Data Processing Agreement
1. The parties
This Data Processing Agreement ("DPA") is entered into between:
- The Customer - the individual or entity identified in the Frameboard account that has accepted the Terms of Service (the "Controller").
- Frameboard Limited, a company registered in England and Wales (company number 17154107), of registered office to be confirmed (the "Processor").
Collectively referred to as the "Parties".
2. Background
The Controller has agreed to use Frameboard (the "Services") under the Terms of Service (the "Principal Agreement"). In providing the Services, the Processor will process personal data on behalf of the Controller. The Parties enter into this DPA to set out the terms governing that processing, as required by Article 28 UK GDPR.
3. Definitions
Terms not defined here have the meanings given in UK GDPR. In particular: "Personal Data", "Processing", "Data Subject", "Controller", "Processor", "Sub-processor", and "Supervisory Authority" all have the meanings given in UK GDPR.
"Customer Personal Data" means personal data processed by the Processor on behalf of the Controller in connection with the Services, as described in Annex 1.
4. Subject matter, duration, nature and purpose
- Subject matter: Processing of Customer Personal Data to provide the Services.
- Duration: For the term of the Principal Agreement plus any post-termination retention required under section 10.
- Nature and purpose: To host, store, display, generate content from, transmit, secure, and back up Customer Personal Data within the Frameboard platform.
- Types of personal data and categories of data subject: See Annex 1.
5. Obligations of the Processor
The Processor will:
- Process Customer Personal Data only on documented instructions from the Controller. The Principal Agreement and the Controller's use of the Services are the initial instructions. Additional written instructions may be given from time to time.
- Ensure persons authorised to process Customer Personal Data are subject to appropriate confidentiality obligations.
- Implement appropriate technical and organisational measures described in Annex 2.
- Respect the conditions in Articles 28(2) and 28(4) UK GDPR for engaging sub-processors (see section 7).
- Assist the Controller, taking into account the nature of processing, to fulfil its obligation to respond to Data Subject rights requests under Articles 15-22 UK GDPR.
- Assist the Controller in meeting its obligations under Articles 32-36 UK GDPR (security, breach notification, data protection impact assessments, prior consultation).
- At the Controller's choice, delete or return all Customer Personal Data after the end of the Services, except where law requires storage (see section 10).
- Make available to the Controller information necessary to demonstrate compliance with Article 28 UK GDPR and allow for audits as described in section 9.
- Inform the Controller immediately if, in its opinion, an instruction infringes UK GDPR or other applicable data protection law.
6. Obligations of the Controller
The Controller warrants that:
- It has a lawful basis under UK GDPR Article 6 for the processing instructed.
- Where special category data (Article 9) is submitted, it has identified a valid Article 9 condition. Note: Frameboard is not designed for special category data. Customers should not upload health, political, religious, genetic, biometric, or criminal offence data without written confirmation from Frameboard.
- All instructions comply with applicable data protection laws.
- It has provided appropriate privacy notices to Data Subjects (including its clients) covering the Processor's involvement.
7. Sub-processors
The Controller grants the Processor general authorisation to engage sub-processors. A current list is maintained in the Privacy Policy (section 7) and reproduced in Annex 3. The Processor will:
- Impose on each sub-processor data protection obligations substantially equivalent to those in this DPA.
- Remain liable for the acts and omissions of its sub-processors.
- Give the Controller at least 14 days' prior notice of any new or replacement sub-processor that will process Customer Personal Data (by email to the account owner and/or via the changelog).
- Within that notice period, the Controller may object on reasonable data protection grounds. If the Parties cannot agree a solution, the Controller may terminate the affected Service for convenience with a pro-rata refund of any pre-paid unused period.
8. International transfers
Where Customer Personal Data is transferred outside the UK, the Processor relies on (a) transfers to countries with a UK adequacy decision, (b) the UK International Data Transfer Agreement (IDTA) or the EU Standard Contractual Clauses with the UK Addendum, or (c) other safeguards permitted by UK GDPR Articles 45-49. Copies of the relevant transfer mechanism are available to the Controller on request.
9. Audit rights
Once per calendar year, and with at least 30 days' written notice, the Controller may audit the Processor's compliance with this DPA. The Processor may satisfy the audit obligation by:
- Providing third-party security certifications or audit reports (e.g. SOC 2, ISO 27001, or Cyber Essentials Plus, once obtained).
- Responding in writing to a reasonable security questionnaire.
- For Enterprise customers, hosting an on-site audit at the Processor's premises during business hours.
Audits must be conducted by the Controller or an independent auditor bound by confidentiality. Costs are borne by the Controller, except where the audit reveals a material breach by the Processor.
10. Deletion and return
On termination of the Principal Agreement, the Controller may, within 30 days, export Customer Personal Data via self-serve export in the app or by writing to support@myframeboard.app. After 30 days, the Processor will delete Customer Personal Data from production systems within 90 days, except for (a) data retained in encrypted backups for up to 35 days (which is then automatically aged out), and (b) data the Processor is required by law to retain (e.g. invoices retained for 6 years under HMRC rules).
11. Personal data breach
The Processor will notify the Controller without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data Breach affecting Customer Personal Data. The notification will include the information required by UK GDPR Article 33(3) to the extent known, and will be updated as further information becomes available. The Processor will cooperate with the Controller's reasonable requests to investigate and respond to the breach.
12. Liability
Liability under this DPA is subject to the limitations of liability set out in the Principal Agreement, except that such limitations do not exclude or limit liability to the extent prohibited by law (including where Articles 82-84 UK GDPR impose direct statutory liability on either Party).
13. Conflict
If there is any conflict between this DPA and the Principal Agreement, this DPA prevails in respect of data protection matters.
14. Governing law
This DPA is governed by the laws of England and Wales and the Parties submit to the exclusive jurisdiction of the courts of England and Wales, consistent with the Principal Agreement.
15. Changes to this DPA
The Processor may update this DPA from time to time to reflect changes in law or sub-processors. Material changes will be notified at least 30 days in advance by email to the account owner and via the changelog. Continued use of the Services constitutes acceptance.
Annex 1 - Customer Personal Data
| Item | Description |
|---|---|
| Categories of data subject | The Controller's employees, end-clients, end-client contacts, approvers, and project collaborators. |
| Categories of personal data | Name, email, phone number, job title, company, project and proposal content, message content, uploaded files, IP address, browser and device metadata, authentication identifiers. |
| Special categories | None by default. Customers must not upload special category data without written agreement. |
| Frequency of processing | Continuous for the duration of the Services. |
| Retention | For the term of the Principal Agreement plus up to 90 days post-termination, plus up to 35 days in encrypted backups, except where law requires longer retention. |
Annex 2 - Technical and organisational measures
- TLS 1.2+ for all data in transit
- Salted and hashed passwords (bcrypt); no plaintext passwords stored
- Role-based access control with least-privilege for employee access
- Multi-factor authentication for all employee access to production systems
- Network isolation of production from development environments
- Audit logging of administrative actions and access
- Daily automated backups to separate infrastructure (Netlify Blobs)
- IP allowlisting and SSO (Google OIDC, with SAML roadmap) for Enterprise customers
- Server-side plan-limit enforcement to prevent account-takeover-based abuse
- Incident response plan with 72-hour breach notification commitment
- Annual review of security controls and sub-processors
- Vendor due diligence before engaging any sub-processor
- Secure software development practices including dependency scanning and code review
Annex 3 - Sub-processors
| Sub-processor | Purpose | Location |
|---|---|---|
| Stripe Payments Europe Ltd | Payment processing, subscriptions | Ireland / USA |
| Netlify Inc. | Hosting, functions, blob storage | USA |
| Airtable, Inc. | Primary operational data store | USA |
| Resend | Transactional email delivery | USA |
| Anthropic, PBC | AI inference (zero-retention) | USA |
| Mux, Inc. | Video hosting and streaming | USA |
| Plausible Insights OU | Cookieless analytics | Estonia |
| Cloudflare, Inc. | DNS, CDN, DDoS protection via Netlify | USA |
Contact
Questions about this DPA, or Enterprise customers requiring a counter-signed version: privacy@myframeboard.app.