Legal
Upstream Data Processing Addendum
Version: 1.0
Effective date: 2026-07-10
Last updated: 2026-07-11
This Data Processing Addendum ("DPA") is between ByteWorthy LLC, a Texas limited liability company offering the Upstream service ("Upstream" or "Processor"), and the organization that owns or controls the Upstream workspace governed by the Terms of Service or another Services Agreement ("Customer" or "Controller"). It applies when Upstream processes non-PHI Personal Data for Customer. It is incorporated into the Upstream Terms of Service version 1.1 effective July 11, 2026, and any order form that incorporates those Terms.
Protected Health Information is governed by the Business Associate Agreement ("BAA"), not this DPA, to the extent the same information is subject to HIPAA. If both documents apply, the BAA controls for PHI and this DPA applies to the remaining Personal Data.
1. Definitions
"Applicable Data Protection Law" means privacy and data-protection law that applies to the processing covered by this DPA. "Controller," "Data Subject," "Personal Data," "Process," "Processor," and "Supervisory Authority" have the meanings in Applicable Data Protection Law. "Subprocessor" means a third party Upstream engages to process Personal Data for Customer. "Security Incident" means a confirmed breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data processed for Customer.
2. Roles, Scope, and Instructions
Customer is Controller and Upstream is Processor for Personal Data Upstream processes on Customer's documented instructions. Each party is independently responsible for processing for which it determines the purposes and means, including its account administration, security, billing, and legal-compliance records.
The Services Agreement, Customer's configuration and approved actions, and lawful written instructions are Customer's documented instructions. Upstream will process Personal Data only on those instructions unless law requires otherwise. If legally permitted, Upstream will notify Customer before processing required by law. Upstream will promptly inform Customer if it reasonably believes an instruction violates Applicable Data Protection Law and may suspend the affected processing while the Parties resolve it.
Customer is responsible for the lawfulness, accuracy, and transparency of its instructions and for providing required notices and obtaining required rights or consents.
3. Processing Details
3.1 Subject Matter and Duration
The processing supports the Service, including account and workspace administration, payer and healthcare operations workflows, integrations, evidence and document workflows, approvals, transmissions, status tracking, outcome analysis, security, and support. Processing continues for the term of the Services Agreement and the limited return, deletion, backup, audit, or legal-hold period described there and in this DPA.
3.2 Nature and Purpose
Processing may include collecting, receiving, organizing, structuring, storing, retrieving, consulting, analyzing, de-identifying, transmitting, restricting, returning, and deleting Personal Data to provide, secure, support, and improve the Service as permitted by the Services Agreement.
3.3 Categories of Data Subjects
Data Subjects may include Customer's workforce and contractors, prospective authorized users, business contacts, payer and provider contacts, and individuals represented in Customer's non-PHI healthcare operations data. Patient or member information that is PHI remains governed by the BAA.
3.4 Categories of Personal Data
Personal Data may include names, work contact details, organization and role information, account identifiers, authentication and security records, device and usage information, support communications, provider and payer business information, workflow and approval metadata, and non-PHI content Customer directs Upstream to process. Payment-card data is handled through Stripe-hosted checkout and billing portal surfaces. Upstream receives only Stripe customer and tokenized payment references, not payment-card data.
3.5 Sensitive Data
Customer must not provide sensitive data except where the Service is designed and contractually authorized to process it. PHI is subject to the BAA. Credentials and authentication secrets are subject to the Service's designated secret-handling controls.
4. Confidentiality and Personnel
Upstream will limit Personal Data access to personnel who need it to provide, secure, or support the Service. Authorized personnel are bound by confidentiality duties and receive security and privacy training appropriate to their roles. Upstream remains responsible for their compliance with this DPA.
5. Security
Upstream will maintain technical and organizational measures appropriate to the risk, including as applicable:
- encryption in transit and designated sensitive-field encryption at rest;
- tenant scoping, role-based access, authentication, and least privilege;
- audit and security logging designed to exclude PHI and secrets from unprotected logs;
- vulnerability, dependency, change-management, backup, and recovery controls;
- incident detection, response, mitigation, and notification procedures;
- secret management and restrictions on production access; and
- vendor review and written protections for Subprocessors.
Upstream may update measures as technology and risk change, but will not materially reduce the overall level of protection during a paid term.
6. Security Incidents
Upstream will notify Customer without undue delay after confirming a Security Incident affecting Personal Data processed for Customer. The notice will include available information about the nature of the incident, affected data and people, likely consequences, mitigation, and a contact for follow-up. Upstream may provide information in phases and will take reasonable steps to contain, investigate, mitigate, and remediate the incident.
Notification is not an admission of fault. Unsuccessful attempts that do not compromise Personal Data are not Security Incidents under this DPA.
7. Subprocessors
Customer grants general authorization for the Subprocessors in the canonical Subprocessor List, version 1.0 effective July 10, 2026. Upstream will:
- contractually require each Subprocessor to protect Personal Data to a standard materially consistent with this DPA;
- remain responsible for the Subprocessor's processing to the extent required by Applicable Data Protection Law and the Services Agreement;
- maintain the Subprocessor List with the provider's function and data scope; and
- provide reasonable advance notice before a new Subprocessor begins materially different processing of Customer Personal Data.
Customer may object on reasonable data-protection grounds by notifying privacy@upstream.cx during the notice period. The Parties will work in good faith on a reasonable alternative. If none is commercially reasonable, either party may terminate the affected Service without penalty for the unused prepaid period.
8. Data Subject Requests
Taking into account the nature of processing, Upstream will provide reasonable assistance for Customer to respond to requests to access, correct, delete, restrict, object to processing of, or port Personal Data. If Upstream receives a request concerning Personal Data it processes only for Customer, it will refer the requester to Customer unless law prohibits doing so. Customer is responsible for deciding and communicating the response.
9. Compliance Assistance
Taking into account the nature of processing and information available to Upstream, Upstream will provide reasonable assistance with Customer's obligations concerning security, breach response, data-protection impact assessments, and consultation with a Supervisory Authority. Assistance beyond standard documentation or support may be subject to reasonable fees agreed in advance.
10. Demonstrating Compliance and Audits
Upstream will make available information reasonably necessary to demonstrate compliance with this DPA. Customer may first use current independent reports, certifications, summaries, policies, and questionnaire responses. If those are insufficient for a specific, documented concern, Customer may request one audit per year on reasonable advance notice, during normal business hours, and in a manner that protects other customers, security, and confidentiality.
Additional audits are permitted after a Security Incident affecting Customer or where a Supervisory Authority requires one. Customer bears its audit costs unless the audit identifies a material breach by Upstream. No audit permits access to another customer's data, credentials, vulnerability details that would create material risk, or information Upstream is legally prohibited from disclosing.
11. Return and Deletion
At termination or Customer's lawful instruction, Upstream will return or delete Personal Data processed for Customer unless law requires retention. Customer may request an available export during the export period in the Services Agreement. Protected backups may retain data until their documented lifecycle expires, provided the data remains protected, is isolated from ordinary use, and is not restored except for disaster recovery or legal necessity.
If law requires retention, Upstream will retain only the necessary Personal Data, protect it under this DPA, and use it only for the legally required purpose.
12. International Transfers
This DPA does not by itself create an international data-transfer mechanism. Customer must not transfer Personal Data to Upstream where Applicable Data Protection Law requires Standard Contractual Clauses, a United Kingdom transfer addendum, or another transfer mechanism until the Parties execute or validly incorporate that mechanism and complete any required transfer assessment.
If the Parties later execute a transfer addendum, it will control over this DPA solely for the covered transfer.
13. Liability, Priority, and Term
The liability limitations, governing law, and dispute provisions in the Services Agreement apply to this DPA to the maximum extent permitted by Applicable Data Protection Law. This DPA controls over conflicting Services Agreement terms regarding Processor obligations for non-PHI Personal Data. The BAA controls for PHI.
This DPA begins when incorporated into the Services Agreement and continues while Upstream processes Personal Data for Customer. Provisions that by their nature govern retained data, confidentiality, audits, liability, or deletion survive termination.
14. Contact
Privacy and DPA notices: privacy@upstream.cx
Legal notices: legal@upstream.cx
ByteWorthy LLC
220 Town Park Avenue
Princeton, TX 75407-9846
United States
End of Data Processing Addendum version 1.0.