1. Definitions
Capitalized terms not defined here have the meaning given in the Terms of Service or in applicable data-protection law (including the EU GDPR, the UK GDPR, and similar laws). "Personal Data" means information relating to an identified or identifiable natural person processed by Frank on Customer's behalf.
2. Roles
- Customer is the controller of Personal Data submitted to or generated by the Service in connection with Customer's meetings.
- Frank is the processor and processes Personal Data only on Customer's documented instructions, which include the Terms of Service, this DPA, and Customer's use of the Service's features.
3. Subject matter and duration
- Subject matter: processing required to provide the Service.
- Duration: the term of the Customer's subscription, plus any retention period set out in the Privacy Policy.
- Nature and purpose: joining meetings at Customer's request, transcribing audio, generating flags, delivering Output to Customer.
- Categories of data subjects: Customer's users; meeting participants invited by Customer.
- Categories of Personal Data: identifiers (name, email, display name), audio captured during meetings, transcripts and flags derived from that audio, usage and device data.
4. Frank's obligations
- Process Personal Data only on Customer's documented instructions, including for international transfers, unless required by law (in which case Frank will inform Customer unless prohibited).
- Ensure personnel authorized to process Personal Data are bound by appropriate confidentiality obligations.
- Implement and maintain appropriate technical and organizational measures designed to protect Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, or damage. A summary is available on request.
- Assist Customer, taking into account the nature of processing, in responding to data-subject requests and in meeting Customer's obligations under applicable law (including Articles 32–36 GDPR).
- Notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer's data, and provide information reasonably necessary to allow Customer to meet its notification obligations.
- At Customer's choice, delete or return Personal Data after the end of the provision of the Service, subject to legal retention requirements.
5. Subprocessors
Customer authorizes Frank to engage subprocessors to provide the Service, including cloud-hosting providers, AI model providers, transcription providers, payment processors, customer-support tooling, and analytics providers. A current list is available on request from privacy@frankflags.com. Frank will:
- Impose data-protection obligations on subprocessors that are no less protective than those in this DPA.
- Remain liable for the acts and omissions of its subprocessors.
- Provide reasonable notice of new subprocessors and allow Customer to object on reasonable data-protection grounds.
6. International transfers
Where Frank transfers Personal Data outside the EEA, UK, or Switzerland, the parties will rely on a valid transfer mechanism, such as the EU Standard Contractual Clauses (Module Two: Controller to Processor) and the UK International Data Transfer Addendum, which are incorporated by reference and deemed completed with the parties, descriptions, and choices set out in this DPA.
7. Audits
Frank will make available, on Customer's reasonable written request and no more than once per year (unless required by a supervisory authority), information necessary to demonstrate compliance with this DPA, including third-party audit reports or certifications where available. On-site audits are not required where such information is sufficient and may be subject to reasonable confidentiality and security restrictions.
8. Liability
Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service.
9. Order of precedence
If there is a conflict between the Terms of Service and this DPA on a data-protection matter, this DPA controls. Otherwise the Terms of Service control.
10. Contact
For DPA execution requests or data-protection questions, email privacy@frankflags.com.