Data Processing Agreement
Last updated: March 2026
This Data Processing Agreement ("DPA") forms part of the agreement between Fristly ("Processor") and the customer ("Controller") for the use of Fristly's services.
1. Definitions
- Personal Data: any information relating to an identified or identifiable natural person, as defined by GDPR Article 4(1).
- Processing: any operation performed on Personal Data, as defined by GDPR Article 4(2).
- Sub-processor: any third party engaged by the Processor to process Personal Data on behalf of the Controller.
2. Scope of Processing
The Processor processes Personal Data on behalf of the Controller for the following purposes:
- Providing the Fristly SaaS contract tracking service
- Sending renewal alerts and notifications
- Generating analytics and reports on contract usage
3. Categories of Data
- Contact information (name, email address)
- Company information (company name, role)
- Contract data (vendor names, renewal dates, costs, terms)
- Usage data (login timestamps, feature usage)
4. Obligations of the Processor
- Process Personal Data only on documented instructions from the Controller.
- Ensure that persons authorised to process Personal Data are bound by confidentiality obligations.
- Implement appropriate technical and organisational security measures in accordance with GDPR Article 32.
- Assist the Controller in responding to data subject access requests.
- Notify the Controller without undue delay (within 72 hours) upon becoming aware of a personal data breach.
- Delete or return all Personal Data at the end of the service agreement, at the Controller's choice.
5. Sub-processors
The Processor uses the following sub-processors. The Controller will be notified of any changes to this list at least 30 days in advance.
| Sub-processor | Purpose | Location |
|---|---|---|
| Neon | Database | EU (Frankfurt) |
| Vercel | Application hosting | EU |
| Resend | Transactional email | EU/US |
6. Data Transfers
Personal Data is stored and processed within the European Economic Area (EEA). No Personal Data is transferred to countries outside the EEA unless appropriate safeguards are in place (e.g., Standard Contractual Clauses as per GDPR Article 46(2)(c)).
7. Security Measures
- Encryption in transit (TLS 1.2+) and at rest (AES-256)
- Access controls and role-based permissions
- Regular security assessments
- Incident response procedures
- Employee security awareness training
8. Data Retention
Personal Data is retained for the duration of the service agreement. Upon termination, all Personal Data will be deleted within 30 days unless retention is required by applicable law (e.g., Nordic bookkeeping retention requirements of up to 7 years for financial records).
9. Audits
The Processor shall make available to the Controller all information necessary to demonstrate compliance with GDPR Article 28, and allow for and contribute to audits and inspections conducted by the Controller or an appointed auditor.
10. Contact
For questions about this DPA or to request a signed copy, contact us at:
hello@fristly.dev