Data Processing Addendum

Effective: April 6, 2026  ·  Applies to all merchants on Umbrella  ·  Supersedes all prior DPAs

Part One — Readable

The short version

In plain English: When you use Umbrella, your customers give us their names, emails, order details, and sometimes photos of broken products. We process that information only to run your warranty program — nothing else.

We don't sell it. We don't use it to train models. We don't share it beyond the vendors we need to deliver the service. And if something goes wrong, we'll tell you within 72 hours.

This page is Umbrella's Data Processing Addendum (DPA). It forms part of your agreement with Umbrella and governs how we handle personal data on your behalf. It's binding whether you sign a copy or accept it through our Terms of Service.

The top of this page — Part One — explains what's in the DPA in normal language. The rest — Part Two and the schedules — is the full legal text, written to satisfy enterprise procurement teams, EU regulators, and California's privacy statute.

What we do with your customers' data

We collect names, email addresses, shipping addresses, phone numbers, order details, and — when a claim is filed — photos and descriptions of the problem. We use all of it for one purpose: to run your warranty program. That means issuing policies, processing claims, sending status updates to your customers, and keeping the records that warranty and insurance law requires us to keep.

What we don't do

We don't sell your customers' data. We don't share it with anyone outside the sub-processors listed below. We don't use it to train AI models. We don't combine it with data from other sources to build profiles. We don't ask for payment card numbers — those flow through your payment processor, not us.

How we keep it safe

Everything is encrypted in transit (TLS) and at rest (AES-256). Access inside Umbrella is role-based and requires multi-factor authentication. Our infrastructure runs on SOC 2 / ISO 27001-certified cloud providers. Schedule 2 lists every control in detail.

Your customers' rights

If a customer asks you to access, correct, delete, or export their data, we'll help you respond. If they come to us directly, we'll send them back to you — you're the controller of the relationship, and those requests are yours to honor.


Part Two — The Formal DPA

The text below is the binding Data Processing Addendum. Capitalized terms are defined in Section 1.

This Data Processing Addendum ("DPA") forms part of, and is subject to, the Umbrella Terms of Service or other written or electronic agreement between Umbrella and Customer governing Customer's access to and use of the Services (the "Agreement"). It reflects the parties' agreement regarding the Processing of Personal Data by Umbrella on behalf of Customer in connection with the Services.

This DPA is entered into between Umbrella, operating the platform at myumbrella.ai ("Umbrella" or "Processor"), and Customer, the merchant or business entity identified in the Agreement ("Customer" or "Controller"), each a "Party" and together the "Parties."

Section 1 — Definitions

Capitalized terms not defined here have the meanings given in the Agreement.

Applicable Data Protection Laws
All laws and regulations applicable to the Processing of Personal Data under the Agreement, including (as applicable): (a) Regulation (EU) 2016/679 ("GDPR"); (b) the UK General Data Protection Regulation and the UK Data Protection Act 2018 (together, "UK GDPR"); (c) the Swiss Federal Act on Data Protection; and (d) the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act ("CCPA/CPRA"), together with any other U.S. state privacy laws applicable to the Processing.
Business
Has the meaning given in the CCPA/CPRA.
Controller
The entity that determines the purposes and means of Processing of Personal Data, including a "Business" under the CCPA/CPRA.
Customer Personal Data
Personal Data contained within Customer Data that Umbrella Processes on behalf of Customer in connection with the Services.
Data Subject
The identified or identifiable natural person to whom Personal Data relates, including a "Consumer" under the CCPA/CPRA.
EEA
The European Economic Area.
EU SCCs
The Standard Contractual Clauses approved by the European Commission in Decision 2021/914 of 4 June 2021, as amended or superseded from time to time.
Personal Data
Any information relating to an identified or identifiable natural person that constitutes "personal data," "personal information," or an equivalent term under Applicable Data Protection Laws.
Processing
(and its cognates Process, Processed, and Processes) Any operation or set of operations performed on Personal Data, whether or not by automated means.
Processor
The entity that Processes Personal Data on behalf of the Controller, including a "Service Provider" under the CCPA/CPRA.
Restricted Transfer
A transfer of Personal Data from the EEA, United Kingdom, or Switzerland to a country that has not been recognized as providing an adequate level of protection under Applicable Data Protection Laws.
Security Incident
Any confirmed accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data transmitted, stored, or otherwise Processed by Umbrella or its Sub-processors.
Services
The products and services provided by Umbrella to Customer under the Agreement, including the warranty and protection plan platform, claims administration, policy issuance, and related functionality.
Sub-processor
Any third party engaged by Umbrella or its Affiliates to Process Customer Personal Data on behalf of Customer.
UK IDTA
The International Data Transfer Addendum to the EU SCCs issued by the UK Information Commissioner under Section 119A of the UK Data Protection Act 2018.

Section 2 — Roles & Scope of Processing

2.1 Roles of the Parties. With respect to Customer Personal Data, the Parties agree that Customer is the Controller (and, where applicable, a Business), Umbrella is the Processor (and, where applicable, a Service Provider), and Umbrella will engage Sub-processors in accordance with Section 6. Where Customer is itself a Processor acting on behalf of a third-party Controller, Umbrella will act as the Sub-processor of that Controller.

2.2 Customer Instructions. Umbrella will Process Customer Personal Data only (a) in accordance with Customer's documented lawful instructions as set forth in the Agreement and this DPA, (b) as necessary to provide and support the Services, (c) as required to comply with applicable law, or (d) as otherwise agreed in writing. The Agreement, including this DPA, constitutes Customer's complete and final documented instructions to Umbrella. Additional instructions outside the scope of the Agreement require prior written agreement and may be subject to additional fees.

2.3 Subject Matter and Details of Processing. The subject matter, duration, nature, and purpose of the Processing, the types of Personal Data, and the categories of Data Subjects are described in Schedule 1.

2.4 Customer Responsibilities. Customer represents and warrants that (a) it has complied and will continue to comply with its obligations under Applicable Data Protection Laws, including providing all required notices and obtaining all required consents; (b) its instructions to Umbrella comply with Applicable Data Protection Laws; and (c) Customer Personal Data has been collected and transferred to Umbrella lawfully.

2.5 Unlawful Instructions. Umbrella will inform Customer if, in Umbrella's opinion, an instruction infringes Applicable Data Protection Laws. Umbrella may suspend performance of such instruction (without liability) until the instruction is confirmed, modified, or withdrawn.

Section 3 — CCPA / CPRA Service Provider Obligations

3.1 Service Provider Status. To the extent Umbrella Processes Personal Data subject to the CCPA/CPRA, the Parties acknowledge that Customer discloses such Personal Data to Umbrella solely for the limited and specified business purposes described in Schedule 1, and Umbrella acts as a Service Provider.

3.2 Restrictions. Umbrella shall not (a) sell or share Personal Data, as those terms are defined under the CCPA/CPRA; (b) retain, use, or disclose Personal Data outside of the direct business relationship with Customer or for any purpose other than the business purposes specified in the Agreement and Schedule 1; or (c) combine Personal Data received from or on behalf of Customer with Personal Data received from or on behalf of any other person, except as permitted by the CCPA/CPRA.

3.3 Certification. Umbrella certifies that it understands the restrictions in this Section 3 and will comply with them.

3.4 Cooperation. Umbrella will reasonably cooperate with Customer to enable Customer to comply with its obligations under the CCPA/CPRA, including requests from Data Subjects to know, delete, correct, limit use of sensitive Personal Data, or opt out of sale or sharing.

3.5 Notice of Non-Compliance. Umbrella will notify Customer promptly if it determines it can no longer meet its obligations under the CCPA/CPRA, and Customer may take reasonable and appropriate steps to stop and remediate unauthorized Processing.

Section 4 — Confidentiality & Security

4.1 Confidentiality of Personnel. Umbrella will ensure that personnel authorized to Process Customer Personal Data are bound by appropriate obligations of confidentiality (whether contractual or statutory) and have received appropriate training.

4.2 Security Measures. Umbrella will implement and maintain appropriate technical and organizational measures to protect Customer Personal Data against Security Incidents, as described in Schedule 2. Umbrella may update such measures from time to time provided the overall level of protection is not materially diminished.

4.3 Security Incidents. Umbrella will notify Customer without undue delay, and where feasible within seventy-two (72) hours, after becoming aware of a confirmed Security Incident affecting Customer Personal Data. Notification will include, to the extent known: (a) the nature of the Security Incident, (b) the categories and approximate number of Data Subjects and records concerned, (c) likely consequences, and (d) measures taken or proposed. Umbrella will cooperate with Customer to meet Customer's notification obligations. Umbrella's notification is not an acknowledgment of fault or liability.

Section 5 — Data Subject Rights & Assistance

5.1 Data Subject Requests. Taking into account the nature of the Processing, Umbrella will provide reasonable assistance to Customer, by appropriate technical and organizational measures and insofar as possible, to enable Customer to respond to Data Subject rights requests (access, rectification, erasure, restriction, portability, objection).

5.2 Redirected Requests. If Umbrella receives a request directly from a Data Subject relating to Customer Personal Data, Umbrella will promptly inform the Data Subject that the request should be directed to Customer, and will not otherwise respond except as legally required or as instructed by Customer.

5.3 DPIAs and Prior Consultation. Umbrella will provide reasonable assistance to Customer with data protection impact assessments and prior consultations with supervisory authorities, solely in relation to Umbrella's Processing and taking into account the information available to Umbrella.

5.4 Costs. To the extent permitted by Applicable Data Protection Laws, Umbrella may charge a reasonable fee for assistance that is disproportionate or outside the ordinary scope of the Services.

Section 6 — Sub-processors

6.1 General Authorization. Customer grants Umbrella general written authorization to engage Sub-processors. A current list is maintained in Schedule 3 and at myumbrella.ai/subprocessors.

6.2 Notice of New Sub-processors. Umbrella will provide notice of any intended addition or replacement of Sub-processors at least fifteen (15) days in advance, via email, in-app notice, or update to the Sub-processors page.

6.3 Objection Right. Customer may object in writing within fifteen (15) days of notice, on reasonable, documented grounds relating to the Sub-processor's ability to comply with Applicable Data Protection Laws. The Parties will work together in good faith to resolve the objection. If no resolution is reached, Customer's sole remedy is to terminate the affected Services without penalty by written notice to Umbrella; termination will be effective at the end of the then-current billing period.

6.4 Sub-processor Obligations. Umbrella will enter into a written agreement with each Sub-processor containing data protection obligations no less protective than those in this DPA to the extent applicable. Umbrella remains liable for the acts and omissions of its Sub-processors to the same extent Umbrella would be liable if performing the services directly under this DPA.

Section 7 — International Data Transfers

7.1 Transfer Mechanisms. To the extent Customer's use of the Services involves a Restricted Transfer, such transfer is subject to an appropriate transfer mechanism under Applicable Data Protection Laws. The Parties will rely, in order of precedence, on (a) an applicable adequacy decision, (b) the EU SCCs, (c) the UK IDTA, or (d) any other lawful mechanism.

7.2 EU SCCs. The EU SCCs are incorporated into this DPA by reference and apply to Restricted Transfers from the EEA. For purposes of the EU SCCs: (a) Module Two (Controller to Processor) applies where Customer is a Controller; (b) Module Three (Processor to Processor) applies where Customer is itself a Processor; (c) Clause 7 (docking clause) is included; (d) in Clause 9, Option 2 (general written authorization) is selected with the notice period in Section 6.2; (e) in Clause 11, the optional independent dispute resolution mechanism is not selected; (f) in Clause 17, the governing law is the law of Ireland; (g) in Clause 18, the courts of Ireland will resolve disputes; and (h) Annexes I, II, and III are completed by reference to Schedules 1, 2, and 3 respectively.

7.3 UK Transfers. Restricted Transfers from the United Kingdom are governed by the UK IDTA, which is incorporated by reference. Schedules 1, 2, and 3 complete the relevant tables of the UK IDTA.

7.4 Swiss Transfers. Restricted Transfers from Switzerland are governed by the EU SCCs as modified to apply to such transfers (including by reading references to the GDPR as references to the Swiss Federal Act on Data Protection and replacing the competent supervisory authority with the Swiss FDPIC).

7.5 Conflict. In the event of any conflict between this DPA and the EU SCCs or UK IDTA, the EU SCCs or UK IDTA (as applicable) will prevail.

Section 8 — Audits & Compliance

8.1 Audit Reports. Umbrella will make available to Customer, upon written request and subject to confidentiality obligations, information reasonably necessary to demonstrate compliance with this DPA, including summaries of third-party audit reports, penetration test summaries, or independent certifications (e.g., SOC 2, ISO 27001) to the extent Umbrella holds them.

8.2 On-Site Audits. Where information under Section 8.1 is insufficient to demonstrate compliance with Applicable Data Protection Laws, Customer may, upon at least thirty (30) days' prior written notice and no more than once per twelve (12) month period (except where required by a supervisory authority or following a Security Incident), conduct an audit of Umbrella's data protection practices. Audits will: (a) be during regular business hours, (b) be subject to Umbrella's reasonable confidentiality and security requirements, (c) not unreasonably interfere with Umbrella's business, (d) not involve access to any other customer's data or Umbrella's unrelated proprietary information, and (e) be at Customer's sole cost, except where the audit reveals a material breach by Umbrella.

8.3 SCC Audits. This Section 8 does not modify or limit Customer's audit rights under the EU SCCs where applicable.

Section 9 — Return & Deletion of Personal Data

9.1 Deletion on Termination. Upon termination or expiration of the Agreement, Umbrella will, at Customer's choice, delete or return all Customer Personal Data (including existing copies) in its possession, unless applicable law requires further storage. Customer may request return or deletion by written notice within thirty (30) days of termination; afterwards, Umbrella may delete Customer Personal Data in the ordinary course.

9.2 Retention for Legal Obligations. Notwithstanding Section 9.1, Umbrella may retain Customer Personal Data to the extent required by applicable law, including for defending or asserting legal claims or complying with warranty or insurance-related recordkeeping obligations, provided such retained data remains subject to this DPA's confidentiality and security obligations.

9.3 Certification. Upon written request, Umbrella will certify in writing that it has complied with its deletion obligations under this Section 9.

Section 10 — General Provisions

10.1 Liability. Each Party's liability arising out of or related to this DPA is subject to the limitations and exclusions of liability in the Agreement. Any reference in the Agreement to the liability of a Party means the aggregate liability under the Agreement and this DPA together.

10.2 Order of Precedence. In the event of any conflict between this DPA and the Agreement, this DPA prevails with respect to the Processing of Customer Personal Data. In the event of any conflict between this DPA and the EU SCCs or UK IDTA, the EU SCCs or UK IDTA prevail.

10.3 Updates. Umbrella may update this DPA from time to time to reflect changes in Applicable Data Protection Laws or Umbrella's Services, provided updates do not materially reduce the protections afforded to Customer Personal Data.

10.4 Severability. If any provision is held invalid or unenforceable, the remaining provisions remain in full force and effect.

10.5 Governing Law. This DPA is governed by the governing law of the Agreement, except that the EU SCCs and UK IDTA are governed as set forth in Section 7 and the instruments themselves.

10.6 Entire Agreement. This DPA, together with the Agreement and its Schedules, constitutes the entire agreement between the Parties regarding the Processing of Customer Personal Data.


Schedule 1

Details of Processing

This Schedule forms part of the DPA and, where applicable, completes Annex I of the EU SCCs.

A. List of Parties

Data exporter: Customer, as identified in the Agreement. Role: Controller (or Processor, where applicable). Activities relevant to the transfer: receipt of the Services from Umbrella.

Data importer: Umbrella, operator of the warranty and protection plan platform at myumbrella.ai. Role: Processor (or Sub-processor, where applicable). Activities relevant to the transfer: provision of the Services.

B. Description of Transfer & Processing

Subject matter: Provision of the Umbrella warranty and protection plan platform, including policy issuance, claims administration, customer support, and related SaaS functionality.
Duration: The term of the Agreement, plus any period required for return or deletion under Section 9.
Nature & purpose: Collection, storage, hosting, retrieval, analysis, disclosure to Sub-processors, and other Processing operations necessary to provide the Services, administer warranty policies and claims, communicate with Data Subjects, and comply with legal obligations.
Categories of Data Subjects: End customers of Customer who purchase or are offered warranty or protection plan products; claimants and their authorized representatives; Customer's personnel and authorized users of the Services.
Categories of Personal Data: Identification and contact data (name, email, postal address, phone); transaction data (order ID, product, date, price, plan); warranty claim data (issue description, photos or documents, claim status, resolution); device and session data (IP address, device identifier, browser, cookies); communication data (support and claim correspondence); and authorized user account credentials. Umbrella does not request or require payment card numbers.
Special categories: None requested or required. Data Subjects may voluntarily submit information as part of a claim that could in limited cases include sensitive or health-related information (e.g., in a product-caused injury claim). Customer is responsible for the lawful collection of any such information.
Frequency: Continuous for the term of the Agreement.
Retention: Customer Personal Data is retained for the term of the Agreement and thereafter in accordance with Section 9 and any legal obligations applicable to warranty and insurance records.

C. Competent Supervisory Authority

For Restricted Transfers subject to the EU SCCs, the competent supervisory authority is the Irish Data Protection Commission. For UK Restricted Transfers, the competent supervisory authority is the UK Information Commissioner's Office.


Schedule 2

Technical & Organizational Measures

This Schedule forms part of the DPA and, where applicable, completes Annex II of the EU SCCs. Measures describe the technical and organizational security measures implemented by Umbrella, taking into account the state of the art, cost of implementation, nature and purposes of Processing, and risks to Data Subjects.

Access control: Role-based access control with least privilege; unique user accounts; multi-factor authentication for administrative access; annual access reviews; prompt revocation on role change or termination.
Authentication: Strong password requirements; multi-factor authentication for production and administrative systems; SSO support for Customer users where applicable; secure credential storage using industry-standard hashing.
Encryption in transit: TLS 1.2 or higher for all Customer Personal Data transmitted over public networks, including browser traffic, APIs, and webhooks.
Encryption at rest: AES-256 (or equivalent) encryption for databases, backups, and object storage, using keys managed by a reputable cloud KMS.
Network security: Firewall and security group configurations; segregation of production and non-production environments; DDoS protection from the underlying cloud infrastructure; intrusion detection and logging.
Application security: Secure SDLC with peer code review, dependency monitoring, and automated vulnerability scanning; mitigation of OWASP Top 10; periodic third-party penetration testing.
Logging & monitoring: Centralized audit logging of access to production systems and Customer Personal Data; tamper-resistant log storage; automated alerting; defined retention periods.
Physical security: Umbrella does not operate its own data centers. Production systems are hosted in SOC 2 / ISO 27001-certified cloud facilities with physical access controls, environmental safeguards, and redundancy.
Data segregation: Logical separation of Customer data within shared multi-tenant infrastructure using tenant identifiers and application-layer access control.
Backups & resilience: Automated, encrypted backups with defined retention; periodic restore testing; documented business continuity and disaster recovery procedures with defined recovery objectives.
Personnel security: Background checks (where permitted by law); written confidentiality obligations; mandatory security and privacy training at onboarding and annually.
Vendor management: Risk-based due diligence on Sub-processors; written data protection obligations; periodic compliance review.
Incident response: Documented incident response plan with defined roles, escalation, investigation, and notification workflows; periodic tabletop exercises; post-incident reviews.
Data deletion: Defined processes for deletion of Customer Personal Data upon termination or request, across primary databases, backups (within backup retention lifecycle), and logs (within log retention lifecycle).
Governance: Designated personnel responsible for information security and data protection; documented policies reviewed annually; privacy-by-design and security-by-design integrated into product development.

Umbrella may update these measures from time to time to reflect the state of the art, provided the overall level of protection is not materially diminished.


Schedule 3

Sub-processors

This Schedule forms part of the DPA and, where applicable, completes Annex III of the EU SCCs. The table below describes the categories of Sub-processors engaged by Umbrella to Process Customer Personal Data as of the Effective Date. The current, up-to-date list (including specific entity names and addresses) is maintained at myumbrella.ai/subprocessors.

Cloud infrastructure (e.g., AWS, Google Cloud). Purpose: Hosting of production application, databases, object storage, and backups. Location: United States.
Database & data platform. Purpose: Managed database and caching services supporting the Services. Location: United States.
Transactional email. Purpose: Delivery of transactional emails to Data Subjects and Customers (policy confirmations, claim updates, support). Location: United States.
Error monitoring & logging. Purpose: Application performance monitoring, error tracking, and log aggregation. Location: United States.
Analytics & product telemetry. Purpose: In-product usage analytics to operate and improve the Services. Location: United States.
Customer support platform. Purpose: Receipt and management of support and claim correspondence. Location: United States.
Payment processor. Purpose: Processing of premium or fee payments where applicable; payment card data is handled directly by the processor and is not accessible to Umbrella. Location: United States.
Claims administration partners. Purpose: Administration, adjudication, and fulfillment of warranty claims, where engaged. Location: United States.
Underwriting / insurance partners. Purpose: Underwriting of protection plans where applicable. Location: United States.

Customer may subscribe to notifications of changes to the Sub-processor list at the URL above. Umbrella remains liable for the acts and omissions of its Sub-processors in accordance with Section 6.4.


Questions

Email privacy@myumbrella.ai for any data protection question — DSARs, security incidents, enterprise DPA negotiation, or just clarification.