Ultralytics Data Processing Agreement

Last updated:Mar 26, 2026

This Data Processing Agreement ("DPA") is incorporated into and forms part of (i) the Ultralytics Terms of Service and/or (ii) any applicable order form, enterprise agreement, or other written agreement referencing this DPA (each, the "Agreement") between the customer ("Customer", "you") and Ultralytics, Inc. ("Ultralytics", "Company", "we").

This DPA reflects the parties' agreement with respect to:

(A) Controller-to-Processor terms: Ultralytics' Processing of Customer Personal Data as a Processor (or sub-processor where Customer is a Processor) on Customer's behalf in connection with the Services; and
(B) Controller-to-Controller terms: each party's Processing of Controller Personal Data as an independent Controller, solely to the extent described in Section 10.

This DPA remains in effect for the term of the Agreement and for so long as Ultralytics Processes Customer Personal Data on Customer's behalf.

This DPA applies solely to the Processing of Customer Personal Data by Ultralytics within the Ultralytics Platform. For the avoidance of doubt, this DPA does not apply to Customer's use, deployment, or operation of Ultralytics YOLO open-source models outside the Ultralytics Platform, which is conducted under Customer's sole responsibility.

Ultralytics may update this DPA from time to time to reflect changes in law, regulatory guidance, or the Services, effective as of the date posted, provided that updates do not materially reduce the privacy protections for Customer Personal Data without Customer's agreement (except where required by applicable law).

1. Definitions

"Affiliate" means any entity that directly or indirectly controls, is controlled by, or is under common control with a party, where "control" means ownership of more than 50% of voting interests.

"Appropriate Safeguards" means such legally enforceable mechanism(s) for transfers of Personal Data as may be permitted under the applicable Data Protection Laws, especially but not limited to Article 46 GDPR.

"Sub-Processor" means any Processor engaged by Ultralytics or its Affiliates to Process Customer Personal Data on Ultralytics' behalf in connection with the Services.

"Company Account Data" means personal data that relates to Company's relationship with Customer, including the names or contact information of individuals authorized by Customer to access Customer's account and billing information of individuals that Customer has associated with its account. Company Account Data also includes any data Company may need to collect for the purpose of managing its relationship with Customer, identity verification, or as otherwise required by applicable laws and regulations.

"Company Usage Data" means Service usage data collected and processed by Company in connection with the provision of the Services, including without limitation data used to identify the source and destination of a communication, activity logs, and data used to optimize and maintain performance of the Services, and to investigate and prevent system abuse.

"Customer Data" means any data, content, materials, files, or information (including datasets, images, video, annotations, labels, metadata, model inputs and outputs, and other content) that Customer or its authorized users upload to, submit through, transmit to, or otherwise make available for Processing in connection with the Services, including any data generated for Customer through Customer's use of the Services.

"Customer Personal Data Breach" means a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Customer Personal Data Processed by Ultralytics or its Sub-Processors in connection with the Services. Customer Personal Data Breach does not include unsuccessful attempts or activities that do not compromise Customer Personal Data (e.g., unsuccessful log-in attempts, port scans, denial-of-service attacks, or other attacks on firewalls or networked systems).

"Data Protection Laws" means all applicable laws relating to privacy and data protection that apply to a party's Processing of Personal Data under the Agreement, including (as applicable) the GDPR, UK GDPR, Swiss FADP, ePrivacy/PECR, CCPA/CPRA and other applicable US state privacy laws.

"GDPR" means Regulation (EU) 2016/679; "UK GDPR" means the GDPR as incorporated into UK law; "Swiss FADP" means the Swiss Federal Act on Data Protection (as revised). "Instructions" means Customer's documented instructions to Ultralytics regarding Processing of Customer Personal Data, as described in Section 2.2.

"SCCs" means the EU standard contractual clauses (Decision 2021/914); "UK Addendum" means the ICO International Data Transfer Addendum. Other capitalised terms have the meanings given in Data Protection Laws and/or the Agreement.

"Services" means the services and functionalities made available by Ultralytics to Customer under the Agreement, including the Ultralytics Platform and any related support, administration, and documentation, as further described in the Agreement.

"Ultralytics Platform" means Ultralytics' cloud-based software-as-a-service environment through which Customers may upload, manage, annotate, and version datasets; train, evaluate, compare, export, and deploy computer vision models; manage projects and users; and access related features and support, and through which Ultralytics Processes Customer Personal Data on Customer's behalf in accordance with this DPA.

"Ultralytics YOLO Open-Source Models" mean the open-source computer vision models and related source code made available by Ultralytics under applicable open-source licences, which Customers may download, deploy, host, and operate independently in their own environments. For clarity, where Customers deploy or use Ultralytics YOLO Open-Source Models outside the Ultralytics Platform, Ultralytics does not Process Personal Data on Customer's behalf under this DPA.

2. Customer Responsibilities

2.1 Compliance with Laws. Customer is responsible for complying with Data Protection Laws in connection with its Processing of Personal Data and its use of the Services, including providing required notices and obtaining any required consents and authorizations.

2.2 Instructions. The Agreement (including this DPA), together with Customer's configuration and use of the Services in accordance with the Agreement, constitute Customer's complete Instructions to Ultralytics for Processing Customer Personal Data. Customer may provide additional Instructions during the term, provided they are consistent with the Agreement and the Services. If Ultralytics reasonably believes additional Instructions require material changes or burden, the parties will discuss in good faith.

2.3 Prohibited Data. Unless expressly agreed in writing by the parties (including agreement on additional safeguards required by applicable Data Protection Laws), Customer shall not provide to, submit through, or otherwise make available to Ultralytics any Special Categories of Personal Data under Article 9 GDPR (or equivalent), or data relating to criminal convictions or offences under Article 10 GDPR.

By way of illustration and without limitation, Prohibited Data includes:

government-issued identification numbers (such as passport numbers, national ID numbers, or social security numbers);
health or medical information, including biometric identifiers used for the purpose of uniquely identifying a natural person;
information concerning an individual's racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership;
genetic data or biometric data processed for the purpose of uniquely identifying a natural person;
personal data relating to children, where restricted by applicable Data Protection Laws;
and data relating to criminal convictions, alleged criminal conduct, or law enforcement activities.

Additionally, the Services are also not intended to process other data requiring heightened protection under applicable Data Protection Laws, such as payment card data, bank account numbers, or precise geolocation. Customer is solely responsible for ensuring that datasets, images, video, annotations, labels, metadata, or other content uploaded to or processed through the Services do not include Prohibited Data. Any Processing of Prohibited Data in breach of this Section constitutes a material breach of this DPA.

2.4 Inappropriate Data; Indemnity. Customer is solely responsible for the legality of Customer Personal Data provided to Ultralytics and for ensuring it is appropriate for the Services. Customer will defend and indemnify Ultralytics from and against any third-party claims arising from Customer's provision of Personal Data to the Services in breach of the Agreement, this DPA, or applicable Data Protection Laws.

3. Ultralytics Obligations as Processor

3.1 Purpose Limitation. Ultralytics will Process Customer Personal Data only (a) to provide the Services in accordance with the Agreement and Exhibit A, (b) in accordance with Customer's Instructions, and (c) as required by applicable law. Ultralytics will not use Customer Personal Data or Customer Data to train, improve, or develop Ultralytics' general or commercially available models, except where expressly instructed by Customer in writing or through the Services.

3.2 Conflict of Laws. If Ultralytics becomes aware it cannot Process Customer Personal Data in accordance with Instructions due to a legal requirement, Ultralytics will (to the extent permitted by law) notify Customer and, where necessary, suspend the affected Processing (other than secure storage) until Customer issues compliant Instructions.

3.3 Personnel Confidentiality. Ultralytics will ensure persons authorized to process Customer Personal Data are bound by confidentiality obligations. Customer agrees Ultralytics may disclose Customer Personal Data to its professional advisers and auditors as reasonably required in connection with performance of the Agreement/DPA, subject to confidentiality obligations.

3.4 Sub-processing. Ultralytics may engage Sub-Processors in accordance with Section 5 and remains responsible for their performance of equivalent obligations.

3.5 Deletion / Return. Upon termination of the Services, Ultralytics will delete or return Customer Personal Data in accordance with the Agreement and Exhibit A, unless retention is required by law. Deletion certification under SCCs will be provided upon Customer's request.

4. Data Subject (or Consumer) Rights

4.1 Data Subject (or Consumer) Request. Ultralytics shall, to the extent legally permitted, notify Customer at the primary contact in the account without undue delay if Ultralytics receives a request from a Data Subject (or Consumer) to exercise the Data Subject's (or Consumer's) right of access (or disclosure), right to rectification, restriction of Processing, erasure (or deletion or the "right to be forgotten"), data portability, object to the Processing, or its right not to be subject to an automated individual decision making ("Data Subject (or Consumer) Request").

4.2 Assistance. Taking into account the nature of Processing, Ultralytics will provide reasonable assistance to Customer to respond to requests to exercise Data Subject rights under Data Protection Laws, to the extent Customer cannot fulfil the request using available Service functionality.

4.3 DPIA; Prior Consultation. Taking into account the nature of Processing and the information available to Ultralytics, Ultralytics will provide reasonable assistance to Customer with (i) data protection impact assessments and (ii) Customer's consultation and/or cooperation with supervisory authorities, in each case where required by Data Protection Laws and where Customer does not otherwise have access to relevant information. Except where required by Data Protection Laws or in connection with a Customer Personal Data Breach, Customer shall not request such assistance more than once in any twelve (12) month period. Customer will reimburse Ultralytics' reasonable costs and expenses incurred in providing such assistance, where permitted by law.

5. Sub-Processors

5.1 General Authorization. Customer grants Ultralytics a general written authorization to engage Sub-Processors to Process Customer Personal Data for the Services.

5.2 List and Notice. A list of current Sub-Processors is available at https://trust.ultralytics.com/subprocessors (the "List"). Ultralytics will provide a mechanism to subscribe to notifications of updates to the List and will provide notice of new Sub-Processors at least ten (10) days before authorizing them to Process Customer Personal Data. Customer is responsible for subscribing to such notifications where available; if Customer does not subscribe, Customer acknowledges it may not receive prior notice via that mechanism. In all cases, updates to the List shall constitute notice of changes to Sub-Processors. Customer acknowledges that certain Sub-Processors are essential to providing the Services and that objecting to the use of a sub-processor may prevent Company from offering the Services to Customer.

For clarity, Ultralytics Affiliates involved in the provision of the Services, including Ultralytics Ltd (UK) and Ultralytics AI Spain, S.L., may act as intra-group Sub-Processors where they Process Customer Personal Data on behalf of Ultralytics Inc. in connection with the Services.

5.3 Objection to New Sub-Processors. Customer may object in writing to the engagement of a new Sub-processor on reasonable data protection grounds according to Section 5.2. If Ultralytics cannot reasonably address Customer's objection, Customer may discontinue the affected Service by written notice, without relieving Customer of any fees accrued prior to such discontinuation.

5.4 Flow-down. Ultralytics will engage Sub-Processors only after conducting reasonable, risk-based due diligence to assess whether the Sub-processor is capable of providing an appropriate level of protection for Customer Personal Data in accordance with applicable Data Protection Laws, and will periodically monitor Sub-Processors as part of its vendor management program. Ultralytics will ensure that its Sub-Processors are subject to data protection obligations that are materially equivalent to, or more protective than, those set out in this DPA. Upon Customer's request, Ultralytics will provide copies (which may be redacted for confidentiality) of relevant Sub-processor data protection terms as required under the SCCs.

6. Security

6.1 Measures. Taking into account the state of the art, the nature, scope, context and purposes of the Processing, and the risk of varying likelihood and severity for the rights and freedoms of natural persons, Ultralytics shall implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to such risk, in accordance with applicable Data Protection Laws, including Article 32 of the GDPR. These measures are described in Exhibit C, which Ultralytics may update from time to time, provided that any such update does not materially reduce the overall level of protection for Customer Personal Data.

6.2 Customer Responsibilities. Notwithstanding the foregoing, Customer acknowledges that, except as expressly provided in this DPA, Customer is responsible for its secure use of the Services, including safeguarding its account authentication credentials, configuring access controls appropriately, and ensuring that its users access and use the Services in a manner consistent with applicable Data Protection Laws and the security features made available by Ultralytics.

7. Customer Audits and Demonstration of Compliance

7.1 Documentation. Upon reasonable request, Ultralytics will make available information reasonably necessary to demonstrate compliance with this DPA (including current third-party audit reports or certifications, where available). Ultralytics will maintain records sufficient to demonstrate compliance with this DPA and retain such records for a reasonable period following termination (e.g., three (3) years), unless a longer period is required by law.

7.2 Audit. Where Data Protection Laws require and documentation is insufficient, Customer may, upon reasonable prior written notice and at Customer's expense, request an audit or inspection of Ultralytics' relevant systems and processes. Any such audit or inspection shall be conducted only following mutual written agreement between the parties on the scope, timing, and duration of the audit, as well as any reasonable reimbursement rate for Ultralytics' time and resources expended in connection with the audit. Any audit conducted pursuant to this Section shall:

(a) occur no more than once in any twelve (12) month period;
(b) take place during Ultralytics' normal business hours;
(c) be subject to reasonable confidentiality, security, and safety controls; and
(d) be limited to systems and records reasonably relevant to the Processing of Customer Personal Data.

Customer shall promptly notify Ultralytics of any material non-compliance identified during an audit to allow Ultralytics a reasonable opportunity to address such findings.

8. Personal Data Breaches

8.1 Notice. Ultralytics will notify Customer without undue delay but no later than 72 hours after becoming aware of a Customer Personal Data Breach.

8.2 Assistance. Ultralytics will provide reasonable assistance for Customer's required notifications to regulators and affected Data Subjects, taking into account the information available to Ultralytics.

8.3 No Admission. Breach notification does not constitute an admission of fault or liability. The breach-notification obligation does not apply to the extent a Customer Personal Data Breach is caused by Customer's or its users' actions or omissions.

9. Transfers (EU/UK/Switzerland)

9.1 International Transfers. Customer acknowledges that Ultralytics' primary processing operations may occur in the United States and other locations as necessary to provide the Services.

For clarity, Customer Personal Data may also be transferred between Ultralytics Inc. and its Affiliates (including Ultralytics Ltd (UK) and Ultralytics AI Spain, S.L.) where such Affiliates act as Sub-Processors in connection with the Services. Where such transfers qualify as international transfers under applicable Data Protection Laws, they shall be subject to Appropriate Safeguards, including the SCCs (Module 3, where applicable) or other valid transfer mechanisms.

Where the transfer of Customer Personal Data to a country that has not been recognized as providing an adequate level of data protection is required, such transfers will be made subject to Appropriate Safeguards in accordance with applicable Data Protection Laws, including, where applicable, the SCCs and the UK Addendum as incorporated into this DPA.

9.2 EU SCCs. For transfers of Customer Personal Data subject to GDPR to a third country without adequacy, the parties incorporate the EU SCCs. Module Two (Controller→Processor) applies where Customer is a Controller; Module Three (Processor→Sub-Processor) applies where Customer is a Processor. The SCC annexes are completed using Exhibit B (Annex I/III) and Exhibit C (Annex II).

9.3 UK Addendum. For transfers subject to UK GDPR, the parties incorporate the UK Addendum, completed by reference to Exhibit B/C and the applicable transfer mechanism selection.

9.4 Switzerland. For Swiss transfers, the EU SCCs apply with the standard Swiss modifications (references to GDPR include Swiss FADP; FDPIC as competent authority, etc.), completed by reference to Exhibits.

9.5 Government Access Requests. Ultralytics will handle legally binding requests for Customer Personal Data consistent with applicable law and the SCCs, including (where legally permitted) notice to Customer and reasonable cooperation.

10. Controller-to-Controller Terms (Ultralytics Account / Usage / Security Ops)

10.1 Scope. This Section applies to Processing of Controller Personal Data by each party as an independent Controller (not joint controllers), including Ultralytics' Processing of Company Account Data and Company Usage Data.

10.2 Independent Controller Obligations. Each party will:

(a) Process Controller Personal Data in compliance with Data Protection Laws;
(b) implement appropriate security; and
(c) respond to regulatory communications relating to its own Processing.

10.3 Ultralytics Controller Processing. Ultralytics Processes Company Account Data and Company Usage Data as a Controller for: account administration, billing, security monitoring and abuse prevention, identity verification, legal compliance, audits/accounting, and service operations (including performance and reliability). Such Processing is described in the Ultralytics Privacy Policy. Nothing in this DPA shall be construed as creating a joint controller relationship between the parties.

For the avoidance of doubt, Ultralytics and its Affiliates may process limited business contact data (such as names, corporate email addresses, and professional contact details) in the context of commercial outreach, demonstrations, partnerships, and customer relationship management activities as independent Controllers.

11. California Terms (CCPA/CPRA)

11.1 Service Provider / Processor. To the extent CCPA/CPRA applies and Ultralytics Processes Customer Personal Data on Customer's behalf, Ultralytics acts as a "service provider" and/or "processor", and will not "sell" or "share" such personal information.

11.2 Limited Use. Ultralytics will not retain, use, or disclose Customer Personal Data outside the direct business purpose of providing the Services except as permitted by CCPA/CPRA.

11.3 Discrimination. The Parties must not discriminate against a Consumer because they exercised their rights.

12. General Provisions

12.1 Limitation of Liability. The limitations and exclusions in the Agreement apply to this DPA, except as prohibited by law or the SCCs/UK Addendum.

12.2 Severability. Should any provision of this DPA be invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the Parties' intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.

12.3 Execution of this DPA. This DPA is incorporated into and forms part of the Agreement. Customer enters into this DPA (including, where applicable, the EU SCCs and the UK Addendum) by:

(a) accepting or agreeing to be bound by the Agreement (including by clicking "I agree" or similar mechanism to the Terms of Service),
(b) executing an order form, statement of work, or other written agreement that incorporates or references the Agreement, or
(c) using or continuing to use the Services after this DPA is made available by Company.

Customer represents and warrants that the individual accepting the Agreement and/or using the Services on Customer's behalf has authority to bind Customer and, where applicable, its Affiliates.

12.4 Contact. Privacy requests: privacy@ultralytics.com; DPO: dpo@ultralytics.com; legal notices: legal@ultralytics.com.

13. Parties; Affiliates

Customer enters into this DPA on behalf of itself and its Affiliates that are authorized users of the Services under the Agreement and are Controllers/Processors of Customer Personal Data ("Permitted Affiliates"). Customer represents it has authority to bind Permitted Affiliates.

Exhibit A: Details of Personal Data Processing

Nature: Ultralytics provides a cloud-based software and related services that enable Customers to access and use Ultralytics products and features, including model training, inference, dataset management, deployment workflows, and related support and administration ("Services"), as described in the Agreement.

For clarity, the Services include the Ultralytics Platform, through which Ultralytics Processes Customer Personal Data on Customer's behalf in accordance with this DPA. Separately, Ultralytics also makes available Ultralytics YOLO open-source models, which Customers may deploy and operate independently in their own environments. Where Customers deploy or use Ultralytics YOLO models outside the Ultralytics Platform, Ultralytics does not Process Personal Data on Customer's behalf, and Customers are solely responsible for implementing appropriate technical and organizational measures, determining purposes and means of Processing, and ensuring compliance with applicable Data Protection Laws in connection with such deployment and use.

Purpose: Ultralytics Processes Customer Personal Data on behalf of Customer for the following purposes:

to provide, operate, secure, and support the Services in accordance with the Agreement and Customer's documented Instructions;
to comply with other documented reasonable instructions provided by Customer, where such instructions are consistent with the Agreement and this DPA;
to respond to requests initiated by Customer or its authorized users in their use of the Services (including customer support requests);
to monitor, prevent, and detect security incidents, fraud, abuse, and service misuse; and
to comply with applicable legal obligations.

Ultralytics will not use Customer Personal Data to train or improve Ultralytics' general models except as expressly instructed by Customer in writing or via the Services. For clarity, Ultralytics may use Company Usage Data and aggregated or de-identified data (where permitted) to operate, secure, and improve the Services.

Where Customer elects to share datasets, models, or other content via community or public features of the Services, such sharing constitutes Customer's documented instruction. Customer remains solely responsible for ensuring it has all necessary rights and lawful bases to make such data available to other users.

Duration of Processing: Ultralytics will Process Customer Personal Data for the duration of the Agreement and for as long as necessary to provide the Services in accordance with Customer's Instructions. Following termination or expiration of the Agreement, Ultralytics will delete or return Customer Personal Data in accordance with the Agreement and this DPA, unless further retention is required by applicable law. For clarity, where Ultralytics Processes Controller Personal Data (including Company Account Data and Company Usage Data) as an independent Controller under Section 10, such Processing will occur for the periods set forth in the Ultralytics Privacy Policy.

Categories of Data Subjects: Customer Personal Data may relate to the following categories of Data Subjects, as determined and controlled by Customer:

Customer's employees, contractors, agents, and representatives;
Customer's authorized users and administrators;
and Customer's end users, customers, or other individuals whose Personal Data Customer chooses to submit to the Services.

Categories of Personal Data: Customer Personal Data may include the following categories of Personal Data, to the extent submitted to or otherwise made available through the Services by or on behalf of Customer:

Account and user identity data, such as name, email address, username/user ID, organization name, and user role/permissions (e.g., admin/user).
Usage and device/technical data, such as IP address, device identifiers and system attributes (e.g., device type, operating system, browser type), log files, timestamps, authentication events, access history, and (where applicable) installed applications or configuration details collected as part of enterprise device or security workflows.
Customer-provided content and inputs, such as user-generated prompts, comments, annotations, dataset metadata or labels, and any other content Customer uploads or submits through the Services (including images/video/audio or other files), but only to the extent such content contains Personal Data.
Support and communications data, such as customer support communications, issue reports, troubleshooting information, and administrative contact details.

The categories of Personal Data processed may further include those described in the Ultralytics Privacy Policy.

Sensitive Data or Special Categories of Data: The Services are not designed or intended to Process Special Categories of Personal Data (as defined in Article 9 GDPR or equivalent under applicable Data Protection Laws) or Personal Data relating to criminal convictions and offences (Article 10 GDPR), and Customer is prohibited from providing such data unless expressly agreed in writing with Ultralytics and subject to additional safeguards.

Exhibit B: Annex I and Annex III Information (EU SCCs and UK Addendum)

The following includes the information required by Annex I and Annex III of the EU SCCs, and Table 1, Annex 1A, and Annex 1B of the UK Addendum.

1. The Parties

Data exporter(s):

Name: Customer legal entity name
Trading Name (if different): [Optional]
Address: Customer registered address
Official Registration Number (if any): [Optional]
Contact person's name, position and contact details: Name, Title, Email
Activities relevant to the data transferred under these Clauses: Use of the Services under the Agreement, including transfer of Customer Personal Data to Ultralytics for Processing in connection with the Services, as described in the Agreement, this DPA, and Exhibit A.
Signature and date: By execution/acceptance of the Agreement/DPA
Role (controller/processor): Controller

Data importer(s):

Name: Ultralytics Inc.
Trading Name (if different): N/A
Address and contact information: 5001 Judicial Way, Frederick, MD, 21703, United States; privacy@ultralytics.com
Official Registration Number (if any): 6755919
Activities relevant to the data transferred under these Clauses: Processing Customer Personal Data on behalf of Customer to provide, operate, secure, maintain, and support the Services, and as otherwise described in the Agreement, this DPA, and Exhibit A.
Signature and date: By execution/acceptance of the Agreement/DPA
Role (controller/processor): As described in Section 3 of the DPA.

2. Description of the Transfer

Field	Details
Data Subjects	As described in Exhibit A of the DPA
Categories of Personal Data	As described in Exhibit A of the DPA
Special Category Personal Data (if applicable)	As described in Exhibit A of the DPA
Nature of the Processing	As described in Exhibit A of the DPA
Purposes of Processing	As described in Exhibit A of the DPA
Duration of Processing and Retention (or the criteria to determine such period)	As described in Exhibit A of the DPA
Frequency of the transfer	As necessary to provide and perform all obligations and rights with respect to Personal Data as provided in the Agreement or DPA
Recipients of Personal Data Transferred to the Data Importer	Company will maintain a list of Sub-Processors at: https://trust.ultralytics.com/subprocessors Intra-group Sub-Processors: Ultralytics Ltd (United Kingdom) - engineering support, customer support, onboarding assistance, and commercial interactions (including demonstrations and partnerships) Ultralytics AI Spain, S.L. (Spain) - engineering support, commercial interactions and customer-facing activities, involving limited processing of business contact data

3. Competent Supervisory Authority

The supervisory authority shall be the supervisory authority of the Data Exporter, as determined in accordance with Clause 13 of the EU SCCs. The supervisory authority for the purposes of the UK Addendum shall be the UK Information Commissioner's Office.

Exhibit C: Technical and Organizational Security Measures

The following includes the information required by Annex II of the EU SCCs and Annex II of the UK Addendum.

Technical and Organizational Security Measure	Details
Measures of pseudonymization and encryption of personal data	Customer Personal Data is protected through encryption in transit using industry-standard secure connections (TLS) between platform components and external endpoints. Data stored in cloud services benefits from cloud-provider-managed encryption at rest and secure key management controls.
Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services	Ultralytics maintains Security, Confidentiality, and Availability commitments for its Services, including system configuration designed to restrict unauthorised access, intrusion detection and monitoring, vulnerability scanning and penetration testing, encryption in transit and at rest, and data retention/disposal controls. The Ultralytics Platform operates using managed cloud services with availability. Our infrastructure-as-a-service (IaaS) providers support database resiliency through replication and high availability. Ultralytics also ensures that downstream Sub-Processors' technical & organizational measures (TOMs) meet or exceed the standards set out in this agreement.
Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident	Customer data within the Ultralytics Platform is backed up using cloud-provider-native services. Backups are monitored and exceptions are investigated and remediated. Backup data is encrypted at rest and in transit and access is restricted to authorized personnel. Business continuity and disaster recovery planning includes recovery point objectives (RPOs), recovery time objectives (RTOs) and defined roles & responsibilities.
Processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing	Ultralytics performs regular vulnerability scans over the system and network and penetration tests over the production environment. Vulnerability management includes dependency scanning and secure development practices integrated into CI/CD pipelines, and identified vulnerabilities are prioritized and remediated based on severity and risk. Additionally, Ultralytics conducts annual risk assessment, and Management Review as part of the standard ISMS practice.
Measures for user identification and authorization	The Ultralytics Platform uses an authentication and identity provider, supporting user authentication and session management. Access to engineering systems (including source code repositories) is restricted to authorized personnel and governed by role-based permissions, branch protections, and required reviews. Internal access follows a least-privilege model and role-based access controls.
Measures for the protection of data during transmission	Network ingress to the Ultralytics Platform is restricted to secure HTTPS (TLS) connections through designated frontend endpoints. Internal communications between platform components and storage services are encrypted in transit using TLS.
Measures for the protection of data during storage	For the Ultralytics Platform, Customer data is stored in encrypted, managed cloud services with redundancy and backup support. The managed cloud services provide built-in encryption, automated backups, redundant storage, and high availability. Cloud-provider-managed encryption is applied to data at rest.
Measures for ensuring physical security of locations at which personal data are processed	The Ultralytics Platform is hosted using third-party cloud service providers. Physical and environmental protections for the hosting data centers are operated by the relevant Sub-Processor organizations. Ultralytics reviews Sub-Processor organization attestation reports and performs risk analysis on at least an annual basis.
Measures for ensuring events logging	Ultralytics leverages cloud-native logging for monitoring, troubleshooting, and incident investigations. Platform availability and security-related alerts are communicated internally via internal communications and email, and externally via a hosted status page. Additionally, Ultralytics regularly reviews access to applications, tools, and resources that process or store Customer Data.
Measures for ensuring system configuration, including default configuration	Ultralytics maintains documented change management processes governing changes to the Ultralytics Platform and the Ultralytics YOLO model codebase, including change initiation, documentation, development standards, testing, review, and approval prior to release or deployment. Changes are tracked in version control with peer review and CI/CD pipeline validation.
Measures for internal IT and IT security governance and management	Ultralytics maintains security policies and procedures aligned to service commitments and internal compliance requirements, with annual review of key policies and procedures. Employees must acknowledge policies through a dedicated Governance, Risk, Compliance (GRC) tool and are required to complete annual security awareness training and privacy training, with secure coding training for engineering roles. Risks are documented in a centralized risk register and formally reviewed at least annually.
Measures for certification/assurance of processes and products	Ultralytics relies on third-party managed services (including subservice organizations) and reviews their SOC 2 reports annually as part of monitoring controls. Vendor due diligence is risk-based, and vendors are classified into tiers (Critical/High/Medium/Low), with contractual safeguards and periodic reassessments.
Measures for ensuring data minimization	Ultralytics processes Customer data in accordance with customer agreements and applicable data protection requirements, and limits Processing to what is necessary to deliver and support the Services (including dataset management, annotation, model training, evaluation, and related platform functionality). Ultralytics YOLO open-source usage is customer-managed and Ultralytics does not process inference workloads for customers in that context.
Measures for ensuring data quality	Ultralytics uses controlled development and deployment practices designed to support integrity and reliability, including peer review, automated testing, CI/CD workflows, and controlled change management for the Platform and open-source code releases.
Measures for ensuring limited data retention	Ultralytics applies data retention and data disposal commitments as part of its service commitments. Customer data for the Platform is backed up using managed services, and deletion/return is handled in accordance with customer agreements and applicable law.
Measures for ensuring accountability	Ultralytics maintains an incident response plan and documented procedures for identifying, reporting, managing, and tracking security and privacy incidents, including communications for external vulnerability reporting via security@ultralytics.com. Incidents are documented and handled with involvement from Engineering, Legal, and executive management as required by severity.
Measures for allowing data portability and ensuring erasure	Customer Personal Data submitted to Ultralytics Platform may be deleted by the Customer and/or upon Customer's request, in accordance with the Agreement and this DPA. Where deletion is required, Ultralytics will act according to Customer instructions and applicable legal requirements. (Portability is supported insofar as Customer can export or retrieve its Customer Data from the Services as applicable.) Ultralytics YOLO open-source models are deployed by the Customer within their dedicated environment ensuring full data governance control.
Technical and organizational measures of Sub-Processors	Ultralytics uses a risk-based vendor management program for onboarding and monitoring third-party service providers, including review of compliance attestations and contractual security and data protection requirements. Ultralytics also monitors Subservice Organizations and reviews their SOC 2 reports annually. Ultralytics also enters into Data Processing Agreements with its Sub-Processors with data protection obligations substantially similar to those contained in this DPA.

Exhibit D: UK Addendum

International Data Transfer Addendum to the EU Commission Standard Contractual Clauses

Part 1: Tables

Table 1: Parties

Field	Exporter	Importer
Start Date	This UK Addendum shall have the same effective date as the DPA
Parties' Details	Customer	Company
Key Contact	See Exhibit B of this DPA	See Exhibit B of this DPA

Table 2: Selected SCCs, Modules and Selected Clauses

Field	Details
EU SCCs	The Version of the Approved EU SCCs which this UK Addendum is appended to as defined in the DPA and completed by Section 6.2 and 6.3 of the DPA.

Table 3: Appendix Information

"Appendix Information" means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this UK Addendum is set out in:

Annex	Reference
Annex 1A: List of Parties	As per Table 1 above
Annex 2B: Description of Transfer	See Exhibit B of this DPA
Annex II: Technical and organizational measures including technical and organizational measures to ensure the security of the data	See Exhibit C of this DPA
Annex III: List of Sub-Processors (Modules 2 and 3 only)	See Exhibit B of this DPA

Table 4: Ending this UK Addendum when the Approved UK Addendum Changes

Note: This provision permits the selected party (if any) to terminate the UK Addendum if the ICO changes the approved UK Addendum which directly results in a substantial, disproportionate, and demonstrable increase in (a) its direct costs of performing its obligations under the UK Addendum or (b) its risk under the UK Addendum.

Field	Selection
Ending this UK Addendum when the Approved UK Addendum changes	x Importer x Exporter ☐ Neither Party

Entering into this UK Addendum

Each party agrees to be bound by the terms and conditions set out in this UK Addendum, in exchange for the other party also agreeing to be bound by this UK Addendum.

Although Annex 1A and Clause 7 of the Approved EU SCCs require signature by the Parties, for the purpose of making ex-UK Transfers, the Parties may enter into this UK Addendum in any way that makes them legally binding on the Parties and allows data subjects to enforce their rights as set out in this UK Addendum. Entering into this UK Addendum will have the same effect as signing the Approved EU SCCs and any part of the Approved EU SCCs.

Interpretation of this UK Addendum

Where this UK Addendum uses terms that are defined in the Approved EU SCCs those terms shall have the same meaning as in the Approved EU SCCs. In addition, the following terms have the following meanings:

Term	Definition
UK Addendum	means this International Data Transfer Addendum incorporating the EU SCCs, attached to the DPA as Exhibit D.
EU SCCs	means the version(s) of the Approved EU SCCs which this UK Addendum is appended to, as set out in Table 2, including the Appendix Information
Appendix Information	shall be as set out in Table 3
Appropriate Safeguards	means the standard of protection over the personal data and of data subjects' rights, which is required by UK Data Protection Laws when you are making an ex-UK Transfer relying on standard data protection clauses under Article 46(2)(d) UK GDPR.
Approved UK Addendum	means the template Addendum issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as may be revised under Section 18 of the UK Addendum.
Approved EU SCCs	means the standard contractual clauses approved by the European Commission in Commission Decision 2021/914 dated 4 June 2021, for transfers of personal data to countries not otherwise recognized as offering an adequate level of protection for personal data by the European Commission (as amended and updated from time to time).
ICO	means the Information Commissioner's Office.
ex-UK Transfer	shall have the same definition as set forth in the DPA.
UK	means the United Kingdom of Great Britain and Northern Ireland
UK Data Protection Laws	means all laws relating to data protection, the processing of personal data, privacy and/or electronic communications in force from time to time in the UK, including the UK GDPR and the Data Protection Act 2018.
UK GDPR	shall have the definition set forth in the DPA.

The UK Addendum must always be interpreted in a manner that is consistent with UK Data Protection Laws and so that it fulfills the Parties' obligation to provide the Appropriate Safeguards.

If the provisions included in the UK Addendum amend the Approved EU SCCs in any way which is not permitted under the Approved EU SCCs or the Approved UK Addendum, such amendment(s) will not be incorporated in the UK Addendum and the equivalent provision of the Approved EU SCCs will take their place.

If there is any inconsistency or conflict between UK Data Protection Laws and the UK Addendum, UK Data Protection Laws will apply.

If the meaning of the UK Addendum is unclear or there is more than one meaning, the meaning which most closely aligns with UK Data Protection Laws applies.

Any references to legislation (or specific provisions of legislation) means that legislation (or specific provision) as it may change over time. This includes where that legislation (or specific provision) has been consolidated, re-enacted and/or replaced after the UK Addendum has been entered into.

Hierarchy

Although Clause 5 of the Approved EU SCCs sets out that the Approved EU SCCs prevail over all related agreements between the parties, the parties agree that, for ex-UK Transfers, the hierarchy in Section 10 below will prevail.

Where there is any inconsistency or conflict between the Approved UK Addendum and the EU SCCs (as applicable), the Approved UK Addendum overrides the EU SCCs, except where (and in so far as) the inconsistent or conflicting terms of the EU SCCs provides greater protection for data subjects, in which case those terms will override the Approved UK Addendum.

Where this UK Addendum incorporates EU SCCs which have been entered into to protect ex-EU Transfers subject to the GDPR, then the parties acknowledge that nothing in the UK Addendum impacts those EU SCCs.

Incorporation and Changes to the EU SCCs

This UK Addendum incorporates the EU SCCs which are amended to the extent necessary so that:

together they operate for data transfers made by the data exporter to the data importer, to the extent that UK Data Protection Laws apply to the data exporter's processing when making that data transfer, and they provide Appropriate Safeguards for those data transfers;
Sections 9 to 11 above override Clause 5 (Hierarchy) of the EU SCCs; and
the UK Addendum (including the EU SCCs incorporated into it) is (1) governed by the laws of England and Wales and (2) any dispute arising from it is resolved by the courts of England and Wales.

Unless the parties have agreed alternative amendments which meet the requirements of Section 12 of this UK Addendum, the provisions of Section 15 of this UK Addendum will apply.

No amendments to the Approved EU SCCs other than to meet the requirements of Section 12 of this UK Addendum may be made.

The following amendments to the EU SCCs (for the purpose of Section 12 of this UK Addendum) are made:

References to the "Clauses" means this UK Addendum, incorporating the EU SCCs;
In Clause 2, delete the words: "and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679";
Clause 6 (Description of the transfer(s)) is replaced with: "The details of the transfers(s) and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred) are those specified in Annex I.B where UK Data Protection Laws apply to the data exporter's processing when making that transfer.";
Clause 8.7(i) of Module 1 is replaced with: "it is to a country benefitting from adequacy regulations pursuant to Section 17A of the UK GDPR that covers the onward transfer";
Clause 8.8(i) of Modules 2 and 3 is replaced with: "the onward transfer is to a country benefitting from adequacy regulations pursuant to Section 17A of the UK GDPR that covers the onward transfer;"
References to "Regulation (EU) 2016/679", "Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)" and "that Regulation" are all replaced by "UK Data Protection Laws". References to specific Article(s) of "Regulation (EU) 2016/679" are replaced with the equivalent Article or Section of UK Data Protection Laws;
References to Regulation (EU) 2018/1725 are removed;
References to the "European Union", "Union", "EU", "EU Member State", "Member State" and "EU or Member State" are all replaced with the "UK";
The reference to "Clause 12(c)(i)" at Clause 10(b)(i) of Module one, is replaced with "Clause 11(c)(i)";
Clause 13(a) and Part C of Annex I are not used;
The "competent supervisory authority" and "supervisory authority" are both replaced with the "Information Commissioner";
In Clause 16(e), subsection (i) is replaced with: "the Secretary of State makes regulations pursuant to Section 17A of the Data Protection Act 2018 that cover the transfer of personal data to which these clauses apply;";
Clause 17 is replaced with: "These Clauses are governed by the laws of England and Wales";
Clause 18 is replaced with: "Any dispute arising from these Clauses shall be resolved by the courts of England and Wales." A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of any country in the UK. The parties agree to submit themselves to the jurisdiction of such courts."; and
The footnotes to the Approved EU SCCs do not form part of the UK Addendum, except for footnotes 8, 9, 10 and 11.

Amendments to the UK Addendum

The parties may agree to change Clauses 17 and/or 18 of the EU SCCs to refer to the laws and/or courts of Scotland or Northern Ireland.

If the parties wish to change the format of the information included in Part 1: Tables of the Approved UK Addendum, they may do so by agreeing to the change in writing, provided that the change does not reduce the Appropriate Safeguards.

From time to time, the ICO may issue a revised Approved UK Addendum which:

makes reasonable and proportionate changes to the Approved UK Addendum, including correcting errors in the Approved UK Addendum; and/or
reflects changes to UK Data Protection Laws.

The revised Approved UK Addendum will specify the start date from which the changes to the Approved UK Addendum are effective and whether the parties need to review this UK Addendum including the Appendix Information. This UK Addendum is automatically amended as set out in the revised Approved UK Addendum from the start date specified.

If the ICO issues a revised Approved UK Addendum under Section 18 of this UK Addendum, if a party will as a direct result of the changes in the Approved UK Addendum have a substantial, disproportionate and demonstrable increase in:

its direct costs of performing its obligations under the UK Addendum; and/or
its risk under the UK Addendum,

and in either case it has first taken reasonable steps to reduce those costs or risks so that it is not substantial and disproportionate, then that party may end this UK Addendum at the end of a reasonable notice period, by providing written notice for that period to the other party before the start date of the revised Approved UK Addendum.

The parties do not need the consent of any third party to make changes to this UK Addendum, but any changes must be made in accordance with its terms.