Data Processing Agreement

Last updated: May 28, 2026

This DPA is available to Business+ customers as part of their subscription. To request a countersigned copy, contact hello@forg.pro.

This Data Processing Agreement ("DPA") forms part of the Agreement between UpgradIQ, Inc. ("Processor") and the Customer ("Controller") and applies to the processing of Personal Data by UpgradIQ in connection with the FORG service.

1. Definitions

"Personal Data," "Data Subject," "Processing," "Controller," and "Processor" have the meanings given in the GDPR. "GDPR" means Regulation (EU) 2016/679. "Applicable Data Protection Law" means the GDPR and any applicable national implementing legislation.

2. Scope and roles

The Customer is the Controller of Personal Data processed through the FORG service. UpgradIQ is the Processor. UpgradIQ processes Personal Data only on documented instructions from the Controller (these Terms and this DPA constitute such instructions).

3. Nature and purpose of processing

UpgradIQ processes the following categories of Personal Data:

  • Account information: email address, name, hashed password
  • Dimension tags in signal data: hashed user identifiers, project identifiers
  • Usage logs: IP addresses, session timestamps

Processing purpose: provision of the FORG AI cost intelligence service. Duration: for the term of the Agreement plus applicable retention periods.

4. Processor obligations

UpgradIQ shall:

  • Process Personal Data only on documented instructions from the Controller
  • Ensure persons authorized to process the Personal Data are bound by confidentiality
  • Implement appropriate technical and organizational security measures (Article 32 GDPR)
  • Respect the conditions for engaging sub-processors (Section 6 below)
  • Assist the Controller with data subject rights requests
  • Assist the Controller with security obligations, breach notification, DPIAs, and prior consultation
  • Delete or return Personal Data at the Controller's request at the end of the Agreement
  • Provide all information necessary to demonstrate compliance with this DPA

5. Data subject rights

UpgradIQ will notify the Controller without undue delay of any data subject requests received directly. The Controller is responsible for responding to data subjects. UpgradIQ will provide reasonable assistance to the Controller in fulfilling data subject requests.

6. Sub-processors

The Controller authorizes UpgradIQ to engage sub-processors as listed on the Trust page (forg.pro/trust). UpgradIQ will:

  • Inform the Controller of intended changes (additions or replacements) with 30 days' written notice
  • Impose equivalent data protection obligations on sub-processors
  • Remain liable for sub-processor performance

The Controller may object to a proposed sub-processor addition or replacement by written notice to hello@forg.pro within 30 days of receiving the notification. If the parties cannot resolve the objection within 30 days of the objection notice, either party may terminate the affected processing on 30 days' written notice, and UpgradIQ will provide a pro-rated refund of unused prepaid fees attributable to the terminated processing.

7. International transfers

By default, Personal Data may be processed in the United States. Where EU data residency is elected, signal data remains within EU infrastructure. For any transfers of EU Personal Data to the US, UpgradIQ relies on Standard Contractual Clauses (SCCs) as adopted by the European Commission (Commission Decision 2021/914), Module 2 (Controller to Processor). A countersigned DPA will include the applicable SCC Annexes (I — processing description and parties; II — technical and organisational security measures; III — sub-processor list).

8. Security measures

UpgradIQ implements the following security measures (Article 32 GDPR):

  • Encryption in transit (TLS 1.2+) and at rest
  • HMAC-authenticated signal payloads
  • OS-native keystore for license bundles
  • Row-Level Security on all database tables
  • Access controls and least-privilege principles
  • Automated dependency security scanning
  • Incident response procedures with 72-hour breach notification

9. Breach notification

UpgradIQ will notify the Controller of a Personal Data breach without undue delay and within 72 hours of becoming aware of it, providing sufficient information for the Controller to meet its own notification obligations.

10. Audit rights

UpgradIQ will make available all information necessary to demonstrate compliance with this DPA and allow for audits conducted by the Controller or a mandated auditor, provided reasonable notice and subject to confidentiality obligations. UpgradIQ may satisfy audit rights by providing third-party certifications (e.g., SOC 2 reports).

11. Term and termination

This DPA is in effect for the duration of the Agreement. Upon termination, UpgradIQ will delete or return Personal Data within 30 days, unless retention is required by law.

12. Governing law

This DPA is governed by the laws applicable to the Agreement, or where the Controller is an EU-based entity, by the laws of Ireland for matters related to EU data protection.

Contact

For DPA execution requests, compliance questionnaires, or data protection inquiries:
hello@forg.pro