UpFront Risk Solutions
Plain English on purpose. If anything here is unclear, email scott@upfrontrisk.io and I'll fix it.
Data Processing Addendum

DPA — for agencies, wholesalers, and carriers.

Last updated: April 22, 2026

If your compliance team needs a DPA on file before you can share data with me, this is that document. It covers how UpFront Risk Solutions, LLC ("Processor") handles personal data on behalf of you ("Controller") when you use the RiskWritr platform. Countersignature available on request.

1. Roles

For personal data that you submit about your clients, employees, or other third parties, you are the Controller and I am the Processor. I process that data only on your documented instructions — which, in practice, are the workflows you trigger: demo, risk review, quote, proposal, placement.

For personal data about you personally (your contact info, your agency profile), I'm an independent Controller for my own operational purposes; see the Privacy Policy.

2. Scope of processing

Subject matter:     Insurance intake, enrichment, narrative, appetite matching, proposal, and CRM functions provided by RiskWritr.
Duration:           For the term of our engagement plus the retention window in the Retention Policy.
Nature & purpose:   Storage, hosting, transmission, processing, analysis, enrichment, and generation of insurance documents on your instruction.
Data categories:    Contact data, business/firmographic data, insurance exposure data (premiums, losses, schedules), policy data, document metadata. May include limited special-category data where present in source documents (e.g., workers-comp injury descriptions).
Data subjects:      Your employees, your clients / insureds and their employees, drivers, tenants, named parties, beneficiaries.

3. My obligations as Processor

I will:

  • Process personal data only on your documented instructions.
  • Ensure anyone with access is bound by confidentiality obligations.
  • Implement appropriate technical and organizational measures — see the Security page for specifics.
  • Assist you, as reasonably necessary, with data subject requests.
  • Assist you with security notifications, DPIAs, and regulator inquiries.
  • On termination or your written request, delete or return all personal data processed on your behalf, subject to retention requirements described in Section 7.
  • Make available information necessary to demonstrate compliance.

4. Sub-processors

You authorize me to use the sub-processors below. I remain fully liable for their performance.

Sub-processor                   Purpose                                                        Location
Supabase, Inc.                  Managed Postgres + object storage for uploads                  AWS us-east-1
Vercel, Inc.                    Application hosting and edge delivery                          US
Copper CRM, Inc.                Submission metadata in CRM (Leads, Contacts, Opportunities)    US
GitHub, Inc.                    Source control (no customer data stored in code)               US
Transactional email provider    Notifications to me when you submit                            US

I'll give you 30 days' notice before adding a new sub-processor that processes Controller personal data. If you object with a reasonable, data-protection-grounded reason, we'll work in good faith to resolve it. If we can't, you can terminate without penalty.

5. International transfers

Data is stored and processed in the United States. For transfers from the EEA, UK, or Switzerland, the EU Standard Contractual Clauses (2021/914) and the UK International Data Transfer Addendum are incorporated by reference and, where applicable, form part of this DPA, with me as data importer and you as data exporter. Module 2 applies where you are the Controller. Where required, I'll execute the SCCs on signature request.

6. Security incidents

If I become aware of a confirmed breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Controller personal data, I will notify you without undue delay, and in any case within 72 hours of becoming aware. I'll include the facts I have, likely consequences, and mitigation steps. You remain responsible for any notification to regulators and data subjects, and I'll reasonably assist.

7. Return or deletion on termination

On termination or at your written request, I'll delete or return all Controller personal data within 30 days, except where law or regulation requires retention (e.g., insurance record-keeping, tax, litigation hold). See the Retention Policy for specifics.

8. Audits

On reasonable prior written notice, and no more than once per 12-month period (except following a security incident), I'll respond to a written audit questionnaire and, where necessary, support a remote audit call. Audits must be scoped to confirm compliance with this DPA, and can't disrupt the operations or security of other customers.

9. Data subject requests

If I receive a request from a data subject whose personal data I process on your behalf, I'll forward it to you within 5 business days and won't respond on the merits unless you direct me to. I'll assist you with the response as reasonably required.

10. Liability and order of precedence

This DPA supplements the Terms of Use. Where there's a conflict, this DPA controls for the handling of personal data. Liability for a breach of this DPA is governed by the liability provisions of the Terms of Use.

11. Countersignature

To get a countersigned PDF on your company paper, email scott@upfrontrisk.io with your entity name and authorized signatory. Turnaround is normally the same business day.

© 2026 UpFront Risk Solutions, LLC. Built by an agent, for agents.