Data processing agreement

Frontify AG, Version: April 2023

1. Preamble

In the course of providing the Frontify Services under the Agreement between Frontify and Customer, Frontify may Process Personal Data on behalf of Customer. The Parties agree to comply with the terms of this Data Processing Agreement including its appendices (altogether referred to as “DPA”), which are incorporated into and form part of the Agreement. To the extent there is any conflict between the terms of this DPA and the other terms of the Agreement, this DPA will govern.

The Parties acknowledge and agree that Customer may qualify as a Controller or Processor in relation to Personal Data of its personnel, providers, customers, and/or other third parties involved by Customer (“Customer Personal Data”). As a result:

  • where Customer is a Controller, Frontify shall be a Processor; and
  • where Customer is a Processor, Frontify shall be a Sub-Processor.

This DPA reflects the Parties’ commitment to abide by Data Protection Laws with respect to the Processing of Customer Personal Data under the terms of the Agreement. The categories of Personal Data and categories of Data Subjects Processed under this DPA, as well as the subject matter, duration, and nature of the Processing, are further specified in Exhibit A (Subject Matter and Details of Processing Activities).

2. Definitions

Unless otherwise defined in this DPA or the Agreement, all terms listed in this section 2 shall have the meaning indicated.

“Effective Date” means the effective date of the Agreement.

“Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control”, for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity, or otherwise having the power to govern the financial and the operating policies or to appoint the management of the subject entity.

“Agreement” means the Frontify License Agreement, Order form, or other written or electronic agreement concluded between Frontify and Customer for the use of the Frontify Services, including all its attachments, in particular, but not limited to, the Offer, the GTC, the Service Level Agreement and any other additional document governing the contractual relationship between Frontify and Customer.

“Controller” means the entity which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.

“Customer Data” means data, including Customer Personal Data, submitted, stored, sent, or received via the Frontify Services by Customer, its Affiliates, or Users.

“Customer” shall include, for the purposes of this DPA only, and except if indicated otherwise, a customer of Frontify under the Agreement, including such customer’s Affiliates.

“Data Protection Laws” means all laws and regulations applicable to the Processing of Personal Data under the Agreement, which may include but is not limited to the GDPR, the laws of the EEA and its member states, Switzerland, the United States of America, and the United Kingdom.

“Data Subject” means the individual to whom Personal Data relates.

“Data Subject Request” is a demand made by a Data Subject that seeks to exercise the Data Subject’s right to access, rectify, erase, transfer, or port Customer Personal Data or to restrict the Processing of Customer Personal Data in accordance with Chapter III GDPR.

“EEA” means the European Economic Area.

“Frontify” means Frontify AG.

“Frontify Platform” means the software supplied by Frontify to Customer for use via the Internet, namely the all-in-one web-based brand management SaaS solution, the mobile app, and the desktop app offered by Frontify.

“Frontify Services” means the services offered by Frontify and purchased by Customer under the Agreement, both currently and in the future, including the subscription to the Frontify Platform.

“GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

“Personal Data” means any information that directly or indirectly identifies a Data Subject under the Data Protection Laws.

“Processing” or “Process” means any operation or set of operations which is performed upon Customer Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.

“Processor” means a natural or legal person, public authority, agency or other body which Processes Personal Data on behalf of the Controller.

“Standard Contractual Clauses” or “SCC” means Commission Implementing Decision (EU) 2021/914 of June 4, 2021, on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.

“Sub-Processor” means any third party engaged by or on behalf of Frontify that will Process Customer Personal Data as part of the performance of the Frontify Services. This does not include third-party ancillary services, which Frontify uses, for example, as telecommunications services, postal/transport services, and other measures to ensure the confidentiality, availability, integrity, and resilience of the hardware and software of data Processing systems. However, Frontify shall be obligated to implement appropriate and legally compliant contractual agreements as well as control measures to ensure the protection and the security of Customer Data also in the case of outsourced ancillary services.

“Swiss Data Protection Laws” means the Swiss Federal Act on Data Protection (SR 235.1).

“Technical and Organizational Measures” or “TOMs” means a set of rules, guidelines, policies, and procedures designed to ensure that all users, servers, networks, and processes within an organization fulfil the adequate level of security and data protection standards under Data Protection Laws.

“Term” means the period starting from the Effective Date until the cessation of the provision of the Frontify Services under the Agreement, including, if applicable, any period during which the provision of the Frontify Services may be suspended and any period following the termination of the Agreement during which Frontify may continue providing the Frontify Services for transitional purposes.

“Third-Party Products and Services” means independent third-party products and services not licensed directly by Frontify, including but not limited to web-based, mobile, offline, or other software functionalities that interoperate with the Frontify Services, that are provided by Customer or a third-party, and that Customer can enable to extend the experience and functionality of the Frontify Services.

“UK Data Protection Laws” means the Data Protection Act 2018 and the United Kingdom General Data Protection Regulation.

“User” means any natural person who is authorized to use the Frontify Services under the Agreement.

3. Execution and duration

3.1. Introduction

This DPA is an integral part of the Agreement (and does not need to be executed separately). Either Party enters into this DPA on behalf of itself and, to the extent required and/or permitted under Data Protection Laws, in the name and on behalf of its Affiliates.

This DPA shall, as from the Effective Date, become legally binding and replace any terms previously agreed by the parties regarding privacy, data processing, and/or data security. This DPA shall terminate automatically upon termination of the Agreement or as earlier terminated pursuant to the terms set forth herein.

3.2. Parts of this DPA

This DPA consists of four (4) parts:

  • The main body of the DPA;
  • Exhibit A (Subject matter and details of Processing activities);
  • Exhibit B (Sub-Processor list);
  • Exhibit C (Technical and organizational measures)

4. Roles and regulatory compliance

4.1. Controller and processor

In full compliance with their respective roles and responsibilities under the Data Protection Laws, Customer in its quality as Controller or Processor, and Frontify in its quality as Processor or Sub-Processor, acknowledge and agree that:

  1. the subject matter and details of the Processing are described in Exhibit A;
  2. each Party will comply with the obligations of the Data Protection Laws with respect to the Processing of Customer Personal Data.

4.2. Authorization by third-party controller

As far as Customer is a Processor, Customer warrants that Customer’s instructions and actions concerning Customer Personal Data, including the appointment of Frontify as a Sub-Processor, have been duly authorized by the relevant Controller.

5. Processing

5.1. Scope of processing

By entering this DPA, the Parties agree that Frontify will only Process Customer Personal Data in connection with the provision of the Frontify Services and/or on Customer’s documented instructions.

The purposes for Processing are specified in Exhibit A and Frontify will solely rely on those, unless Processing is required by applicable laws or otherwise agreed by both Parties in writing. For clarity, Frontify will not Process Customer Personal Data for advertising purposes. If and to the extent applicable law requires further Processing of Customer Personal Data, Frontify will promptly inform Customer by email at the notification email address specified in the Agreement, and where no email address is specified, to the email address of one or more Customer’s contacts on Frontify’s record, unless Frontify is prevented from doing so under applicable law.

Frontify shall notify Customer if it believes that Customer’s documented instructions violate Data Protection Laws and shall be entitled to suspend the execution of the relevant instruction until Customer provides an instruction that complies with Data Protection Laws. If such instruction violates Data Protection Laws, Customer shall indemnify and keep Frontify harmless.

5.2. Legality of processing

Customer shall, in its use of the Frontify Services and provision of instructions, use and Process Customer Personal Data in accordance with the requirements of the Data Protection Laws. Customer shall have sole responsibility for the accuracy, quality, and legality of Customer Personal Data and how Customer acquired Customer Personal Data.

5.3. Deletion or return of customer personal data

During the Term, Frontify will enable Customer and/or Users to delete Customer Data through the functionalities of the Frontify Services. If Customer or a User deletes any Customer Data, this will constitute an instruction to Frontify to remove the relevant Customer Data from Frontify’s systems in accordance with applicable law.

Following termination of the Agreement, and upon written request, Frontify will provide Customer with a copy of Customer Data on a customary data carrier or by electronic transfer in a format agreed to by the Parties. Ninety (90) days after the effective date of termination of the Agreement or upon Customer's request even prior to this date, Frontify shall delete all Customer Data except where legal retention requirements prevent Frontify from doing so.

Frontify may retain Customer Data that is (a) contained in an archived computer system back-up in accordance with security and/or disaster recovery procedures; (b) contained in latent data, including deleted files and other non-logical data types such as memory dumps, swap files, temporary files, printer spool files and metadata that are not generally retrievable or accessible without the use of specialized tools and techniques; (c) prepared for regulatory compliance, archival or record retention purposes in accordance with applicable law; or (d) for purposes of confirming compliance with this DPA, subject in each case to the destruction of such Customer Data in due course and the inaccessibility of such Customer Data by Frontify and its personnel in the ordinary course of business, and further that in each case such Customer Data shall remain subject to the terms and conditions of the DPA.

6. Sub-processing

6.1. Engagement of sub-processors

Customer generally agrees that Frontify may use Sub-Processors to fulfil its contractual obligations under the Agreement or to provide certain services on its behalf. Therefore, Customer authorizes the engagement of Frontify’s Affiliates and of third parties as Sub-Processors, to the extent the conditions set forth in this section 6 and in section 10 are complied with.

Frontify will enter into a written agreement with the Sub-Processor including data protection obligations that are substantially equivalent to those agreed by the Parties under this DPA, to the extent applicable to the nature of the services provided by the Sub-Processor.

Frontify ensures that the Sub-Processor shall only access and Process Customer Data to the extent required to perform the obligations subcontracted to it in accordance with the Agreement, including this DPA.

Frontify shall remain liable for all obligations subcontracted to, and all acts and omissions of, the Sub-Processors to the same extent as Frontify would be liable if performing the services of each Sub-Processor directly under the terms of this DPA, consistent with the limitations of liability set forth in the Agreement or this DPA.

6.2. List of sub-processors and involvement of new sub-processors

Frontify’s current Sub-Processors are listed in Exhibit B (“Sub-Processor List”). When any new Sub-Processor is to be engaged, Frontify will update the Sub-Processor List to include the new Sub-Processor at least fourteen (14) business days prior to giving the Sub-Processor access to Customer Personal Data. In order to give Customer the possibility to be notified via email of such updates to the Sub-Processor List, the Customer can request a subscription to such updates by writing an email to legal@frontify.com.

Customer may object to any new Sub-Processor on reasonable and legitimate grounds (e.g., if the involvement of the new Sub-Processor may violate Data Protection Laws). In the event Customer objects to a new Sub-Processor, Customer shall provide written notification to legal@frontify.com within 10 business days and outline the Customer’s specific concerns about the new Sub-Processor in order to give Frontify the opportunity to address such concerns. Frontify shall use commercially reasonable efforts to analyze any valid concerns and may, at its sole discretion: (a) decide to not appoint the new Sub-Processor and/or propose an alternative Sub-Processor; (b) take steps to remedy or mitigate Customer’s specific concerns and obtain Customer’s written consent to use the new Sub-Processor; or (c) make available to Customer the Frontify Services without the service or functionality provided by the new Sub-Processor. If Frontify is unable or determines, in its reasonable judgment, that it is commercially unreasonable to do any of the aforementioned options, Customer may extraordinarily terminate the affected parts of the Frontify Services by giving written notice within thirty (30) days.

Frontify shall refund Customer on a pro-rata basis any prepaid fees covering the remainder of the term of the Agreement following the effective date of termination with respect to such terminated Frontify Services, without imposing a penalty for such termination on Customer.

7. Data subjects

7.1. Access to customer personal data

During the applicable Term, Frontify will enable Customer to access, rectify, restrict, delete, and export Customer Personal Data through functionalities of the Frontify Services.

7.2. Data subject requests

In the event any Data Subject Request is made directly to Frontify in connection with Frontify’s Processing of Customer Personal Data, Frontify will either promptly inform Customer and provide details of the same, to the extent legally permitted, or will advise the Data Subject to submit the request directly to Customer. Customer will be responsible for responding to a Data Subject Request, including, where necessary, by using the functionalities of the Frontify Services.

7.3. Assistance by Frontify

Frontify ensures that it takes commercially reasonable efforts to assist Customer in fulfilling any obligation to respond to requests made by Data Subjects, including obligations requiring Customer to respond to Data Subject Requests.

8. Security

8.1. Technical and organizational measures (“TOMs”)

The Processing activities performed by Frontify shall comply with the obligations imposed by the Data Protection Laws regarding the security of Customer Personal Data. More specifically, Frontify shall, taking into account the scope and purpose of the Processing of Customer Personal Data, implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk, confidentiality and integrity of Customer Personal Data. The TOMs form an integral part of the DPA and are attached as Exhibit C.

The TOMs may change or be replaced from time to time. However, Frontify shall ensure that no such change or replacement will ever diminish the appropriate level of security for Customer Personal Data.

8.2. Audit

Upon Customer’s written request and provided that Customer is bound by confidentiality obligations, Frontify shall provide Customer (or Customer’s independent third-party auditor) with information regarding Frontify’s compliance with the obligations set forth in the DPA. Frontify shall engage external auditors to verify the adequacy of its security measures. Such audits shall (a) be performed at least annually in the light of the ISO 27001 standards or any alternative standards that are substantially equivalent to ISO 27001; (b) be performed by independent third-party security professionals at Frontify’s selection and expense; and (c) result in the generation of an audit report (“Report”), which shall be considered Frontify’s confidential information. Upon Customer’s written request, and provided that Customer is bound by confidentiality obligations, Frontify shall provide a copy of the Report.

If, despite the foregoing, Customer wishes to perform an additional audit on Frontify’s procedures affecting Customer Personal Data, Customer shall notify a request to Frontify and Frontify may consent to the extent (a) such audit is required under Data Protection Laws; and (b) a similar audit has not been already conducted less than twelve (12) months prior, except where there are indications of non-compliance and/or the audit is requested by a supervisory authority or other similar regulatory authority responsible for the enforcement of applicable law. Customer shall reimburse Frontify for the time expended on any such audit at Frontify’s then-current rates, which shall be made available to Customer upon request. Before the commencement of any such audit, Customer and Frontify shall mutually agree upon the scope, timing, and duration, in addition to the reimbursement rate for which Customer shall be responsible. All reimbursement rates shall be reasonable, considering the resources expended by Frontify. Customer shall promptly notify Frontify with information regarding any non-compliance discovered during an audit, and Frontify shall use commercially reasonable efforts to address any non-compliance accepted by Frontify. The parties agree to keep the information related to such audit strictly confidential.

8.3. Confidentiality and training

Frontify shall ensure that its employees and contractors who are authorized to Process Customer Data are bound by confidentiality obligations. Additionally, Frontify organizes regular employee training sessions on privacy, confidentiality and data security.

8.4. Incident management and notification

Frontify shall maintain security incident management policies and procedures. Frontify shall notify Customer without undue delay, and in any event within 48 hours of becoming aware, of any breach relating to Customer Personal Data which may require a notification to a supervisory authority, Data Subject or Customer under Data Protection Laws (“Security Incident”). The Notification of a Security Incident will be delivered by email at the email address specified for legal notices in the Agreement, and where no email address is specified, to the email address of one or more Customer’s contacts on Frontify’s record.

The Parties agree that Frontify’s obligation to notify Customer of a Security Incident is not considered an acknowledgement by Frontify of any fault or liability with regard to the Security Incident. Frontify shall provide commercially reasonable cooperation to identify the cause of such Security Incident and, where the remediation is within Frontify’s control, take reasonable steps to remediate such cause. Except as required by Data Protection Laws, the obligations herein shall not apply to incidents that are caused by Customer, Users, or any Third-Party Products and Services.

9. Limitation of liability

Each Party’s and its Affiliates’ liability, taken together in the aggregate, arising out of, or related to this DPA, whether in contract, tort, or under any other theory of liability, is subject to the limitation of liability section of the Agreement.

10. Data transfer

10.1. General

Customer Personal Data will be Processed within the EEA or a third country for which the European Commission has issued an adequacy decision within the meaning of art. 45(1) GDPR (hereinafter “Safe Third Country”). Where specific Processing activities involve a transfer of Customer Personal Data to a location outside a Safe Third Country, the Parties hereby agree that Frontify shall ensure compliance with Chapter V GDPR by adopting such measures as required under art. 46(2) GDPR. Such measures may include, without limitation, transferring Customer Personal Data (a) to a Sub-Processor that has achieved binding corporate rules authorization in accordance with art. 47 GDPR; or (b) to a Sub-Processor that has executed the Standard Contractual Clauses. As of the Effective Date, Frontify has executed the applicable module of the Standard Contractual Clauses with all its current Sub-Processors located outside a Safe Third Country.

In the event that a decision of the European Commission authorizing the transfer of Personal Data outside the EEA is invalidated or a supervisory authority requires the suspension of the transfer of Personal Data, including those transfers based on the Standard Contractual Clauses, Frontify will cooperate with Customer to implement an alternative data transfer mechanism that will allow Customer to continue to benefit from the Frontify Services in compliance with Data Protection Laws.

10.2. Transfer under UK data protection laws

To the extent that UK Data Protection Law is applicable to Customer Personal Data and insofar as required under UK Data Protection Law, Frontify will only transfer Personal Data to a location outside a Safe Third Country if the applicable measures are implemented according to UK Data Protection Law and the instructions of the Information Commissioner of the UK.

10.3. Transfer under Swiss data protection laws

To the extent that UK Data Protection Law is applicable to Customer Personal Data and insofar as required under Swiss Data Protection Law, Frontify will only transfer Personal Data to a location outside a Safe Third Country if the applicable measures are implemented according to Swiss Data Protection Law and the instructions of the Swiss Federal Data Protection and Information Commissioner.

11. Cooperation

11.1. Data protection impact assessment

Upon request and where required under Data Protection Laws, Frontify shall, provided that Customer does not otherwise have access to the relevant information, reasonably assist Customer in performing (a) data protection impact assessments; and (b) consultations with supervisory authorities or other competent data protection authorities.

11.2. Governmental inquiries

If Frontify is compelled to disclose Customer Personal Data to law enforcement or other governmental authorities, Frontify will, to the extent permitted by law, provide Customer with reasonable notice to enable Customer to seek appropriate remedies against such orders.

12. Final provisions

12.1. Severability clause

Should individual provisions of this DPA be invalid or incomplete or should performance be impossible, this shall not affect the validity of the remaining provisions of this DPA. Invalid provisions shall be replaced by a valid and permissible provision that is as close as possible to the content of the original in terms of intent.

12.2. Applicable law and place of jurisdiction

The DPA and any dispute or claim arising out of or in connection with it or its subject matter or formation (including non-contractual disputes or claims) shall be governed by, and construed in accordance with, the laws of Switzerland.

In the event of any differences of opinion in connection with this DPA or its Exhibits, the Parties shall seek resolution in good faith. If despite the efforts of the Parties, no amicable agreement can be reached, the place of jurisdiction for all disputes, differences of opinion, or claims arising from or in connection with the contractual relationship between Frontify and Customer including their validity, invalidity, violation, or dissolution, shall be St. Gallen, Switzerland.

Exhibit A - Subject matter and details of processing

Subject matter. The subject matter is the provision of the Frontify Services and related technical support to Customer.

Duration of the Processing. The Processing activities will be performed during the Term, plus the period from expiry of such Term until deletion of all Customer Personal Data by Frontify in accordance with the DPA.

Nature and purpose of the Processing. Frontify will Process Customer Personal Data submitted, stored, sent, or received by Customer or its Users via the Frontify Services for the purposes of providing the Frontify Services and related technical support to Customer in accordance with this DPA.

Categories of Personal Data. For login purposes, Users need to submit the following categories of Personal Data:

  • Email address

Entirely for the sake of user-friendliness and on a voluntary basis, Users may upload the following categories of Personal Data:

  • Name
  • Profile picture
  • Job title
  • Company

For technical purposes, the IP address of Users may also be Processed from time to time.

Additional categories of Personal Data may be embedded in the files and brand content uploaded to the Frontify Services (e.g., pictures, and videos) by Customer or the Users. The uploading of such data is entirely managed by Customer or the Users, while Frontify does not have any control over such uploaded content. Therefore, a more detailed identification of such Personal Data uploaded in form of brand content is not possible.

Categories of Data Subjects. Customer independently determines which individual shall be granted access to the Frontify Services. Typically, Users can be classified according to the following categories of Data Subjects:

  • Customer’s employees
  • Customer’s contractors

Exhibit B - Sub-Processor list

Third-party-provider

| Provider | Legal name of provider | Address | Country | Service description | Location of data processing | Categories of personal data | Categories of data subjects | Special categories of personal data | Data transfer mechanism |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| ActiveCampaign (Postmark) | AC PM, LLC | 1 N Dearborn Street, Suite 500, Chicago, IL 60602 | USA | Transactional email service | USA | Name, Email address, IP address | User of Frontify Services | No | SCC |
| Amazon Web Services | Amazon Web Services EMEA SARL | 38 Avenue John F. Kennedy, L-1855, Luxembourg | Luxembourg | Cloud hosting provider | Germany or USA (depending on the individual agreement between Frontify and customer) | All data that is necessary to execute the Frontify application incl. all database data | User of Frontify Services | No | SCC |
| Amplitude | Amplitude Inc. | 201 3rd Street, Suite 200, San Francisco, CA 94103 | USA | Tool for product intelligence data (e.g. user events) | USA | IP address, Event data (usage of specific features) | User of Frontify Services | No | SCC |
| Ask Nicely | Ask Nicely Holdings Inc. | 1615 SE 3rd Avenue, Floor 3, Portland, Oregon 97214 | USA | Conducts NPS surveys and collects user feedback | USA | Name, Email address | Selected User of Frontify Services | No | SCC |
| Intercom | Intercom R&D Unlimited Company | 2nd Floor, Stephen Court, 18-21 St. Stephen’s Green, Dublin 2 | Republic of Ireland | In-App support / chat system | USA | Name, Email address, IP address, Location, Conversation data | User of Frontify Services (in case a user needs support) | No | SCC |

Affiliates

| Provider | Legal name of provider | Address | Country | Service description | Location of data processing | Categories of personal data | Categories of data subjects | Special categories of personal data | Data transfer mechanism |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Frontify Inc. | Frontify Inc. | 625 Broadway, Floor 12, New York, NY 10012 | USA | Support Services | USA / Germany | Name, Email address | End User of Frontify Services (in case a user needs support) | No | SCC |
| Frontify UK Ltd. | Frontify UK Ltd. | 5 New Street Square, EC4A 3TW London | England | Support Services | England / Germany | Name, Email address | End User of Frontify Services (in case a user needs support) | No | Not applicable |
| Frontify Deutschland GmbH | Frontify Deutschland GmbH | Friedrich-Ebert-Anlage 36, 60325 Frankfurt am Main | Germany | Support Services | Support Services | Name, Email address | End User of Frontify Services (in case a user needs support) | No | Not applicable |

Exhibit C - Technical and organizational measures (TOMs)

Frontify AG, Version: April 2023

1. Preamble

Frontify’s information security program is designed in accordance with best practice industry standards, such as ISO 27001. Frontify’s security controls are designed to address its posture as a cloud-based software-as-a-service (SaaS) provider. The following concepts apply to Frontify’s software and its provision of the services (hereinafter “Frontify Services”) and are contextually important to understanding Frontify’s security measures.

Frontify has implemented appropriate technical and organizational measures (hereinafter "TOMs") to ensure a level of security appropriate to the risk of the processing activities performed to provide the Frontify Services. The TOMs shall take into account the state of the art, the costs of implementation, the nature, scope, context, and purposes of the processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.

The TOMs are subject to regular improvement and development; therefore, Frontify may review and update this document from time to time. In this respect, Frontify is entitled to implement adequate alternative measures, which shall not materially diminish the overall security level of the measures specified herein.

As Frontify uses the services of an external hosting partner, both for the hosting and processing of data, some measures will be solely implemented in the data center of such hosting partner. Accordingly, the TOMs which only concern the hosting partner are indicated in this document with the addition ("Hosting-Partner").

2. Audits and certifications

Frontify ensures that a yearly audit of the implemented information security program is performed by an external auditor and, upon request, provides its customers with documentation of proof of compliance by making available industry certificates (e.g., ISO 27001 certification, Cyber Essentials certification) and excerpts of audit results, subject to the condition that such customer is bound to confidentiality obligations.

3. Secure cloud hosting

The Frontify Services are performed using the secure server infrastructure of our cloud hosting partner AWS. For more information about the security standards implemented by AWS, please refer to:

4. Information security policy

Frontify has implemented an information security policy that governs all the relevant aspects of its security program and is aligned with best practice industry standards such as ISO 27001 requirements. Frontify's information security policy may be made available to customers upon request, subject to the condition that the customer is bound to confidentiality obligations. Further information on Frontify’s security controls can be accessed at https://www.frontify.com/en/security/.

5. Anonymization and pseudonymization

Anonymization of personal data involves the removal of personal identifiers, the aggregation of data, or the processing of data in such a way that it can no longer be associated with an individual person. Pseudonymization reduces the direct reference to an individual person during the processing in such a way that only the inclusion of additional information allows an assignment to that person.

To the extent technically possible and compatible with the provision of the Frontify Services, Frontify anonymizes personal data. Where anonymization is not possible, Frontify resorts to pseudonymization of personal data. However, in order to provide the Frontify Services, anonymization or pseudonymization of personal data is not always feasible and would be contrary to the purpose of the Frontify Services.

6. Encryption

Encryption is a measure or process that converts information into an illegible (i.e., not easily interpretable) character string (ciphertext) with the aid of an encryption method (cryptosystem).

6.1. Encryption during transmission (data in transit)

The Frontify Services are only available on pages with HTTPS, and HSTS headers are created for all subdomains. Frontify leverages Transport Layer Security (TLS) 1.2 (or better) for data in transit over any network. Frontify supports full data encryption in transit. No non-encrypted data leaves the data center. All monitoring and backend systems either send local traffic over the VPC (virtual private cloud) or use transport-level encryption when communicating with the rest of the Internet.

6.2. Encryption of resting data (data at rest)

Customer data is stored in encrypted form, in S3 buckets, and it is logically separated. Frontify encrypts data at rest using the Advanced Encryption Standard (AES) 256-bit (or better).

7. Confidentiality

Frontify adopts effective measures to ensure the confidentiality of data and to prevent any unauthorized disclosure of or access to transmitted, stored or otherwise processed data. These measures include physical access control, admission control, access control, and separation control.

7.1. Physical access control

Measures to ensure that unauthorized persons are prevented from gaining access to the data processing infrastructure.

Description of the physical access control:

  • controlled key management
  • door protection (electronic door-opener)
  • monitoring system (alarm system)
  • control system for visitors
  • Hosting-Partner: site security, gatekeeper
  • Hosting-Partner: server room protection

7.2. Admission control

Measures to ensure that unauthorized persons are prevented from accessing the data.

Description of the admission control:

  • Password policy, i.e., personal and individual user log-in when accessing the system (e.g., special characters, minimum length)
  • Automatic locking (e.g., password, pause mode)
  • Creation of a user master record per user
  • Limiting the number of authorized employees
  • Encryption of data storage
  • Access lists
  • Isolation of sensitive systems through separate network areas
  • Authentication procedure (VPN, certificates, multi-factor authentication)
  • Logging of login attempts and interruption of the login process after a defined number of unsuccessful attempts

7.3. Access control

Measures to ensure that those authorized to access a data processing infrastructure can only access the data that is subject to their access authorization. This ensures that data cannot be read, copied, modified, or removed without authorization during processing and storage.

Description of the access control:

  • Concept based on the principle of the least privilege
  • Authorization concepts (differentiated authorizations in profiles, roles, etc.)
  • Encryption of different data storage
  • Logging of accesses and attempted misuse

7.4. Separation control

Measures to ensure that data collected for different purposes are processed separately and kept separate from other data and systems, in order to exclude unplanned use of these data for other purposes.

Description of the separation control:

  • Authorization concepts (differentiated authorizations in profiles, roles, etc.)
  • Encrypted storage of data
  • Multi-tenant environment with logical customer separation
  • Separation of test and production systems

8. Integrity

Measures to maintain integrity of data to prevent data from being modified in an unnoticed, unauthorized, or unintentional manner. These measures include data integrity, transmission control, transport control, and input control.

8.1. Data integrity

Measures to ensure that data is not damaged or altered by malfunctions of the system.

Description of the data integrity control:

  • Implementation of new releases and patches with a release/patch management
  • Operational test during implementation and releases/patches by the IT department
  • Logging
  • Transport processes with individual responsibility

8.2. Transmission control

Measures to ensure that it is possible to verify and determine where data has been or can be transmitted or made available using data transmission facilities.

Description of the transmission control:

  • Logging
  • Transport processes with individual responsibility
  • Hashing

8.3. Transport control

Measures to ensure that the confidentiality and integrity of data are protected during the transmission of data and transport of data carriers.

Description of the transport control:

  • Transmission of data via encrypted data networks or tunnel connections (VPN)
  • Transport processes with individual responsibility
  • Encryption procedures which detect data modifications during transport
  • Comprehensive logging procedures

8.4. Input control

Measures that make it possible to check and establish whether and by whom the data in the data processing infrastructure have been entered, modified, or removed.

Description of the input control:

  • Logging of all system activities and retention of these logs for at least one year
  • Protocol analysis systems
  • Hashing
  • Digital signatures

9. Vulnerability detection and management

Frontify uses threat detection tools to ensure that suspicious activities, potential malware, viruses, and/or malicious computer codes are detected and reported to Frontify.

By default, Frontify scans all file types for malware (malware scanning) and uses input validation measures to prevent the execution of programs in files uploaded by the user that contain malware. In addition, Frontify enables its customers to add specific file types to a block list.

Frontify has implemented a bug bounty program to ensure continuous vulnerability detection throughout the year.

Vulnerabilities that meet defined risk criteria trigger automatic alerts and are prioritized for remediation based on their potential threat and impact on the Frontify Services.

10. Data neutrality

Frontify does not review the data uploaded by customers to the Frontify Services and processes all data regardless of its nature provided it fits the predefined characteristics for processing. Frontify makes no data-based decisions, but only executes customers' instructions when they upload content to the Frontify Services to achieve the desired results.

11. Administrative controls

Frontify performs criminal background screening on its employees as part of its hiring process, as appropriate given the employee’s role and as permitted under applicable law.

Frontify conducts regular training sessions on data privacy and security. Further, every employee is required to complete an onboarding program.

Frontify employees are bound by confidentiality either under their respective employment contracts or under a separate confidentiality agreement.

Frontify employees are bound to adhere to information security policies either under their respective employment contracts or under a separate statement of acceptance.

12. Availability and resilience

Measures to ensure the availability and resilience of data processing equipment, to ensure that high loads or high continuous loads are feasible and that access to the data is restored in a timely manner in the event of a physical or technical incident. Such measures include availability control, timely recovery of availability, and reliability.

12.1. Availability control

Measures to ensure that data is protected against accidental destruction or loss.

Description of the availability control system:

  • Hosting-Partner: data backup procedures
  • Hosting-Partner: uninterrupted power supply
  • Hosting-Partner: fire alarm system
  • Hosting-Partner: air conditioning
  • Hosting-Partner: alarm system
  • Hosting-Partner: emergency plans
  • Hosting-Partner: no water-carrying pipes above or next to server rooms

12.2. Ability to recover availability promptly

Measures to ensure that the availability of and access to data is promptly restored in the event of a physical or technical incident.

Description of the timely recovery of availability:

  • Data backup procedures
  • Regular tests of the data recovery
  • Disaster and emergency plans
  • Off-site backup
  • Hosting-Partner: availability zones

12.3. Reliability

Measures to ensure that all functions of the system are available and that any malfunctions are reported.

Description of the reliability:

  • Automatic monitoring with e-mail notification
  • Disaster and emergency plans with responsibilities
  • Regular tests of the data recovery

13. Security incident reporting

If Frontify becomes aware of a security incident that results in the accidental or unlawful destruction, loss, alteration, disclosure, or access of customer personal data, Frontify will promptly notify affected customers in accordance with its contractual obligations and the requirements of applicable data protection laws. In addition, Frontify shall immediately take reasonable measures to contain, investigate and mitigate the security incident.

14. Regular review, assessment, and evaluation

Frontify implemented a procedure for regularly examining, assessing, and evaluating the effectiveness of the technical and organizational measures to ensure the security of processing. This includes an assessment process and a contract control process.

14.1. Assessment process

Measures to ensure that data is processed securely and in accordance with data protection regulations.

Description of the assessment process:

  • Data protection management
  • Formalized processes for data protection incidents
  • Documentation of customers’ instructions
  • Formalized order management
  • Service level agreements

14.2. Contract control

Measures to ensure that data is processed according to the instructions of the customer.

Description of the contract controls:

  • Clear contract drafting
  • Documentation of customers’ instructions
  • Formalized order management