Data Processing Addendum

1. Definitions

“Customer” means the business entity using the Service. “Customer Personal Data” means any personal data processed by Framelance on behalf of Customer within the Service. “UK GDPR” includes the UK GDPR as incorporated under the UK Data Protection Act 2018.

2. Roles

For Customer Personal Data stored or processed within the workspace (including deal information, proposal inputs, and saved outputs), Customer acts as the Data Controller and Framelance acts as the Data Processor.

Framelance acts as a Data Controller separately for account administration, billing, and platform usage data as described in the Privacy Policy.

3. Scope of Processing (UK GDPR Art. 28)

The details of processing are set out below:

• Subject matter: processing of Customer Personal Data within the Service.
• Duration: for the term of Customer’s subscription and as otherwise required for backups, security, and legal compliance.
• Nature & purpose: providing the Service, including AI-assisted drafting features requested by Customer, account security, support, and system reliability.
• Categories of data subjects: Customer’s users, and individuals referenced in Customer content (e.g., client contacts) where Customer chooses to include such data.
• Categories of personal data: names, emails, message/content data submitted by Customer, and usage/security metadata as needed to run the Service.

Where Customer uses AI-assisted features, relevant Customer Personal Data included in prompts or workspace content may be processed by Framelance and its authorised sub-processors solely for the purpose of generating the requested output.

4. Purpose & Instructions

Framelance will process Customer Personal Data only to provide the Service as described in the Terms of Service and only in accordance with Customer’s documented instructions. Customer’s use of the Service constitutes instructions to process Customer Personal Data for these purposes.

Framelance will not process Customer Personal Data for other purposes unless required by law. If legally required, Framelance will (where permitted) inform Customer of that requirement.

5. Confidentiality

Framelance ensures that persons authorised to process Customer Personal Data are subject to appropriate confidentiality obligations (contractual or statutory) and access is limited to what is necessary for service delivery and support.

6. Sub-Processors

Customer provides general authorisation for Framelance to engage sub-processors to support delivery of the Service (e.g., hosting, database, authentication, AI processing, and payments).

Current sub-processors and categories are described in our Privacy Policy. Framelance will update this information when material changes occur, for example by website update or email notice. Customer may object on reasonable grounds related to data protection.

If Customer objects on reasonable data protection grounds and the parties cannot resolve the issue, Customer may discontinue the affected Service in accordance with the Terms of Service.

7. Security Measures

Framelance implements reasonable technical and organisational measures designed to protect Customer Personal Data against unauthorised access, loss, alteration, or disclosure, appropriate to the nature and sensitivity of the data processed.

Measures may include: access controls, encryption in transit, least-privilege principles, monitoring, and security updates.

8. Assistance

Taking into account the nature of processing and information available, Framelance will provide reasonable assistance to Customer with:

• responding to data subject requests (see section 9)
• security and breach notifications (see section 10)
• providing information reasonably necessary for DPIAs or regulator inquiries, where applicable

9. Data Subject Rights

If Framelance receives a data subject request relating to Customer Personal Data, Framelance will promptly notify Customer and provide reasonable assistance. Customer is responsible for responding to such requests as Data Controller.

10. Personal Data Breach

In the event of a confirmed personal data breach affecting Customer Personal Data, Framelance will notify Customer without undue delay and, where feasible, within 72 hours of becoming aware of the breach.

Notification will include (where available): the nature of the breach, categories and approximate volume of data affected, likely consequences, and steps taken or proposed to address it.

11. Audit Rights

Upon reasonable written request (no more than once per calendar year absent specific cause), Framelance will make available information reasonably necessary to demonstrate compliance with this DPA.

On-site audits may be conducted subject to prior written agreement, reasonable notice, scope limitations, and at Customer’s expense, provided such audits do not unreasonably interfere with Framelance’s operations or compromise other customers’ security/confidentiality.

12. Deletion / Return on Termination

Upon termination or expiry of Customer’s subscription, Framelance will delete or anonymise Customer Personal Data within a reasonable period, except to the extent retention is required by applicable law (e.g., tax/financial records) or for legitimate security backups for a limited time.

Residual copies in secure backups may remain for a limited period until overwritten in the ordinary course of business, subject to appropriate safeguards.

Where the Service provides export functionality, Customer may export content prior to termination. Customer may request written confirmation of deletion by contacting support@framelance.com

13. International Data Transfers

Where Customer Personal Data is processed outside the UK or EEA, Framelance will ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs), the UK IDTA / UK Addendum, or other lawful transfer mechanisms, in accordance with applicable data protection law.

14. Governing Law

This DPA is governed by the laws of England and Wales and shall be interpreted in accordance with UK GDPR requirements.