Data Processing Addendum
This Data Processing Addendum with its appendices (together the “DPA”) supplements and forms part of any agreement between Company and BetterUp, Inc. (“BetterUp”) related to the Processing of Personal Data (each an “Agreement”) and is incorporated by reference.
1. Definitions
“Controller” means the entity that determines the purposes and means of Processing Personal Data. Controller is synonymous with “Business” as defined under the CCPA and similar laws or regulations.
“Data Protection Laws” means all directly applicable laws and regulations related to the Processing of Personal Data under the Agreement, which may include, but are not limited to, the EU General Data Protection Regulation (Regulation 2016/679) (“GDPR”) and the California Consumer Privacy Act (“CCPA”).
“Data Subject” means the individual to whom Personal Data relates.
“Personal Data” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or household.
“Process” or “Processing” means any operation or set of operations which is performed on Personal Data, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
“Processor” means the entity that Processes Personal Data on behalf of a Controller. Processor is synonymous with “Service Provider” as defined under the CCPA and similar laws or regulations.
“Security Breach” means a breach of security involving the BetterUp Platform or Services resulting in the accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of, or access to, Personal Data Processed on the BetterUp Platform or through the Services.
“Standard Contractual Clauses” or “SCCs” means the standard contractual clauses for international transfers annexed to the European Commission’s Commission Implementing Decision on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679, published on June 4, 2021, available at: https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX:32021D0914.
“Subprocessor” means any Processor engaged by BetterUp to Process Personal Data on BetterUp’s behalf while providing the Services.
“Party” means either Company or BetterUp, as applicable; “Parties” means both Company and BetterUp, collectively.
All capitalized terms not otherwise defined in this DPA will have the meaning given to them in the Agreement.
2. Roles and purpose of Processing
2.1 In connection with the BetterUp Platform and Services outlined in the Agreement, BetterUp will Process certain Personal Data to enable the provision of these Services to Company. The specifics of the Processing activities are detailed in Appendix A of this DPA.
2.2 The Parties acknowledge that BetterUp may act either as a Processor or an independent Controller, depending on the nature of the Personal Data and the Processing activities:
- Company is the Controller and BetterUp is the Processor for Personal Data used to validate eligibility for the Services, facilitate billing, provide support and maintenance, and for additional Company Processing requests such as analytics via automated integrations (collectively, “Company Data”).
- BetterUp is a Controller for all Personal Data collected from Data Subjects through their interactions with the BetterUp Services (collectively, “User Data”).
3. Controller responsibilities
3.1 Each Party will comply with Data Protection Laws in its performance under this DPA. When acting as independent Controllers, each Party is responsible for meeting its respective legal obligations regarding the Processing of Personal Data.
3.2 In its role as Controller, Company will ensure that any Personal Data shared with BetterUp under this Agreement has been lawfully collected and transparently disclosed to the Data Subject.
3.3 BetterUp will respond to data subject rights requests it receives for User Data as an independent Controller, in accordance with its obligations under Data Protection Laws. For requests related to Company Data, BetterUp will promptly notify Company and provide reasonable assistance to enable Company to fulfill its obligations to the Data Subject as Controller.
3.4 BetterUp will not sell or share Personal Data, even when acting as a Controller. For the purposes of this subsection, “share” is defined as outlined in the CCPA, specifically referring to the disclosure of Personal Data to third parties for cross-context behavioral advertising or other targeted advertising purposes.
4. Processor responsibilities. As Processor, BetterUp will:
4.1 Process Company Data solely for the purpose of providing the BetterUp Services to Company as specified in the Agreement.
4.2 Limit the Processing of Company Data to what is necessary for performing the Services. BetterUp will not sell Company Data or Process it beyond the scope of its business relationship with Company, except as required by law. If compelled by law, BetterUp will inform Company prior to compliance, unless prohibited from doing so.
4.3 Ensure that all BetterUp personnel authorized to Process Company Data are bound by confidentiality obligations and appropriate training.
4.4 Maintain a Subprocessor list, including their activities and locations, at https://trust.betterup.com/ (the “Subprocessor List”). Company consents to the use of these Subprocessors for the Services and authorizes BetterUp to engage Subprocessors as needed, with general consent from Company. The Subprocessor List includes a mechanism for Company to subscribe to receive notifications of updates to the list. If Company subscribes, BetterUp will provide Company at least 30 days’ notice before engaging any new Subprocessors. Company may object to a new Subprocessor on reasonable data protection grounds by submitting a written objection within 30 days of receiving the notice. BetterUp will work in good faith to resolve the objection by offering a commercially reasonable change to the Services or configuration. If no resolution is reached within 60 days, Company may terminate the impacted Services and receive a refund for any prepaid fees covering the remainder of the term. If Company does not provide a timely objection notice, Company will be deemed to have authorized BetterUp’s use of the Subprocessor and to have waived its right to object. BetterUp will enter into a written agreement with each Subprocessor that contains data protection obligations equivalent to those in this DPA. BetterUp will remain liable for the actions and omissions of its Subprocessors as if performing the Services directly.
4.5 Reasonably assist Company in fulfilling its obligations under Data Protection Laws. Upon written request, BetterUp will provide information necessary to demonstrate compliance with this DPA. BetterUp will avoid any Processing that could lead to Company’s non-compliance and will promptly notify Company if it considers an instruction to infringe upon Data Protection Laws.
5. Security breach response and notification
5.1 In the event of a Security Breach, BetterUp will: notify Company; investigate, mitigate, and remediate the breach; and cooperate with Company in any related litigation or regulatory actions. BetterUp’s breach notification and response will not constitute an admission of fault or liability. These obligations exclude Security Breaches caused by Company.
5.2 Upon discovering a Security Breach, BetterUp will notify Company without undue delay. The notification will include, if known: (a) the nature of the breach, including the categories and approximate number of affected Data Subjects and Personal Data records; (b) measures taken or planned to mitigate the breach; (c) any recommended actions for Company; and (d) BetterUp’s designated contact for breach-related communications. If BetterUp cannot provide all details initially, it will share additional information as it becomes available.
5.3 Notices regarding Security Breaches or other obligations under this DPA should be directed to the legal contact specified in the signature block of this DPA.
6. Data transfers
6.1 The Parties acknowledge that transfers of Personal Data to countries or territories deemed adequate by relevant data protection authorities do not require a separate transfer mechanism. For any transfers of Personal Data from a jurisdiction requiring a valid transfer mechanism to a country not subject to an adequacy decision (“Restricted Transfers”), the SCCs will apply as outlined below.
6.2 Transfers from the European Economic Area (“EEA”). When a Restricted Transfer is made from the EEA, the SCCs are incorporated into this DPA and apply as follows:
- Module One applies where both Parties are Controllers, and Module Two applies where Company is a Controller and BetterUp is a Processor.
- In Clause 7, the optional docking clause will not apply.
- In Clause 9(a) of Modules One and Two, Option 2 will apply, and the period for prior notice of Subprocessor changes is specified in Section 4.4 of this DPA.
- In Clause 11(a), the optional language will not apply.
- In Clause 17, Option 1 will apply, and the governing law will be the law of the Netherlands.
- In Clause 18(b), disputes will be resolved before the courts of the Netherlands.
- Annex I of the SCCs is completed using the information provided in Appendix A of this DPA.
- Annex II is completed with the security measures outlined in Appendix B of this DPA.
6.3 Transfers from Switzerland. For Restricted Transfers from Switzerland, the SCCs will apply with the following modifications:
- References to the GDPR will be understood as references to the Swiss Federal Act on Data Protection (“FADP”). References to specific provisions of the GDPR are to be understood as references to the equivalent provisions of the FADP.
- References to “Member State” will be interpreted to include Switzerland, and references to the “competent supervisory authority” will refer to the Swiss Federal Data Protection and Information Commissioner.
- For data transfers governed by Swiss Data Protection Laws, the SCCs also apply to the transfer of information relating to an identifiable legal entity where such information is protected similarly to Personal Data under Swiss Data Protection Laws, until such laws are amended to no longer apply to a legal entity.
- Data Subjects in Switzerland will have the right to enforce the SCCs and seek remedies in Switzerland.
6.4 Transfers from the United Kingdom. When Restricted Transfers are made from the United Kingdom, the International Data Transfer Addendum issued by the UK Information Commissioner’s Office (“UK Addendum”) is incorporated into this DPA and will apply as follows:
- Table 1: The Parties’ details and key contact information are as set out in Appendix A of this DPA.
- Table 2: The selected SCCs are the Standard Contractual Clauses, including the modules and clauses selected and as amended by Section 6.2.
- Table 3: The Appendices and Annexes are those set out in Appendices A and B of this DPA.
- Table 4: Neither Party may terminate the UK Addendum as set out in Section 19 of the UK Addendum.
- The governing law will be the laws of England and Wales, and any disputes will be resolved before the courts of England and Wales.
6.5 Data Privacy Framework Certification. BetterUp is certified under the EU-U.S. Data Privacy Framework (“DPF”), the Swiss-U.S. Data Privacy Framework, and the UK Extension to the EU-U.S. Data Privacy Framework. BetterUp complies with the DPF Principles for the transfer of Personal Data from the EEA, Switzerland, and the United Kingdom to the United States. This certification serves as an adequate legal basis for such transfers under Data Protection Laws. BetterUp will maintain its DPF certification and adhere to the DPF Principles throughout the duration of the Agreement, unless the framework is invalidated or becomes unavailable.
6.6 General Terms Applicable to Data Transfers. The following terms apply to all Restricted Transfers covered by Section 6:
- BetterUp may engage Subprocessors as outlined in Section 4.4 of this DPA.
- Neither Party will engage in any onward transfer of Personal Data to a third party located outside the EEA, Switzerland, or the UK unless it complies with the terms of the SCCs or another valid transfer mechanism recognized under Data Protection Laws.
7. Liability and indemnity
7.1 Neither Party will be liable for any liabilities, claims, or amounts resulting from the other Party’s acts or omissions. Each Party agrees to indemnify, defend, and hold harmless the other Party from all liabilities, claims, and amounts arising from its own breach of this DPA or Data Protection Laws, provided that the indemnifying Party may elect to assume control of the defense of any claim without admitting fault. In such cases, the indemnifying Party may choose to cover the defense costs while reserving the right to seek reimbursement or reallocate liability and costs after a final determination of fault. If a determination of fault is reached and liability is found to rest with the other Party, the indemnifying Party will have the right to recover reasonable costs and expenses proportional to the other Party’s fault.
7.2 Each Party’s aggregate liability arising out of or related to this DPA, whether in contract, tort, or any other theory of liability, is subject to the limitation of liability provisions in the Agreement. In the absence of an agreed liability cap in the Agreement, each Party’s total liability will not exceed the total fees paid by Company under the Agreement in the 12 months preceding the event giving rise to the claim.
8. Term and termination
8.1 This DPA is effective as of the effective date of the Agreement. The DPA will remain in effect for the duration of the Agreement and will automatically expire upon termination of the Agreement or upon the deletion of all Personal Data as described in this DPA, whichever occurs later.
8.2 Where BetterUp is a Data Processor, BetterUp will delete or return Personal Data to Company upon request and delete all existing copies thereof, except where retention is required under Data Protection Laws.
9. Conflict. In the event of any conflict or inconsistency between the terms of the Agreement, this DPA, and the SCCs, the order of precedence will be as follows: first, the SCCs; second, this DPA; and third, the Agreement.
***
In witness whereof, the authorized representatives of the Parties hereto have executed and delivered this DPA.
COMPANY:
By:
Name:
Title:
Date:
Email for Notices:

BETTERUP, INC.
By:
Name:
Title:
Date:
Email for Notices: compliance@betterup.co
***
Appendix A: Description of Processing
1. List of Parties

| | Data Exporter and Importer | Data Exporter and Importer |
|---|---|---|
| Name | BetterUp, Inc. | Company |
| Address | 3100 E 5th Street, Suite 350, Austin, Texas 78792, USA | As set forth in the Agreement |
| Contact Details | Meredith Speece, Head of Legal and Privacy, compliance@betterup.co | Contact details for Data Importer are specified in this DPA’s signature block. |
2. Data Processing Details

| | Details |
|---|---|
| Roles | Company: Controller. BetterUp: Processor and Controller. |
| Nature and Purpose of Processing | BetterUp processes data to provide, support, and improve the Services for the benefit of the User and to provide analytics and additional reporting to Company. |
| Categories of Data Subjects | Employees and other personnel of Company. |
| Types of Personal Data | Company Data and User Data. Optional data shared by Users: details that a User may elect to share. |
| Sensitive Data | BetterUp as Processor: None transferred. BetterUp as Controller: User Data may include sensitive information, such as well-being or health-related details, along with other content provided by the User (e.g., free-text entries or interactions that enable personalized services). This data is strictly for User-related services and is not shared with the Company. |
| Frequency of Transfer | Continuous. |
| Duration of Processing | BetterUp as Processor: Duration of the Agreement. BetterUp as Controller: Duration of the Agreement, subject to BetterUp’s data retention policies. |
| Purpose of Transfers | BetterUp as Processor: Provide Services per the Agreement. BetterUp as Controller: Deliver Services directly to Users and provide analytics to Company. |
| Transfers to Subprocessors | BetterUp may engage Subprocessors as outlined in Section 4.4 of the DPA. |
| Competent Supervisory Authority | Dutch Data Protection Authority (Autoriteit Persoonsgegevens). |
***
Appendix B: Technical and organizational measures
BetterUp’s technical and organizational measures include the following.
1. Access controls
Access to systems and network devices is granted based on a documented and approved request process, adhering to the principle of least privilege. Permissions are granted based on documented business needs and role-based access.
- Remote access to platform servers and management systems requires single sign-on and multi-factor authentication.
- User access rights are reviewed periodically, including quarterly revalidation, to confirm that access permissions align with job responsibilities. Any exceptions identified are promptly remediated.
- User access is revoked upon termination of employment.
2. Personnel controls
BetterUp enforces personnel security through established policies and procedures.
- Employees undergo background checks and screenings prior to employment.
- Confidentiality agreements are signed at the start of employment.
- Security training courses are completed upon hire and annually thereafter.
- Sensitive tasks are subject to separation of duties, ensuring no single individual has full control over critical actions.
- System access is revoked upon termination of employment.
- Industry-standard password policies are followed to ensure system and data security.
3. Audit
BetterUp undergoes annual SOC 2 Type 2 and ISO 27001 assessments conducted by independent auditors. These reports, along with other security documentation, are available to Company security personnel and auditors to provide assurance of the security measures in place. Current audit reports and security documents can be requested and accessed through the BetterUp Customer Trust Portal at https://trust.betterup.com/.
4. Data security
BetterUp maintains administrative, technical, and physical safeguards to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.
- Policies, procedures, and relevant tooling are in place for managing encryption mechanisms, keys, and cryptographic operations.
- Industry-standard encryption is employed for data at rest (AES-256 or better) and in transit (TLS 1.2 or better) across public networks.
- Company’s Personal Data is logically segregated in the production environment.
5. Change management
BetterUp maintains policies and procedures for implementing changes to the Services, including underlying infrastructure, code, and system components, that support agile development principles.
- Changes undergo a review and approval process per BetterUp’s Change Management policy.
- A separate environment for testing and development is maintained, distinct from the production environment.
- Version control software is used to manage and track source code versions for the BetterUp Platform.
6. Threat and vulnerability management
BetterUp implements policies and procedures to identify, assess, prioritize, and mitigate security threats and vulnerabilities in its systems.
- Regular vulnerability scans are performed and issues are addressed according to BetterUp’s Threat and Vulnerability Management policy.
- Annual penetration tests are conducted and identified vulnerabilities are remediated according to BetterUp’s Threat and Vulnerability Management policy.
- Security patches are applied according to a regular patching schedule.
7. Business continuity
BetterUp maintains business continuity, backup, and disaster recovery plans to minimize service disruptions. These plans are tested annually. Data replication and backup services are provided by AWS, BetterUp’s cloud IaaS provider. Authorized personnel have access to backup services, scheduling utilities, and regions. Where applicable, data stored within AWS is replicated across geographically separate availability zones.
8. Monitoring
A real-time monitoring utility and service suite tracks changes to resources and services used within the production environment.
- Intrusion detection and prevention systems are implemented to continuously monitor public-facing assets.
- BetterUp monitors the health of its laptops, office networks, and systems to ensure operational security.
- Alerts generated by the monitoring utility are promptly investigated and potential security issues are handled according to defined incident response procedures.