Data Processing Agreement
Version: 1.1
This Data Processing Agreement ("DPA") supplements the Terms of Service (the "Agreement") previously entered into between you ("Customer") and Frame, dba Dockee Technologies, Inc. ("Frame"), regarding the Customer's use of Frame’s services (the "Services"). This DPA reflects the parties’ agreement with respect to the terms governing the processing and security of Customer Data under the Agreement.
1. Definitions
- "Affiliate" means any entity that directly or indirectly controls, is controlled by, or is under common control with a party.
- "Controller," "Processor," "Data Subject," and "Processing" shall have the meanings ascribed to them in the GDPR.
- "Customer Data" means any personal data that Frame processes on behalf of the Customer as a data processor in the course of providing Services.
- "Data Protection Laws" means all data protection laws and regulations applicable to a party's processing of Customer Data under the Agreement, including, where applicable, EU Data Protection Law.
- "EU Data Protection Law" means all data protection laws and regulations applicable in the European Economic Area (EEA), Switzerland, and the United Kingdom, including the GDPR.
2. Data Processing
2.1 Scope and Roles. This DPA applies to the processing of Customer Data within the scope of the Agreement. In this context, Customer acts as a data controller and Frame as a data processor.
2.2 Customer Obligations. Customer agrees to comply with its obligations as a controller under Data Protection Laws, including its obligations relating to providing any required notices and obtaining any required consents, and for ensuring that its instructions to Frame for the processing of Customer Data comply with such laws.
2.3 Frame’s Processing of Customer Data. Frame shall process Customer Data only for the purpose of providing, improving, and supporting the Services as specified in the Agreement, and in accordance with Customer's lawful instructions. The parties agree that the Agreement sets out the Customer’s complete and final instructions to Frame in relation to the processing of Customer Data, and processing outside the scope of these instructions (if any) shall require prior written agreement between the parties.
3. Sub-processors
3.1 Use of Sub-processors. Customer agrees that Frame may engage Sub-processors to process Customer Data on Customer’s behalf. The Sub-processors currently engaged by Frame and authorized by Customer are listed in Annex A.
3.2 Sub-processor Obligations. Frame shall: (i) enter into a written agreement with the Sub-processor imposing data protection terms that require the Sub-processor to protect Customer Data to the standard required by Data Protection Laws; and (ii) remain responsible for its compliance with the obligations of this DPA and for any acts or omissions of the Sub-processor that cause Frame to breach any of its obligations under this DPA.
4. Security
4.1 Security Measures. Frame shall implement and maintain appropriate technical and organizational security measures to protect Customer Data from Security Incidents and to preserve the security and confidentiality of such data, in accordance with Frame’s security standards described in Annex B.
4.2 Security Incident Response. Upon becoming aware of a Security Incident, Frame shall inform Customer without undue delay and shall provide timely information relating to the Security Incident as it becomes known or as is reasonably requested by Customer.
5. Data Rights
5.1 Data Subject Requests. Frame shall, to the extent legally permitted, promptly notify Customer if it receives a request from a Data Subject to exercise the Data Subject's right under Data Protection Laws. Frame shall not respond to any such data subject request without Customer's prior written consent except to confirm that the request relates to Customer.
5.2 Government Access Requests. Frame shall, to the extent legally permitted, promptly notify Customer if it receives a request from any law enforcement agency, regulatory body, or court for access to or disclosure of Customer Data.
6. Audits and Compliance
6.1 Audit Rights. Customer may audit Frame's compliance with the terms of this DPA up to once per year and at Customer's expense. Such audits will be conducted during regular business hours, subject to Frame's policies, and will not unreasonably interfere with Frame's business activities.
6.2 Assistance. Frame shall reasonably cooperate with Customer in the conduct of audits and the implementation of any findings or recommendations made pursuant to such audits.
7. Data transfer
7.1 Data Transfers. Frame shall not transfer Customer Data outside of the European Economic Area, Switzerland, or the United Kingdom without ensuring adequate protections are in place in accordance with applicable legal requirements.
8. Termination
8.1 Return or Deletion of Data. Upon termination of the Agreement, Frame shall, at the choice of Customer, delete or return all Customer Data to Customer, unless there is a legal requirement to retain the Customer Data.
Annex A: List of Sub-processors
- Sub-processor Name and Function
- Location
Annex B: Security Measures
- Description of Technical and Organizational Security Measures implemented by Frame
This DPA is part of the Agreement and is legally binding upon signature by the parties. Any amendment to this DPA shall be made in writing and signed by duly authorized representatives of the parties.
9. Annex A: List of Sub-processors
This Annex A to the Data Processing Agreement includes the Sub-processors currently engaged by Frame to process Customer Data on behalf of the Customer.
Current Sub-processors:
- Paragon
  - Function: Integration management platform
  - Location: United States
  - Purpose: To facilitate seamless integrations between Frame's services and other third-party services, enhancing functionality and user experience.
- Amazon Web Services (AWS)
  - Function: Cloud services provider
  - Location: Global (Data centers in the EEA, Switzerland, and the UK for Customer Data originating from these regions)
  - Purpose: Hosting infrastructure, data storage, and backup solutions ensuring high availability and resilience of Frame’s services.
- Google Cloud Platform (GCP)
  - Function: Cloud services provider
  - Location: Global (Data centers in the EEA, Switzerland, and the UK for Customer Data originating from these regions)
  - Purpose: Additional hosting infrastructure to support scalability and geographic redundancy.
Future Changes to Sub-processors:
Frame commits to informing the Customer of any intended changes concerning the addition or replacement of Sub-processors at least 30 days prior through email notification, giving the Customer the opportunity to object to such changes.
Annex B: Security Measures
This Annex B to the Data Processing Agreement details the technical and organizational security measures implemented by Frame to protect Customer Data.
Security Measures:
- Data Encryption:
  - At Rest: All Customer Data stored on servers is encrypted using industry-standard encryption protocols such as AES-256.
  - In Transit: Data transmitted between Frame’s servers and clients is encrypted using TLS 1.2 or higher to protect it against interception, tampering, or unauthorized access.
- Access Control:
  - Authentication: Frame uses strong password policies and two-factor authentication (2FA) for accessing its systems.
  - Authorization: Frame implements the principle of least privilege (PoLP), ensuring individuals have access only to the data necessary for their role.
  - Audit Trails: Frame maintains comprehensive logs of access and changes to Customer Data, which are monitored for suspicious activity.
- Data Integrity and Availability:
  - Backups: Regular backups of Customer Data are performed, ensuring data can be restored promptly in the event of a data loss incident.
  - Data Integrity Checks: Regular integrity checks are conducted to ensure the correctness and reliability of stored Customer Data.
- Physical Security:
  - Data Center Security: Frame’s infrastructure providers employ robust physical security controls to prevent unauthorized access to data centers, including 24/7 surveillance, biometric access controls, and environmental protections.
- Incident Response and Management:
  - Incident Response Plan: Frame has a formal incident response plan that includes notification procedures for affected parties and regulatory authorities where applicable.
  - Regular Testing: Frame conducts regular tests of its incident response procedures to ensure prompt and effective action in the event of a security breach.
- Employee Training and Awareness:
  - Security Training: All employees receive regular training on data protection and security best practices.
  - Confidentiality Agreements: All employees are required to sign confidentiality agreements as a condition of employment.
Frame is committed to maintaining the security of Customer Data through continuous review and updates to its security practices in response to evolving threats and changes in technology.
Contact Us
Frame welcomes comments, questions, concerns, or suggestions. Please send feedback to us by visiting https://support.frame.so/en/