GDPR compliance
UpBoard complies with the General Data Protection Regulation. DPA available, subprocessors listed, hosting entirely within the European Union.
Our role
For data you entrust to us (extracted from your Odoo), UpBoard acts as processor under GDPR Article 4. You remain controller for your customers', suppliers', and employees' data.
For data we collect directly about you (UpBoard account, billing, support), we are controller.
Legal basis
Processing of your data by UpBoard relies on performance of the service contract (GDPR Article 6.1(b)). No other basis is used.
Data processed
To provide the service we access the following categories via your Odoo:
- Contract and financial data: quotes, invoices, payments, receivables
- Operational data: products, stock movements, BOMs
- Contact data: names, emails, phones of your customers, suppliers, and staff (limited to what recommendations require)
- Aggregated behavioural data: history of actions in Odoo
We never process: health data, political, religious, or trade-union opinions, biometric data, or data on minors.
Subprocessors
To provide the service UpBoard uses the subprocessors below. All are located in the EU or benefit from adequate safeguards (standard contractual clauses).
| Subprocessor | Role | Location |
|---|---|---|
| Infomaniak | Primary infrastructure hosting | Switzerland (adequacy) + Belgium (EU) |
| Anthropic | LLM models (Claude Sonnet, Claude Haiku) | United States, under DPF + standard clauses, no training on your data |
| Stripe | Subscription billing | Ireland (EU) |
| Sentry | Error monitoring (anonymised) | EU |
| Cloudflare | CDN, anti-DDoS | EU / global |
The up-to-date list is in your DPA. You are notified 30 days before any change.
Your rights
As an UpBoard customer, you (or data subjects for whom you are controller) can exercise the following rights by writing to dpo@upboard.ai:
- Access to processed data
- Rectification of inaccurate data
- Erasure (except where law requires retention)
- Restriction of processing
- Portability: full export in JSON or CSV within seven days
- Objection to processing
For your customers or suppliers exercising their rights, contact us and we coordinate with you on the request.
Data retention
| Data type | Duration |
|---|---|
| Operational Odoo data (UpBoard cache) | Contract term + 30 days after termination |
| Audit logs | 90 days hot + 24 months cold archive |
| Billing data | 10 years (accounting obligation) |
| Agent contextual memory | Erased with operational data |
| UpBoard account data | Erased 90 days after termination |
DPA (Data Processing Agreement)
A standard Data Processing Agreement compliant with GDPR Article 28 can be signed from the UpBoard UI or requested at dpo@upboard.ai. It covers:
- Scope and nature of processing
- List of onward subprocessors
- Technical and organisational security measures
- Incident notification procedure
- Audit conditions
- Data return and destruction modalities
Our DPO
For any GDPR question: dpo@upboard.ai
UpBoard.ai is a brand operated by Organize'IT, a Belgian company (BE 0XXX.XXX.XXX, Brussels registry).