Data processing agreement

Frontify AG, Version: April 2023

1. Preamble

In the course of providing the Frontify Services under the Agreement between Frontify and Customer, Frontify may Process Personal Data on behalf of Customer. The Parties agree to comply with the terms of this Data Processing Agreement including its appendices (altogether referred to as “DPA”), which are incorporated into and forms part of the Agreement. To the extent there is any conflict between the terms of this DPA and the other terms of the Agreement, this DPA will govern.

The Parties acknowledge and agree that Customer may qualify as a Controller or Processor in relation to Personal Data of its personnel, providers, customers, and/or other third parties involved by Customer (“Customer Personal Data”). As a result

• where Customer is a Controller, Frontify shall be a Processor; and
• where Customer is a Processor, Frontify shall be a Sub-Processor.

This DPA reflects the Parties’ commitment to abide by Data Protection Laws with respect to the Processing of Customer Personal Data under the terms of the Agreement. The categories of Personal Data and categories of Data Subjects Processed under this DPA, as well as the subject matter, duration, and nature of the Processing, are further specified in Exhibit A (Subject Matter and Details of Processing Activities).

2. Definitions

Unless otherwise defined in this DPA or the Agreement, all terms listed in this section 2 shall have the meaning indicated.

“Effective Date” means the effective date of the Agreement.

“Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control”, for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity, or otherwise having the power to govern the financial and the operating policies or to appoint the management of the subject entity.

“Agreement” means the Frontify License Agreement, Order form, or other written or electronic agreement concluded between Frontify and Customer for the use of the Frontify Services, including all its attachments, in particular, but not limited to, the Offer, the GTC, the Service Level Agreement and any other additional document governing the contractual relationship between Frontify and Customer.

“Controller” means the entity which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.

“Customer Data” means data, including Customer Personal Data, submitted, stored, sent, or received via the Frontify Services by Customer, its Affiliates, or Users.

“Customer” shall include, for the purposes of this DPA only, and except if indicated otherwise, a customer of Frontify under the Agreement, including such customer’s Affiliates.

“Data Protection Laws” means all laws and regulations applicable to the Processing of Personal Data under the Agreement, which may include but is not limited to the GDPR, the laws of the EEA and its member states, Switzerland, the United States of America, and the United Kingdom.

“Data Subject” means the individual to whom Personal Data relates.

“Data Subject Request” is a demand made by a Data Subject that seeks to exercise the Data Subject’s right to access, rectify, erase, transfer, or port Customer Personal Data or to restrict the Processing of Customer Personal Data in accordance with Chapter III GDPR.

“EEA” means the European Economic Area.

“Frontify” means Frontify AG.

“Frontify Platform” means the software supplied by Frontify to Customer for use via the Internet, namely the all-in-one web-based brand management SaaS solution, the mobile app, and the desktop app offered by Frontify.

“Frontify Services” means the services offered by Frontify and purchased by Customer under the Agreement, both currently and in the future, including the subscription to the Frontify Platform.

“GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

“Personal Data” means any information that directly or indirectly identifies a Data Subject under the Data Protection Laws.

“Processing” or “Process” means any operation or set of operations which is performed upon Customer Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.

“Processor” means a natural or legal person, public authority, agency or other body which Processes Personal Data on behalf of the Controller;

“Standard Contractual Clauses” or “SCC” means Commission Implementing Decision (EU) 2021/914 of June 4, 2021, on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.

“Sub-Processor” means any third party engaged by or on behalf of Frontify that will Process Customer Personal Data as part of the performance of the Frontify Services. This does not include third-party ancillary services, which Frontify uses, for example, as telecommunications services, postal/transport services, and other measures to ensure the confidentiality, availability, integrity, and resilience of the hardware and software of data Processing systems. However, Frontify shall be obligated to implement appropriate and legally compliant contractual agreements as well as control measures to ensure the protection and the security of Customer Data also in the case of outsourced ancillary services.

“Swiss Data Protection Laws” means the Swiss Federal Act on Data Protection (SR 235.1).

“Technical and Organizational Measures” or “TOMs” means a set of rules, guidelines, policies, and procedures designed to ensure that all users, servers, networks, and processes within an organization fulfil the adequate level of security and data protection standards under Data Protection Laws.

“Term” means the period starting from the Effective Date until the cessation of the provision of the Frontify Services under the Agreement, including, if applicable, any period during which the provision of the Frontify Services may be suspended and any period following the termination of the Agreement during which Frontify may continue providing the Frontify Services for transitional purposes.

“Third-Party Products and Services” means independent third-party products and services not licensed directly by Frontify, including but not limited to web-based, mobile, offline, or other software functionalities that interoperate with the Frontify Services, that are provided by Customer or a third-party, and that Customer can enable to extend the experience and functionality of the Frontify Services.

“UK Data Protection Laws” means the Data Protection Act 2018 and the United Kingdom General Data Protection Regulation.

“User” means any natural person who is authorized to use the Frontify Services under the Agreement.

3. Execution and duration

3.1. Introduction

This DPA is an integral part of the Agreement (and does not need to be executed separately). Either Party enters into this DPA on behalf of itself and, to the extent required and/or permitted under Data Protection Laws, in the name and on behalf of its Affiliates.

This DPA shall, as from the Effective Date, become legally binding and replace any terms previously agreed by the parties regarding privacy, data processing, and/or data security. This DPA shall terminate automatically upon termination of the Agreement or as earlier terminated pursuant to the terms set forth herein.

3.2. Parts of this DPA

This DPA consists of four (4) parts:

• The main body of the DPA;
• Exhibit A (Subject matter and details of Processing activities);
• Exhibit B (Sub-Processor list);
• Exhibit C (Technical and organizational measures)

4. Roles and regulatory compliance

4.1. Controller and processor

In full compliance with their respective roles and responsibilities under the Data Protection Laws, Customer in its quality as Controller or Processor, and Frontify in its quality as Processor or Sub-Processor, acknowledge and agree that:

1. the subject matter and details of the Processing are described in Exhibit A;
2. each Party will comply with the obligations of the Data Protection Laws with respect to the Processing of Customer Personal Data.

4.2. Authorization by third-party controller

As far as Customer is a Processor, Customer warrants that Customer’s instructions and actions concerning Customer Personal Data, including the appointment of Frontify as a Sub-Processor, have been duly authorized by the relevant Controller.

5. Processing

5.1. Scope of processing

By entering this DPA, the Parties agree that Frontify will only Process Customer Personal Data in connection with the provision of the Frontify Services and/or on Customer’s documented instructions.

The purposes for Processing are specified in Exhibit A and Frontify will solely rely on those, unless Processing is required by applicable laws or otherwise agreed by both Parties in writing. For clarity, Frontify will not Process Customer Personal Data for advertising purposes. If and to the extent applicable law requires further Processing of Customer Personal Data, Frontify will promptly inform Customer by email at the notification email address specified in the Agreement, and where no email address is specified, to the email address of one or more Customer’s contacts on Frontify’s record, unless Frontify is prevented from doing so under applicable law.

Frontify shall notify Customer if it believes that Customer’s documented instructions violate Data Protection Laws and shall be entitled to suspend the execution of the relevant instruction until Customer provides an instruction that complies with Data Protection Laws. If such instruction violates Data Protection Laws, Customer shall indemnify and keep Frontify harmless.

5.2. Legality of processing

Customer shall, in its use of the Frontify Services and provision of instructions, use and Process Customer Personal Data in accordance with the requirements of the Data Protection Laws. Customer shall have sole responsibility for the accuracy, quality, and legality of Customer Personal Data and how Customer acquired Customer Personal Data.

5.3. Deletion or return of customer personal data

During the Term, Frontify will enable Customer and/or Users to delete Customer Data through the functionalities of the Frontify Services. If Customer or a User deletes any Customer Data, this will constitute an instruction to Frontify to remove the relevant Customer Data from Frontify’s systems in accordance with applicable law.

Following termination of the Agreement, and upon written request, Frontify will provide Customer with a copy of Customer Data on a customary data carrier or by electronic transfer in a format agreed to by the Parties. Ninety (90) days after the effective date of termination of the Agreement or upon Customer's request even prior to this date, Frontify shall delete all Customer Data except where legal retention requirements prevent Frontify from doing so.

Frontify may retain Customer Data that is (a) contained in an archived computer system back-up in accordance with security and/or disaster recovery procedures; (b) contained in latent data, including deleted files and other non-logical data types such as memory dumps, swap files, temporary files, printer spool files and metadata that are not generally retrievable or accessible without the use of specialized tools and techniques; (c) prepared for regulatory compliance, archival or record retention purposes in accordance with applicable law; or (d) for purposes of confirming compliance with this DPA, subject in each case to the destruction of such Customer Data in due course and the inaccessibility of such Customer Data by Frontify and its personnel in the ordinary course of business, and further that in each case such Customer Data shall remain subject to the terms and conditions of the DPA.

6. Sub-processing

6.1. Engagement of sub-processors

Customer generally agrees that Frontify may use Sub-Processors to fulfil its contractual obligations under the Agreement or to provide certain services on its behalf. Therefore, Customer authorizes the engagement of Frontify’s Affiliates and of third parties as Sub-Processors, to the extent the conditions set forth in this section 6 and in section 10 are complied with.

Frontify will enter into a written agreement with the Sub-Processor including data protection obligations that are substantially equivalent to those agreed by the Parties under this DPA, to the extent applicable to the nature of the services provided by the Sub-Processor.

Frontify ensures that the Sub-Processor shall only access and Process Customer Data to the extent required to perform the obligations subcontracted to it in accordance with the Agreement, including this DPA.

Frontify shall remain liable for all obligations subcontracted to, and all acts and omissions of, the Sub-Processors to the same extent as Frontify would be liable if performing the services of each Sub-Processor directly under the terms of this DPA, consistent with the limitations of liability set forth in the Agreement or this DPA.

6.2. List of sub-processors and involvement of new sub-processors

Frontify’s current Sub-Processors are listed in Exhibit B (“Sub-Processor List’). When any new Sub-Processor is to be engaged, Frontify will update the Sub-Processor List to include the new Sub-Processor at least fourteen (14) business days prior to giving the Sub-Processor access to Customer Personal Data. In order to give Customer the possibility to be notified via email of such updates to the Sub–Processor List, the Customer can request a subscription to such updates by writing an email to legal@frontify.com.

Customer may object to any new Sub-Processor on reasonable and legitimate grounds (e.g., if the involvement of the new Sub-Processor may violate Data Protection Laws). In the event Customer objects to a new Sub-Processor, Customer shall provide written notification to legal@frontify.com within 10 business days and outline the Customer’s specific concerns about the new Sub-Processor in order to give Frontify the opportunity to address such concerns. Frontify shall use commercially reasonable efforts to analyze any valid concerns and may, at its sole discretion: (a) decide to not appoint the new Sub-Processor and/or propose an alternative Sub-Processor; (b) take steps to remedy or mitigate Customer’s specific concerns and obtain Customer’s written consent to use the new Sub-Processor; or (c) make available to Customer the Frontify Services without the service or functionality provided by the new Sub-Processor. If Frontify is unable or determines, in its reasonable judgment, that it is commercially unreasonable to do any of the aforementioned options, Customer may extraordinarily terminate the affected parts of the Frontify Services by giving written notice within thirty (30) days.

Frontify shall refund Customer on a pro-rata basis any prepaid fees covering the remainder of the term of the Agreement following the effective date of termination with respect to such terminated Frontify Services, without imposing a penalty for such termination on Customer.

7. Data subjects

7.1. Access to customer personal data

During the applicable Term, Frontify will enable Customer to access, rectify, restrict, delete, and export Customer Personal Data through functionalities of the Frontify Services.

7.2. Data subject requests

In the event any Data Subject Request is made directly to Frontify in connection with Frontify’s Processing of Customer Personal Data, Frontify will either promptly inform Customer and provide details of the same, to the extent legally permitted, or will advise the Data Subject to submit the request directly to Customer. Customer will be responsible for responding to a Data Subject Request, including, where necessary, by using the functionalities of the Frontify Services.

7.3 Assistance by Frontify

Frontify ensures that it takes commercially reasonable efforts to assist Customer in fulfilling any obligation to respond to requests made by Data Subjects, including obligations requiring Customer to respond to Data Subject Requests.

8. Security

8.1. Technical and organizational measures (“TOMs”)

The Processing activities performed by Frontify shall comply with the obligations imposed by the Data Protection Laws regarding the security of Customer Personal Data. More specifically, Frontify shall, taking into account the scope and purpose of the Processing of Customer Personal Data, implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk, confidentiality and integrity of Customer Personal Data. The TOMs form an integral part of the DPA and are attached as Exhibit C.

The TOMs may change or be replaced from time to time. However, Frontify shall ensure that no such change or replacement will ever diminish the appropriate level of security for Customer Personal Data.

8.2. Audit

Upon Customer’s written request and provided that Customer is bound by confidentiality obligations, Frontify shall provide Customer (or Customer’s independent third-party auditor) with information regarding Frontify’s compliance with the obligations set forth in the DPA. Frontify shall engage external auditors to verify the adequacy of its security measures. Such audits shall (a) be performed at least annually in the light of the ISO 27001 standards or any alternative standards that are substantially equivalent to ISO 27001; (b) be performed by independent third-party security professionals at Frontify’s selection and expense; and (c) result in the generation of an audit report (“Report”), which shall be considered Frontify’s confidential information. Upon Customer’s written request, and provided that Customer is bound by confidentiality obligations, Frontify shall provide a copy of the Report.

If, despite the foregoing, Customer wishes to perform an additional audit on Frontify’s procedures affecting Customer Personal Data, Customer shall notify a request to Frontify and Frontify may consent to the extent a) such audit is required under Data Protection Laws; and b) a similar audit has not been already conducted less than twelve (12) months prior, except where there are indications of non-compliance and/or the audit is requested by a supervisory authority or other similar regulatory authority responsible for the enforcement of applicable law. Customer shall reimburse Frontify for the time expended on any such audit at Frontify’s then-current rates, which shall be made available to Customer upon request. Before the commencement of any such audit, Customer and Frontify shall mutually agree upon the scope, timing, and duration, in addition to the reimbursement rate for which Customer shall be responsible. All reimbursement rates shall be reasonable, considering the resources expended by Frontify. Customer shall promptly notify Frontify with information regarding any non-compliance discovered during an audit, and Frontify shall use commercially reasonable efforts to address any non-compliance accepted by Frontify. The parties agree to keep the information related to such audit strictly confidential.

8.3. Confidentiality and training

Frontify shall ensure that its employees and contractors who are authorized to Process Customer Data are bound by confidentiality obligations. Additionally, Frontify organizes regular employee training sessions on privacy, confidentiality and data security.

8.4. Incident management and notification

Frontify shall maintain security incident management policies and procedures. Frontify shall notify Customer without undue delay, and in any event within 48 hours of becoming aware, of any breach relating to Customer Personal Data which may require a notification to a supervisory authority, Data Subject or Customer under Data Protection Laws (“Security Incident”). The Notification of a Security Incident will be delivered by email at the email address specified for legal notices in the Agreement, and where no email address is specified, to the email address of one or more Customer’s contacts on Frontify’s record.

The Parties agree that Frontify’s obligation to notify Customer of a Security Incident is not considered an acknowledgement by Frontify of any fault or liability with regard to the Security Incident. Frontify shall provide commercially reasonable cooperation to identify the cause of such Security Incident and, where the remediation is within Frontify’s control, take reasonable steps to remediate such cause. Except as required by Data Protection Laws, the obligations herein shall not apply to incidents that are caused by Customer, Users, or any Third-Party Products and Services.

9. Limitation of liability

Each Party’s and its Affiliates’ liability, taken together in the aggregate, arising out of, or related to this DPA, whether in contract, tort, or under any other theory of liability, is subject to the limitation of liability section of the Agreement.

10. Data transfer

10.1. General

Customer Personal Data will be Processed within the EEA or a third country for which the European Commission has issued an adequacy decision within the meaning of art.45(1) GDPR (hereinafter “Safe Third Country”). Where specific Processing activities involve a transfer of Customer Personal Data to a location outside a Safe Third Country, the Parties hereby agree that Frontify shall ensure compliance with Chapter V GDPR by adopting such measures as required under art 46(2) GDPR. Such measures may include, without limitation, transferring Customer Personal Data (a) to a Sub-Processor that has achieved binding corporate rules authorization in accordance with art 47 GDPR; or (b) to a Sub-Processor that has executed the Standard Contractual Clauses. As of the Effective Date, Frontify has executed the applicable module of the Standard Contractual Clauses with all its current Sub-Processors located outside a Safe Third Country.

In the event that a decision of the European Commission authorizing the transfer of Personal Data outside the EEA is invalidated or a supervisory authority requires the suspension of the transfer of Personal Data, including those transfers based on the Standard Contractual Clauses, Frontify will cooperate with Customer to implement an alternative data transfer mechanism that will allow Customer to continue to benefit from the Frontify Services in compliance with Data Protection Laws.

10.2. Transfer under UK data protection laws

To the extent that UK Data Protection Law is applicable to Customer Personal Data and insofar as required under UK Data Protection Law, Frontify will only transfer Personal Data to a location outside a Safe Third Country if the applicable measures are implemented according to UK Data Protection Law and the instructions of the Information Commissioner of the UK.

10.3. Transfer under swiss data protection laws

To the extent that UK Data Protection Law is applicable to Customer Personal Data and insofar required under Swiss Data Protection Law, Frontify will only transfer Personal Data to a location outside a Safe Third Country if the applicable measures are implemented according to Swiss Data Protection Law and the instructions of the Swiss Federal Data Protection and Information Commissioner.

11. Cooperation

11.1. Data protection impact assessment

Upon request and where required byunder Data Protection Laws, Frontify shall, provided that Customer does not otherwise have access to the relevant information, reasonably assist Customer in performing (a) data protection impact assessments; and (b) consultations with supervisory authorities or other competent data protection authorities.

11.2. Governmental inquiries

If Frontify is compelled to disclose Customer Personal Data to law enforcement or other governmental authorities, Frontify will, to the extent permitted by law, provide Customer with reasonable notice to enable Customer to seek appropriate remedies against such orders.

12. Final provisions

12.1. Severability clause

Should individual provisions of this DPA be invalid or incomplete or should performance be impossible, this shall not affect the validity of the remaining provisions of this DPA. Invalid provisions shall be replaced by a valid and permissible provision that is as close as possible to the content of the original in terms of intent.

12.2. Applicable law and place of jurisdiction

The DPA and any dispute or claim arising out of or in connection with it or its subject matter or formation (including non-contractual disputes or claims) shall be governed by, and construed in accordance with, the laws of Switzerland.

In the event of any differences of opinion in connection with this DPA or its Exhibits, the Parties shall seek resolution in good faith. If despite the efforts of the Parties, no amicable agreement can be reached, the place of jurisdiction for all disputes, differences of opinion, or claims arising from or in connection with the contractual relationship between Frontify and Customer including their validity, invalidity, violation, or dissolution, shall be St. Gallen, Switzerland.