Background
This Data Processing Addendum ("DPA") is incorporated into and forms part of the FrontFoot Terms of Service ("Agreement") between you (or, if you are acting on behalf of an organisation, that organisation ("Customer")) and FrontFoot Software Limited, a company incorporated in England and Wales (company number 17214755), whose registered office is at 71-75 Shelton Street, Covent Garden, London, United Kingdom, WC2H 9JQ ("FrontFoot"), governing Customer's use of the FrontFoot service (the "Service"). It takes effect automatically on acceptance of the Terms of Service — no separate signature is required. This DPA reflects FrontFoot's obligations as a processor under the UK General Data Protection Regulation as it forms part of UK domestic law by virtue of section 3 of the European Union (Withdrawal) Act 2018 ("UK GDPR") and Regulation (EU) 2016/679 ("EU GDPR"), where applicable.
Where there is conflict between this DPA and the Agreement on data protection matters, this DPA prevails.
If Customer requires a countersigned copy of this DPA for its own records, FrontFoot will provide one on request to [email protected].
1. Definitions
Terms not defined here have the meanings given in UK GDPR. In addition:
- "Personal Data" means personal data processed by FrontFoot on behalf of Customer under the Agreement.
- "Sub-processor" means any third party engaged by FrontFoot to process Personal Data.
- "Data Protection Law" means the UK GDPR, the Data Protection Act 2018, the EU GDPR (where applicable), and any other applicable laws relating to the processing of Personal Data.
- "Standard Contractual Clauses" or "SCCs" means the EU Commission's Standard Contractual Clauses for the transfer of personal data to third countries, as approved under Decision (EU) 2021/914.
- "UK IDTA" means the UK International Data Transfer Agreement issued by the UK Information Commissioner under section 119A of the Data Protection Act 2018, or the UK Addendum to the EU SCCs.
2. Roles and applicability
2.1 In respect of Personal Data processed under the Agreement, Customer is the controller and FrontFoot is the processor.
2.2 The subject matter, duration, nature, purpose, types of Personal Data, and categories of data subjects are described in Annex 1.
2.3 This DPA applies to all processing of Personal Data by FrontFoot on behalf of Customer for the duration of the Agreement.
3. Customer's instructions
3.1 FrontFoot will process Personal Data only on Customer's documented instructions, including with regard to international transfers, except where otherwise required by law (in which case FrontFoot will inform Customer of that legal requirement before processing, unless the law prohibits such notification on important grounds of public interest).
3.2 Customer's use of the Service in accordance with the Agreement constitutes Customer's documented instructions to FrontFoot to process Personal Data for the purposes of providing the Service.
3.3 FrontFoot will inform Customer if, in its opinion, an instruction infringes Data Protection Law.
4. Confidentiality
4.1 FrontFoot will ensure that persons authorised to process Personal Data are bound by appropriate obligations of confidentiality, whether by contract or by statutory duty.
5. Security
5.1 Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, FrontFoot will implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including the measures described in Annex 3.
5.2 FrontFoot will review and update these measures from time to time. Material changes that reduce the level of security will be notified to Customer.
6. Sub-processors
6.1 Customer grants general authorisation to FrontFoot to engage the sub-processors listed in Annex 2, and any future sub-processors appointed in accordance with this clause.
6.2 FrontFoot will impose data protection obligations on each Sub-processor by written contract (or other binding legal act) that are no less protective than those set out in this DPA.
6.3 FrontFoot will give Customer at least 30 days' notice of any intended addition to or replacement of Sub-processors initiated by FrontFoot, by updating Annex 2 on the FrontFoot website and notifying the tenant administrator email address on file. Where a Sub-processor change is initiated by an existing Sub-processor on shorter notice, FrontFoot will notify Customer as soon as reasonably practicable.
6.4 Customer may object to a new Sub-processor on reasonable data protection grounds within 30 days of notification. If FrontFoot cannot accommodate the objection, Customer may terminate the Agreement on written notice without further liability beyond fees accrued to the date of termination.
6.5 FrontFoot remains liable to Customer for the performance of each Sub-processor's data protection obligations.
7. Data subject rights
7.1 FrontFoot will assist Customer, by appropriate technical and organisational measures and taking into account the nature of processing, in fulfilling Customer's obligations to respond to requests by data subjects exercising their rights under Data Protection Law.
7.2 If a data subject contacts FrontFoot directly with a request relating to Personal Data, FrontFoot will redirect the data subject to Customer (acting as controller) without undue delay.
8. Personal data breaches
8.1 FrontFoot will notify Customer without undue delay, and where reasonably practicable within 72 hours, of becoming aware of a personal data breach affecting Customer's Personal Data.
8.2 The notification will include, at a minimum:
- the nature of the breach and, where possible, the categories and approximate number of data subjects and Personal Data records affected;
- the name and contact details of the FrontFoot point of contact for further information;
- the likely consequences of the breach; and
- the measures taken or proposed to address the breach and to mitigate its possible adverse effects.
8.3 Where it is not possible to provide all the information at the same time, the information may be provided in stages without undue further delay.
9. Data Protection Impact Assessment
9.1 FrontFoot will provide reasonable assistance to Customer with any data protection impact assessment or prior consultation with supervisory authorities required under Data Protection Law in respect of the processing under the Agreement.
10. International transfers
10.1 FrontFoot is located in the United Kingdom. Several Sub-processors are located outside the UK and EEA. Customer authorises FrontFoot to transfer Personal Data to such Sub-processors as necessary to provide the Service.
10.2 Where Personal Data is transferred to a country without a UK or EU adequacy decision in force, FrontFoot will rely on one or more of the following lawful transfer mechanisms:
- the UK IDTA, or the EU SCCs with the UK Addendum;
- the EU SCCs (controller-to-processor or processor-to-processor modules, as applicable);
- the EU-US Data Privacy Framework (or its UK extension), where the Sub-processor is self-certified under the Framework; or
- another mechanism recognised under Data Protection Law.
10.3 The applicable transfer mechanism for each Sub-processor is recorded in Annex 2. Copies of executed transfer agreements are available to Customer on reasonable request.
10.4 To the extent the EU SCCs apply, the parties agree that: (a) the controller-to-processor module (Module 2) applies between Customer and FrontFoot where Customer is established in the EEA and FrontFoot is processing Personal Data outside the EEA; (b) the optional clauses requiring docking, third-party beneficiary rights, and supervisory authority consent apply as set out in the SCCs; (c) the governing law and forum are England and Wales unless an EEA jurisdiction is required by law; (d) Annex I of the SCCs is satisfied by Annex 1 of this DPA; (e) Annex II of the SCCs is satisfied by Annex 3 of this DPA; (f) Annex III of the SCCs (sub-processor list) is satisfied by Annex 2 of this DPA.
11. Audit
11.1 FrontFoot will, on Customer's reasonable written request and not more than once per calendar year (except in the event of a confirmed personal data breach affecting Customer's Personal Data, or where required by a supervisory authority), make available the information necessary to demonstrate compliance with this DPA.
11.2 The information may take the form of:
- responses to a written security questionnaire;
- third-party audit reports or certifications, including the CASA Tier 2 Letter of Verification issued in respect of the Service's Google Workspace integrations; and
- where Customer has reasonable grounds following review of the foregoing, a remote inspection conducted at Customer's expense, during normal business hours, on at least 30 days' written notice, and subject to confidentiality obligations.
11.3 The auditor must not be a competitor of FrontFoot. Customer will share the audit report with FrontFoot and discuss any findings before sharing with any third party.
12. Return or deletion
12.1 On termination or expiry of the Agreement, FrontFoot will, at Customer's choice, return or delete all Personal Data held in FrontFoot's own systems within 30 days of Customer's written request to [email protected], and will request deletion from all sub-processors within the same period. Deletion by sub-processors is subject to those sub-processors' own contractual deletion timelines. FrontFoot will retain Personal Data only to the extent required by: (a) applicable law; (b) resolution of a dispute between the parties arising under the Agreement; (c) prevention or investigation of abuse or harmful use of the Service; or (d) technical impracticability where deletion follows a standard backup rotation schedule, in which case FrontFoot will ensure deletion occurs as soon as practicable thereafter.
12.2 Tenant administrators may also hard-purge organisation data at any time during the Agreement using the controls provided in the Service.
13. Liability
13.1 The liability provisions of the Agreement apply to this DPA. Liability arising out of or in connection with this DPA forms part of, and counts against, the overall liability cap in the Agreement.
13.2 Nothing in this DPA limits any liability that cannot be limited under applicable law.
14. Term and termination
14.1 This DPA takes effect on the effective date of the Agreement and continues for as long as FrontFoot processes Personal Data on Customer's behalf.
14.2 The obligations under clauses 4 (Confidentiality), 8 (Personal data breaches), 11 (Audit), 12 (Return or deletion), and 13 (Liability) survive termination of the Agreement to the extent and for the period required to give effect to those obligations.
15. Governing law and jurisdiction
15.1 This DPA is governed by the laws of England and Wales.
15.2 Any dispute arising out of or in connection with this DPA is subject to the exclusive jurisdiction of the courts of England and Wales, except where applicable law requires otherwise.
Annex 1 — Description of processing
Subject matter
FrontFoot's provision of an AI-assisted customer email drafting service to Customer.
Duration
For the duration of the Agreement and any period of post-termination data retention referred to in clause 12.
Nature and purpose of processing
- Reading customer email content (sender, subject, body) from the open email or ticket when a Customer Success Manager uses the FrontFoot Gmail add-on, Chrome extension, Outlook add-in, or Zendesk add-on, or from a connected shared mailbox when Customer has enabled email-automation.
- Sending customer email content to the configured AI provider to generate an AI-drafted reply.
- Storing customer email content and AI-generated drafts as part of the conversation thread in Customer's FrontFoot account.
- Creating an AI-generated draft via the Gmail API and opening it in a Gmail compose window for the CSM to review and send manually (Gmail add-on and Chrome extension), displaying an AI-generated draft in the FrontFoot Outlook add-in sidebar for the CSM to review and send manually (Outlook add-in), displaying an AI-generated draft in the FrontFoot Zendesk add-on sidebar for the CSM to review and send manually (Zendesk add-on), or sending the AI-generated reply directly from the connected mailbox (email-automation).
- Optionally performing CRM contact lookups (HubSpot, Salesforce, or Microsoft Dynamics 365) to enrich AI context; these lookups are read-only.
- Where Customer has enabled CRM write-back, writing a completed activity (Task) record back to the matched contact in Customer's CRM after a thread reaches a terminal outcome. The record contains the thread outcome, any concession type and detail, the CSM's name, the thread subject, and an AI-drafted decision note. The write is initiated by a CSM after a review-and-confirm step.
- Authenticating Customer's users (CSMs, tenant administrators) via Clerk.
Types of Personal Data
- Email addresses, names, email subject lines, and email body content of persons who email Customer's mailbox or who are recipients of replies sent via the Service.
- AI-generated draft replies that may incorporate the foregoing.
- CRM contact and company fields where Customer has enabled CRM lookup.
- Where Customer has enabled CRM write-back, decision-note content written to Customer's CRM — the thread outcome, any concession detail, the CSM's name, the thread subject, and an AI-drafted summary of the customer's ask, the recommended response, and the rationale.
- User account names and email addresses of Customer's CSMs and tenant administrators.
Categories of data subjects
- Customer's customers — the persons emailing Customer's mailbox or being replied to via the Service.
- Customer's users — Customer's CSMs and tenant administrators who use the Service.
Sensitive categories of personal data
The Service is not designed to process special category data within the meaning of Article 9 UK GDPR. Customer should not submit special category data to the Service.
Annex 2 — Sub-processors
The current Sub-processors used by FrontFoot to provide the Service are:
| Sub-processor | Purpose | Location of processing | Transfer mechanism |
|---|---|---|---|
| Anthropic, PBC (Claude API) | AI draft generation (default model) | United States | EU SCCs / UK IDTA; EU-US Data Privacy Framework where in force |
| Google LLC (Gmail API) | Email read/send for tenants connected to Google Workspace; Gmail add-on and Chrome extension | Global (Customer-determined Workspace region) | EU SCCs / UK IDTA; EU-US Data Privacy Framework where in force |
| Microsoft Corporation (Microsoft Graph) | Email read/send for tenants connected to Microsoft 365 via email-automation (shared mailbox). The Outlook add-in uses Office.js client-side and does not involve Microsoft as a sub-processor. | Global (Customer-determined tenant region) | EU SCCs / UK IDTA; EU-US Data Privacy Framework where in force |
| Clerk, Inc. | Authentication and user management | United States | EU SCCs / UK IDTA; EU-US Data Privacy Framework where in force |
| Render Services, Inc. | Cloud infrastructure (web hosting, managed PostgreSQL) | European Union (Frankfurt, Germany) | UK adequacy decision applies; no additional transfer mechanism required |
| PostHog Inc. | Product analytics and session recording | European Union (EU-hosted instance confirmed) | No transfer — EU-hosted instance; no personal data transferred outside the EEA |
| Sentry (Functional Software, Inc.) | Server-side error monitoring — stack traces, request paths, and internal identifiers (tenant ID, request ID). No customer email content or message bodies. | European Union (Germany) | No transfer — data stored within the EEA |
| HubSpot, Inc. | CRM contact lookup (read); CRM write-back — writing completed Task records to the Customer's CRM when the crmWriteback feature is enabled (write). Both features are optional and tenant-controlled. | United States or EU (depending on Customer's HubSpot region) | EU SCCs / UK IDTA; EU-US Data Privacy Framework where in force |
| Salesforce, Inc. | CRM contact lookup (read); CRM write-back — writing completed Task records to the Customer's CRM when the crmWriteback feature is enabled (write). Both features are optional and tenant-controlled. | Global (depending on Customer's Salesforce instance region) | EU SCCs / UK IDTA; EU-US Data Privacy Framework where in force |
| Microsoft Corporation (Dynamics 365 / Dataverse) | CRM contact lookup (read); CRM write-back — writing completed Task records to the Customer's CRM when the crmWriteback feature is enabled (write). Both features are optional and tenant-controlled. | Global (depending on Customer's Dynamics 365 environment region) | EU SCCs / UK IDTA; EU-US Data Privacy Framework where in force |
| Cloudflare, Inc. | Network edge — TLS termination, DDoS mitigation, WAF, CDN. All inbound HTTPS traffic (including API request bodies containing customer email content) passes through Cloudflare in Full Strict TLS mode. | United States (global edge network) | EU SCCs / UK IDTA; Cloudflare DPA |
Annex 3 — Technical and organisational measures
FrontFoot maintains the following technical and organisational measures to protect Personal Data. Specific implementation may evolve; FrontFoot will not reduce the overall level of security without notifying Customer.
Encryption
- All traffic to and from the Service is encrypted in transit using TLS 1.2 or higher.
- Data at rest is protected by managed disk encryption provided by the hosting provider (Render).
- Sensitive credentials — including third-party API keys and OAuth refresh tokens for AI, email, and CRM providers — are encrypted at the application layer using AES-256-GCM with per-tenant HKDF-derived keys before being written to the database. Plaintext credentials are never returned by any API endpoint and are never written to logs. FrontFoot, as the service operator, holds the application-layer encryption key; credentials are protected against external breach and are isolated per organisation, but FrontFoot retains the technical ability to decrypt them as part of platform operations, governed by the obligations in this Agreement.
Access control and tenant isolation
- Authentication of Customer's users is delegated to Clerk; the Service verifies the Clerk JWT on every request and holds no server-side session state.
- FrontFoot's super-administrator surface is protected by email + password with mandatory second-factor authentication (WebAuthn passkey). Super-administrator session tokens are short-lived (15 minutes) and held only in browser memory.
- Tenant data isolation is enforced at two layers simultaneously. At the database layer, PostgreSQL row-level security policies on all tenant-scoped tables prevent cross-tenant access; the application's runtime database role holds no direct table grants and must switch to a tenant-scoped role per transaction, so a missing application-layer check produces a database-level permission error rather than a silent bypass. At the application layer, every tenant-scoped query is additionally parameterised with the authenticated organisation's identifier and includes an explicit tenant filter. The integration test suite, which runs on every change in continuous integration, explicitly verifies that one organisation cannot read or modify another organisation's threads, messages, or configuration via any endpoint.
- Cross-tenant database operations are restricted to a small enumerated set of platform-level paths, enforced by the database role model rather than by application convention alone.
Staff access controls
- By default, no FrontFoot staff member is authorised to access Customer's email content, AI drafts, or thread data through the FrontFoot application. As operator of the platform, FrontFoot retains infrastructure-level database access necessary to operate and maintain the Service; such access is governed by the confidentiality and sub-processor obligations in this Agreement and is restricted to what is operationally necessary.
- Where a tenant administrator explicitly opts in, they can grant a named FrontFoot staff member time-bounded, scope-limited access to read content for a specified purpose. Each grant is created and managed by the tenant administrator only (FrontFoot staff are not permitted to create or modify grants for their own accounts), expires at a date set by the administrator, is revocable at any time with immediate effect, and is audit-logged with timestamp, scope, and accessor.
- Staff members are bound by appropriate confidentiality obligations.
Network and transport security
- The Service is hosted on Render with HTTPS enforced at the edge.
- The application database is on Render's private network and is not internet-accessible.
- External HTTP calls from the Service use a mandatory timeout wrapper to prevent resource exhaustion.
Input validation and security controls
- All API route handlers validate required fields and types at the boundary.
- Customer-supplied email content is wrapped in a per-request nonce-tagged XML element before being sent to the AI model, to mitigate prompt injection.
- SQL queries use parameterised queries exclusively. No use of eval, dynamic code execution, or string concatenation into SQL.
- Inbound email webhooks are verified before any database access: Google Pub/Sub push notifications are verified via Google-signed OIDC JWT (service account identity and audience check); Microsoft Graph change notifications are verified via a pre-shared clientState secret.
Logging and monitoring
- Structured logs are produced with request correlation identifiers.
- Logs do not include email body content, customer names, decrypted credentials, or stack traces.
- Product usage analytics (PostHog) capture identifiers, counts, and durations only — not customer email content or names. Session recordings of the FrontFoot user interface suppress customer-supplied content via per-element opt-out.
Backup and resilience
- Database backups are managed by the hosting provider (Render) under their managed PostgreSQL service, with point-in-time recovery available.
- Application code is deployed via continuous integration with automated test gates.
Incident response
- A documented breach notification process is in place to give effect to the 72-hour notification obligation in clause 8.
- Where a breach involves third-party services, FrontFoot will coordinate with the relevant Sub-processor to gather facts and remediation steps.
Data minimisation and retention
- FrontFoot processes Personal Data only as necessary to provide the Service.
- Tenant administrators can hard-purge organisation data at any time. On account closure, FrontFoot hard-purges within 30 days of receiving a written request, except where retention is required by law.
- Tenant administrators may request hard-purge of organisation data at any time by contacting [email protected]. FrontFoot will action the request within 30 days.