Data Processing Addendum

    Effective: 2026-05-20

    This page explains Unshift LLC's ("Unshift", "we", "us", "our") Data Processing Addendum (the "DPA") and how to obtain a countersigned copy. It supplements our Privacy Policy, our Terms of Service, and our Subprocessor List.

    When the DPA applies

    Most people who use Unshift are the controllers of any personal data they collect through the websites they build (for example, the contact details an end user submits through a form on a published site). In that situation, Unshift acts as a processor on your behalf. Under Article 28 of the GDPR, Article 28 of the UK GDPR, and equivalent laws, a written data processing agreement is required between a controller and its processor.

    The DPA governs that relationship. Where you act as a controller and we process personal data on your behalf, the DPA forms part of your Terms of Service with us, whether you are on the Free, Pro, or Business plan. You do not need to be a Business customer for the DPA to apply to your use of the Service.

    What the DPA covers

    • Roles and scope. It identifies you as the controller and Unshift as the processor, and describes the subject matter, duration, nature, and purpose of the processing, the types of personal data, and the categories of data subjects.
    • Processing only on your instructions. We process customer personal data only to provide the Service and on your documented instructions, except where law requires otherwise.
    • Confidentiality. Our personnel who access customer personal data are bound by confidentiality obligations.
    • Security. We maintain the technical and organizational measures described in our Privacy Policy, including encryption in transit and at rest, role-based access control, and access logging.
    • Subprocessors. We use the subprocessors listed at /subprocessors and require each to be bound by data-protection terms no less protective than the DPA. We give notice before adding or replacing a subprocessor that processes customer personal data, and you may object on reasonable data-protection grounds.
    • International transfers. Where customer personal data is transferred out of the EEA, the UK, or Switzerland to a country without an adequacy decision, the DPA incorporates the European Commission's Standard Contractual Clauses and the UK International Data Transfer Addendum.
    • Data subject requests. We assist you, taking into account the nature of the processing, in responding to data subject requests (access, deletion, rectification, portability, and others).
    • Personal data breaches. We notify you without undue delay after becoming aware of a personal data breach affecting customer personal data, and assist you with your own notification obligations.
    • Return and deletion. On termination, we delete or return customer personal data in accordance with the retention periods in our Privacy Policy.
    • Audit. We make available the information reasonably necessary to demonstrate compliance and allow for audits consistent with the SCCs and applicable law.

    How to request a countersigned copy

    If you require a signed DPA for your records (for example, for your own compliance file or a vendor-onboarding process), email privacy@unshift.ai with your account email and your legal entity name. We will return a countersigned copy. Business customers with bespoke procurement requirements can raise specific terms during contracting.

    Contact

    • DPA and data-protection requests: privacy@unshift.ai
    • Subprocessor questions or objections: privacy@unshift.ai
    • Postal address: Unshift LLC, 1309 Coffeen Avenue STE 1200, Sheridan, Wyoming 82801, United States