Data Processing Agreement (DPA)
Last updated: April 2026
1. Purpose
This page provides an overview of the Data Processing Agreement (“DPA”) offered by Framebaker in connection with its digital signage platform and related services.
The DPA applies where Framebaker processes personal data on behalf of a customer in the course of providing the Service.
The DPA is intended to address applicable data protection requirements, including Regulation (EU) 2016/679 (“GDPR”) and, where applicable, related national data protection laws.
2. Roles of the Parties
For processing activities covered by the DPA:
- Customer acts as the data controller, or as a processor acting on behalf of its own controller.
- Framebaker acts as the data processor, or where relevant, as a subprocessor.
The customer determines the purposes of the processing and the use of the Service.
Framebaker processes personal data only on documented instructions from the customer, unless otherwise required by applicable law.
3. Scope of Processing
The DPA covers personal data processed by Framebaker on behalf of customers in connection with use of the Framebaker platform and related services, which may include:
- account and workspace administration;
- user access and permissions;
- content management and publishing;
- templates, playlists, layouts, and scheduling;
- screen, player, and device management;
- monitoring, diagnostics, uptime, and telemetry;
- support and troubleshooting; and
- AI-assisted or automated features used within the Service.
4. Categories of Data
Depending on how the customer uses the Service, Framebaker may process the following categories of personal data on the customer’s behalf:
A. Account and User Data
- names;
- business email addresses;
- usernames or account identifiers;
- job titles or company information where provided; and
- authentication or access-related metadata.
B. Customer Content and Service Data
- media files, templates, layouts, playlists, and scheduling data;
- screen names, tags, player identifiers, and deployment metadata;
- user-generated content uploaded to the platform; and
- prompts, inputs, and generated outputs used in AI-enabled features.
C. Technical and Operational Data
- device and player status information;
- uptime, health, crash, and diagnostic information;
- logs relating to account, platform, or player activity;
- support-related technical information; and
- security and audit log data.
The exact categories of personal data processed depend on the customer’s own implementation and use of the Service.
Framebaker does not intentionally require special categories of personal data for the normal operation of the Service.
5. Categories of Data Subjects
Depending on the customer’s use of the Service, data subjects may include:
- the customer’s employees, contractors, and authorised users;
- administrators and operators of the customer’s workspace;
- individuals whose personal data is included in content uploaded by the customer; and
- other individuals whose personal data the customer chooses to process through the Service.
6. Nature and Purpose of Processing
Framebaker processes personal data only as necessary to provide the Service to the customer.
This may include processing necessary for:
- hosting and operating the platform;
- authenticating users and managing access;
- storing, rendering, publishing, syncing, and displaying customer-managed content;
- managing screens, players, and devices;
- scheduling and configuration workflows;
- monitoring service health and player status;
- providing support and troubleshooting;
- maintaining platform security, reliability, and abuse prevention; and
- carrying out customer-requested AI-assisted or automated functions within the Service.
Framebaker does not process customer personal data for its own advertising purposes.
7. Duration of Processing
Framebaker will process personal data for the duration of the applicable customer relationship and as long as necessary to provide the Service, unless otherwise agreed in writing or required by law.
Upon termination of the relevant services, Framebaker will delete or return personal data in accordance with the applicable agreement, customer instructions, and legal retention obligations.
8. Subprocessors
Framebaker may engage subprocessors to support delivery of the Service.
These subprocessors may include providers of:
- cloud hosting and infrastructure;
- storage and content delivery;
- authentication and identity services;
- email and transactional communication services;
- monitoring, logging, and security tooling;
- payment and billing infrastructure where relevant to the Service; and
- customer support tooling.
Framebaker remains responsible for ensuring that subprocessors engaged on its behalf are subject to appropriate contractual obligations for data protection and confidentiality.
A current subprocessor list may be made available upon request or through customer documentation, where applicable.
9. International Data Transfers
Framebaker seeks to process customer data within the European Economic Area where reasonably possible.
Where personal data is transferred outside the EEA or to a jurisdiction not subject to an adequacy decision, Framebaker will implement appropriate safeguards as required by applicable data protection law.
These safeguards may include Standard Contractual Clauses or other legally recognised transfer mechanisms, together with supplementary technical and organisational measures where appropriate.
10. Security Measures
Framebaker implements appropriate technical and organisational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access.
These measures may include, where appropriate:
- encryption in transit;
- encryption at rest;
- access controls and least-privilege permissions;
- role-based access management;
- logging, monitoring, and alerting;
- network and infrastructure protections;
- environment separation;
- backup and recovery measures; and
- internal administrative and organisational safeguards.
Specific security measures may evolve over time as part of ongoing security and operational improvements.
11. Assistance to Customers
Taking into account the nature of the processing and the information available to Framebaker, Framebaker will provide reasonable assistance to customers in relation to:
- responding to data subject requests;
- security obligations;
- personal data breach notifications;
- data protection impact assessments where relevant; and
- consultations with supervisory authorities where required and applicable.
Such assistance may be subject to the scope of the customer agreement and may require reasonable cooperation from the customer.
12. Personal Data Breach Notification
If Framebaker becomes aware of a personal data breach affecting customer personal data processed under the DPA, Framebaker will notify the customer without undue delay.
Where reasonably possible, such notification will include available information about:
- the nature of the breach;
- the categories of data concerned;
- the likely consequences;
- measures taken or proposed; and
- relevant contact points for follow-up.
13. Audit and Information Rights
Framebaker may make available information reasonably necessary to demonstrate compliance with its processor obligations.
Where required by applicable law or contract, and subject to appropriate confidentiality, security, and proportionality safeguards, Framebaker may allow reasonable audits or inspections by the customer or an independent auditor mandated by the customer.
Any such audit rights are subject to reasonable notice, scope limitations, and protection of Framebaker confidential information and other customers’ data.
14. Customer Responsibilities
Customers are responsible for:
- ensuring they have a lawful basis for the personal data they process through the Service;
- providing required notices to data subjects;
- using the Service in compliance with applicable law;
- configuring the Service appropriately for their use case;
- ensuring that content and personal data uploaded to the Service are lawful to process; and
- avoiding unnecessary upload of sensitive or special category data unless clearly required and lawful.
Customers are also responsible for their own decisions regarding retention, access, user permissions, and deployment of content through the Service.
15. How to Request a Signed DPA
Customers who require a signed DPA may request one by contacting:
Email us
Where applicable, the full DPA may include additional contractual details such as:
- the parties’ full legal details;
- annexes describing the processing;
- subprocessor and security schedules;
- international transfer clauses or references; and
- execution and notice provisions.