Frenlo is still in early beta. This is a draft version of our DPA.
Please let us know if you have questions or concerns.

Data Processing Addendum

This Frenlo Data Processing Addendum (“DPA”) is part of the Terms of Service and Privacy Policy (“Agreements”), as updated from time to time, or any other written or electronic agreements with Frenlo, PBC and their affiliates and/or subsidiaries (“Frenlo”) and Customer for the purchase and/or use of online services from Frenlo ("Services") to the extent that Frenlo acts as Your processor of any personal data or as Your service provider (collectively, “Your Data”).

Frenlo and Customer agree to comply with the following provisions with respect to any of Your Data, each acting reasonably and in good faith.

1. Definitions

Words and expressions used in this DPA but not defined herein shall have the meanings given to such words and expressions in (i) the General Data Protection Regulation (2016/679) (“GDPR”), including any European Economic Area or Member State law made under or pursuant to the GDPR, (ii) the Brazilian General Data Protection Law (Federal Law 13.709/2018) (“LGPD”), and (iii) the California Consumer Privacy Act of 2018, Cal. Civ. Code 1798.100 et seq. (“CCPA”), (collectively, “Applicable Data Protection Law”).

References to the GDPR shall be deemed to include the GDPR as incorporated into UK law (i.e., the “UK GDPR”) once European Union law ceases to apply to the United Kingdom.

"Controller" means the entity which determines the purposes and means of the Processing of Personal Data.

"Processing" means any operation or set of operations performed upon Your Data, whether or not by automatic means. This may include: collection, recording, organization, structuring, storage, erasure, or destruction.

“You” refers to the controller or business who has agreed to this DPA with Frenlo.

2. Details of the Processing Operations

The subject matter of the processing, including the processing operations carried out by Frenlo on your behalf, the instructions from You to Frenlo, and the security measures deployed by Frenlo, are described in the relevant Agreements between You and Frenlo. Frenlo acts as a data processor and service provider for, and on behalf of, You and conducts its processing operations in accordance with Your instructions.

3. Your Obligations

3.1 You determine the purposes for and means by which Your Data is being or will be processed, and the manner in which they are or will be processed.

3.2 You represent, warrant and agree that with respect to Your Data provided to Frenlo pursuant to this DPA, You:

3.2.1 comply with personal data security and other obligations prescribed by Applicable Data Protection Law for controllers or businesses; and

3.2.2 confirm that the provision of Your Data to Frenlo complies with Applicable Data Protection Law; and

3.2.3 process Your Data in accordance with the requirements of Applicable Data Protection Law; and

3.2.4 ensure that security and confidentiality measures implemented are suitable for protection of Your Data against any accidental or unlawful destruction, accidental loss, alteration, unauthorized or unlawful disclosure or access; and

3.2.5 take reasonable steps to ensure compliance with the provisions of this DPA by any person accessing or using Your Data on Your behalf.

4. Obligations of Frenlo.

4.1 Frenlo carries out the processing of Your Data on your behalf.

4.2 Accordingly, Frenlo agrees that it will:

4.2.1 process Your Data only on Your behalf and in compliance with Your instructions (including relating to international data transfers), including instructions in this DPA and all Agreements between You and Frenlo, unless otherwise required by EU or Member State law (where GDPR applies) or any other applicable law (in all other cases) to which Frenlo is subject; and

4.2.2 immediately inform You if in Frenlo’s opinion an instruction from You infringes Applicable Data Protection Law; and

4.2.3 implement appropriate technical and organizational security measures as provided for in Your Agreements with Frenlo prior to the commencement of the processing activities for Your Data, maintain such security measures (or better security measures) for the duration of this DPA, and provide You with reasonable evidence of its privacy and security policies; and

4.2.4 take reasonable steps to ensure that (i) persons employed by it and (ii) other persons engaged at its place of business who may process Your Data are aware of and comply with this DPA; and

4.2.5 comply with confidentiality obligations in respect of Your Data as detailed in all Agreements and take appropriate steps to ensure that its employees, authorized agents and any sub-processors comply with and acknowledge and respect the confidentiality of Your Data, including after the end of their employment, contract or at the end of their assignment; and

4.2.6 inform You of:

4.2.6.1 any legally binding request for disclosure of Your Data by a law enforcement authority, unless otherwise prohibited, such as in order to preserve the confidentiality of an investigation by the law enforcement authorities, and you acknowledge that Frenlo may disclose Your Data to comply with such a legally binding disclosure request; and

4.2.6.2 any personal data breach or security incident (or analogous concept) under Applicable Data Protection Law relating to Your Data (“Security Incident”); and

4.2.6.3 any relevant notice, inquiry or investigation by a supervisory authority relating to Your Data; and

4.2.7 provide reasonable co-operation and assistance to You in respect of Your obligations regarding:

4.2.7.1 exercise of Your data protection rights under Applicable Data Protection Law with respect to Your Data; and

4.2.7.2 the investigation of any Security Incident and the notification to the supervisory authority and data subjects in respect of such a Security
Incident; and

4.2.7.3 the preparation of data protection impact assessments and, where applicable, carrying out consultations with the supervisory authority, in each case where and to the extent required by Applicable Data Protection Law; and

4.2.7.4 the security of Your Data, including by implementing the technical and organizational security measures detailed in Your Agreements with Frenlo; and

4.2.8 if Frenlo is required by law to process Your Data, take reasonable steps to inform You of this requirement in advance of any processing, unless Frenlo is prohibited from informing You on grounds of important public interest; and

4.2.9 upon reasonable request, make available to You all information necessary to demonstrate compliance with the obligations in this Clause 4.2. Frenlo will further comply with its audit responsibilities set out in Clause 4.4 below.

4.3 Pursuant to the CCPA, Frenlo agrees that:

4.3.1 Frenlo is acting solely as a service provider with respect to Your Data; and

4.3.2 Frenlo shall not retain, use or disclose Your Data for any purpose other than for the specific purpose of performing the services specified in this DPA or any other Agreement between You and Frenlo; and

4.3.3 Frenlo may deidentify or aggregate Your Data as part of performing the services specified in this DPA and any other Agreement between You and Frenlo for limited reasons specified in the Privacy Policy; and

4.3.4 Frenlo certifies that it understands and will comply with the requirements and restrictions set forth in this Section 4.3 of this DPA.

4.4 Frenlo will, upon Your request (not to exceed one request per calendar year unless required by Applicable Data Protection Law) by email to [email protected], certify compliance with Sections 4-6 of this DPA in writing. Frenlo will also provide to you each year an opinion or Service Organization Control report provided by an accredited, third-party audit firm under the Statement on Standards for Attestation Engagements (SSAE) No. 18 (“SSAE 18”) (Reporting on Controls at a Service Organization) or the International Standard on Assurance Engagements (ISAE) 3402 (“ISAE 3402”) (Assurance Reports on Controls at a Service Organization) standards applicable to the data processing services under the Agreements (each such report, a “Report”). If a Report does not provide, in Your reasonable judgment, sufficient information to confirm Frenlo’s compliance with the terms of this DPA, then You or an accredited third-party audit firm agreed to by both You and Frenlo may audit Frenlo’s compliance with the terms of this DPA during regular business hours in a manner that is not disruptive to Frenlo’s business, upon reasonable advance notice to Frenlo of no less than 60 days and subject to reasonable confidentiality procedures. You are responsible for all costs and fees related to such audit, including all reasonable costs and fees for any and all time Frenlo expends for any such audit, in addition to the rates for support services performed by Frenlo and any expenses incurred by Frenlo in complying with this Clause 4.4 and Clause 4.2.7. Before the commencement of any such audit, You and Frenlo will mutually agree upon the timing, duration and scope of the audit, which will not involve physical access to the servers from which the data processing services are provided in order to maintain the security of Frenlo’s systems and to preserve the confidentiality of other customers’ data. You will promptly notify Frenlo of information regarding any non-compliance discovered during the course of an audit. You may not audit Frenlo more than once annually.

4.5 If (i) Your Data includes any personal data that is protected under the GDPR (such data being “EEA/UK Personal Data”); (ii) Frenlo processes the EEA/UK Personal Data outside of the European Economic Area and the United Kingdom; and (iii) such processing takes place in a country that the European Commission (or competent UK authority, as applicable) has not declared “adequate,” then Frenlo shall be deemed to have entered into the Controller to Processor Standard Contractual Clauses 2010 (Commission Decision 2010/87/EC) (“C2P SCCs”) with You, the terms of which (excluding any optional clauses) are hereby incorporated into this Agreement by reference, on the following basis:

4.5.1. You are the data exporter and Frenlo is the data importer;

4.5.2. The governing law of the C2P SCCs is Irish law;

4.5.3. For the purpose of Annex 1 to the C2P SCCs (i) the data subjects are those individuals whose personal data is contained in the data provided to Frenlo in accordance with your Agreements with Frenlo; (ii) categories of data are personal data as more particularly set out in your Agreements with Frenlo; (iii) there are no categories of sensitive data; (iv) the basic processing activities are the uses of data by Frenlo as set forth in the Agreements with Frenlo;

4.5.4. For the purpose of Annex 2 to the C2P SCCs the technical and organizational security measures implemented by the data importer in accordance are physical and technical access controls, password controls, security and activity logging, hashing and encryption of personal data, data classification policies, transport layer security for endpoints; and

4.5.5. To the extent the terms of the C2P SCCs conflict with this Data Processing Addendum or any other terms of your Agreements with Frenlo, the terms of the C2P SCCs will control.

5. Transfer, Disclosure and Third Parties

5.1 You acknowledge and agree that (a) Frenlo’s affiliates may be retained as sub-processors and (b) Frenlo and Frenlo’s affiliates may engage third parties in connection with the provision of the data processing services. Frenlo or a Frenlo affiliate shall enter into contractual arrangements with such sub-processors requiring them to guarantee a similar level of data protection compliance and information security to that provided for herein. For the purposes of this Clause 5, You hereby authorize Frenlo to engage sub-processors required to assist Frenlo for the purposes of providing the data processing services under the Agreements.

5.2 A current list of sub-processors for the data processing services is accessible here. We will provide reasonable notice to You before we engage a new sub-processor of Your Data, including the date on which the new sub-processor will begin processing Your Data (the “Sub-Processor Effective Date”). You may object to Frenlo’s engagement of a new sub-processor by ceasing to use the applicable product, program or feature prior to the Sub-Processor Effective Date. Your continued use of the applicable product, program or feature on or after the Sub-Processor Effective Date constitutes your acceptance of the new sub-processor.

6. Post-termination obligations

You and Frenlo agree that on the termination of any of the data processing services, Frenlo and any sub-processors shall, subject to the limitations described in any relevant Agreements, return all of Your Data relating to such data processing services and copies of such data to You or securely destroy them and demonstrate to Your satisfaction that it has taken such measures, unless applicable law prevents it from returning or destroying all or part of Your Data. In such case, Frenlo or sub-processor agree to preserve the confidentiality of Your Data retained by it and that it will only actively process Your Data after such date in order to comply with the laws to which it is subject.

8. Conflicts

In the event of any conflict between the terms of this DPA and any other terms between You and Frenlo, including but not limited to the terms of any Agreements, the terms in this DPA will prevail. This agreement is written in English and may be translated into other languages and made available by Frenlo. The version in English will prevail over versions translated into other languages, which are for mere reference.