Updated June 10, 2026

Data Processing Addendum

Learn about Untitled UI’s Data Processing Addendum (DPA), including GDPR and CCPA/CPRA compliance, subprocessors, security measures, international data transfers, and enterprise privacy protections.

This Data Processing Addendum (“DPA”) forms part of and is incorporated into the agreement between Sisyphus Ventures Pty Ltd (ACN 655 466 729), trading as Untitled UI® (ABN 65 655 466 729) (“Untitled UI”, “Company”, “Processor”, “we”, “us”, or “our”), and the entity agreeing to this DPA (“Customer”, “Controller”, or “you”).

This DPA applies to the extent Untitled UI Processes Personal Data on behalf of Customer in connection with Customer’s use of:

This DPA supplements and forms part of the applicable Terms & Conditions, License Agreement, Enterprise User License Agreement (EULA), Order Form, or other agreement governing Customer’s use of the Services (the “Agreement”).

By executing an Agreement incorporating this DPA or using the Services, Customer agrees to this DPA.

1. Definitions

For purposes of this Agreement:

“Applicable Data Protection Laws”

Means all laws and regulations applicable to the Processing of Personal Data under the Agreement, including where applicable:

  • Regulation (EU) 2016/679 (“GDPR”);
  • The UK GDPR;
  • The Australian Privacy Act 1988 (Cth);
  • The California Consumer Privacy Act (“CCPA”), as amended by the CPRA; and
  • Any successor or related legislation.

“Controller”

Means the entity that determines the purposes and means of Processing Personal Data.

“Processor”

Means the entity that Processes Personal Data on behalf of a Controller.

“Personal Data”

Means any information relating to an identified or identifiable natural person Processed by Untitled UI on behalf of Customer under the Agreement.

“Processing” or “Process”

Shall have the meaning given under Applicable Data Protection Laws.

“Security Incident”

Means any confirmed unauthorized access to, acquisition of, disclosure of, alteration of, or destruction of Personal Data Processed by Untitled UI under this DPA.

“Subprocessor”

Means any third party engaged by Untitled UI to Process Personal Data on behalf of Customer in connection with the Services.

Capitalized terms not otherwise defined in this DPA shall have the meanings given in the Agreement.

2. Scope and Roles of the Parties

2.1 Relationship of the Parties

The parties acknowledge and agree that:

  • Customer acts as a Controller, or a Processor acting on behalf of another Controller; and
  • Untitled UI acts as a Processor solely to the extent it Processes Personal Data on behalf of Customer in connection with the Services.

Customer acknowledges that Untitled UI may also act as an independent Controller with respect to Personal Data processed for:

  • Account administration;
  • Authentication and access management;
  • Customer support;
  • Abuse prevention;
  • Fraud prevention;
  • Analytics;
  • Service improvement;
  • Legal compliance;
  • Security monitoring;
  • Enforcement of contractual rights;
  • Intellectual property enforcement; and
  • Other legitimate business purposes.

2.2 Merchant of Record

Customer acknowledges and agrees that all payment processing activities relating to the Services are handled exclusively by Polar.sh acting as Merchant of Record.

Polar acts as an independent Controller with respect to:

  • Payment processing;
  • Invoicing;
  • Tax collection;
  • VAT/GST compliance;
  • Fraud prevention;
  • Payment authorization;
  • Financial compliance; and
  • Related transaction processing activities.

Untitled UI does not directly collect, process, transmit, or store:

  • Payment card information;
  • Bank account information; or
  • Regulated payment authentication data.

Payment-related Personal Data is governed by Polar’s own privacy policies, legal terms, and data processing documentation, including the Polar Data Processing Addendum.

3. Subject Matter and Nature of Processing

3.1 Subject Matter

Untitled UI provides digital design assets, software component libraries, repositories, authentication systems, enterprise access controls, and related infrastructure and support services.

3.2 Nature and Purpose of Processing

Untitled UI may Process Personal Data for purposes including:

  • User authentication;
  • Account administration;
  • Repository access management;
  • Enterprise license provisioning;
  • Customer support;
  • Infrastructure hosting;
  • Analytics and diagnostics;
  • Security monitoring;
  • Logging and auditing;
  • Backup and restoration;
  • Abuse prevention;
  • Anti-piracy and license enforcement; and
  • Operation of the Services.

3.3 Categories of Personal Data

Depending on the nature of the Services provided and Customer’s configuration and usage of the Services, Untitled UI may process the following categories of Personal Data on behalf of Customer:

Account and Authentication Data

Including names, email addresses, organization details, login records, authentication events, and access credentials.

Usage and Audit Log Data

Including account activity, workspace actions, IP addresses, browser and device information, timestamps, feature usage, and related security or operational events.

Support and Communication Data

Including information submitted through customer support requests, onboarding, account management, or other communications with Untitled UI.

Billing and Subscription Metadata

Including subscription status, license tier, transaction references, and related account metadata processed in connection with the Services.

Technical and Diagnostic Data

Including telemetry, performance metrics, error logs, crash reports, API requests, and infrastructure monitoring data used to maintain, secure, and improve the Services.

3.4 Excluded Financial Data

Untitled UI does not directly process or store:

  • Payment card information;
  • Bank account information; or
  • Regulated payment authentication data.

Payment processing is handled by third-party payment providers.

3.5 Customer Responsibility

Customer controls the categories of Personal Data submitted to the Services and is responsible for ensuring that its use of the Services complies with applicable Data Protection Laws.

3.6 Configurable Logging and Data Minimization

Upon written request, Untitled UI may, where technically feasible, limit, minimize, anonymize, modify, or disable certain categories of telemetry, analytics, or audit logging for Customer’s workspace in accordance with Customer’s privacy, security, or compliance requirements.

Certain minimal security, authentication, fraud prevention, abuse prevention, and operational logs may continue to be processed where necessary to maintain the security, integrity, and lawful operation of the Services.

3.7 Categories of Data Subjects

Data subjects may include:

  • Employees;
  • Contractors;
  • Administrators;
  • Authorized users; and
  • Support contacts.

3.8 Restricted Data

Customer shall not submit to the Services any:

  • Special categories of Personal Data under GDPR;
  • Protected health information;
  • Biometric information;
  • Government-issued identification numbers;
  • Payment card data;
  • Banking credentials; or
  • Other highly sensitive regulated information,

unless expressly authorized in writing by Untitled UI.

Customer acknowledges that the Services are not designed for Processing highly sensitive regulated data.

4. Customer Responsibilities

Customer represents, warrants, and agrees that:

  • It has all necessary rights, permissions, consents, and lawful bases to provide Personal Data to Untitled UI;
  • Its instructions comply with Applicable Data Protection Laws;
  • It shall comply with all obligations applicable to Controllers under Applicable Data Protection Laws; and
  • It shall not instruct Untitled UI to Process Personal Data in violation of applicable law.

Customer is solely responsible for:

  • The legality, quality, and accuracy of Personal Data submitted to the Services;
  • Configuring the Services appropriately for its intended use; and
  • Responding to data subject requests unless otherwise required by law.

5. Processing Instructions

Untitled UI shall Process Personal Data only:

  • In accordance with Customer’s documented lawful instructions;
  • As necessary to provide, maintain, support, and secure the Services;
  • As required by applicable law; or
  • As otherwise permitted under the Agreement.

The Agreement, this DPA, and Customer’s use and configuration of the Services constitute Customer’s complete and final instructions to Untitled UI regarding the Processing of Personal Data.

Untitled UI may refuse any instruction that:

  • Violates applicable law;
  • Creates unreasonable security risks; or
  • Materially interferes with the security or operation of the Services.

6. Confidentiality

Untitled UI shall ensure that personnel authorized to Process Personal Data:

  • Are subject to appropriate confidentiality obligations; or
  • Are under an appropriate statutory duty of confidentiality.

Access to Personal Data shall be limited to personnel with a legitimate business need to access such data.

7. Security

7.1 Security Measures

Untitled UI shall implement and maintain commercially reasonable technical, administrative, and organizational safeguards designed to protect Personal Data against accidental or unlawful:

  • Destruction;
  • Loss;
  • Alteration;
  • Unauthorized disclosure; or
  • Unauthorized access.

Such safeguards may include:

  • Restricted production access limited to authorized personnel;
  • Least-privilege access principles (e.g. separation of service-role and user-scoped database access);
  • Row-level security on the application database;
  • Encryption of data in transit (HTTPS/TLS) and at rest;
  • Authentication protections, including hashing of API and provisioning credentials;
  • Infrastructure and application logging, audit trails, and health monitoring;
  • Automated daily database backups with restore capability; and
  • Security-focused operational practices.

7.2 No Absolute Security Guarantee

Customer acknowledges that:

  • No system, infrastructure, or method of electronic transmission or storage can be guaranteed completely secure; and
  • Untitled UI does not warrant or guarantee absolute security of Personal Data.

8. Subprocessors

8.1 Authorization

Customer authorizes Untitled UI to engage Subprocessors in connection with the operation and delivery of the Services.

8.2 Subprocessor List

Untitled UI maintains a current list of Subprocessors at untitledui.com/subprocessors.

The Subprocessor list may be updated from time to time to reflect operational, infrastructure, security, or service-related changes.

8.3 Subprocessor Obligations

Untitled UI shall impose data protection obligations on Subprocessors that are materially consistent with the nature and purpose of the Processing they perform.

8.4 Independent Controllers

Customer acknowledges that certain third parties integrated with or related to the Services may act as independent Controllers rather than Subprocessors where they independently determine the purposes and means of Processing Personal Data.

Without limitation, Polar.sh acts as an independent Controller with respect to all payment-related processing activities.

9. International Data Transfers

Customer acknowledges and agrees that Personal Data may be transferred to and processed in countries outside the jurisdiction in which Customer or its users are located.

Where required under Applicable Data Protection Laws, Untitled UI shall implement appropriate safeguards for international transfers, including:

  • The European Commission Standard Contractual Clauses;
  • The UK International Data Transfer Addendum; or
  • Other legally recognized transfer mechanisms.

Such transfer mechanisms are incorporated into this DPA by reference where applicable.

10. Security Incidents

10.1 Notification

Untitled UI shall notify Customer without undue delay after becoming aware of a confirmed Security Incident affecting Personal Data Processed under this DPA.

10.2 Incident Information

To the extent reasonably available, Untitled UI may provide:

  • The nature of the Security Incident;
  • Categories of affected Personal Data;
  • Known or reasonably suspected consequences; and
  • Remediation measures taken.

10.3 No Admission of Liability

Notification of a Security Incident shall not constitute:

  • An admission of fault or liability; or
  • A determination that a legal breach has occurred.

11. Assistance

Taking into account the nature of the Processing and information available to Untitled UI, Untitled UI shall provide commercially reasonable assistance to Customer regarding:

  • Data subject requests;
  • Data protection impact assessments;
  • Breach notification obligations; and
  • Compliance obligations under Applicable Data Protection Laws,

where required by law.

Untitled UI may charge reasonable fees for excessive, repetitive, or burdensome assistance requests.

12. Retention and Deletion

Upon termination of the Services or Customer’s written request, Untitled UI shall delete or return Personal Data within a commercially reasonable period unless retention is required:

  • By law;
  • For security purposes;
  • For fraud prevention;
  • For backup retention cycles;
  • For dispute resolution;
  • For enforcement of legal rights; or
  • For legitimate business compliance obligations.

Residual backup copies may remain until automatically overwritten in the ordinary course of business.

13. Audits and Information Requests

Customer may request reasonable information regarding Untitled UI’s security practices relevant to this DPA no more than once per calendar year.

Customer acknowledges that Untitled UI is not required to disclose:

  • Source code;
  • Penetration testing reports;
  • Vulnerability reports;
  • Confidential security documentation;
  • Internal security procedures; or
  • Information that could reasonably compromise security or other customers.

Any audit or review:

  • Must occur during normal business hours;
  • Must not unreasonably interfere with operations; and
  • Shall be conducted at Customer’s expense.

14. Limitation of Liability

The liability of each party arising out of or relating to this DPA shall be subject to the exclusions and limitations of liability set forth in the Agreement.

To the maximum extent permitted by law:

  • This DPA does not expand any liability cap contained in the Agreement; and
  • Neither party shall be liable for indirect, incidental, consequential, special, punitive, or exemplary damages arising from this DPA.

15. CCPA / CPRA Terms

To the extent the CCPA or CPRA applies:

  • Untitled UI shall not sell Personal Data Processed on behalf of Customer;
  • Untitled UI shall not share Personal Data for cross-context behavioral advertising; and
  • Untitled UI shall Process Personal Data solely for the purposes described in the Agreement and this DPA.

Untitled UI certifies that it understands and shall comply with restrictions applicable to service providers under applicable California privacy laws.

16. Governing Law

This DPA shall be governed by and construed in accordance with the governing law provisions set forth in the Agreement.

17. Order of Precedence

In the event of conflict between this DPA and the Agreement:

  • This DPA shall control solely with respect to privacy and data protection matters; and
  • The Agreement shall otherwise control.

18. Execution

Where required by Customer procurement policies, the parties may separately execute this DPA.

Otherwise, Customer’s execution of an Agreement incorporating this DPA, execution of an Order Form, or use of the Services constitutes acceptance of this DPA.

Annex 1 — Processing Details

Controller

Customer using the Services.

Processor

Sisyphus Ventures Pty Ltd (ABN 65 655 466 729)

Subject Matter

Provision of digital products, repositories, authentication systems, enterprise support, infrastructure services, and related offerings.

Nature of Processing

Collection, storage, organization, access management, authentication, transmission, support operations, analytics, logging, security monitoring, and deletion of Personal Data.

Duration

For the duration of the Agreement and any lawful retention period.

Categories of Personal Data

  • Email addresses (account and team members)
  • Organization and team-membership details
  • GitHub usernames (where the repository-access feature is used)
  • Hashed authentication information (API keys and SCIM provisioning tokens)
  • IP addresses and approximate location (in security audit logs)
  • Device and browser metadata (user-agent)
  • Usage logs
  • Audit records
  • Support communications
  • Licensing and account administration metadata

Categories of Data Subjects

  • Employees
  • Contractors
  • Administrators
  • Authorized users
  • Support contacts

Untitled UI

Untitled UI® (ABN 65 655 466 729) is operated by Sisyphus Ventures Pty Ltd (ACN 655 466 729), based in Melbourne, Australia.

If you have any questions regarding this Data Processing Addendum (DPA) or Untitled UI’s privacy and data protection practices, please get in touch with our friendly team via [email protected].

Use of the Services constitutes acceptance of this DPA unless otherwise separately executed in writing.
