Data processing agreement

Frontify AG, Version: October 2024

1. Preamble

In the course of providing the Frontify Services under the Agreement between Frontify and Customer, Frontify may Process Personal Data on behalf of Customer. The Parties agree to comply with the terms of this Data Processing Agreement including its appendices (altogether referred to as “DPA”), which are incorporated into and form part of the Agreement. In case of any conflict between the terms of this DPA and other terms of the Agreement, the terms of this DPA will govern.

The Parties acknowledge and agree that Customer may qualify as a Controller or Processor in relation to Personal Data of its personnel, providers, customers, and/or other third parties involved by Customer (“Customer Personal Data”). As a result:

• where Customer is a Controller, Frontify shall be a Processor; and
• where Customer is a Processor, Frontify shall be a Sub-Processor.

This DPA reflects the Parties’ commitment to abide by Data Protection Laws with respect to the Processing of Customer Personal Data under the terms of the Agreement. The categories of Personal Data and Data Subjects Processed under this DPA, as well as the subject matter, duration, and nature of the Processing, are further specified in Exhibit A (Subject Matter and Details of Processing Activities).

2. Definitions

Unless otherwise defined in this DPA or the Agreement, all terms listed in this section shall have the meaning indicated herein.

“Effective Date” means the effective date of the Agreement.

“Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control”, for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity, or otherwise having the power to govern the financial and the operating policies or to appoint the management of the subject entity.

“Agreement” means the Frontify License Agreement, Order form, or other written or electronic agreement concluded between Frontify and Customer for the use of the Frontify Services, including all its attachments, in particular, but not limited to, the Offer, the GTC, the Service Level Agreement and any other additional document governing the contractual relationship between the Parties.

“Controller” means the entity which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.

“Customer” shall include, for the purposes of this DPA only, and except if indicated otherwise, a customer of Frontify under the Agreement, including such customer’s Affiliates.

“Customer Data” means all data, including Customer Personal Data, submitted, stored, sent, or received via the Frontify Services by Customer, its Affiliates, or Users.

“Customer Notification Email Address” means the email address which is specified in the Agreement as the Customer contact for legal and/or privacy notifications; or, if no email address is specified in the Agreement, the email address of one or more Customer contacts on Frontify’s record.

“Data Protection Laws” means all laws and regulations applicable to the Processing of Personal Data under the Agreement and which may include but are not limited to the GDPR, the laws of the EEA and its member states, Switzerland, the United States of America, and the United Kingdom.

“Data Subject” means the individual to whom Personal Data relates.

“Data Subject Request” is a demand made by a Data Subject who seeks to exercise its Data Subject’s right to access, rectify, erase, transfer, or port Customer Personal Data or to restrict or object to the Processing of Customer Personal Data in accordance with Chapter III GDPR.

“EEA” means the European Economic Area.

“Frontify” means Frontify AG.

“Frontify Notification Email Address” means privacy@frontify.com.

“Frontify Platform” means the software supplied by Frontify to Customer for use via the Internet, namely the all-in-one web-based brand management SaaS solution, the mobile app, and the desktop app offered by Frontify.

“Frontify Services” means the services offered by Frontify and purchased by Customer under the Agreement, both currently and in the future, including the subscription to the Frontify Platform.

“GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

“Personal Data” means any information that directly or indirectly identifies a Data Subject under the Data Protection Laws.

“Processing” or “Process” means any operation or set of operations which is performed upon Customer Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.

“Processor” means a natural or legal person, public authority, agency or other body which Processes Personal Data on behalf of the Controller.

“Adequate Jurisdiction” means (i) where the GDPR applies, a country for which the European Commission has issued an adequacy decision within the meaning of art 45(1), (ii) where the UK GDPR applies, a country for which an adequacy decision has been issued pursuant to Section 17A of the Data Protection Act 2018, and (iii) where the Swiss DPA applies, a country which is listed in Annex 1 of the Federal Data Protection Ordinance (SR 235.11).

“Standard Contractual Clauses” or “SCC” means Commission Implementing Decision (EU) 2021/914 of June 4, 2021, on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.

“Sub-Processor” means any third party engaged by Frontify to provide services necessary to perform the Frontify Services, and that will participate in the Processing of Customer Personal Data.

“Swiss Data Protection Law” means the Federal Act on Data Protection (SR 235.1) and the Federal Data Protection Ordinance (SR 235.11).

“Technical and Organizational Measures” or “TOMs” means a set of rules, guidelines, policies, and procedures designed to ensure that all users, servers, networks, and processes within an organization fulfil the adequate level of security and data protection standards required under Data Protection Laws.

“Term” means the period starting from the Effective Date until the cessation of the provision of the Frontify Services under the Agreement. This includes, if applicable, any period during which the provision of the Frontify Services may be suspended and any period following the termination of the Agreement during which Frontify may continue providing the Frontify Services for transitional purposes.

“Third-Party Products and Services" means independent third-party products and services not licensed directly by Frontify, including but not limited to web-based, mobile, offline, or other software functionalities that interoperate with the Frontify Services. Third-Party Products and Services may be provided by Customer or a third-party and enabled at Customer’s option to extend the experience and functionality of the Frontify Services.

“UK Data Protection Law” means the Data Protection Act 2018 and the United Kingdom General Data Protection Regulation.

“User” means any natural person who is authorized to use the Frontify Services under the Agreement.

3. Execution and duration

3.1. Introduction

This DPA is an integral part of the Agreement and does not need to be executed separately. Either Party enters this DPA on behalf of itself and, to the extent required and/or permitted under Data Protection Laws, in the name and on behalf of its Affiliates.

This DPA shall, as from the Effective Date, become legally binding and replace any terms previously agreed by the parties regarding privacy, data processing, and/or data security. This DPA shall terminate automatically upon termination of the Agreement or as earlier terminated pursuant to the terms set forth herein.

3.2. Parts of this DPA

This DPA consists of four (4) parts:

• The main body of the DPA;
• Exhibit A (Subject matter and details of Processing activities);
• Exhibit B (Sub-Processor list);
• Exhibit C (Technical and organizational measures)

4. Roles and regulatory compliance

4.1. Controller and processor

In full compliance with their respective roles and responsibilities under the Data Protection Laws, Customer in its quality as Controller or Processor, and Frontify in its quality as Processor or Sub-Processor, acknowledge and agree that:

• the subject matter and details of the Processing are described in Exhibit A;
• each Party will comply with the obligations of the Data Protection Laws with respect to the Processing of Customer Personal Data.

4.2. Authorization by third-party controller

As far as Customer is a Processor, Customer warrants that Customer’s instructions and actions concerning Customer Personal Data, including the appointment of Frontify as a Sub-Processor, have been duly authorized by the relevant Controller.

5. Processing

5.1. Scope of processing

By entering this DPA, the Parties agree that Frontify will only Process Customer Personal Data in connection with the provision of the Frontify Services and/or on Customer’s documented instructions.

The subject matter and details of Processing are specified in Exhibit A and Frontify will solely rely on those, unless further Processing is (a) required by applicable laws, (b) based on Customer’s documented instructions, or (c) otherwise agreed by the Parties in writing. If and to the extent applicable laws require further Processing of Customer Personal Data, Frontify will, as far as legally permitted, promptly inform Customer by email at the Customer Notification Email Address.

Frontify shall notify Customer if it believes that Customer’s documented instructions violate Data Protection Laws and shall be entitled to suspend the execution of the relevant instruction until Customer provides an instruction that complies with Data Protection Laws. If Customer’s documented instructions violate Data Protection Laws, Customer shall indemnify and hold Frontify harmless against all claims, damages and liabilities arising from such instructions.

5.2. Legality of processing

Customer shall, in its use of the Frontify Services and provision of instructions, Process Customer Personal Data in accordance with the requirements of the Data Protection Laws, including but not limited to the obligation to inform the Data Subjects of the use of Frontify as Processor. Customer shall be solely responsible for the accuracy, quality, and legality of Customer Personal Data and the manner in which the Customer Personal Data is collected.

5.3. Deletion or return of customer personal data

During the Term, Frontify will enable Customer and/or Users to delete Customer Data through the functionalities of the Frontify Services. If Customer or a User deletes any Customer Data, this will be removed from the Frontify’ systems in accordance with applicable law.

Following the termination of the Agreement, and upon written request, Frontify will provide Customer with a copy of the Customer Data on a customary data carrier or by electronic transfer in a format agreed to by the Parties. Ninety (90) days after the effective date of termination of the Agreement or, at Customer's request, even earlier, Frontify will delete all Customer Data from its systems, except where legal retention requirements prevent Frontify from doing so.

Frontify may retain Customer Data that is (a) contained in an archived computer system back-up in accordance with security and/or disaster recovery procedures; (b) contained in latent data, including deleted files and other non-logical data types such as memory dumps, swap files, temporary files, printer spool files and metadata that are not generally retrievable or accessible without the use of specialized tools and techniques; (c) prepared for regulatory compliance, archival or record retention purposes in accordance with applicable law; or (d) for purposes of confirming compliance with this DPA, subject in each case to the destruction of such Customer Data in due course and the inaccessibility of such Customer Data by Frontify and its personnel in the ordinary course of business. In each case such Customer Data shall remain subject to the terms and conditions of the DPA.

Customer Personal Data stored in the system backups will be automatically deleted three hundred sixty-five (365) days after the creation of the backup. Upon written request, Frontify shall provide Customer with a statement certifying that Customer Personal Data has been destroyed.

6. Sub-processing

6.1. Engagement of sub-processors

Customer generally agrees that Frontify may use Sub-Processors to fulfil its contractual obligations under the Agreement. Therefore, Customer authorizes the engagement of Frontify’s Affiliates and of third parties as Sub-Processors, to the extent the conditions set forth in this section 6 and in section 10 are complied with.

Frontify will enter into a written agreement with each Sub-Processor including data protection obligations that are substantially equivalent to those agreed in this DPA, considering the nature, scope, context and purposes of the services provided by the Sub-Processor.

Frontify warrants that the Sub-Processor shall access and Process Customer Data only to the extent necessary to perform the obligations subcontracted to it in accordance with the Agreement, including this DPA.

Frontify shall be liable for all obligations subcontracted to the Sub-Processors and for all acts and omissions of the Sub-Processors to the same extent as Frontify would be liable if Frontify directly provided the services of each Sub-Processor in accordance with the terms of this DPA. All limitations of liability set out in the Agreement or this DPA shall apply equally to the acts and omissions of Sub-Processors.

6.2. List of sub-processors and involvement of new sub-processors

Frontify’s current Sub-Processors are listed in Exhibit B (“Sub-Processor List’’). When a new Sub-Processor is engaged, Frontify shall update the Sub-Processor List and notify Customer at the Customer Notification Email Address at least fourteen (14) days prior to giving the new Sub-Processor access to Customer Personal Data.

Customer may object to any new Sub-Processor on reasonable and legitimate grounds (e.g., if the involvement of the new Sub-Processor may violate Data Protection Laws), by giving written notice at the Frontify Notification Email Address within fourteen (14) days of the relevant communication. Customer’s written objection shall outline the Customer’s specific concerns about the new Sub-Processor in order to give Frontify the opportunity to address such concerns. Frontify shall use commercially reasonable efforts to analyze any valid concerns and may, at its sole discretion: (a) decide to not appoint the new Sub-Processor and/or propose an alternative Sub-Processor; (b) take steps to remedy or mitigate Customer’s specific concerns and obtain Customer’s written consent to use the new Sub-Processor; or (c) make available to Customer the Frontify Services without the service or functionality provided by the new Sub-Processor. If Frontify is unable or reasonably determines, that it is commercially unreasonable to do any of the above options, Customer may extraordinarily terminate the affected parts of the Frontify Services by giving written notice within thirty (30) days. Frontify shall refund to Customer the pro-rata amount of any prepaid fees for the remainder of the Term following the effective date of termination with respect to such terminated Frontify Services, without imposing a penalty for such termination on Customer.

7 Rights of Data Subjects

During the Term, Frontify will enable Customer to access, rectify, restrict, delete, and export Customer Personal Data through the functionalities of the Frontify Services.

In the event any Data Subject Request is made directly to Frontify in connection with Frontify’s Processing of Customer Personal Data, Frontify will, to the extent legally permitted, promptly notify Customer and provide details of the same, or will advise the Data Subject to submit the request directly to Customer. Customer will be responsible for responding to a Data Subject Request, including, where necessary, by using the functionalities of the Frontify Services.

Frontify will assist the Customer in fulfilling its obligations under Data Protection Laws, including the obligation to respond to requests from Data Subjects.

8. Security

8.1. Technical and organizational measures (“TOMs”)

Frontify shall comply with the obligations imposed by the Data Protection Laws regarding the security of Customer Personal Data. More specifically, Frontify shall, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the Processing of Customer Personal Data as well as the risk of varying likelihood and severity for the rights and freedoms of Data Subjects, implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk in accordance with Art. 32 GDPR. The TOMs form an integral part of the DPA and are attached as Exhibit C.

The TOMs may change or be replaced from time to time. However, Frontify shall ensure that no such change or replacement will ever diminish the appropriate level of security for Customer Personal Data.

8.2. Audit

Upon Customer’s written request and subject to confidentiality obligations, Frontify shall provide Customer (or Customer’s independent third-party auditor) with information regarding Frontify’s compliance with the obligations set forth in the DPA. Frontify shall engage external auditors to verify the adequacy of its security measures. Such audits shall (a) be performed at least annually in the light of the ISO 27001 standards or any alternative standards that are substantially equivalent to ISO 27001; (b) be performed by independent third-party security professionals at Frontify’s selection and expense; and (c) result in the generation of an audit report (“Report”), which shall be considered Frontify’s confidential information. Upon Customer’s written request, Frontify shall provide a copy of the Report.

If, despite the foregoing, Customer intends to perform an additional audit on Frontify’s procedures affecting Customer Personal Data, Customer shall submit a request to Frontify and Frontify may consent to the extent a) such audit is required under Data Protection Laws, and b) a similar audit has not been already conducted less than twelve (12) months prior. However, the above restrictions shall never hinder the performance of such supplementary audit, where there have been indications of data protection violations and/or the audit is requested by a supervisory authority or other competent regulatory authority. The Customer shall reimburse Frontify for the time invested in the audit at Frontify’s current rates, which will be made available to Customer upon request. Before the commencement of such audit, the Parties shall mutually agree upon its scope, timing, and duration, as well as the reimbursement rate for which Customer shall be responsible. All reimbursement rates shall be reasonable, considering the resources invested by Frontify. Customer shall promptly notify Frontify of any non-compliance discovered during an audit, and Frontify shall use commercially reasonable efforts to resolve any non-compliance acknowledged by Frontify. The parties agree to keep the information related to such audit strictly confidential.

8.3. Confidentiality and training

Frontify shall ensure that its employees and contractors who are authorized to Process Customer Data are bound by confidentiality obligations and Frontify shall organize periodic employee training sessions on privacy, confidentiality, and data security.

8.4. Incident management and notification

Frontify shall maintain security incident management policies and procedures. Frontify shall notify the Customer without undue delay and in any event within forty-eight (48) hours of becoming aware of any breach relating to Customer Personal Data that may require notification to a supervisory authority, Data Subject or Customer under Data Protection Laws (“Data Breach”). The notification of a Data Breach will be delivered by email at the Customer Notification Email Address and shall indicate at least the following:

• the nature of the Data Breach including, where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned;
• the name and contact details of the data protection officer or other contact point where more information can be obtained;
• the likely consequences of the Data Breach;
• the measures taken or proposed to be taken by Frontify to address the Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.

In the event that it is not possible to provide the above information at the same time as the notification, this will be provided in later stages without undue delay.

The Parties agree that Frontify’s notification of a Data Breach shall never be considered an acknowledgement by Frontify of any fault or liability in that regard. Frontify shall, to the extent commercially reasonable cooperate to identify the cause of such Data Breach and, where the remediation is within Frontify’s control, take all reasonable steps to remediate such cause without delay. Except as required by Data Protection Laws, the obligations herein shall not apply to incidents that are caused by Customer, Users, or any Third-Party Products and Services.

9. Limitation of liability

Each Party’s and its Affiliates’ liability, taken together in the aggregate, arising out of, or related to this DPA, whether in contract, tort, or under any other theory of liability, is subject to the limitation of liability set forth in the Agreement.

10. Hosting location and data transfers

10.1. Hosting location

Depending on the Customer’s selection in the Agreement, Customer Personal Data will be hosted on data servers located in the EEA or the USA. Additionally, Customer Personal Data will be Processed at Frontify’s headquarter in Switzerland. A transfer of Customer Personal Data to a country outside an Adequate Jurisdiction shall take place only if it complies with Data Protection Laws and to the extent the conditions set forth in this section 10 are met.

10.2. Data transfers under the GDPR

With regard to Processing activities that involve a transfer of Customer Personal Data to a location outside an Adequate Jurisdiction, the Parties hereby agree that Frontify shall ensure compliance with Chapter V GDPR by adopting the measures required under art. 46(2) GDPR. Such measures may include, without limitation, transferring Customer Personal Data (a) to a Sub-Processor that has achieved binding corporate rules authorization in accordance with art 47 GDPR; or (b) to a Sub-Processor that has executed the Standard Contractual Clauses. The applicable data transfer mechanism for each Sub-Processor is specified in the Sub-Processor List (Exhibit B).

In the event that a decision of the European Commission authorizing the transfer of Personal Data outside the EEA is invalidated or a supervisory authority requires the suspension of the transfer of Personal Data, Frontify will implement an alternative data transfer mechanism that will allow Customer to continue to benefit from the Frontify Services in compliance with Data Protection Laws.

10.3. Data transfer under UK Data Protection Laws

To the extent that UK Data Protection Law applies to Customer Personal Data and insofar as required under UK Data Protection Law, Frontify will only transfer Personal Data to a location outside an Adequate Jurisdiction if the measures required under the UK Data Protection Law and the instructions of the Information Commissioner of the UK have been implemented.

10.4. Data transfer under Swiss Data Protection Laws

To the extent that Swiss Data Protection Law is applies to Customer Personal Data and insofar as required under Swiss Data Protection Law, Frontify will only transfer Personal Data to a location outside an Adequate Jurisdiction if the measures required under the Swiss Data Protection Law and the instructions of the Swiss Federal Data Protection and Information Commissioner have been implemented.

11. Customer assistance and governmental inquiries

Upon request and to the extent required under Data Protection Laws, Frontify shall, taking into account the information available to it and provided that Customer does not otherwise have access to the same, reasonably assist Customer in performing its relevant obligations under Art. 32 to 36 GDPR.

If Frontify is compelled to disclose Customer Personal Data to law enforcement or other governmental authorities, Frontify will, to the extent permitted by law, provide Customer with reasonable notice to enable Customer to seek appropriate remedies against such disclosure orders.

To the extent legally permitted, Customer shall reimburse Frontify for the time invested in Customer assistance at Frontify’s current rates, which shall be made available to Customer upon request.

12. Final provisions

12.1. Severability clause

Should individual provisions of this DPA be invalid or incomplete or should performance be impossible, this shall not affect the validity of the remaining provisions of this DPA. Invalid provisions shall be replaced by a valid and permissible provision that is as close as possible to the content of the original in terms of intent.

12.2. Applicable law and place of jurisdiction

The DPA and any dispute or claim arising out of or in connection with it or its subject matter or formation (including non-contractual disputes or claims) shall be governed by, and construed in accordance with, the laws of Switzerland.

In the event of any differences of opinion in connection with this DPA or its Exhibits, the Parties shall seek resolution in good faith. If despite the efforts of the Parties, no amicable agreement can be reached, the place of jurisdiction for all disputes, differences of opinion, or claims arising from or in connection with the contractual relationship between Frontify and Customer including their validity, invalidity, violation, or dissolution, shall be St. Gallen, Switzerland.