Data Processing Addendum
Effective April 27, 2026 · Last updated April 27, 2026
This Data Processing Addendum (“DPA”) supplements the Master Services Agreement, Statement of Work, or Terms of Use entered into between URCO Studio (URCO LLC) (“URCO,” the “Processor”) and the client (“Customer,” the “Controller”) and applies whenever URCO processes personal data on the Customer’s behalf.
Where URCO processes personal data as a controller for its own business operations (e.g., data about visitors to urco.io), our Privacy Policy applies instead of this DPA.
1. Definitions
Capitalized terms used but not defined here have the meanings given in the GDPR (EU/UK), the CCPA/CPRA, or other applicable data-protection laws (collectively, “Data Protection Laws”). “Personal Data” means any information processed under this DPA that identifies or relates to an identified or identifiable natural person.
2. Roles of the parties
For Personal Data processed under the underlying agreement, the Customer is the Controller (or, where applicable, the Processor on behalf of a third-party controller) and URCO is the Processor (or sub-processor). Each party will comply with its respective obligations under Data Protection Laws.
3. Scope and details of processing
3.1 Subject matter
The provision of website design, accessibility, SEO, analytics, audit, and related services described in the underlying agreement.
3.2 Duration
The term of the underlying agreement, plus any post-termination period required to return or delete Personal Data.
3.3 Nature and purpose
To deliver the agreed services, including hosting, analytics, lead capture, customer support, and continuous improvement of the Customer’s site.
3.4 Categories of data subjects
Visitors to the Customer’s website, the Customer’s prospects and customers, the Customer’s personnel, and any individuals whose data the Customer instructs us to process.
3.5 Categories of Personal Data
- Identifiers (name, email, phone, business name)
- Online identifiers (IP address, device IDs, cookies)
- Internet activity (page views, events, referrer)
- Geolocation (city/region inferred from IP)
- Inquiry content (free-text fields submitted via forms)
We do not knowingly process “special categories” of data (health, race, religion, biometric, etc.). The Customer must not instruct us to process such data unless we agree in writing.
4. Processor obligations
URCO will:
- process Personal Data only on the Customer’s documented instructions, including the underlying agreement;
- ensure persons authorized to process Personal Data are bound by confidentiality;
- implement appropriate technical and organizational measures (Section 7);
- assist the Customer in responding to data-subject requests;
- assist the Customer with security, breach notification, DPIAs, and consultations with supervisory authorities, taking into account the nature of processing;
- at the Customer’s choice, delete or return all Personal Data at the end of services, unless retention is required by law;
- make available all information reasonably necessary to demonstrate compliance with this DPA.
5. Sub-processors
The Customer authorizes URCO to engage the sub-processors listed below and to add or replace them as needed. We will give the Customer notice of new or replacement sub-processors before they begin processing, and the Customer may object on reasonable data-protection grounds. If we cannot accommodate the objection, the Customer may terminate the affected services.
| Sub-processor | Purpose | Location | Transfer mechanism |
|---|---|---|---|
| Vercel Inc. | Hosting, edge delivery, Web Vitals (Vercel Analytics + Speed Insights), Vercel Blob storage for audit reports | United States | SCCs / DPF (where applicable) |
| Cloudflare, Inc. | DNS, CDN, security perimeter, Turnstile bot protection | United States | SCCs / DPF |
| PostHog, Inc. | Product analytics (events, funnels, recordings) | United States | SCCs |
| Google LLC | Google Analytics 4 (aggregated traffic measurement) | United States | SCCs / DPF |
| Microsoft Corporation | Microsoft Clarity (heatmaps, session recordings) | United States | SCCs / DPF |
| Meta Platforms, Inc. | Meta Pixel ad measurement (when consented) | United States | SCCs |
| LinkedIn Corporation | LinkedIn Insight Tag ad measurement (when consented) | United States | SCCs |
| Apollo.io | Reverse-IP company identification | United States | SCCs |
| Resend, Inc. | Transactional email delivery | United States | SCCs |
| Attio Limited | CRM for managing leads and audit submissions | United Kingdom / European Economic Area | UK IDTA / SCCs |
| GitHub, Inc. | Source code hosting; no client production data | United States | SCCs / DPF |
DPF = EU–US Data Privacy Framework (and UK Extension). SCCs = Standard Contractual Clauses. UK IDTA = UK International Data Transfer Agreement.
6. International transfers
Where Personal Data is transferred from the EEA, UK, or Switzerland to a country without an adequacy decision, the parties rely on (a) the EU Standard Contractual Clauses (Module Two: Controller-to-Processor), (b) the UK International Data Transfer Addendum to the EU SCCs or the UK IDTA, (c) the Swiss FDPIC’s recognition of the SCCs, or (d) certification under the EU–US Data Privacy Framework (and UK Extension), as applicable. By entering into this DPA, the parties incorporate the SCCs by reference, with the annexes describing the parties, the transfer, and the security measures completed by reference to Sections 3, 5, and 7 of this DPA.
7. Security measures
URCO maintains appropriate technical and organizational measures, including:
- Encryption. TLS 1.2+ in transit; AES-256 (or equivalent) at rest with our hosting and storage processors.
- Access control. Principle of least privilege, MFA for admin accounts, periodic access review.
- Network security. Cloudflare WAF and rate limiting; Turnstile bot protection on public forms.
- Application security. Server-side input validation, signed audit trails, secrets stored in Vercel environment variables (never in source).
- Logging and monitoring. Server-side event logs and Web Vitals monitoring; admin actions are auditable.
- Backups. Versioned storage at our hosting and storage processors.
- Incident response. Internal runbook for triage, containment, and notification.
- Personnel. Confidentiality obligations and security training for everyone with access to Personal Data.
We review these measures periodically and update them as threats and the state of the art evolve.
8. Breach notification
URCO will notify the Customer without undue delay (and in any event within 72 hours of becoming aware) of a Personal Data Breach affecting the Customer’s data, with the information reasonably necessary to meet the Customer’s own notification obligations.
9. Data-subject rights
Taking into account the nature of processing, URCO will assist the Customer with appropriate technical and organizational measures so the Customer can fulfill its obligation to respond to data-subject requests (access, rectification, erasure, restriction, portability, objection). If a data subject contacts us directly, we will refer them to the Customer unless legally required to act otherwise.
10. Audits
Once per twelve months (and more often if required by a supervisory authority or following a breach), the Customer may request reasonable information about URCO’s compliance with this DPA. URCO may satisfy this obligation by providing third-party audit reports of its sub-processors (e.g., SOC 2 reports) and a written description of its own controls. On-site audits, if requested, will be conducted at the Customer’s expense, on at least 30 days’ notice, during business hours, and subject to confidentiality.
11. CCPA / CPRA addendum
For Personal Information of California residents processed under the underlying agreement, URCO is a “Service Provider” (and not a third party) and will:
- process Personal Information only for the “business purposes” specified in the underlying agreement;
- not “sell” or “share” Personal Information;
- not retain, use, or disclose Personal Information outside the direct business relationship between the parties;
- not combine Personal Information received from the Customer with Personal Information from any other source, except as permitted by Cal. Civ. Code § 1798.140(ag)(1);
- notify the Customer if it can no longer meet its obligations under the CCPA/CPRA.
12. Liability and term
The liability of each party under this DPA is subject to the limitations of liability in the underlying agreement. This DPA continues for the term of the underlying agreement and any retention period that survives.
13. Governing law
This DPA is governed by the law of the underlying agreement, except that where the underlying agreement is governed by a non-EEA/UK law and Data Protection Laws require a different governing law for processing of EEA or UK Personal Data, that law applies to the affected processing.
14. How to execute this DPA
For most engagements, this DPA is incorporated by reference into the signed Master Services Agreement or Statement of Work. If your organization requires a counter-signed copy, email legal@urco.io with your full legal entity name, signatory, and any required addenda (e.g., HIPAA BAA, FERPA), and we will return a signed PDF.
Contact
Privacy and DPA: privacy@urco.io
Legal: legal@urco.io
Mail: URCO Studio (URCO LLC), Queen Creek, Arizona
This DPA is provided as a working draft. Have it reviewed by counsel before public launch and before signing your first paid engagement that involves processing personal data.