ControlUp MSP Information Security Addendum

This Data Security Addendum (the “Addendum”) is incorporated by reference into the MSP Agreement between MSP and ControlUp (the “MSP Agreement”) and governs the processing, access, security, and confidentiality of MSP Data and Customer Data. Capitalized terms not defined in this Addendum shall have the meanings set forth in the Agreement or the DPA. Any reference in this Addendum to “ControlUp” shall mean the ControlUp contracting entity identified in the Agreement or Schedule.

  1. DATA PROCESSING AND SECURITY.

  1. Personal Data Processing.  To the extent MSP communicates any Customer Data to ControlUp that relates to an identified or identifiable individual (“Personal Data”), or ControlUp obtains access to any Personal Data, ControlUp shall only collect, access, use, store, disclose, transfer, or process such Personal Data: (a) to implement and deliver the ControlUp Offering; (b) as expressly permitted by MSP in the Agreement; or (c) as required by applicable law.

  2. Data Processing Agreement.  Processing of Personal Data shall be governed by the Data Processing Addendum, located at https://www.controlup.com/privacy-policy/dpa/ (the “DPA”), which is incorporated herein by reference.

  3. Security Safeguards.  ControlUp shall implement and maintain administrative, technical, and physical safeguards to protect the confidentiality, integrity, and availability of MSP Data and Customer Data. Such safeguards shall include, without limitation: (a) employee security training, background checks in accordance with applicable law, and confidentiality obligations; (b) encryption of Customer Data and MSP Data both at rest and in transit; (c) incident management and response procedures; and (d) third-party audits to validate internal controls.

  4. Access to Data.  ControlUp may access MSP Data or Customer Data solely to provide the ControlUp Offering, support MSP or End Customer usage, debug issues, or for information security purposes, in compliance with this Addendum and the DPA.

  5. Usage Data.  “Usage Data” includes configuration, analytic logs, and event data regarding how MSP or End Customers use the ControlUp Offering. ControlUp may use Usage Data to improve the ControlUp Offering, provide support, and perform analytics. Usage Data and Customer Data are confidential and subject to the Confidentiality Section of the Agreement.

  6. Data Export and Deletion.  Upon expiration or termination of all Subscriptions: (a) MSP may request export of Customer Data within thirty (30) days following expiration or termination (the “Data Retrieval Period”). MSP must notify ControlUp of such request within the Data Retrieval Period; (b) After the Data Retrieval Period, ControlUp shall have no obligation to retain such data and shall use commercially reasonable efforts to delete all MSP Data and Customer Data within thirty (30) days, unless prohibited by law.

  7. MSP Data Ownership.  All MSP Data, Customer Data, and information generated in connection with MSP operations (including logs, reports, and account data) are the exclusive property of MSP. ControlUp acquires no rights to MSP Data except as required to perform its obligations under the Agreement.

  8. MSP Responsibility.  MSP is solely responsible for ensuring its and its End Customers’ use of the ControlUp Offering complies with applicable laws and regulations governing Customer Data and Personal Data. MSP is also responsible for making MSP Data accessible to End Customers as required.

  9. Infringement Claims.  If ControlUp receives notice that MSP Data or activities related to MSP Data may infringe third-party rights or violate law, ControlUp may suspend or terminate services related to such data.

  2. SUBPROCESSORS.

  1. Third-party Service Providers.  ControlUp may engage third-party service providers (“Subprocessors”) to deliver hosting or other services supporting the ControlUp Offering. MSP acknowledges that: (a) Subprocessors operate under their own terms; (b) ControlUp does not provide warranties regarding Subprocessor services; (c) ControlUp is not required to impose the same terms of this Addendum on Subprocessors, provided that ControlUp maintains contractual arrangements with such Subprocessors that include commercially reasonable confidentiality, data protection, and security obligations consistent with industry standards; and (d) ControlUp shall have no liability for Subprocessor actions, except to the extent caused by ControlUp’s failure to select or monitor Subprocessors in accordance with industry standards.

  3. ARTIFICIAL INTELLIGENCE

  1. Use of Data.  ControlUp and its Affiliates may process MSP Data, and may engage authorized Subprocessors to process such data on their behalf, for the purpose of analyzing and assessing MSP’s usage, inputs, outputs, functionality, and feedback related to the ControlUp Offering. Such processing supports the maintenance, operation, enhancement, and improvement of the performance, security, and functionality of the ControlUp Offering. For any analytics, insights, or artificial-intelligence–related processing, ControlUp shall ensure that all application usage data used for such purposes is anonymized and aggregated so that it cannot reasonably identify any individual or specific MSP instance. ControlUp shall not disclose MSP Data except as permitted under this Agreement, nor use any personal information contained in inputs (such as user names) for such purposes. Nothing in this Section limits ControlUp’s obligations under applicable data-protection or privacy laws or under the Parties’ Data Processing Addendum. For clarity, ControlUp’s processing and use of MSP Data as described herein does not affect MSP’s ownership of MSP Data.

  2. Disclaimer.  MSP acknowledges that, due to the nature of AI technologies, any information, recommendations, insights, or outputs generated by AI-related functionality within the ControlUp Offering are provided “AS IS”, without any representations or warranties of any kind, whether express or implied.

  3. Authorization.  MSP represents and warrants that it possesses all necessary rights, title, interests, consents, and licenses in and to the MSP Data and hereby authorizes ControlUp to process such MSP Data as described in this Section and elsewhere in this Agreement.

  4. MSP Election to Disable AI Functionality.  MSP may elect, by written notice to ControlUp, to disable or opt out of AI functionality within the ControlUp Offering, to the extent such opt-out capability is made available by ControlUp. MSP acknowledges and agrees that opting out may result in limited, degraded, or unavailable features, analytics, insights, or automation capabilities and may negatively affect the performance, operation, or accuracy of the ControlUp Offering. ControlUp shall have no liability for any reduced functionality, performance issues, or inability to access or use certain features resulting from MSP’s election to disable AI functionality.

  4. AUDIT RIGHTS

  1. MSP Audits.  MSP may audit ControlUp once a year during normal business hours, upon reasonable notice, to verify compliance with the Agreement and applicable laws. Audits may include on-site inspections, review of architecture, systems, procedures, and records. Third-party auditors engaged by MSP must sign confidentiality agreements protecting ControlUp’s proprietary information.

  2. Regulatory Audits.  ControlUp shall provide regulators and law enforcement with reasonable notice, access to records relevant to compliance with applicable privacy, security, and regulatory obligations, including data protection requirements.

  3. Record Retention.  ControlUp shall maintain accurate records in accordance with generally accepted accounting principles for twelve (12) months after termination of the Agreement to facilitate audits and regulatory review.

  5. DISASTER RECOVERY AND BUSINESS CONTINUITY

  1. Disaster Recovery Plan.  ControlUp shall maintain a Business Continuity and Disaster Recovery Plan (“DR Plan”) to ensure continuity of services during crises. The DR Plan shall include: (a) infrastructure redundancy and backups; (b) procedures for activation, notification, and communication; (c) disaster recovery strategies and alternate site procedures; and (d) scheduled and unscheduled maintenance procedures.

  2. Testing and Reporting.  The DR Plan shall be tested at least annually. Upon MSP request, ControlUp shall provide an executive summary of test results and consider reasonable suggestions to address deficiencies.

  3. Incident Management.  ControlUp shall notify MSP within forty-eight (48) hours of any event materially impacting MSP Data or the ControlUp Offering. Both Parties shall cooperate to: (a) notify applicable regulatory authorities; (b) assess root causes; and (c) define and implement remediation measures.

  4. Information Security Program.  ControlUp shall implement and maintain an information security program aligned with SOC2 and/or ISO27001 standards. Upon MSP request or termination of the Agreement, ControlUp shall return or securely delete all MSP Data in its possession in accordance with applicable law.

  5. Outsourced Services.  If Services are considered “outsourced services” under applicable law, ControlUp shall implement appropriate internal controls and organizational and technical measures to ensure security, accessibility, integrity, and confidentiality of MSP Data.

  6. PROPRIETARY RIGHTS AND CONFIDENTIALITY

  1. MSP Data.  ControlUp shall not acquire any rights in MSP Data, and MSP Data shall be physically and logically segregated from data of other ControlUp customers. MSP Confidential Information may only be used to perform ControlUp’s obligations under the Agreement.

Last updated as of January 2026