Upfirst, Inc. (known as "Upfirst”) • Upfirst.ai
Contact: privacy@upfirst.ai • (833) 564‑4778
3250 NE 1st Ave, Unit 305, Miami, FL 33137
Last Updated: August 12, 2025
This Data Processing Addendum (“Addendum”) forms part of the Upfirst Privacy Policy and the online Terms of Service (together, the “Agreement”). This Addendum applies to the operation of https://upfirst.ai (the “Site”) and Upfirst’s AI virtual answering platform, related APIs, and support services (collectively, the “Service”), operated on behalf of Upfirst’s business customers (each, a “Client”), with regard to the Processing of Personal Data in accordance with applicable Data Protection Laws.
This Addendum applies where, and only to the extent that, Upfirst processes Client or Customer Data that is subject to Data Protection Laws on behalf of Client as a Data Processor in the course of providing the Service pursuant to the Agreement.
“Account Users” means any individual accessing and/or using the Service through Client’s account as authorized by Client.
“Upfirst” means Upfirst, Inc., doing business as “Upfirst”.
“Customer Data” means any Personal Data that Upfirst processes as a Data Processor on behalf of Client.
“Data Controller” (or “controller”) means the entity which determines the purposes and means of the Processing of Personal Data. Client is the Data Controller with respect to Customer Data.
“Data Processor” (or “processor”) means the entity which Processes Personal Data on behalf of the Data Controller. Upfirst is the Data Processor with respect to Customer Data under EU/UK Data Protection Laws, and a “Service Provider” under the California Consumer Privacy Act as amended by the California Privacy Rights Act (together, the “CPRA”).
“Data Protection Laws” means EU/UK Data Protection Laws and, to the extent applicable, the data protection or privacy laws of the United States of America and its states, including without limitation the CPRA, or of any other applicable country.
“EU/UK Data Protection Laws” means (i) Regulation (EU) 2016/679 (General Data Protection Regulation, “GDPR”); (ii) Directive 2002/58/EC (ePrivacy Directive) and applicable national implementations; and (iii) the UK GDPR and the UK Data Protection Act 2018, each as amended, superseded, or replaced from time to time.
“Personal Data” has the meaning given in the applicable Data Protection Laws, provided that, with respect to this Addendum, the reference is to Personal Data Processed in relation to Client’s access to and use of the Service.
“Request” means a written request from a Data Subject to exercise his/her specific data subject rights under the Data Protection Laws with respect to Personal Data.
“Service” means Upfirst’s AI virtual answering platform and related web properties, APIs, and support services.
“Sub‑processor” means any Data Processor engaged by Upfirst to assist in fulfilling its obligations with respect to providing the Service pursuant to the Agreement or this Addendum.
The terms “Data Subject,” “Member State,” “Processing,” “Process,” and “Supervisory Authority” shall have the same meaning as in the GDPR, and cognate terms shall be construed accordingly.
The parties acknowledge and agree that, with regard to the Processing of Personal Data, Client is the Data Controller of Customer Data, and Upfirst will Process Customer Data only as a Data Processor acting on the documented instructions of Client.
Client shall (i) comply with the Data Protection Laws and its obligations as a Data Controller under the Data Protection Laws in respect of its use of the Service; (ii) maintain a legally adequate privacy policy and notices for each website, application, device, software application, and/or communication channel owned or controlled by Client that connects to the Service; and (iii) provide notice, respond to individual rights requests, and obtain all legally required rights, releases, and consents to allow Customer Data to be collected, Processed, stored, used, transmitted, and disclosed as contemplated by the Agreement and this Addendum. Client shall have sole responsibility for the accuracy, quality, and legality of Customer Data and the means by which Client acquires and uses Customer Data.
Upfirst shall Process Customer Data only on behalf of and in accordance with Client’s instructions, including Processing initiated by Account Users in their use of the Service. Upfirst will implement and maintain appropriate technical and organizational measures designed to protect Customer Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, appropriate to the risk.
(a) Subject matter: Customer Data.
(b) Duration: As between Upfirst and Client, the duration of the Processing under this Addendum is the term of the Agreement, unless otherwise required by applicable law.
(c) Purpose: The provision of the Service to Client and the performance of Upfirst’s obligations under the Agreement (including this Addendum) or as otherwise agreed by the parties.
(d) Nature of the Processing: Ingestion, handling, routing, and management of inbound interactions; where enabled by Client and permitted by law, recording and transcription of calls/voicemails; extraction and formatting of information; storage and retrieval; analytics necessary to provide the Service; and other Processing necessary to provide AI virtual answering functionality.
(e) Categories of Data Subjects: Account Users and individuals who interact with Client via channels integrated with the Service (e.g., callers and other end users) (collectively, “End Users”).
(f) Categories of Customer Data:
Client and Account Users: Account User login credentials; name; role; business name; phone number; email address; website; physical address; payment and billing information (e.g., credit card details processed via payment providers); IP address and device/usage information; and URL or account configuration information.
End Users: To the extent determined by Client based on Client’s configuration and use of the Service, which may include, at Client’s sole discretion: contact information (e.g., name, phone number, email); interaction metadata (e.g., date/time, duration, from/to numbers); audio recordings and voicemails (where enabled); transcripts and summaries generated by the Service; and other content Client elects to capture or provide.
(g) Sources of Customer Data: Provided by Client, Account Users, and End Users; generated by the Service (e.g., transcripts/summaries); and automatically collected via the Service. Customer Data is stored on systems controlled by Upfirst and/or its Sub‑processors.
The Service may provide Client with functions to retrieve, correct, delete, or restrict Customer Data to assist Client with its obligations under Data Protection Laws, including responding to Requests from Data Subjects or supervisory authorities. To the extent Client is unable to independently access the relevant Customer Data within the Service, Upfirst will provide reasonable cooperation to assist Client, at Client’s cost to the extent legally permissible, to respond to such Requests relating to the Processing of Personal Data under the Agreement and this Addendum.
If any such Request is made directly to Upfirst, Upfirst will not respond to the Request without Client’s prior authorization, unless legally compelled to do so. If Upfirst is required to respond to such a Request, Upfirst will promptly notify Client and provide a copy of the Request unless legally prohibited from doing so.
Where a Request is made under U.S. state privacy laws (including the CPRA), the requesting consumer may have rights that include, as applicable, the right to know/access, to delete, to correct, to opt‑out of certain uses, and to non‑discrimination. Upfirst may collect information from the requesting party to verify identity and authority. Upfirst will respond within the time period required by applicable law (currently 45 days under the CPRA, which may be extended where reasonably necessary as permitted by law), and any frequency limits permitted by law may apply.
Upfirst does not “sell” or “share” Customer Data as those terms are defined by the CPRA, and does not disclose Customer Data to third parties except to Sub‑processors and as necessary to provide the Service, comply with law, or with Client’s instructions.
If a law enforcement agency or other government body sends Upfirst a demand for Customer Data (e.g., subpoena or court order), Upfirst will attempt to redirect the requester to seek the data directly from Client. As part of this effort, Upfirst may provide the requester with Client’s basic contact information. If compelled to disclose Customer Data, Upfirst will give Client reasonable notice to allow Client to seek a protective order or other appropriate remedy unless Upfirst is legally prohibited from doing so.
Data Requests may be submitted to Upfirst at privacy@upfirst.ai or by calling (833) 564‑4778. Requests may also be mailed to: Upfirst, Inc., 3250 NE 1st Ave, Unit 305, Miami, FL 33137.
Client acknowledges and agrees that Upfirst may engage third‑party Sub‑processors in connection with the provision of the Service. Upfirst will impose data protection obligations on such Sub‑processors that are at least as protective as those set out in this Addendum. Any such Sub‑processor will be permitted to access Customer Data only to the extent needed to deliver the Service. None of the Customer Data is used for promotional purposes or shared with third parties for their promotional purposes. Upfirst maintains a current list of Sub‑processors and will make it available to Client upon request.
5.1 Except for the changes made by this Addendum, the Agreement remains unchanged and in full force and effect. If there is any conflict between this Addendum and the Agreement, this Addendum will prevail to the extent of the conflict.
5.2 Claims. Any claims brought under or in connection with this Addendum will be subject to the terms and conditions, including but not limited to the exclusions and limitations, set forth in the Agreement. Other than liability that may not be limited under applicable law, each party’s aggregate liability arising out of or related to this Addendum, whether in contract, tort, or under any other theory, is subject to the “Limitation of Liability” section of the Agreement, and any reference in such section to the liability of a party means the aggregate liability of that party under the Agreement and all addenda together.
5.3 No Third‑Party Beneficiaries. No one other than a party to this Addendum, its successors, and permitted assignees will have any right to enforce any of its terms. Any claims against Upfirst under this Addendum will be brought solely against the Upfirst entity that is a party to the Agreement. Client further agrees that any regulatory penalties or other liability incurred by Upfirst in relation to the Customer Data that arise as a result of, or in connection with, Client’s failure to comply with its obligations under this Addendum or any applicable Data Protection Laws will count toward and reduce Upfirst’s liability under the Agreement as if it were liable to Client under the Agreement.
5.4 Governing Law. This Addendum will be governed by and construed in accordance with the governing law and jurisdiction provisions in the Agreement, unless required otherwise by applicable Data Protection Laws.
This Addendum becomes legally binding between Client and Upfirst when agreed to as described in the Agreement.
Upfirst’s Privacy Policy and this Addendum will be kept current and updated at least annually.
