unLAP

Last updated: March 8, 2026

Data Processing Addendum

Last updated: March 8, 2026

This Data Processing Addendum (“DPA”) forms part of the agreement between Unlap Corporation (“Unlap,” “we,” “us,” or “our”) and the customer entity that enters into the applicable agreement for the Services (“Customer”). The applicable agreement may include our Terms of Service, an order form, a master services agreement, or another written agreement governing the Services (collectively, the “Agreement”).

This DPA applies only to Customer Personal Data processed by Unlap on behalf of Customer in connection with the Services when it is signed by the parties or otherwise expressly incorporated into the Agreement. If the parties have entered into a separate written data processing agreement covering the Services, that agreement will control to the extent it conflicts with this DPA.

1. Definitions

For purposes of this DPA:

  • Applicable Data Protection Law means any law or regulation applicable to the processing of Customer Personal Data under the Agreement, including, where applicable, the GDPR, UK GDPR, Swiss data protection law, and applicable U.S. state privacy laws.
  • Customer Personal Data means personal data included in Customer Content that Unlap processes on behalf of Customer in connection with the Services.
  • Customer Content has the meaning given in the Agreement.
  • Controller, processor, business, service provider, contractor, personal data, process, and similar terms have the meanings given in Applicable Data Protection Law.
  • Security Incident means a confirmed breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data processed by Unlap on behalf of Customer. A Security Incident does not include unsuccessful attempts or activities that do not compromise the security of Customer Personal Data, such as routine scans, pings, or failed login attempts.

2. Roles of the Parties

Customer is responsible for determining the purposes and legal basis for processing Customer Personal Data under the Agreement and, where applicable, acts as the controller or business.

Unlap processes Customer Personal Data on behalf of Customer and, where applicable, acts as Customer’s processor, service provider, or contractor.

This DPA does not apply to data for which Unlap acts as a controller, including account, billing, support, security, service telemetry, diagnostic, performance, and aggregated or de-identified usage data that Unlap processes in accordance with the Agreement and our Privacy Policy.

Customer is responsible for:

  • providing any notices and obtaining any consents required under Applicable Data Protection Law
  • ensuring it has the right to provide Customer Personal Data to Unlap for processing under the Agreement
  • ensuring its instructions to Unlap comply with Applicable Data Protection Law

3. Scope and Customer Instructions

Unlap will process Customer Personal Data only:

  • to provide, maintain, support, and secure the Services as described in the Agreement
  • on Customer’s documented instructions, including instructions reflected in the Agreement, Customer’s use of the Services, and Customer’s written directions consistent with the Agreement
  • as required by applicable law, in which case Unlap will inform Customer of that legal requirement before processing unless prohibited by law

If Unlap believes that an instruction from Customer violates Applicable Data Protection Law, Unlap will inform Customer without undue delay to the extent permitted by law.

4. Confidentiality

Unlap will ensure that persons authorized to process Customer Personal Data are subject to appropriate obligations of confidentiality.

5. Security Measures

Taking into account the nature of the processing, the state of the art, implementation costs, and the risks presented by the processing, Unlap will implement and maintain reasonable administrative, technical, and organizational measures designed to protect Customer Personal Data against unauthorized access, use, alteration, or disclosure.

These measures may include, as appropriate:

  • access controls and authentication measures
  • encryption in transit and, where appropriate, at rest
  • logging and monitoring of relevant systems
  • vulnerability management and security patching
  • backup, recovery, and business continuity measures
  • incident detection and response processes

6. Subprocessors

Customer authorizes Unlap to engage subprocessors to process Customer Personal Data on Customer’s behalf in connection with the Services.

Unlap will impose data protection obligations on subprocessors that are no less protective of Customer Personal Data than the obligations imposed on Unlap under this DPA, to the extent applicable to the services performed by the subprocessor.

Unlap remains responsible for the acts and omissions of its subprocessors to the extent required by Applicable Data Protection Law.

A current list of our relevant subprocessors is available at https://unlap.ai/subprocessors or any successor page we identify for that purpose. If we add or replace a subprocessor in a manner that materially affects the processing of Customer Personal Data, we will provide notice by updating that page and by email, through the Services, or by another reasonable notice method, where reasonably practicable in advance of the change.

If Customer has a reasonable data protection objection to a new subprocessor, Customer must notify Unlap in writing within a reasonable period after notice. The parties will work in good faith to address the objection. If the objection cannot be resolved reasonably, Customer may stop using the affected portion of the Services or terminate the affected Services in accordance with the Agreement.

7. Assistance with Data Subject Requests and Compliance

Taking into account the nature of the processing, Unlap will provide reasonable assistance to Customer to enable Customer to respond to requests from data subjects to exercise their rights under Applicable Data Protection Law.

If Unlap receives a request directly from a data subject relating to Customer Personal Data, Unlap may direct the requester to Customer or notify Customer, unless prohibited by law.

Taking into account the nature of the processing and the information available to Unlap, Unlap will provide reasonable assistance to Customer with:

  • security of processing obligations
  • personal data breach notifications, where applicable
  • data protection impact assessments, where applicable
  • consultations with supervisory authorities, where applicable

8. Security Incidents

Unlap will notify Customer without undue delay after becoming aware of a Security Incident involving Customer Personal Data.

To the extent available, Unlap’s notice will include information reasonably necessary for Customer to understand the nature of the Security Incident, the categories of affected data, and the steps Unlap is taking in response.

9. Deletion and Return

Unless a separate agreement or service configuration provides otherwise, Unlap will retain Customer Personal Data only for as long as needed to provide the Services and in accordance with the Agreement.

At the end of the provision of the Services relating to processing, Customer may require Unlap to delete Customer Personal Data or, where reasonably feasible using standard Service functionality or otherwise agreed in writing, return Customer Personal Data. Unlap will comply with Customer’s choice and delete existing copies unless Applicable Data Protection Law requires storage.

To the extent Customer Personal Data is stored in routine backups and cannot be deleted immediately, Unlap will continue to protect that Customer Personal Data in accordance with this DPA and will delete or overwrite it in the ordinary course of backup rotation. Unlap will not use Customer Personal Data retained in backups for any purpose other than maintaining the security and integrity of those backups or complying with Applicable Data Protection Law.

10. Audits and Information

Unlap will make available to Customer information reasonably necessary to demonstrate compliance with this DPA.

To the extent required by Applicable Data Protection Law, Unlap may satisfy its audit obligations by providing information reasonably sufficient to demonstrate compliance with this DPA, such as security documentation, summaries of third-party assessments, completed security questionnaires, or other reasonably available materials.

If those materials are insufficient under Applicable Data Protection Law, Unlap will allow and contribute to reasonable audits or inspections by Customer or an independent auditor mandated by Customer, subject to reasonable confidentiality obligations, advance notice, scope limitations, security requirements, and measures to avoid unreasonable disruption to Unlap’s business.

Unless otherwise required by Applicable Data Protection Law or a separate agreement:

  • audits will be conducted no more than once in any twelve (12) month period
  • Customer will bear its own audit costs
  • Customer will ensure that any auditor is not a competitor of Unlap and is bound by appropriate confidentiality obligations

11. International Transfers

Customer acknowledges that Unlap and its subprocessors may process Customer Personal Data in multiple jurisdictions as described in our Privacy Policy.

To the extent Customer Personal Data subject to Applicable Data Protection Law is transferred to a country that does not provide an adequate level of protection under that law, the parties agree that the applicable transfer mechanism is incorporated into this DPA by reference, including, where applicable:

  • the European Commission’s Standard Contractual Clauses
  • the UK International Data Transfer Addendum
  • any other lawful transfer mechanism recognized under Applicable Data Protection Law

For purposes of those transfer mechanisms:

  • Customer is the data exporter and Unlap is the data importer, unless Applicable Data Protection Law requires another allocation of roles
  • Section 13 of this DPA, together with our Security Overview and Subprocessors page, supplies the relevant details of processing, technical and organizational measures, and subprocessor information for purposes of the relevant annex information
  • the parties will cooperate in good faith to complete any additional details reasonably required to make the applicable transfer mechanism effective

If a specific transfer requires additional annex, module, or addendum details beyond those supplied by the Agreement, this DPA, Section 13, our Security Overview, and our Subprocessors page, the parties will complete those details in a written transfer rider or other written amendment reasonably requested to support the applicable transfer mechanism.

To the extent Swiss data protection law applies, references to the GDPR, EU member states, and supervisory authorities will be interpreted as including the equivalent concepts under Swiss law, where required.

12. U.S. State Privacy Terms

To the extent applicable U.S. state privacy laws apply to Customer Personal Data and Unlap acts as Customer’s service provider or contractor, Unlap will:

  • process Customer Personal Data only for the business purposes and limited purposes described in the Agreement and this DPA
  • not sell or share Customer Personal Data
  • not retain, use, or disclose Customer Personal Data outside the direct business relationship with Customer except as permitted by applicable law
  • not combine Customer Personal Data with personal information received from another source except as permitted by applicable law
  • comply with obligations applicable to service providers or contractors under applicable law

Unlap will provide the same level of privacy protection for Customer Personal Data as required by applicable U.S. state privacy laws.

Unlap certifies that it understands the restrictions in this Section 12 and will comply with them.

If Unlap determines that it can no longer meet its obligations under this Section 12, Unlap will notify Customer without undue delay.

If Customer reasonably believes that Unlap’s processing of Customer Personal Data is inconsistent with this Section 12, the parties will work together in good faith to remediate the issue. If the issue cannot be remedied reasonably, Unlap will stop processing the affected Customer Personal Data upon Customer’s written instruction to the extent required by applicable law.

13. Details of Processing

The subject matter, duration, nature, and purpose of the processing under this DPA are as follows:

  • Subject matter: Customer Personal Data included in Customer Content processed through the Services
  • Duration: for the term of the Agreement and any limited retention period permitted under the Agreement, this DPA, or Applicable Data Protection Law
  • Nature and purpose: hosting, storage, transmission, analysis, support, security, AI-assisted automation, and other processing necessary to provide, maintain, support, and secure the Services in accordance with Customer’s instructions and the Agreement
  • Categories of data subjects: Customer’s employees, contractors, end users, business contacts, and other individuals whose personal data is included in Customer Content
  • Categories of personal data: personal data Customer chooses to submit to the Services or direct the Services to access, which may include identifiers, contact details, business profile information, account-related information, usage-related data contained in Customer Content, and other personal data included in Customer Content by Customer

14. Order of Precedence

If there is a conflict between this DPA and the Agreement, this DPA will control with respect to the processing of Customer Personal Data to the extent of the conflict.

15. Contact

If you have questions about this DPA, subprocessors, or data protection matters relating to the Services, contact privacy@unlap.ai.

If you need to send a formal legal notice relating to this DPA, contact legal@unlap.ai.