Data Processing Addendum
Effective date: 03.06.2026
This Data Processing Addendum ("DPA") forms part of and supplements the Terms of Use (the "Agreement") between you (the "Client") and Getmany Software LLC ("Getmany," "we," "us," or "our"). It governs the processing of personal data that we carry out on the Client's behalf when the Client uses our Model Context Protocol (MCP) server and related API to search and access Upwork job data (the "Services").
For the purposes of this DPA, and to the extent that we process personal data on the Client's behalf and under the Client's instructions, the Client acts as the "controller" and Getmany acts as the "processor," as those terms are defined under the EU General Data Protection Regulation ("GDPR"). Where there is a conflict between this DPA and the Agreement with respect to data protection, this DPA prevails.
The processing of personal data for which Getmany acts as a controller in its own right (for example, account, billing, and usage data described in our Privacy Policy) is governed by that Privacy Policy and not by this DPA.
1. SUBJECT MATTER AND DURATION
The subject matter of the processing is the provision of the Services to the Client. We process personal data on the Client's behalf for the duration of the Agreement and for as long as we provide the Services to the Client, after which the processing terminates subject to the deletion and return provisions below.
2. NATURE AND PURPOSE OF PROCESSING
We process personal data only as necessary to provide the Services: namely, to operate the MCP server and API that let the Client's AI agents and MCP clients search and access Upwork job postings and related public job data, and to surface that data to the Client through the Services.
3. CATEGORIES OF DATA SUBJECTS AND PERSONAL DATA
The personal data processed on the Client's behalf under this DPA is determined by the Client's use of the Services. It typically includes:
- Categories of data subjects: job posters and clients on Upwork and other individuals whose information appears in publicly available Upwork job postings returned through the Services.
- Categories of personal data: business and contact information contained in public Upwork job postings, such as job-poster or client names, business details, job descriptions, and other public job data surfaced through the Services.
We do not require or intend to process special categories of personal data (sensitive data) under Article 9 of the GDPR through the Services.
4. PROCESSOR OBLIGATIONS
When acting as a processor, we will:
- process personal data only on the Client's documented instructions, including as set out in the Agreement and this DPA, unless required to do otherwise by applicable law (in which case we will inform the Client, unless that law prohibits it);
- ensure that persons authorised to process the personal data are bound by appropriate obligations of confidentiality;
- implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 of the GDPR (see Section 5);
- taking into account the nature of the processing, assist the Client with appropriate measures, insofar as possible, to respond to data-subject requests and to meet the Client's obligations under Articles 32–36 of the GDPR;
- make available to the Client the information necessary to demonstrate compliance with these obligations.
5. SECURITY MEASURES (ARTICLE 32)
We implement and maintain appropriate technical and organisational measures to protect personal data, including:
- encryption of personal data in transit and at rest;
- access controls limiting access to personal data on a need-to-know basis, with authentication and least-privilege principles;
- regular backups and measures to restore the availability of and access to personal data in a timely manner following an incident;
- ongoing measures to ensure the confidentiality, integrity, availability, and resilience of the systems that process personal data.
6. SUB-PROCESSORS
The Client grants Getmany general authorisation to engage the sub-processors listed below to process personal data in connection with the Services. We impose data-protection obligations on each sub-processor that are no less protective than those set out in this DPA, and we remain responsible for the performance of each sub-processor's obligations. We will inform the Client of any intended changes concerning the addition or replacement of sub-processors, giving the Client the opportunity to object.
| Sub-processor | Purpose |
|---|---|
| Google Cloud Platform (Google LLC) | Cloud hosting — database and API/MCP servers |
| Vercel Inc. | Hosting — web app and marketing site |
| Cloudflare, Inc. | DNS, CDN, DDoS protection |
| Stripe (Stripe, Inc. / Stripe Technology Europe, Ltd) | Payment processing |
| Customer.io (Peaberry Software, Inc.) | Transactional email |
| PostHog (PostHog, Inc.) | Product analytics |
| Google LLC | Google OAuth sign-in |
| GitHub, Inc. | GitHub OAuth sign-in |
| Slack Technologies, LLC | Support-chat relay (optional) |
7. INTERNATIONAL TRANSFERS
Where the processing of personal data under this DPA involves a transfer to a country outside the European Economic Area (EEA) that is not subject to an adequacy decision, we ensure that appropriate safeguards are in place, in particular the European Commission's Standard Contractual Clauses (SCCs). Where required for transfers subject to UK data protection law, the SCCs are supplemented by the UK International Data Transfer Addendum issued by the UK Information Commissioner.
8. DATA-SUBJECT REQUESTS
Taking into account the nature of the processing, we will assist the Client by appropriate technical and organisational measures, insofar as this is possible, in fulfilling the Client's obligation to respond to requests from data subjects exercising their rights under the GDPR. If we receive such a request directly from a data subject in relation to data we process on the Client's behalf, we will promptly inform the Client and will not respond to the request ourselves except on the Client's documented instructions or as required by law.
9. PERSONAL DATA BREACH NOTIFICATION
We will notify the Client without undue delay after becoming aware of a personal data breach affecting personal data processed on the Client's behalf, and will provide the Client with information reasonably available to us to assist the Client in meeting its breach-notification obligations under the GDPR.
10. DELETION OR RETURN OF DATA
Upon termination of the Services, and at the Client's choice, we will delete or return all personal data processed on the Client's behalf and delete existing copies, unless applicable law requires us to retain the personal data.
11. AUDIT RIGHTS
We will make available to the Client the information necessary to demonstrate compliance with the obligations set out in this DPA and will allow for and contribute to audits, including inspections, conducted by the Client or an auditor mandated by the Client, on reasonable prior notice and subject to appropriate confidentiality obligations.
12. CONTACT AND SIGNATURE
For any matter relating to this DPA, including to request its execution or to exercise the rights described above, please contact us at support@getmany.com.ua.
Getmany Software LLC
- Registered in the State of Wyoming, USA, registration number 35-2841890;
- Address: 30 NGOULD ST STE R, SHERIDAN, WY 82801-6317-301;
- Phone: +1 906 680 9581;
- Email: support@getmany.com.ua
- Signed by: Kyrylo Kozak, CEO.