOVA's data protection officer or other point of contact.
  • A description of the likely consequences of the Personal Data Breach.
  • A description of the measures taken or proposed to address the Personal Data Breach, including measures to mitigate its possible adverse effects.

8. International Data Transfers

Where Personal Data is transferred outside the European Economic Area (EEA), the United Kingdom, or Switzerland to a country that has not been deemed to provide an adequate level of data protection, UOVA shall ensure that appropriate safeguards are in place:

  • Standard Contractual Clauses (SCCs): UOVA incorporates the SCCs (Module Two: Controller to Processor and Module Three: Processor to Processor, as applicable) into its agreements with Sub-processors. The SCCs are deemed incorporated into this DPA by reference.
  • EU-U.S. Data Privacy Framework (DPF): Where applicable, UOVA relies on Sub-processors' certifications under the EU-U.S. Data Privacy Framework.
  • Transfer Impact Assessments: UOVA conducts transfer impact assessments for international data transfers and implements supplementary measures where necessary.

Upon request, UOVA shall provide the Controller with copies of the relevant transfer mechanism documentation.

9. Audits and Inspections

UOVA shall make available to the Controller, upon reasonable request and at the Controller's expense, all information necessary to demonstrate compliance with this DPA and shall allow for and contribute to audits, including inspections, conducted by the Controller or an independent auditor mandated by the Controller.

Audits are subject to the following conditions:

  • The Controller shall provide at least thirty (30) days' prior written notice of any audit.
  • Audits shall be conducted during normal business hours and shall not unreasonably disrupt UOVA's operations.
  • The Controller (or its auditor) shall execute a non-disclosure agreement before any audit.
  • UOVA may satisfy audit requests by providing relevant third-party audit reports (e.g., SOC 2 Type II reports) or certifications, where available.
  • Audits shall be limited to once per year, unless required by a supervisory authority or in the event of a Personal Data Breach.

10. Term and Termination

This DPA shall remain in effect for the duration of the Agreement. Upon termination of the Agreement, UOVA shall, at the Controller's choice:

  • Return all Personal Data to the Controller in a commonly used, machine-readable format within thirty (30) days of the termination date; or
  • Delete all Personal Data within thirty (30) days of the termination date, and provide written confirmation of such deletion.

Notwithstanding the above, UOVA may retain Personal Data to the extent required by applicable law, provided that UOVA shall ensure the confidentiality of such Personal Data and shall not process it for any purpose other than compliance with such legal requirements.

The obligations of UOVA under this DPA shall continue for as long as UOVA processes Personal Data on behalf of the Controller.

11. Liability

Each party's liability under this DPA shall be subject to the exclusions and limitations of liability set out in the Agreement. Nothing in this DPA shall limit either party's liability with respect to any rights that Data Subjects may have under applicable Data Protection Laws.

Where UOVA is held liable for damage caused by processing that infringes applicable Data Protection Laws, UOVA shall be liable only to the extent that the processing does not comply with the obligations of this DPA or where UOVA has acted outside of or contrary to the Controller's lawful instructions.

12. Contact Information

For questions about this DPA or to exercise rights under this agreement, please contact:

  • Data Protection Officer: dpo@uova.io
  • Legal inquiries: legal@uova.io
  • Mailing address: UOVA, Inc., 548 Market St #36879, San Francisco, CA 94104, United States
© 2026 UOVA, Inc. All rights reserved.