Data Processing Agreement
Last updated: March 16, 2026
1. Subject Matter and Duration
This Data Processing Agreement ("DPA"), pursuant to Art. 28 GDPR, governs the processing of personal data by the Processor on behalf of the Controller in connection with the provision of the FrameScope SaaS service ("Service") as described in the Terms of Service.
1.1 Parties
Between the organization using the FrameScope service ("Controller") and 27Street GmbH, Gleimstrasse 36, 10437 Berlin, Germany ("Processor").
1.2 Duration
This DPA shall remain in effect for the duration of the Controller’s use of the Service. Upon termination, the provisions of Section 10 (Deletion and Return of Data) shall apply.
2. Nature and Purpose of Processing
The Processor processes personal data on behalf of the Controller for the following purposes:
- Hosting and operating the FrameScope web application
- Storing and managing client project data (requirements, tasks, quotes, timelines, costs)
- Generating semantic search embeddings for content discovery (optional, subject to organization opt-out)
- Sending transactional emails on behalf of the Controller (invitations, notifications)
- Synchronizing calendar data when connected by users
- Generating audit logs for security and compliance
3. Types of Personal Data
The following categories of personal data are processed:
| Category | Examples |
|---|---|
| Authentication data | Email addresses, hashed passwords, session tokens |
| User profile data | Display names, avatar images, theme preferences |
| Organization data | Organization names, membership roles, timestamps |
| Client project data | Client names, project descriptions, task details, cost calculations, stakeholder contact information |
| Meeting data | Meeting titles, attendee names and emails, agenda items, imported meeting notes |
| Questionnaire data | Respondent names, email addresses, questionnaire answers |
| Audit data | User actions, IP addresses, user agent strings (retained 90 days) |
| Technical data | OAuth tokens (encrypted), calendar event metadata, file uploads |
4. Categories of Data Subjects
- Registered users of the Controller’s organization
- Client contacts and stakeholders (names, emails in project data)
- External questionnaire respondents
- Meeting participants (imported from calendar/documents)
5. Obligations of the Processor
The Processor shall process personal data only on documented instructions from the Controller, unless required to do so by Union or Member State law.
5.1 Processing Instructions (Art. 28(3)(a))
The Controller’s instructions are documented in this DPA and its annexes, the Terms of Service, the Privacy Policy, and written instructions via email to privacy@27street.de.
5.2 Confidentiality (Art. 28(3)(b))
The Processor shall ensure that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
5.3 Security Measures (Art. 28(3)(c))
The Processor shall implement and maintain appropriate technical and organizational measures as described in Annex II to ensure a level of security appropriate to the risk. These measures include:
- Encryption of personal data in transit (HTTPS/TLS) and at rest (Supabase Vault)
- Row-Level Security (RLS) for multi-tenant data isolation
- Role-based access control (viewer, editor, admin, owner)
- Audit logging with automated retention enforcement
- Automated data purge after retention periods expire
- CSRF protection and constant-time token comparison
5.4 Sub-Processors (Art. 28(3)(d))
The Processor shall not engage another processor without prior specific or general written authorization of the Controller. The Controller hereby provides general authorization for the sub-processors listed in Annex III, subject to the objection mechanism described in Section 6.
5.5 Assistance to the Controller (Art. 28(3)(e) and (f))
The Processor shall assist the Controller in responding to requests for exercising the data subject’s rights (Art. 15–22 GDPR) by providing self-service data export and account deletion features, and by supporting manual requests via privacy@27street.de.
5.6 Deletion or Return (Art. 28(3)(g))
At the choice of the Controller, the Processor shall delete or return all personal data to the Controller after the end of the provision of services, and delete existing copies unless Union or Member State law requires storage of the personal data. See Section 10.
5.7 Audit Rights (Art. 28(3)(h))
The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Art. 28 GDPR and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.
Audit requests shall be directed to privacy@27street.de with at least 30 days’ advance notice. The Processor may charge reasonable costs for on-site audits.
6. Sub-Processor Management
6.1 Sub-Processor List
The current list of sub-processors is provided in Annex III and on the Processor’s website.
6.2 Notification of Changes
The Processor shall notify the Controller at least 30 days in advance of any intended addition or replacement of sub-processors by email to the Controller’s registered email address.
6.3 Objection Right
The Controller may object to a new sub-processor within 14 days of receiving the notification. If the Controller objects on reasonable grounds relating to data protection, the Parties shall discuss the objection in good faith. If no resolution can be reached, the Controller may terminate the affected processing activities or the Service.
6.4 Sub-Processor Agreements
The Processor shall impose the same data protection obligations as set out in this DPA on any sub-processor by way of a contract, in particular providing sufficient guarantees to implement appropriate technical and organizational measures.
7. International Data Transfers
Personal data may be transferred to sub-processors located outside the European Economic Area (EEA) only where adequate safeguards are in place:
- EU-US Data Privacy Framework (DPF): For sub-processors certified under the DPF, the transfer is based on the adequacy decision of the European Commission (Implementing Decision (EU) 2023/1795).
- Standard Contractual Clauses (SCCs): For all US-based sub-processors, the Processor has concluded SCCs (Commission Implementing Decision (EU) 2021/914) as supplementary safeguards.
The Processor has conducted Transfer Impact Assessments for each US-based sub-processor, available upon request.
8. Data Breach Notification
The Processor shall notify the Controller without undue delay after becoming aware of a personal data breach affecting the Controller’s data. The notification shall include:
- The nature of the breach
- The categories and approximate number of data subjects and records concerned
- The likely consequences of the breach
- The measures taken or proposed to address the breach
The Processor shall assist the Controller in meeting its notification obligations under Articles 33 and 34 GDPR.
9. Data Subject Rights
The Service provides the following self-service features for data subjects:
- Data export (Art. 20): JSON export of all personal data via the application
- Account deletion (Art. 17): Self-service account deletion with 30-day cascade purge
- Embedding opt-out (Art. 21): Organization-level toggle to disable AI processing
- Data rectification (Art. 16): Users can edit their profile and content directly
For data subject requests that cannot be fulfilled via self-service (e.g., requests from external respondents, restriction of processing), the Processor shall assist the Controller in responding within the legally required timeframes.
10. Deletion and Return of Data
Upon termination of the Service:
- The Controller may export all data via the data export feature before account deletion
- Upon account deletion, all personal data is soft-deleted immediately and permanently purged after 30 days
- The Processor shall confirm deletion in writing upon request
Retention exceptions: Audit logs are retained for up to 90 days from the date of the event (automated deletion). Aggregated, anonymized data that can no longer be attributed to a data subject may also be retained.
11. Liability
The Parties’ liability is governed by the Terms of Service and applicable law, including Art. 82 GDPR.
12. Governing Law and Jurisdiction
This DPA shall be governed by the laws of the Federal Republic of Germany. The courts of Berlin shall have exclusive jurisdiction for disputes arising from this DPA.
13. Annex I: Description of Processing
| Field | Details |
|---|---|
| Subject matter | Provision of the FrameScope SaaS service |
| Duration | Duration of the Controller’s subscription |
| Nature of processing | Collection, storage, organization, retrieval, consultation, use, disclosure by transmission, erasure |
| Purpose | Client project management, quote generation, timeline planning, cost tracking, team collaboration |
| Types of personal data | See Section 3 |
| Categories of data subjects | See Section 4 |
14. Annex II: Technical and Organizational Measures (TOMs)
| Category | Measure |
|---|---|
| Encryption in transit | HTTPS/TLS for all communications |
| Encryption at rest | Supabase Vault (pgsodium) for OAuth tokens and secrets |
| Access control | Row-Level Security (RLS) for multi-tenant data isolation |
| Authentication | Supabase Auth with bcrypt password hashing, JWT sessions |
| Authorization | Role hierarchy: viewer < editor < admin < owner |
| CSRF protection | Double-submit cookie pattern with constant-time token comparison |
| Audit trail | Application-level audit logging with 90-day automated retention |
| Data minimization | Only necessary data collected; embedding vectors stored instead of source text |
| Deletion | Soft-delete with 30-day recovery window; automated hard-delete purge via pg_cron |
| Breach detection | Vercel server logs, Supabase dashboard monitoring, audit log review |
| Backup | Supabase automated database backups with point-in-time recovery |
| Availability | Vercel edge network with automatic failover; Supabase managed infrastructure |
15. Annex III: Authorized Sub-Processors
| Sub-Processor | Purpose | Location | Transfer Mechanism |
|---|---|---|---|
| Supabase Inc. | Database, authentication, file storage, encryption (Vault) | EU | Processing within the EU |
| OpenAI, L.P. | Semantic search embeddings (text-embedding-3-small) | USA | EU-US DPF + SCCs |
| Google LLC | Google Calendar/Drive OAuth integration, Gemini document import | USA | EU-US DPF + SCCs |
| Resend Inc. | Transactional email delivery | USA | EU-US DPF + SCCs |
| Stripe, Inc. | Subscription billing, payment processing, invoicing. Processes payment method tokens, invoice records, and customer contact details. | USA | EU-US DPF + SCCs |
| Vercel Inc. | Web application hosting and edge delivery | EU/USA | EU-US DPF + SCCs |
To execute this DPA, contact privacy@27street.de.