These Data Processing Terms form part of the agreement between Virtual Framer SAS and our customers. They govern how we process personal data on your behalf when you use the Service. These terms apply automatically when you subscribe to Virtual Framer and are incorporated into our Terms and Conditions.
01Introduction and scope
These Data Processing Terms apply to the processing of personal data that Virtual Framer SAS ("we", "us", "our") carries out on behalf of you ("you", "your", "Customer") when you use the Virtual Framer Service. They are designed to meet the requirements of applicable data protection law, including the General Data Protection Regulation (GDPR).
Where we process personal data contained in Your Content on your behalf, we act as a processor and you act as the controller (or, where applicable, another processor on behalf of a controller). These terms set out our respective obligations.
02Definitions
Terms used in these Data Processing Terms have the meanings given in our Terms and Conditions, except where defined differently below.
03Data processing
Scope and purpose. We process Customer personal data only for the purpose of providing, maintaining and supporting the Service, as described in our Terms and Conditions and as instructed by you through your use of the Service.
Duration. We process Customer personal data for the duration of your Subscription and for a limited period afterward as set out in clause 10 (Data deletion).
Nature of processing. The processing operations include hosting, storing, backing up, transmitting, displaying and otherwise making the Service work, including any processing that is inherent in the operation of an online software platform.
Categories of data subjects. Data subjects may include your staff, your End Customers, and any other individuals whose personal data you choose to include in Your Content.
Types of personal data. Customer personal data may include names, email addresses, phone numbers, postal addresses, order and invoice data, images, and any other personal data that you choose to process using the Service.
04Our responsibilities
We will:
- Process Customer personal data only on your documented instructions, unless required to do otherwise by law (in which case we will inform you of that legal requirement before processing, unless the law prohibits it);
- Ensure that persons authorized to process Customer personal data are subject to a duty of confidentiality;
- Implement appropriate technical and organizational measures to protect Customer personal data, as described in clause 6;
- Not engage a Sub-processor without informing you and giving you the opportunity to object, as described in clause 7;
- Assist you by appropriate measures to fulfil your obligation to respond to data subject requests, as described in clause 8;
- Assist you in ensuring compliance with your obligations relating to security of processing, data breach notification, data protection impact assessments and prior consultation;
- Make available to you all information necessary to demonstrate compliance with these obligations and allow for audits, as described in clause 11;
- Delete or return Customer personal data at the end of the provision of the Service, as described in clause 10.
05Your responsibilities
You are responsible for:
- Having a lawful basis to process the personal data you upload to the Service, including any personal data of your End Customers;
- Providing any privacy notices and obtaining any consents required under data protection law;
- Determining how long you need to retain personal data and ensuring you export it before your account is canceled;
- Ensuring that your instructions to us comply with data protection law;
- Complying with your obligations as a controller under data protection law.
You confirm that you are, or are acting on behalf of, the controller of the Customer personal data, and that you have the authority to give the instructions set out in these terms.
06Data security
We maintain appropriate technical and organizational measures to protect Customer personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data. These measures include:
- Encryption of data in transit using TLS and at rest using industry standard encryption;
- Access controls that limit access to Customer personal data to authorized personnel who need it to provide the Service;
- Regular security testing and vulnerability assessments;
- Physical security measures at our data centers and facilities;
- Procedures for managing and responding to personal data breaches.
We will notify you without undue delay after becoming aware of a personal data breach affecting Customer personal data, and will provide timely information about the breach as it becomes known.
07Sub-processors
We use the following Sub-processors to provide the Service: Amazon Web Services, Infomaniak and Hetzner for hosting; Cloudflare for network delivery and security; Stripe for payment processing; and HubSpot for email, support and marketing.
We may engage new Sub-processors or replace existing ones. Before we do so, we will notify you by updating this page or by email, and you may object within 14 days. If you reasonably object and we cannot accommodate your objection, we may end your Subscription and refund any prepaid fees.
We enter into written agreements with each Sub-processor that impose data protection obligations at least as protective as these terms.
08Data subject rights
We will assist you by appropriate technical and organizational measures, insofar as this is possible, to fulfil your obligation to respond to requests from data subjects wishing to exercise their rights under data protection law, including the rights of access, rectification, erasure, restriction, portability and objection.
If we receive a direct request from a data subject relating to Customer personal data, we will promptly forward it to you and will not respond to the data subject without your prior authorization, except where required by law.
09Data transfers
Customer personal data is processed in the European Union, Switzerland and the United States. Where personal data is transferred outside the European Union, it is protected by appropriate safeguards.
Switzerland is recognized by the European Union as providing an adequate level of data protection. For transfers to the United States, we rely on safeguards such as standard contractual clauses or the EU to US Data Privacy Framework.
Where our Sub-processors process data outside the European Union, we ensure that appropriate transfer mechanisms are in place, including standard contractual clauses where required.
10Data deletion
We keep Customer personal data only while your Subscription is active. When your account is canceled, we delete Customer personal data promptly, usually at once and rarely longer than one month, except for backups that age out over a limited time.
Before canceling your account, you should export any Customer personal data you wish to retain. We will help you do so on request, in a common machine readable format. After deletion, Customer personal data cannot be recovered.
This clause does not apply to any personal data that we are required to retain by law, such as invoice records kept for accounting and tax purposes.
11Audit and compliance
We will make available to you all information reasonably necessary to demonstrate our compliance with these terms, including records of processing activities.
If you require an audit, we will cooperate with reasonable audit requests, including inspections by you or a qualified independent auditor appointed by you. Audits must be conducted with reasonable notice, during business hours, and in a manner that does not disrupt our operations or compromise the security of other customers. You will bear the costs of any audit, except where the audit reveals a material non-compliance by us, in which case we will bear those costs.
12Limitation of liability
Our liability arising out of or in connection with these Data Processing Terms is subject to the limitations set out in clause 21 (Limitation of liability) of our Terms and Conditions. Each party's liability for any breach of these Data Processing Terms is covered by the same limits.
Nothing in these terms limits or excludes liability that cannot be limited or excluded under applicable data protection law.
13Changes and contact
We may update these Data Processing Terms from time to time to reflect changes in our data processing practices, legal requirements, or the Service. If we make a material change, we will notify you by email or through the Service before it takes effect.
If you do not agree to a material change, you may cancel your Subscription before it takes effect. Continuing to use the Service after a change takes effect means you accept the updated terms.
For any questions about these Data Processing Terms or how we process personal data, contact us at info@virtualframer.com or by post at Virtual Framer SAS, 30 avenue Maréchal Foch, Bureau 3, 69006 Lyon, France.