Data Processing Agreement
This Data Processing Agreement (“DPA”) forms part of the agreement between Fronterio ApS (“Fronterio”, “Processor”) and the Customer (“Controller”) identified in the Fronterio subscription order. Together, Fronterio and the Customer are “the Parties”.
This DPA reflects the Parties’ agreement with respect to the processing of Personal Data (as defined below) in connection with the Fronterio platform (the “Service”) in accordance with the requirements of Regulation (EU) 2016/679 (“GDPR”).
1. Definitions
Capitalised terms used but not defined in this DPA have the meaning assigned in the GDPR. For convenience:
- Personal Data, processing, controller, processor, data subject, personal data breach — as defined in GDPR Article 4.
- Customer Personal Data means Personal Data processed by Fronterio on behalf of the Customer under the Service.
- SCCs means the Standard Contractual Clauses adopted by the European Commission in Decision (EU) 2021/914.
2. Roles and scope
The Customer is the Controller and Fronterio is the Processor of the Customer Personal Data described in Annex I. Each Party is responsible for its own compliance with the GDPR in its respective role.
3. Processing details (Annex I)
| Item | Description |
|---|---|
| Subject matter | Provision of the Fronterio AI adoption platform. |
| Duration | For the duration of the Customer’s subscription, plus the retention periods referred to in section 12 (Return and deletion). |
| Nature and purpose | Storage, display, analysis, and inference on Customer Personal Data strictly to operate the Service features the Customer has enabled. |
| Categories of data subjects | Customer’s employees, contractors, and authorised users. |
| Categories of Personal Data | Account identifiers (name, corporate email), role, organisation, assessment responses, consultant conversation content, audit log entries, usage telemetry, and any content the Customer chooses to submit. |
| Special categories (Art. 9) | Fronterio does not intentionally process Article 9 special categories. If the Customer submits such data, the Customer warrants it has a valid Article 9 legal basis. |
| Processing locations | EU primary storage (Supabase, Frankfurt). Application hosting on Vercel (Stockholm). AI inference via Anthropic (US) under the SCCs; see Annexes III and IV. |
4. Instructions
Fronterio will process Customer Personal Data only on the documented instructions of the Customer, including with regard to transfers to a third country, unless required to do so by Union or Member State law to which Fronterio is subject. The Customer’s instructions are given through: (a) the subscription agreement and this DPA; (b) the Customer’s use of the Service’s features and settings; and (c) any additional written instructions agreed between the Parties.
Fronterio will inform the Customer if, in its opinion, an instruction infringes the GDPR or other applicable data protection law.
5. Confidentiality
Fronterio will ensure that persons authorised to process Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
6. Security (Art. 32)
Fronterio implements and maintains the technical and organisational measures set out in Annex II, which are designed to ensure a level of security appropriate to the risk. These include:
- Encryption of data in transit (TLS 1.2+) and at rest.
- AES-256-GCM encryption of integration credentials.
- Row-Level Security enforced by the database for every tenant table.
- Role-based access control, least-privilege admin access, audit logging.
- Regular backup and restoration testing.
- Vulnerability management and secure development practices.
- Incident response process, including a breach notification workflow designed to support the Customer’s 72-hour notification obligation to the supervisory authority (Art. 33).
7. Sub-processors (Art. 28.2 & 28.4)
The Customer provides general written authorisation to Fronterio’s use of Sub-processors. The current list is published at fronterio.com/sub-processors and forms part of this DPA as Annex III.
Fronterio will notify the Customer of any intended additions or replacements of Sub-processors at least 30 days before the change takes effect. The Customer has the right to object to such changes on reasonable grounds; in that case the Parties will cooperate in good faith to find a solution, and the Customer may terminate the affected Service with no penalty if no resolution is reached.
Fronterio remains fully liable to the Customer for the performance of any Sub-processor’s obligations.
8. International transfers (Chapter V)
Where Fronterio transfers Customer Personal Data outside the European Economic Area, the transfer is protected by the Standard Contractual Clauses (Module 2 – controller to processor), incorporated by reference into this DPA, and by the supplementary measures documented in Annex IV. For AI inference by Anthropic (US), the EU-US Data Privacy Framework is relied upon in addition to the SCCs for as long as Anthropic’s certification under that framework remains valid; the SCCs continue to apply regardless.
9. Assistance with data subject rights (Art. 28.3.e)
Taking into account the nature of the processing, Fronterio will assist the Customer by appropriate technical and organisational measures, and to the extent possible, to fulfil the Customer’s obligations to respond to requests for exercising data subject rights. The Service exposes self-service data export (Articles 15 and 20) and erasure (Article 17) to every end user, and provides cookie consent, telemetry opt-out, and MFA enforcement controls to the Customer.
10. Assistance with Controller obligations (Art. 28.3.f)
Fronterio will assist the Customer with security, breach notifications, data protection impact assessments, and prior consultations with the supervisory authority by providing documentation and making information available upon reasonable request.
11. Personal data breach notification (Art. 33 & 34)
Fronterio will notify the Customer without undue delay, and in any event within 72 hours, after becoming aware of a personal data breach affecting Customer Personal Data. The notification will include the nature of the breach, the categories and approximate number of data subjects and records concerned, the likely consequences, and the measures taken or proposed to mitigate the breach.
12. Return and deletion (Art. 28.3.g)
Upon termination of the Service, Fronterio will, at the Customer’s choice, delete or return all Customer Personal Data and delete existing copies, unless Union or Member State law requires storage. The standard retention schedules applied during the subscription are published at fronterio.com/privacy and enforced by a scheduled data retention job operated by Fronterio.
13. Audit (Art. 28.3.h)
Fronterio will make available to the Customer all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer. Fronterio may satisfy this obligation by providing attestations, certifications, and written responses to reasonable questionnaires.
14. Liability and term
Each Party’s liability under this DPA is subject to the limitations of liability set out in the Fronterio subscription agreement. This DPA takes effect on the later of (a) the date on which Fronterio signs below and (b) the effective date of the Customer’s subscription, and continues for as long as Fronterio processes Customer Personal Data.
15. Order of precedence
In the event of any conflict between this DPA and any other agreement between the Parties (other than the SCCs), this DPA prevails in respect of the processing of Personal Data. The SCCs prevail over this DPA.
Annex II — Technical and organisational measures
See the “Security” section of the Privacy Policy (fronterio.com/privacy) and the security page (fronterio.com/security) for the most recent description of Fronterio’s measures.
Annex III — Authorised sub-processors
The current list of authorised sub-processors, updated whenever it changes, is published at fronterio.com/sub-processors.
Annex IV — Supplementary measures for transfers
- Contractual: SCCs Module 2 incorporated by reference.
- Technical: transport encryption; minimisation of Personal Data sent to non-EU processors. Only the content a user types into a conversation is sent to Anthropic; Fronterio does not add employee names, email addresses, or other identifiers when assembling AI context. Content a user chooses to type may itself contain Personal Data and is transferred under the SCCs.
- Organisational: audit logging of all exports and cross-org reads; annual review of sub-processors with regard to changes in data transfer law; contractually binding sub-processors to SCCs or equivalent.
Signed for and on behalf of the Customer:
Title: ____________________________
Organisation: _____________________
Date: _____________________________
Signature: _______________________
Signed for and on behalf of Fronterio ApS:
Title: Founder / CEO
Organisation: Fronterio ApS
Date: _____________________________
Signature: _______________________