At Upsun, supporting our customers as they navigate global privacy requirements is built into how we operate. We understand that protecting personal data is not just a responsibility, it’s a shared commitment. Our services are designed with data protection and privacy in mind, offering robust technical and organizational measures to help you meet your regulatory obligations with confidence.
Learn about Upsun's HIPAA-compliant cloud hosting
We operate a comprehensive Data Protection program that applies to all subsidiaries processing personal data. Our program establishes essential business requirements covering transparency, security, data governance, privacy by design, and third‑party supplier management.
To support this, we have dedicated security and risk teams made up of qualified subject matter experts. A privacy by design approach is embedded into our change management processes, ensuring that all new services and changes to existing processes are subject to appropriate review and that risks are addressed in a timely manner.
Our personnel play a key role in protecting data. All employees, including contractors, are subject to confidentiality obligations under their contracts. In addition, they receive mandatory data protection training upon hire and on an annual basis thereafter. This training enables staff to identify and manage security and data protection risks in day‑to‑day operations as well as during the design and development of products, systems, and processes.
When transferring personal data outside the European Economic Area, we generally rely on the EU Standard Contractual Clauses (SCCs) where no adequacy decision exists. Data transfers between our group entities are further governed by an intragroup data sharing agreement, which incorporates the EU SCCs and requires implementation of consistent data protection and information security measures across all our entities.
Oversight of these activities is provided by our appointed Data Protection Officer, who ensures compliance with data protection obligations and promotes best practices across the organization.
We act as a data processor or sub-processor on behalf of our customers (or in the equivalent roles, however they are defined). This means we only process personal data in accordance with our customers' instructions and applicable data protection regulations. We do not access or use customer data for our own purposes, and processing is strictly limited to fulfilling our role as a processor or sub-processor.
We are a Controller for the overall PaaS service and our Infrastructure Control Plane when we use information to establish and operate regions, provision services and networks, and manage accounts and billing. Please see our Privacy Notice for more information.
Customer data is stored in highly secure data centers hosted by leading providers such as AWS, Azure, and GCP. We offer region-specific storage (e.g., EU-only).
If you create a project in a specific region, data from that project never leaves your chosen region unless you intentionally request an additional dedicated cluster in a different location.
Data leaves this storage only when you initiate a backup (to a location within the region itself) or during disaster recovery backups (which follow the same storage principle).
We maintain a current list of subprocessors, including the services they provide and their geographic locations. Customers receive advance notice of changes and may object in accordance with the terms of our DPA.
Upon termination, all data is securely deleted in accordance with our documented retention and deletion policies, unless otherwise agreed in writing.
Upsun provides the project environment and stores the customer content as part of its service offering. The categories of personal data processed by Upsun are determined solely by the customer and are dependent on the data that the Customer uploads, transmits, or otherwise makes available on or through the services. Upsun does not determine the nature, scope, or purpose of the data uploaded by the Customer.
As a Platform as a Service provider, we process personal data primarily in support of our customers' applications. This includes:
Yes. We undergo an annual ISO 27001, SOC 2 Type II and PCI DSS Level audit covering Security, Privacy, and Availability.
Upsun is also US Data Privacy Framework self-certified. Our DPF Notice is available here.
We have established a Supplier Management Team to conduct thorough due diligence on all suppliers. Prior to engagement, suppliers undergo both data protection and information security assessments to ensure compliance with our standards. Where appropriate, we enter into Data Processing Agreements with suppliers, and we require them to cascade equivalent obligations to their own third‑party suppliers.
We maintain a comprehensive Incident Response Plan that complies with applicable data protection requirements. In the event of a personal data breach, our internal response team follows a structured protocol to contain the incident, investigate its root cause, assess potential impacts, and carry out any required notifications. Following resolution, we conduct post‑incident reviews to capture lessons learned and implement corrective measures to help prevent recurrence.
We implement technical and organizational measures to support compliance with data protection laws, as described in our DPA and on our security page.
We help our customers address compliance challenges every day by securing the underlying platform and infrastructure. This allows customers to focus on developing and managing their applications, while maintaining responsibility for application-level data protection and user access controls.
We enable customers to select the geographic region (such as a specific country or multi-region area) for storing application data at rest. This ensures that data remains within the desired jurisdiction, helping our customers meet legal and regulatory requirements.
For customers interested in running HIPAA projects, please see our information about HIPAA compliance.