Data Processing Agreement

Fronterio ApS · Version 1 · Effective 2026-04-14

This Data Processing Agreement (“DPA”) forms part of the agreement between Fronterio ApS (“Fronterio”, “Processor”) and the Customer (“Controller”) identified in the Fronterio subscription order. Together, Fronterio and the Customer are “the Parties”.

This DPA reflects the Parties’ agreement with respect to the processing of Personal Data (as defined below) in connection with the Fronterio platform (the “Service”) in accordance with the requirements of Regulation (EU) 2016/679 (“GDPR”).

1. Definitions

Capitalised terms used but not defined in this DPA have the meaning assigned in the GDPR. For convenience:

2. Roles and scope

The Customer is the Controller and Fronterio is the Processor of the Customer Personal Data described in Annex I. Each Party is responsible for its own compliance with the GDPR in its respective role.

3. Processing details (Annex I)

Subject matter: Provision of the Fronterio AI adoption platform.
Duration: For the duration of the Customer’s subscription, plus the retention periods set out in section 9.
Nature and purpose: Storage, display, analysis, and inference on Customer Personal Data strictly to operate the Service features the Customer has enabled.
Categories of data subjects: Customer’s employees, contractors, and authorised users.
Categories of Personal Data: Account identifiers (name, corporate email), role, organisation, assessment responses, consultant conversation content, audit log entries, usage telemetry, and any content the Customer chooses to submit.
Special categories (Art. 9): Fronterio does not intentionally process Article 9 special categories. If the Customer submits such data, the Customer warrants it has a valid Article 9 legal basis.
Processing locations: EU primary storage (Supabase Frankfurt). Application hosting on Vercel Stockholm. AI inference via Anthropic (US) under SCCs; see Annex III.

4. Instructions

Fronterio will process Customer Personal Data only on the documented instructions of the Customer, including with regard to transfers to a third country, unless required to do so by Union or Member State law to which Fronterio is subject. The Customer’s instructions are given through: (a) the subscription agreement and this DPA; (b) the Customer’s use of the Service’s features and settings; and (c) any additional written instructions agreed between the Parties.

Fronterio will inform the Customer if, in its opinion, an instruction infringes the GDPR or other applicable data protection law.

5. Confidentiality

Fronterio will ensure that persons authorised to process Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

6. Security (Art. 32)

Fronterio implements and maintains the technical and organisational measures set out in Annex II, which are designed to ensure a level of security appropriate to the risk. These include:

7. Sub-processors (Art. 28.2 & 28.4)

The Customer provides general written authorisation to Fronterio’s use of Sub-processors. The current list is published at fronterio.com/sub-processors and forms part of this DPA as Annex III.

Fronterio will notify the Customer of any intended additions or replacements of Sub-processors at least 30 days before the change takes effect. The Customer has the right to object to such changes on reasonable grounds; in that case the Parties will cooperate in good faith to find a solution, and the Customer may terminate the affected Service with no penalty if no resolution is reached.

Fronterio remains fully liable to the Customer for the performance of any Sub-processor’s obligations.

8. International transfers (Chapter V)

Where Fronterio transfers Customer Personal Data outside the European Economic Area, the transfer is protected by the Standard Contractual Clauses (Module 2 – controller to processor) incorporated by reference into this DPA, and by supplementary measures documented in Annex IV. For AI inference by Anthropic (US), the EU-US Data Privacy Framework is relied upon in addition to the SCCs.

9. Assistance with data subject rights (Art. 28.3.e)

Taking into account the nature of the processing, Fronterio will assist the Customer by appropriate technical and organisational measures, and to the extent possible, to fulfil obligations to respond to requests for exercising data subject rights. The Service exposes self-service data export (Article 15 + 20) and erasure (Article 17) to every end user, and cookie consent, telemetry opt-out, and MFA enforcement to Controllers.

10. Assistance with Controller obligations (Art. 28.3.f)

Fronterio will assist the Customer with security, breach notifications, data protection impact assessments, and prior consultations with the supervisory authority by providing documentation and making information available upon reasonable request.

11. Personal data breach notification (Art. 33 & 34)

Fronterio will notify the Customer without undue delay, and in any event within 72 hours, after becoming aware of a personal data breach affecting Customer Personal Data. The notification will include the nature of the breach, the categories and approximate number of data subjects and records concerned, the likely consequences, and the measures taken or proposed to mitigate the breach.

12. Return and deletion (Art. 28.3.g)

Upon termination of the Service, Fronterio will, at the Customer’s choice, delete or return all Customer Personal Data and delete existing copies, unless Union or Member State law requires storage. Standard retention schedules applied during the subscription are published at fronterio.com/privacy and enforced by the Fronterio data retention cron.

13. Audit (Art. 28.3.h)

Fronterio will make available to the Customer all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer. Fronterio may satisfy this obligation by providing attestations, certifications, and written responses to reasonable questionnaires.

14. Liability and term

Each Party’s liability under this DPA is subject to the limitations of liability set out in the Fronterio subscription agreement. This DPA takes effect on the later of the date Fronterio signs below or the effective date of the Customer’s subscription, and continues for as long as Fronterio processes Customer Personal Data.

15. Order of precedence

In the event of any conflict between this DPA and any other agreement between the Parties (other than the SCCs), this DPA prevails in respect of the processing of Personal Data. The SCCs prevail over this DPA.

Annex II — Technical and organisational measures

See the “Security” section of the Privacy Policy (fronterio.com/privacy) and the security page (fronterio.com/security) for the most recent description of Fronterio’s measures.

Annex III — Authorised sub-processors

The current list of authorised sub-processors, updated whenever it changes, is published at fronterio.com/sub-processors.

Annex IV — Supplementary measures for transfers

Customer (Controller)
Name: ____________________________
Title: ____________________________
Organisation: _____________________
Date: _____________________________
Signature: _______________________

Fronterio ApS (Processor)
Name: Steven
Title: Founder / CEO
Organisation: Fronterio ApS
Date: _____________________________
Signature: _______________________

Questions: dpo@fronterio.com · Document version 1, effective 2026-04-14.