Privacy FAQs

These terms govern the use of Frontify’s SaaS platform and its different features,
including services, fees, data, and customer responsibilities.

Data Processing

Does Frontify process any personal data?

Yes, Frontify processes personal data, which may qualify it as a data processor or a data controller according to the specific circumstances.

In the context of the services provided to our customers, Frontify qualifies as a data processor, and as such, it complies with the customers’ documented instructions as well as the terms of the applicable data processing agreement. As part of the purchased services, every customer receives a dedicated Frontify environment, to which only users who are invited by the customer themselves may have access. In such circumstances, the customer qualifies as the data controller and is primarily responsible for the lawful processing of its authorized users’ data. A description of the processing activities performed by Frontify as a data processor is provided in Exhibit A of the Frontify DPA.

Frontify may also carry out processing activities to which it qualifies as a data controller. This applies to cases where Frontify independently determines the purpose and means for processing personal data. Sections 5.2 to 5.19 of our Privacy Notice cover all processing activities that Frontify performs as a data controller.

Which categories of platform users' personal data does Frontify process as a data processor?

Frontify processes the following categories of platform user personal data:

a) mandatory information:

  • Name
  • Email address

This information is required for users to log in and use the Frontify platform and all its functionalities.

b) optional information:

  • Profile picture
  • Job title
  • Company name

This information is not required to use the Frontify platform and related services, however, users may provide this voluntarily.

c) platform usage data:

  • IP address
  • geographical location inferred from IP address (regional level)
  • browser type and version
  • referral source
  • language preference
  • length of visits
  • conversation data with support
  • interactions with functionalities of the platform (e.g., pages viewed, download and upload history)

This information relates to platform users’ interaction with the Frontify platform and may be processed by us for the following purposes:
i) Frontify platform operation, maintenance, and security;
ii) improving the Frontify platform quality, design, and performance;
iii) notifying users of new features, services, training, help articles, webinars, and other events; and
iv) inviting users to participate in surveys.

The platform usage data is generally processed in a pseudonymized or aggregated form; however, in some cases, Frontify may de-pseudonymize such information for any of the above purposes. In those circumstances, Frontify ensures that access to such de-pseudonymized information will be strictly limited to Frontify employees who have a specific need to know to fulfill a required task.

d) content data

This information includes additional personal data that may be embedded in the assets, data, and brand content (e.g., pictures, videos, texts, etc.) that customers or users upload to the Frontify platform. The uploading of content data is exclusively managed by the customer and the platform users and is not under the direct control of Frontify.

Does Frontify process any sensitive personal data of platform users?

Frontify does not process sensitive personal data or special categories of personal data within the meaning of Art. 9 of the EU GDPR, except where sensitive data is included in the content uploaded to the platform by customers or users voluntarily. Customers have full autonomy in deciding what material is uploaded to the Frontify platform and Frontify does not review it.

For which purposes does Frontify process platform users’ personal data?

Frontify processes platform users' personal data to provide them with the services and related support under the agreement. This also includes processing personal data to improve the platform's performance and providing customers and users with relevant insights into how they use our platform. The data processing activities that Frontify conducts on behalf of our customers are regulated by the Frontify DPA, which forms an integral part of the main agreement, and also by the Frontify Privacy Notice.

For a detailed description of processing activities carried out by Frontify as a data processor, please refer to Exhibit A of the Frontify DPA.

Where does Frontify store customers’ data?

Customers’ data, including personal data, are hosted in secure AWS data centers, either in the EEA (Germany) or the United States, depending on the customer’s preference. In the absence of a customer’s preference, data of customers based in Europe are stored in Germany, while data of customers based outside Europe are stored in the United States.

From which countries does Frontify provide support services?

Frontify support services are provided from Switzerland, France, Germany, the United Kingdom, and the United States.

Does Frontify consider itself a data controller in relation to any processing activity involving platform users’ personal data?

In general, all processing activities that Frontify performs on platform users’ personal data are based on documented instructions from the customers. In this constellation, Frontify acts as the data processor, and the customer acts as the data controller. Our customers control the data submitted and contained in the assets uploaded to the platform and are responsible for ensuring the lawful processing of the same. In cases where Frontify decides upon the purpose and the means for processing such personal data, Frontify acts as the data controller. Sections 5.2 to 5.19 of our Privacy Notice describe all processing activities that Frontify performs as a data controller.

Does Frontify sell customers' personal data to third parties?

Yes, Frontify uses subprocessors to provide services necessary to deliver the Frontify services under the agreement. All our subprocessors are subject to extensive vetting before being selected, including financial, security, and legal assessments. We engage only with sub-processors that comply with applicable data protection regulations (such as EU-GDPR, UK-GDPR, Swiss FADP, and CCPA).

For the list of current subprocessors, including details on data processing, please refer to Exhibit B of Frontify’s DPA.

Which are Frontify’s current sub-processors?

The list of our current sub-processors, including details on data processing, is incorporated in Exhibit B of the Frontify DPA.

Please find below a short description of the services each sub-processor provides to Frontify:

Active Campaign (Postmark)

Legal entity: AC PM, LLC
Address: 1 N Dearborn Street, Suite 500, Chicago, IL 60602, USA
Service: Transactional email service
Description: We use Postmark services to handle transactional email delivery for our platform. Transactional emails are essential for ensuring seamless communication and functionality for our users. Specifically, Postmark is used to send invitation emails (to invite users to join the platform), password reset emails (to facilitate secure and efficient account recovery processes), activity notifications (to keep users informed about updates within their projects), and other types of transactional emails. Postmark's reliable infrastructure ensures that these emails are delivered in a timely and secure manner, enhancing the user experience and maintaining consistent communication.
Categories of data subjects: Platform user
Categories of personal data: Email address, IP address, geographical location inferred from IP address (regional level) / opening status
Data retention: 45 days
Data processing location: USA
Data transfer mechanism: Adequate jurisdiction (sub-processor is certified under the Data Privacy Framework)

Amazon Web Services (AWS)

Legal entity: Amazon Web Services EMEA SARL
Address: 38 Avenue John F. Kennedy, L-1855, Luxembourg, Luxembourg
Service: Cloud service provider
Description: We use AWS services to ensure the secure, reliable, and scalable operation of our platform. Specifically, these include:

  • Data Storage: AWS provides a secure and high-availability environment for storing customer data. This ensures the integrity, protection, and accessibility of data at all times.
  • Scalability: AWS allows us to scale resources dynamically based on usage, ensuring seamless performance even during peak demand.
  • Security: AWS adheres to robust security standards and compliance requirements, helping us safeguard customer data and comply with industry-specific regulations.
  • Business Continuity: Through AWS's global infrastructure and backup solutions, we ensure high system availability and disaster recovery capabilities to minimize downtime.

Categories of data subjects: Platform user
Categories of personal data: All data that is necessary to run the Frontify platform, incl. all database data
Data retention: Data will be stored for the duration of the customer agreement.
Data processing location: Germany or USA (depending on the individual agreement between Frontify and the customer)
Data transfer mechanism: Adequate jurisdiction (sub-processor is certified under the Data Privacy Framework)

Amplitude

Legal entity: Amplitude Inc.
Address: 201 3rd Street, Suite 200, San Francisco, CA 94103, USA
Service: Anonymized product analytics
Description: We use Amplitude services to analyze the usage of the Frontify platform. This data is essential for our product development team to refine and enhance features and ultimately improve the quality and experience of the Frontify platform. The data is also necessary in specific cases to investigate security-related events. The platform usage data collected is anonymized for Amplitude, as we remove all personal identifiers and only leave the User ID (a random string of numbers for Amplitude). The platform user’s IP address is deleted within a logical second of data collection.
Categories of data subjects: Platform user
Categories of personal data: IP address, platform usage data (anonymized)
Data retention: Data will be anonymized within a logical second of data collection.
Data processing location: Germany
Data transfer mechanism: Adequate jurisdiction (sub-processor is certified under the Data Privacy Framework)

Intercom

Legal entity: Intercom R&D Unlimited Company
Address: 2nd Floor, Stephen Court, 18-21 St. Stephen’s Green, Dublin 2, Ireland
Service: In-app support / User onboarding / Feedback collection / Product updates / Knowledge base.
Description: We use Intercom services on our platform for the following purposes:

  • In-app support: Intercom allows our customer support team to provide real-time customer support in case of users’ requests. Additionally, Intercom's automation allows for initial triaging, ensuring users are quickly directed to the right support resources.
  • User onboarding: Through Intercom, we set up automated messages that guide users through our platform’s key features and setup processes. This helps users learn more quickly how to use the platform effectively and improves user satisfaction.
  • Feedback collection: We use Intercom to collect feedback from our users regarding their experience and satisfaction (e.g. NPS survey) with Frontify. By triggering surveys or using the chat feature to ask for opinions, we gather actionable insights directly from users. This data is crucial for our product development team to refine and enhance features based on the actual user needs.
  • Product updates: Through Intercom’s messaging system, we update the users about new platform features and share other relevant content to optimize the user experience.
  • Knowledge base: We use Intercom to connect users directly with our knowledge base, hosted on Intercom. Customers can easily search for articles or help guides related to specific issues via the chat feature, providing them with instant access to resources. This self-service model accelerates issue resolution.

Categories of data subjects: Platform user
Categories of personal data: Name, email address, platform usage data
Data retention: Data will be stored for the duration of the customer contract.
Data processing location: USA
Data transfer mechanism: Adequate jurisdiction (sub-processor is listed in the Data Privacy Framework)

Datadog

Legal entity: Datadog Inc.
Address: 620 8th Avenue, 45th Floor, New York, NY 10018-1741, USA
Service: Monitoring and observability of the Frontify platform
Description: We use Datadog for the following:

  • Logging: Datadog centralizes logs from multiple applications, AWS infrastructure components, and services. These logs help debug production issues quickly and offer insights into trends, errors, and unusual patterns, significantly reducing the mean time to resolution.
  • Monitoring: The tool continuously monitors key metrics such as system health, application performance, and infrastructure stability. Alerts and dashboards provide real-time feedback, enabling teams to identify and address performance bottlenecks and system failures proactively.
  • Observability: Datadog correlates logs, metrics, and traces, offering a holistic view of system performance.
  • Application Performance Monitoring (APM): APM is occasionally used to track the application performance, helping teams pinpoint and resolve latency issues or bottlenecks in the application code.
  • Security event logging: Security events are logged with Datadog and forwarded to Splunk (SIEM tool).

We use the collected data in aggregated form without the need to identify the platform user. Only in the case of a security event do we need to identify the platform user via their email address or IP address, which is also forwarded to Splunk (SIEM tool).
Categories of data subjects: Platform user
Categories of personal data: Email address, IP address, platform usage data
Data retention: 30 days
Data processing location: Germany
Data transfer mechanism: Adequate jurisdiction (sub-processor is listed in the Data Privacy Framework)

Splunk

Legal entity: Splunk LLC
Address: 250 Brannan Street, San Francisco, CA 94107, USA
Service: Security Information and Event Management tool (SIEM)
Description: With Splunk, we gather logs from our infrastructure and the Frontify platform. These logs are then used to analyze security incidents, enabling us to see the overall health of our infrastructure, see and block potential attacks, and investigate issues like malware on endpoints. Splunk is used on the Frontify platform for the following:

  • Security Network Management: We use Splunk to detect and respond to security threats and monitor network performance.
  • Log Management: It is used for centralized logging and troubleshooting operational issues.
  • User Activity Monitoring: The tool detects suspicious user behavior to defend the integrity of the Frontify platform and strengthen access control. It also ensures compliance with access management policies.
  • Incident Response and Forensics: The tool is needed to investigate security incidents (e.g., malware outbreaks) and document evidence for legal, privacy, and/or compliance needs. It also supports SOC operations in incident resolution and root cause analysis.
  • System Performance Monitoring: Splunk ensures optimal system performance and detects and remediates performance bottlenecks. It maintains system availability, reduces downtime, and supports SOC operations.

Categories of data subjects: Platform user
Categories of personal data: Email address, IP address, platform usage data
Data retention: 365 days
Data processing location: Germany
Data transfer mechanism: Adequate jurisdiction (sub-processor is listed in the Data Privacy Framework)

Frontify subsidiaries

Legal entities: Frontify Inc. / Frontify UK Ltd. / Frontify Deutschland GmbH / TwicPics SAS
Addresses: 625 Broadway, Floor 12, New York, NY 10012, USA / 5 New Street Square, EC4A 3TW London, UK / Friedrich-Ebert-Anlage 36, 60325 Frankfurt am Main, Germany / 10, rue de Penthievre, 75008 Paris, France
Service: Support services
Description: We leverage the expertise of our subsidiaries’ employees to deliver support services to our customers. Frontify's customer support team operates from our hubs in Switzerland, the USA, the UK, Germany, and France. As a global SaaS provider, we prioritize promptly addressing customer inquiries, ensuring seamless assistance across all time zones.
Categories of data subjects: Platform user
Categories of personal data: Name, email address, platform usage data
Data retention: Data will be stored for the duration of the customer agreement.
Data processing locations: USA / UK / Germany / France
Data transfer mechanisms: SCC / Adequate jurisdiction / Adequate jurisdiction / Adequate jurisdiction

Are there any optional services among those provided by sub-processors?

All services provided by our sub-processors are necessary to ensure that our customers can access and use our platform in all its functionality. Disabling any sub-processors' service would impact the overall customer experience, and Frontify disclaims any responsibility in this regard.

How does Frontify assess sub-processors' security and privacy compliance?

Prior to selection, each sub-processor is evaluated against financial, security, and legal requirements. We keep a record of this initial assessment and update it regularly during the term of the contract. We have agreements in place with sub-processors that include Frontify’s right to audit the sub-processor's compliance measures and the right to terminate if noncompliance is determined. In the event of developments in the applicable law or court decisions that change or add new requirements concerning our business relationship with a sub-processor, we would immediately contact the sub-processors to agree on necessary compliance measures.

How does Frontify ensure that the data protection obligations imposed on sub-processors are equivalent to those that bind Frontify to its customers?

We sign data processing agreements with each sub-processor that include obligations substantially equivalent to those binding upon us, considering the nature, scope, context, and purposes of the services provided by the sub-processor.

How does Frontify ensure that sub-processors comply with the terms of the applicable DPA at any time?

Our agreements with sub-processors require strict adherence to high standards of security and data protection and also include the right to regularly audit their compliance practices. We also perform periodic assessments through our privacy management tool, to be able to keep track of data flows across different tools and geographic locations, as well as to map all the relevant processing activities related to each sub-processor.

How does Frontify notify its customers of any change to the sub-processors list?

When a new sub-processor is involved, or an existing one is replaced, Frontify updates the list of current sub-processors and notifies the customer’s privacy contact at least fourteen (14) days before giving the new subprocessor access to the customer’s personal data.

Can customers object to the use of a new sub-processor?

Yes, customers may object to the involvement of any new sub-processor on reasonable and legitimate grounds (e.g., if the involvement of the new sub-processor would entail an infringement of data protection laws), by notifying the objection at privacy@frontify.com within fourteen (14) days of the relevant communication. The objection should describe the customer’s specific concerns about the new sub-processor in order to allow Frontify to address such concerns.

Does Frontify carry out any cross-border transfer of customers’ personal data?

Yes, our customers’ personal data may be transferred to sub-processors located outside Switzerland, the EEA, and the United Kingdom. Frontify ensures that transfers of customers’ personal data to third countries take place in accordance with the applicable data protection laws.

For further details about data transfers, please refer to the section “Compliance with data protection laws”.

How long does Frontify retain customers’ personal data?

Frontify retains customers’ personal data for the duration of the service agreement until complete deletion within 90 days of contract termination. After deletion, Frontify may still retain customers’ data for legal retention obligations or contained in system backups. In that case, Frontify will handle customers’ data in accordance with the terms of the applicable DPA.

Customers' data contained in system backups will be automatically deleted three hundred sixty-five (365) days after the backup is created. Upon written request, Frontify provides the Customer with a statement certifying that the customer’s personal data has been destroyed.

Can customers delete their data using the functionalities of the service?

Yes, our platform allows customers to manage their content and user accounts independently with the features offered. Data remains stored in the platform until they are deleted, and the retention period is, therefore, primarily determined by the customer. Platform users with administrative rights can delete selected users’ accounts, which results in the permanent deletion of all personal data associated with that account.

Can platform users adjust and delete their data using the functionalities of the service?

Every platform user can adjust their personal information using the “edit profile” functionality. If a platform user wants to have their account completely deleted, they need to contact the customer's respective account admin.

Compliance

How does Frontify ensure ongoing compliance with privacy laws and regulations?

Frontify has taken several steps to ensure ongoing privacy compliance, which include, without limitation: a) the assignment of clear roles and responsibilities for the implementation and maintenance of our privacy program; b) the purchase of a privacy management tool to perform regular assessments of our processing activities and data repositories to always have a clear overview of data flows across tools and geographic locations; c) the regular monitoring of developments in the area of global data privacy to be able to detect new legal requirements in a timely manner and adapt our policies and processes accordingly.

How does Frontify ensure compliance with the EU GDPR for transfers of data outside of the EEA?

If customers’ personal data subject to the EU regulation are transferred to a third country that does not have an adequacy decision, Frontify adopts appropriate safeguards, under Art 46 GDPR, to ensure adequate protection of personal data in that country. Currently, all transfers of personal data outside the EEA involve third countries that have received an adequacy decision from the EU Commission. With regard to our US-based sub-processors, we rely on the EU Commission's adequacy decision for the EU-US Data Privacy Framework (DPF), as these sub-processors are all certified to the DPF. For the transfer of data to Frontify’s US subsidiary (Frontify Inc.), we rely on the EU SCC version June 2021 (module Processor to Processor) and conducted a Transfer Impact Assessment. The assessment did not reveal the need for additional safeguards beyond the standard contractual clauses.

For details on the transfer mechanisms adopted, please refer to Exhibit B of the Frontify DPA.

How does Frontify ensure compliance with the Swiss data protection laws for transfers outside of Switzerland?

If customers’ personal data subject to the Swiss data protection laws are transferred to a third country that does not have an adequacy decision, Frontify adopts appropriate safeguards, under Art 16 DSG, to ensure adequate protection of personal data in that country. Currently, all transfers of personal data outside Switzerland involve third countries that have received an adequacy decision from the Federal Council. With regard to our US-based sub-processors, we can rely on the Federal Council's adequacy decision for the Swiss-US Data Privacy Framework, as these sub-processors are all certified to the Swiss-US DPF. For the transfer of data to Frontify’s US subsidiary (Frontify Inc.), we rely on the EU SCC version June 2021 (module Processor to Processor), including the required Swiss legal adjustments, and conducted a Transfer Impact Assessment. The assessment did not reveal the need for additional safeguards beyond the standard contractual clauses.

For details on the transfer mechanisms adopted, please refer to Exhibit B of the Frontify DPA.

How does Frontify ensure compliance with the UK data protection laws for transfers outside of the UK?

If customers’ personal data subject to the UK data protection laws are transferred to a third country that does not have an adequacy decision, Frontify adopts appropriate safeguards, under art. 46 UK GDPR, to ensure adequate protection of personal data in that country. Currently, all transfers of personal data outside the UK involve third countries that have received an adequacy decision from the UK Secretary of State. With regard to our US-based sub-processors, we rely on the adequacy decision of the UK Secretary of State for the UK Extension to the EU-U.S. Data Privacy Framework, as these sub-processors are all certified to the UK extension. For the transfer of data to Frontify’s US subsidiary (Frontify Inc), we rely on the EU SCC version June 2021 (module Processor to Processor), including the required UK Addendum, and conducted a Transfer Impact Assessment. The assessment did not reveal the need for additional safeguards beyond the standard contractual clauses.

For details on the transfer mechanisms adopted, please refer to Exhibit B of the Frontify DPA.

Has Frontify conducted a Transfer Impact Assessment (TIA) for transfers of data to third countries?

Yes, we conducted a TIA on data transfers to third countries that do not benefit from an adequacy decision under the EU data protection framework. Today all our sub-processors based in the USA are certified to the EU-US DPF, Swiss-US DPF, and the UK Extension to the EU-US DPF; therefore, the TIA is required only for transfers of EU/ Swiss/ UK data to our subsidiary (Frontify Inc.) in the USA. In this case, the assessment revealed that there is no objective ground to believe that the laws and practices of the country of destination would prevent Frontify Inc. from fulfilling its obligations under the SCC.

How does Frontify ensure compliance with the California Consumer Privacy Act (CCPA)?

Our Privacy Notice provides all the relevant information about data privacy that we may be required to disclose under the CCPA (e.g. categories of personal data collected, purposes for collecting personal data, whether data is sold to or shared with third parties, etc). It also includes a section addressing California residents that describes what additional rights California residents are entitled to under the CCPA and how they can exercise them. As clearly stated in the Privacy Notice, Frontify does not sell any Personal data in its possession to third parties.

Frontify adheres to the highest data privacy standards, such as the EU-GDPR. The definition of data protection laws in our DPA is intentionally broad and also includes the requirements of the CCPA.

Does Frontify comply with other state privacy laws?

Frontify regularly monitors developments in privacy laws and regulations globally and adapts its policies and contracts accordingly. In addition, because we strive to always adhere to the highest data privacy standards, such as those set by the EU GDPR, we also comply with most privacy standards in other jurisdictions. The definition of data protection laws in our DPA is intentionally broad to allow us to consider all privacy laws that may apply to our processing operations globally. We also discuss any specific adjustment that our customers may request on a case-by-case basis.

How does Frontify assist customers in handling requests from data subjects?

During the term of the agreement, if Frontify receives a data subject’s request to access, rectify, erase, transfer, port, or restrict the processing of personal data, we will promptly notify our customer and provide details of the same or will advise the data subject to submit the request directly to the customer. The customer will be responsible for responding to a data subject request, including, where necessary, using the functionalities of the Frontify Services.

Questions 2.22 and 2.23 provide more information about how platform users can amend or delete their personal information.

Is Frontify or any of its sub-processors subject to Section 702 of the Foreign Intelligence Surveillance Act ("FISA 702") and/or Executive Order 12333 ("EO 12333")?

Neither Frontify nor its sub-processors fall within the scope of FISA 702 and/or EO 12333, and there is no indication that Frontify or any of its sub-processors may be subject to these laws. These laws serve the purpose of giving US intelligence agencies specific rights in case of high concern for the country's national security. There is no objective reason to believe that the US intelligence agencies would seek to collect data from companies like Frontify or its sub-processors that handle ordinary commercial information.

Does Frontify provide customers with the Frontify Data Processing Agreement?

Yes, by signing the agreement with Frontify to use the Frontify services, Frontify’s DPA is automatically incorporated and is part of the Agreement. In addition, if required for compliance purposes, customers can request a signed version of Frontify’s DPA by contacting our privacy team at privacy@frontify.com.

Does the Frontify DPA include the Standard Contractual Clauses?

The Standard Contractual Clauses are not part of Frontify's DPA because Frontify is based in Switzerland. Switzerland is considered a country with an adequate level of protection under the EU and the UK privacy framework. For this reason, the enforcement of the SCCs is neither necessary nor possible.

How does Frontify manage customers’ requests for an audit?

Frontify is generally willing to provide customers with the necessary information to demonstrate compliance with the applicable DPA. For that purpose, customers can request the report of the security audit that Frontify performs annually in light of the ISO 27001 standard and which will be provided free of charge. Such a report is considered Frontify’s confidential information and is therefore subject to the confidentiality agreement between the parties. If, despite the report, customers intend to request an additional audit, Frontify will accept only to the extent the audit is required by law, and no similar audit has been conducted in the previous 12 months. The scope, timing and manner for conducting the audit must be agreed in advance, and the related costs must be borne by the customer in full.

Does Frontify use cookies on its platform?

Yes, we use cookies on our Platform to provide services to our customers. Our Cookie Policy (please see section “Cookies used on our Platform”) provides more details about the specific cookies that are active on the platform.

Does Frontify offer the possibility to enable cookie consent on the platform?

Yes, Frontify offers the possibility of enabling a cookie consent tab on the platform. Customers interested in enabling the cookie consent solution should contact the dedicated Customer Success Manager. This help article summarises all the relevant information.

Does Frontify offer solutions to link the customer’s privacy policy?

Yes, we enable our customers to customize the login page, link their privacy policy, and implement other functionalities, such as an opt-in feature. It is also possible to provide further information with a customizable text or by adding a disclaimer.

Furthermore, customers can link their privacy policy and other necessary information in the footer of the platform.

For more information about how to implement these functionalities, you can always contact our support team or your dedicated customer success manager.

Data security

How does Frontify implement “data protection by design and by default” in the development and maintenance of its services?

Privacy and data protection considerations are included in every phase of a new project or practice development. This allows us to identify any potential risks to an individual’s privacy and promptly adopt measures to minimize them. In parallel, we adhere to the principle of data minimization, so we only collect personal data that is necessary for a specific purpose. We provide full transparency to individuals about how we collect their data and how we use it, and also allow them to exercise their privacy rights. In some cases, they can do that using the functionality of the platform; in others, by contacting our privacy team at privacy@frontify.com. In addition, all our employees receive training on privacy and data protection principles, so that they understand how to handle personal data in compliance with the law while respecting individuals’ rights.

Have roles and responsibilities relating to privacy management and IT security been assigned?

Frontify has appointed a Chief Information Security Officer (CISO) to be responsible for the overall IT security at Frontify. Below are the relevant contact details:

CISO
Peter Davida
security@frontify.com

How does Frontify monitor personal data flows across tools and geographical locations?

Our privacy management tool allows us to trace data flows across tools used within the organization and understand the reason for such data transit. Based on the information employees provide in responding to our privacy assessments regarding their use of the tool and the personal data collected, our privacy management tool enables us to build workflows that show data transit from one tool to another and also the geographical location of the processing.

Does Frontify hold any security certifications?

Yes, Frontify holds the following certifications:

  • Frontify has been officially ISO 27001 certified since 2021. We perform annual internal and external audits in accordance with this certification.
  • Frontify is certified to the TISAX standard, a standard for information security specifically relevant to the automotive industry. The ENX Association (an association of European vehicle manufacturers, suppliers, and organizations) operates and manages it.
  • Frontify obtained the Cyber Essentials certification in 2022. Cyber Essentials is a globally recognized IT security standard developed by the UK’s National Cyber Security Centre. It ensures that IT software and processes are secure and organizations are protected from data breaches and leaks.

In addition, Frontify is officially compliant with Microsoft’s SSPA and is independently audited against the DPR on a yearly basis. The Supplier Security and Privacy Assurance (SSPA) Program delivers Microsoft’s baseline data processing instructions to suppliers in the form of the Microsoft Supplier Data Protection Requirements (DPR). At the core of Microsoft’s SSPA Program are strong privacy and security practices, which are aligned with industry-wide standards such as ISO 27701 (privacy) and ISO 27001 (security).

For more information regarding the Frontify security standards, please refer to Frontify’s Security Controls.

Which Technical and Organizational Measures (TOMs) has Frontify implemented?

At Frontify, we protect our customers' data through best-in-class technical and organizational measures. We regularly reassess the implemented measures and adapt them to the latest technical and regulatory developments.

Our TOMs are integrated by default in the Frontify DPA as Exhibit C.

Does Frontify encrypt customer data?

Yes, customer data is encrypted in transit and at rest.

For more information about encryption, please refer to Frontify's security controls or the Frontify TOMs (Exhibit C of the Frontify DPA).

Does Frontify pseudonymize or anonymize customer data?

To the extent technically possible and compatible with providing Frontify Services, Frontify anonymizes personal data. Where anonymization is not possible, Frontify relies on pseudonymization of personal data. However, in order to provide the Frontify Services, anonymization or pseudonymization of personal data is not always feasible and would be contrary to the purpose of the Frontify Services.

Does Frontify create backups of the customer data?

Frontify performs daily backups of customer data to support customers in emergencies and restore data in a timely manner. Such backups are stored for 365 days and automatically deleted afterward. The implemented technical and organizational measures and the provisions of the DPA also apply to customer data stored in a backup.

How does Frontify manage security incidents?

Frontify notifies customers without undue delay, and in any event, within 48 hours of becoming aware of any breach relating to customer personal data that may require notification to a supervisory authority or data subject under applicable data protection laws.

For more information, please refer to clause 8.4 of the Frontify DPA.

Who accesses customers’ personal data during the term of the contract?

At Frontify, access to customer data is strictly limited to individual roles. Frontify personnel get access to customer data only if the information is necessary for the performance of their task (principle of least privilege) and only if they are bound by confidentiality obligations.

How does Frontify ensure that its employees know the legal and contractual obligations regarding data protection?

Frontify employees are bound by confidentiality obligations and are familiar with the legal obligations, requirements, and consequences of applicable data protection laws. Each employee is onboarded regarding confidentiality, security, and data protection, and Frontify maintains a documented awareness and training program on a regular basis.