Note: when providing our service, Framer may process personal data on your behalf. In order to outline specifics of how we will perform this processing and what our obligations are as well as the obligations of our users/ customers we’ve developed a Data Processing Addendum (DPA) that we enter into free of charge with anyone that uses our service and requests it.
The terms of this DPA are attached to Framer's Terms of Service and form part of your agreement with us when you sign up to use our Services.
However, should there be a requirement for you to sign a separate DPA with us, Framer offers a Data Processing Addendum that supplements the Terms of Service or any other Agreement. Please have an authorized individual execute this DPA. Once you sign the agreement, you will immediately receive a fully executed downloadable copy via email.
This Data Processing Addendum (“DPA”) is incorporated into, and is subject to the terms and conditions of, the Agreement between Framer B.V. (“Framer”) and the entity or person placing an order for or accessing the Services (“Customer”). All capitalized terms not defined in this DPA shall have the meanings set forth in the Agreement. For the avoidance of doubt, all references to the “Agreement” shall include this DPA (including the SCCs (where applicable), as defined herein).
This DPA governs Framer’s and Customers obligations as to the protection of Personal Data, Content, and other Customer Confidential Information pursuant to Data Protection Law.
“Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control,” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
“Agreement” means Framer’s Terms of Service, or other written or electronic agreement, which govern the provision of the Services to Customer, as such terms or agreement may be updated from time to time.
“CCPA” means the California Consumer Privacy Act, its associated regulations and their successors.
“Controller”, “Data Subject”, “Process” and “Processor” (whether or not capitalized) have the meanings provided in the GDPR and include analogous provisions under Data Protection Laws in other jurisdictions.
“Data Protection Law(s)” means all laws and regulations applicable to Framer’s processing of Personal Data under the Agreement, including CCPA and GDPR.
“GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
“Personal Data” means any information relating to an identified or identifiable natural person that is processed by Framer on Customer’s behalf pursuant to the Agreement.
“Security Incident” means the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Content, User Personal Data or other Customer Confidential Information processed by Framer on Customer’s behalf pursuant to the Agreement.
Processing of Personal Data
2.1 Roles of the Parties. Customer may be the controller of Personal Data or a processor. Framer will act as a processor or Sub-processor, as appropriate. Framer will comply with obligations under Data Protection Laws that govern Framer’s activities when processing Personal Data. Customer shall be solely responsible for compliance with Data Protection Laws regarding the collection of and transfer to Framer of Personal Data, and for advising Framer of any obligations imposed on Framer as a Sub-processor of or service provider to Customer.
2.2 Details of the Processing. The subject-matter of processing of Personal Data by Framer is the performance of the Framer Application pursuant to the Agreement. The duration of the processing, the nature and purpose of the processing, the types of Personal Data and categories of Data Subjects processed under this DPA are further specified in Annex A.
2.3 Processing in Accordance with Data Protection Law. Framer shall only process Personal Data on behalf of and in accordance with Customer’s documented instructions for the following purposes: (a) processing in accordance with the Agreement and applicable Order Form(s); (b) processing initiated by Users in their use of the Framer Application; and (c) processing to comply with other documented instructions provided by Customer. Framer will promptly inform Customer if it becomes aware that processing requested by Customer infringes Data Protection Law.
2.4 Processing in Accordance with California Law. In accordance with the CCPA, and with respect to Personal Data to which CCPA applies: (a) Framer will not “sell” (as defined in the CCPA) any Personal Data; and (b) Framer will not collect, share or use any Personal Data except as necessary to perform services for Customer.
2.5 Confidentiality of Processing. Framer will treat Personal Data as Customer’s Confidential Information and protect it in accordance with the confidentiality obligations in the Agreement. Framer shall ensure that its personnel engaged in the processing of Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities and have executed written confidentiality agreements no less protective of Customer’s rights in such data as this DPA.
2.6 Data Subject Requests; Data Impact Assessments. Framer shall, taking into account the nature of the processing, assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Customer’s obligation to respond to: (a) any request from a data subject to exercise any of its rights under Data Protection Laws; (b) any other correspondence, enquiry or complaint received from a data subject, regulator or other third party in connection with the processing of Personal Data, and (c) any data protection impact assessment that Customer may be required to perform under Data Protection Law. If any such request, correspondence, enquiry or complaint is made directly to Framer, Framer will promptly inform Customer providing full details of the same. Framer shall not respond to a data subject request without Customer’s prior written consent except to confirm that such request relates to Customer.
3.1 Authorized Sub-processors. Customer consents to Framer engaging Framer Affiliates and third party Sub-processors to process Personal Data for the purposes described in the Agreement and this DPA. The Sub-processors currently engaged by Framer are available here. Framer or a Framer Affiliate will enter a written agreement with each Sub-processor imposing data protection terms on the Sub-processor substantially equivalent to, and no less protective of data subjects’ rights in Personal Data than, this DPA. Framer shall notify Customer if it adds or removes Sub-processors within ten (10) business days of such changes if Customer opts in to receive such notifications here. Customer may object to Framer's appointment or replacement of a Sub-processor, provided such objection is based on reasonable grounds relating to data protection. If Customer does not object to a new Sub-processor within ten (10) business days, Customer will be deemed to have authorized Framer’s use of the new Sub-processor and to have waived its right to object. If Customer objects to a new Sub-processor Framer will use reasonable efforts to avoid using that Sub-processor to process Personal Data, either by adapting or recommending a change in Customer’s configuration of the Framer Application. If neither of the foregoing is commercially practicable, Framer will terminate the applicable subscription with respect to the portion of the Framer Application that can only be provided by Framer using that Sub-processor. Customer will not receive a refund of any unused prepaid fees on such termination and if fees remain unpaid for a subscription term, Customer will immediately pay the remaining balance due for the remainder of the subscription term.
3.2 Liability for Sub-processors. Where a Sub-processor fails to fulfil its data protection obligations, Framer shall remain fully liable to Customer for the performance of that Sub-processor's obligations.
4.1 Security Measures. Framer will use procedural, technical and administrative safeguards designed to ensure the confidentiality, security, integrity, availability and privacy of Content, Personal Data and other Customer Confidential Information stored in the Framer Application. Framer may update or modify such measures from time to time provided that such updates and modifications do not result in a material decrease of the overall security of the Framer Application during Customer’s subscription term. Framer is not responsible for any breach or loss caused by Customer, Customer’s users or by Customer’s configuration of and deployment specifications for the Framer Application.
4.2 Audit Rights. Framer will make available to Customer such information as Customer may reasonably request to demonstrate Framer’s compliance with the obligations under Data Protection Laws. Framer will further allow for and contribute to audits conducted by Customer or an auditor mandated by Customer so long as it is not a competitor of Framer. All such information and audit requests and procedures: (a) must be reasonable based on the nature of the Framer Application and the categories of Personal Data processed, (b) must be subject to an appropriate confidentiality agreement; and (c) may be made no more than once per year unless otherwise required by instruction of a competent data protection authority. Before the commencement of any such audit, Customer and Framer shall mutually agree upon the scope, timing, and duration of the audit and the reimbursement rate for any travel or other expenses Framer incurs in the course of such audit. All reimbursement rates shall be reasonable, taking into account the resources expended by Framer. Customer shall promptly notify Framer with information regarding any non-compliance discovered during the course of an audit.
4.3 Breach Notice. Framer will inform Customer via email without undue delay on its discovery of a Security Incident. Framer will take all actions reasonably necessary to remedy or mitigate the effects of the Security Incident. Framer will further keep Customer informed of all material developments regarding the incident and provide such information and cooperation as Customer may reasonable require in order to fulfil its data breach reporting obligations under Data Protection Law.
Return and Deletion of Personal Data
Upon termination or expiration of the Agreement, Framer shall (at Customer’s election) delete or return to Customer all Personal Data (including copies) in its possession or control, except that this requirement shall not apply to the extent Framer is required by applicable law to retain some or all of the Personal Data, or to Personal Data it has archived on back-up systems, which Personal Data Framer shall securely isolate, protect from any further processing and eventually delete in accordance with Framer’s deletion policies, except to the extent required by applicable law. The parties agree that the certification of deletion of Personal Data described in Clause 8.5 and 16(d) of the 2021 Controller-to-Processor Clauses and 2021 Processor-to-Processor Clauses (as applicable) shall be provided by Framer to Customer only upon Customer’s written request.
6.1 Cross-Border Data Transfer Mechanisms. The transfer mechanisms listed in Annex B shall apply, in the order of precedence below, to any transfers of Personal Data from member states of the European Union, the European Economic Area and the United Kingdom to countries that have not been designated by the European Commission as providing an adequate level of protection for Personal Data.
6.2 To the extent Framer processes Personal Data originating from member states of the European Union, the European Economic Area or the United Kingdom in a country that has not been designated by the European Commission as providing an adequate level of protection for Personal Data, the Personal Data shall be deemed to have adequate protection by virtue of the unchanged European Commission-approved version of the Standard Contractual Clauses for the Transfer of Personal Data to Processors Established in Third Countries under GDPR, as approved by European Commission Implementing Decision 2021/914 (the “SCCs”) as set out in http://ec.europa.eu/justice/data-protection/international-transfers/transfer/index_en.htm as of the DPA Effective Date, which are incorporated by reference into this DPA. Appendix 1 to this DPA contains certain interpretive and supplementary provisions regarding application of the SCCs. The information required by Annexes 1 and 2 of the SCCs is provided in Annexes A and B of this DPA.
7.1 Limits of Liability. Each party’s liability to the other under this DPA, whether in contract, tort or under any other theory of liability, is subject to the limitations of liability in the Agreement.
7.2 Construction; Interpretation. This DPA is not a standalone agreement and is only effective while the Agreement is in effect between Framer and Customer. This DPA and the Agreement are the complete and exclusive statement of the mutual understanding of the parties and supersede and cancel all previous written and oral agreements and communications relating to the subject matter hereof. Headings contained in this DPA are for convenience of reference only and do not form part of this DPA.
7.3 Severability. If any provision of this DPA is adjudicated invalid or unenforceable, this DPA will be amended to the minimum extent necessary to achieve, to the maximum extent possible, the same legal and commercial effect originally intended by the parties. To the extent permitted by applicable law, the parties waive any provision of law that would render any clause of this DPA prohibited or unenforceable in any respect.
7.4 Amendment; Enforcement of Rights. No modification of or amendment to this DPA, nor any waiver of any rights under this DPA, will be effective unless in writing signed by the parties hereto. The failure by either party to enforce any rights under this DPA will not be construed as a waiver of any rights of such party.
7.5 Assignment. This DPA may be assigned only in connection with a valid assignment pursuant to the Agreement. If the Agreement is assigned by a party in accordance with its terms, this DPA will be automatically assigned by the same party to the same assignee.
7.6 Governing Law. This DPA will be governed by and construed in accordance with the laws of the jurisdiction governing the Agreement unless otherwise required by the GDPR, in which case this DPA will be governed by the laws of the Netherlands.
7.7 Counterparts. This DPA may be executed and delivered by facsimile or electronic signature and in two or more counterparts, each of which will be deemed an original, but all of which together will constitute one and the same instrument.
APPENDIX 1: APPLICABLE STANDARD CONTRACTUAL CLAUSES AND SUPPLEMENTAL TERMS
1. Incorporation of SCCs
The parties agree that the SCCs are hereby incorporated by reference into this DPA as follows:
1.1 Module 1: Transfer controller to controller, Clauses 1 to 6, 8 and 10 to 18 apply where Framer Processes Personal Data as a Controller pursuant to the terms of the Agreement, Framer and its relevant Affiliates are located in non-adequacy approved third countries, and Customer and its relevant Affiliates are established in the EEA.
1.2 Module 2: Transfer controller to processor, Clauses 1 to 6 and 8 to 18 apply where Framer Processes Personal Data as a Processor pursuant to the terms of the Agreement, Framer and its relevant Sub-Processor Affiliates are located in non-adequacy approved third countries, and Customer and its relevant Affiliates are established in the EEA.
1.3 Module 3: Transfer processor to processor, Clauses 1 to 6 and 8 to 18 apply where Framer Processes Personal Data as a Processor pursuant to the terms of the Agreement, Framer and its relevant Sub-Processor Affiliates are located in non-adequacy approved third countries, and Customer and its relevant Affiliates are established in the EEA.
1.4 Module 4: Transfer processor to controller, Clauses 1 to 6, 8, 10 to 12, and 14 to 18 apply where Framer Processes Personal Data as a Processor pursuant to the terms of the Agreement, and Framer and its relevant Sub-Processor Affiliates are located in the EEA, and Customer and its relevant Affiliates are located in non-adequacy approved third countries.
2. Standard Contractual Clause Optional Provisions
In addition to Section 1.1, where the SCCs identify optional provisions (or provisions with multiple options) the following shall apply in the following manner:
2.1 Clause 7 (Docking Clause) is omitted;
2.2 In Clause 9(a) (Use of sub-processors) (Module 2) – Option 2 shall apply and the parties shall follow the process and timings agreed in the DPA to appoint sub-processors;
2.3 In Clause 11(a) (Redress) (Module 1, 2 or 4) – the Optional provision shall NOT apply;
2.4 In Clause 16(b) (Suspension of transfers) if Framer is the data exporter it will suspend transfers of personal data only as required by law and will notify Customer as promptly as possible (before suspension if possible) so that Customer may remedy the condition requiring suspension;
3. EU Optional Provisions
3.1 In Clause 17 (Governing Law) (Module 1, 2 or 4) – the laws of the Netherlands shall govern; and
3.2 In Clause 18 (Choice of forum and jurisdiction) (Module 1, 2 or 4) – the courts of the Netherlands shall have jurisdiction.
4. UK-Specific Provisions
4.1 Clause 6 Description of the transfer(s) is replaced with:
“The details of the transfers(s) and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred) are those specified in Annex I.B where UK Data Protection Laws apply to the data exporter's processing when making that transfer.”
4.2 References to “Regulation (EU) 2016/679” or “that Regulation” are replaced by “UK Data Protection Laws” and references to specific Article(s) of “Regulation (EU) 2016/679” are replaced with the equivalent Article or Section of UK Data Protection Laws.
4.3 References to Regulation (EU) 2018/1725 are removed.
4.4 References to the “Union”, “EU” and “EU Member State” are all replaced with “United Kingdom”.
4.5 In Clause 17 (Governing Law) (Module 1, 2 or 4) – the laws of England and Wales shall govern; and
4.6 In Clause 18 (Choice of forum and jurisdiction) (Module 1, 2 or 4) – the courts in London England shall have jurisdiction.
5. Supplementary Terms to SCCs
5.1 Documentation and compliance. For the purposes of Clause 8.9(b) – Module One, Clause 8.9(e) – Module Two and Clause 8.3 – Module Four the review and audit provisions in the Agreement and DPA shall apply.
5.2 Notification and Transparency. The Parties acknowledge and agree that Framer, where required by the SCCs to notify the competent supervisory authority, shall first provide Customer with the details of the notification, permitting Customer to have prior written input into the relevant notification where Customer so desires to do, and without delaying the timing of the notification unduly.
5.3 For purposes of Clause 8.2 – Module 1, Clause 8.3 – Module 2 and Clause 15.1(a), the parties agree and acknowledge that it may not be possible for Framer to make the appropriate communications to data subjects and accordingly, Customer shall (following notification by the Data Importer) have the option to be the party who makes any communication to the data subject, and Framer shall provide the level of assistance set out in the DPA.
5.4 Liability. For the purposes of Clause 12(a), the liability of the parties shall be limited in accordance with the limitation of liability provisions in the Agreement.
5.5 Signatories. Notwithstanding the fact that the SCCs are incorporated herein by reference without being signed directly, Framer and Customer each agrees that their execution of the Agreement is deemed to constitute its execution of the SCCs, and that it is duly authorized to do so on behalf of, and to contractually bind, the Data Exporter or Data Importer (as applicable) accordingly.
ANNEX A – DETAILS OF THE PROCESSING
Subject Matter of Processing
Framer will process Personal Data as necessary to provide the Framer Application to Customer pursuant to the Agreement.
Duration of Processing
Framer will process Personal Data for the duration of the Agreement until termination of the Agreement, unless otherwise agreed in writing.
Categories of Data Subjects
Framer collects Personal Data from Customer’s Users in order to provide the Framer Application.
Nature and Purpose of Processing
The purpose of processing of Customer Personal Data by Framer is the provision of the Services pursuant to the Agreement.
Types of Personal Data
Personal Data collected from Customer’s users may include without limitation: Identification Data such as name and email address, and Electronic identification data such as IP address and other online identifiers. Other types of Personal Data includes physical address (for payment purposes), telephone/mobile number, location data, and device ID. Framer does not monitor content users introduce into the Framer Application. If users add Personal Data to the Framer Application (in a Framer project within the Services), Framer will automatically process that Personal Data.
Sensitive Personal Data Transferred
Customer will not be required to submit sensitive Personal Data to the Services.
Frequency of Transfer of Data
Period for which the Personal Data will be retained
The period for which the Personal Data will be retained is more fully described in the Agreement, DPA, and accompanying applicable Order Forms.
Obligations and rights of the Customer
The obligations and rights of Customer as a controller are set out in the Agreement and this DPA.
ANNEX B – SECURITY CONTROLS
Description of Framer’s Technical and Organizational Security Measures
Framer establishes data security in accordance with applicable laws. The Technical and Organizational Security Measures implemented are set forth below. The measures taken are designed to guarantee a protection level appropriate to the risk concerning confidentiality, integrity, availability, and resilience of the systems. The state of the art, implementation costs, the nature, scope and purposes of processing, as well as the probability of occurrence and the severity of the risk to the rights and freedoms of natural persons, must also be taken into account. Framer has set out a number of Technical and Organizational Security Measures and may implement alternative adequate measures from time to time, provided such measures will not materially reduce Framer’s security level. Framer can provide Customer, upon reasonable request, adequate evidence of compliance with its Data Processing obligations under this Agreement.
Measures of pseudonymization and encryption of personal data
Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services
Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
Processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing
Measures for user identification and authorization
Measures for the protection of data during transmission
Measures for the protection of data during storage
Measures for ensuring physical security of locations at which personal data are processed
Measures for ensuring events logging
Measures for ensuring system configuration, including default configuration
Measures for internal IT and IT security governance and management
Measures for certification/assurance of processes and products
Measures for ensuring data minimization
Measures for ensuring data quality
Measures for ensuring limited data retention
Measures for ensuring accountability
Measures for allowing data portability and ensuring erasure
Click the button below if you want to clear your existing cookie settings.