DATA PROCESSING AGREEMENT (DPA)
Last updated: March 2026
This Data Processing Agreement applies when Up Network Maroc processes personal data on behalf of its clients.
| 🗂 What This Page Is For
When Up Network Maroc provides services that involve processing personal data on behalf of a client — such as managing advertising campaigns, building websites, or implementing analytics — we act as a Data Processor under GDPR and Moroccan Loi n° 09-08. This page explains our data processing commitments, lists the sub-processors we use, and tells you how to request our full Data Processing Agreement (DPA) for signature. A signed DPA is required whenever we process personal data on your behalf. Our DPA template is available on request and can be adapted to your specific engagement. |
1. Our Role as Data Processor
In many of our client engagements, Up Network Maroc acts as a Data Processor, meaning we process personal data strictly on your instructions and on your behalf. You, as the client, remain the Data Controller and are responsible for determining the purposes and means of processing.
This arrangement is governed by a written Data Processing Agreement (DPA) executed between Up Network Maroc and each client before any processing of personal data begins. The DPA is compliant with:
- Article 28 of Regulation (EU) 2016/679 (GDPR)
- Moroccan Loi n° 09-08 relative à la protection des données à caractère personnel
- Decree n° 2-09-165 implementing Loi n° 09-08
If you are a client whose services involve personal data processing and you do not yet have a signed DPA with us, please contact us at privacy@upnetworkmaroc.com.
2. Our Core Data Processing Commitments
As your Data Processor, Up Network Maroc commits to the following standards in every engagement involving personal data:
| ✓ Instructions Only
We process personal data only on your documented instructions. We will never use your clients’ data for our own purposes. |
✓ Confidentiality
All staff and contractors with access to personal data are bound by strict, enforceable confidentiality obligations. |
| ✓ Security Measures
We implement technical and organisational security measures (TOMs) appropriate to the risk, including encryption, access controls, and regular security reviews. |
✓ Breach Notification
If a personal data breach affects your data, we will notify you within 48 hours of becoming aware, giving you time to meet your own 72-hour regulatory obligation. |
| ✓ Data Subject Rights
We assist you in responding to data subject rights requests (access, deletion, portability, etc.) within agreed timeframes. |
✓ Deletion on Termination
At the end of a service engagement, we securely delete or return all personal data within 30 days and provide written confirmation. |
| ✓ Sub-processor Transparency
We maintain a public list of all sub-processors (see Section 3). You are notified 14 days before any new sub-processor is added. |
✓ Audit Rights
We support your right to audit our compliance with the DPA, including providing security documentation and facilitating inspections with reasonable notice. |
3. Sub-processor Register
In the course of providing our services, Up Network Maroc may engage the following third-party sub-processors. All sub-processors are bound by data processing agreements and must meet standards equivalent to our own. This list is kept current and updated whenever changes are made.
Last updated: March 2026
| Sub-processor | Service Provided | Data Processed | Location | Transfer Safeguard |
| Cloudflare, Inc. | CDN, DDoS protection, Web Application Firewall | IP addresses, HTTP request metadata | United States | Standard Contractual Clauses (SCCs) |
| Matomo | Privacy-focused web analytics | Anonymised / pseudonymised usage data | EU / Self-hosted | DPA / No transfer if self-hosted |
| WordPress / Automattic | Content Management System (CMS) | Session data, user account data | USA / EU | SCCs where applicable |
| WooCommerce | E-commerce and order management | Order data, transactional records | USA / EU | SCCs where applicable |
| Email Service Provider | Transactional and marketing email delivery | Email address, name | EU (or SCCs) | DPA + SCCs |
| Payment Processor | Payment gateway (PCI-DSS certified) | Transaction reference only (no raw card data) | Per provider | PCI-DSS + DPA |
We will notify all clients with active DPAs at least 14 calendar days before adding or replacing any sub-processor, giving you the opportunity to object.
4. International Data Transfers
Some of the sub-processors listed above are located outside Morocco and the European Economic Area (EEA), notably Cloudflare in the United States. Where personal data is transferred internationally, Up Network Maroc ensures that appropriate safeguards are in place:
- Standard Contractual Clauses (SCCs) as approved by the European Commission, incorporated into our sub-processor agreements
- Adequacy decisions recognised by the CNDP (Morocco) or the European Commission where applicable
- Transfer Impact Assessments (TIAs) conducted where required by applicable law
No personal data is transferred to a third country without an adequate legal mechanism in place.
5. Services That May Involve Data Processing
A DPA is required when Up Network Maroc provides any of the following services on your behalf:
| Service | Typical Personal Data Involved |
| Digital marketing & ad campaign management | Audience data, email lists, customer identifiers, cookie/pixel data |
| Social media management | Social profile data, engagement data, ad audience segments |
| Website development & administration | User account data, contact form submissions, session data |
| Analytics implementation | Anonymised visitor data, IP addresses, behavioural data |
| Email marketing services | Email addresses, names, engagement metrics, preferences |
| E-commerce operations | Customer names, addresses, order history, payment references |
| IT consulting & system integration | Depends on systems involved — specified in Annex I of the DPA |
If you are unsure whether your engagement requires a DPA, contact us at privacy@upnetworkmaroc.com and we will advise you.
6. How to Request and Sign a DPA
Our Data Processing Agreement is a bilateral contract tailored to each client engagement. The process is straightforward:
| Step | Action | Details |
| 1 | Contact us | Email privacy@upnetworkmaroc.com with the subject line “DPA Request” and a brief description of the services you require |
| 2 | Receive the DPA template | We will send you our standard DPA template within 3 business days, pre-populated with Up Network Maroc’s details |
| 3 | Complete Annex I | You complete the processing description in Annex I, specifying the data categories, data subjects, and purposes relevant to your engagement |
| 4 | Review and negotiate | You may review the DPA with your legal counsel. We are open to reasonable amendments where required by your compliance framework |
| 5 | Sign and return | Both parties sign the DPA. The signed DPA becomes effective immediately and is stored securely by both parties |
| 6 | Annual review | We recommend reviewing the DPA annually or whenever the scope of processing materially changes |
7. Security at a Glance
The following is a summary of the key technical and organisational security measures (TOMs) Up Network Maroc maintains. Full details are provided in Annex II of the signed DPA.
| Security Area | Measure in Place |
| Data in transit | TLS 1.2 / 1.3 (HTTPS) enforced on all endpoints; HSTS enabled |
| Data at rest | Encryption or equivalent protection where technically feasible |
| Access control | Role-based access (RBAC); least privilege; MFA on admin systems |
| Network protection | Cloudflare WAF, DDoS mitigation, firewall rules |
| Backup & recovery | Automated daily backups with tested recovery procedures |
| Incident response | Documented breach response procedure; 48-hour client notification |
| Staff | Confidentiality agreements; annual data protection training |
| Vendor management | DPA required before sub-processor engagement; security review |
8. Contact
For all DPA requests, data protection queries, or questions about how we process personal data on your behalf:
| Up Network Maroc — Data Protection
DPA Requests & Data Protection: privacy@upnetworkmaroc.com Subject line: “DPA Request” or “Data Protection Enquiry” General Enquiries: contact@upnetworkmaroc.com Website: www.upnetworkmaroc.com We aim to respond to all DPA requests within 3 business days. |
Related Legal Documents
Privacy Policy • Cookie Policy • Terms and Conditions • Legal Notice • Acceptable Use Policy