CloudFran Developer Data Processing Agreement (DPA)
Effective date: 2026-04-23
Document version: 2.0
This Data Processing Agreement ("DPA") applies to every CloudFran Developer ("Processor", "you") accessing or processing any CloudFran tenant's personal data ("Tenant Data") through any CloudFran API, webhook, export, or SDK. This DPA is executed pursuant to and incorporated into the CloudFran Developer Terms of Service.
1. Roles and Definitions
- Controller — the CloudFran tenant whose data is processed.
- Processor — the Developer.
- Sub-processor — CloudFran (as the underlying platform) and any additional sub-processor engaged by Developer.
- Personal Data, Processing, Data Subject, Special Categories — as defined in GDPR Article 4 and, where applicable, the CCPA/CPRA, UK GDPR, LGPD, and PIPEDA.
- Security Incident — confirmed or reasonably suspected unauthorized access, disclosure, alteration, loss, or destruction of Personal Data.
2. Nature, Purpose, and Scope of Processing
Developer shall Process Tenant Data only (a) to perform the functionality disclosed in the Marketplace listing, (b) within the scopes granted at install by the Controller, (c) on the Controller's documented instructions (which include these Terms and the Marketplace listing), and (d) for no longer than necessary to provide the disclosed functionality. Any Processing for a new or changed purpose requires a new consent from the Controller. Developer shall not sell, rent, share, license, or otherwise monetize Tenant Data. Developer shall not use Tenant Data to train any machine-learning or generative model, or to derive new datasets for resale, without the Controller's explicit, granular, and revocable prior written consent that names the model, the dataset, and the retention window.
3. GDPR Article 28 — Processor Obligations
Developer, acting as Processor, shall:
- Process Personal Data only on documented Controller instructions;
- ensure persons authorized to Process Personal Data are under a duty of confidentiality;
- implement all measures required by Article 32 (see Section 5 below);
- assist the Controller with Data-Subject requests and security-compliance obligations;
- delete or return Personal Data on expiry of the Processing (see Section 9);
- make available all information needed to demonstrate compliance, and allow audits as described in Section 10;
- notify CloudFran immediately if any instruction infringes applicable data-protection law.
4. CCPA / CPRA — Service Provider Obligations
Developer is a Service Provider under the CCPA/CPRA with respect to Tenant Data and shall not: (a) sell or share Personal Information; (b) retain, use, or disclose it for any purpose other than the business purpose(s) disclosed at install; (c) combine it with data obtained from or on behalf of any other source. Developer certifies that it understands and will comply with these restrictions on a continuing basis.
5. Security Measures (Article 32)
Developer shall implement and maintain technical and organizational measures appropriate to the risk, including:
- encryption of Personal Data in transit (TLS 1.2 minimum, 1.3 preferred) and at rest (AES-256 or equivalent);
- a role-based least-privilege access model with quarterly access reviews and prompt de-provisioning;
- multi-factor authentication for all admin-level accounts;
- secrets management using a purpose-built vault (no hard-coded credentials, no plaintext .env files in production);
- comprehensive audit logging (admin action, data access, bulk export, privilege change) retained for at least twelve (12) months;
- prompt patching of operating system and dependency vulnerabilities (critical within 72 hours, high within 14 days);
- secure software development lifecycle with code review, SAST, dependency scanning, and pre-release security testing;
- network segmentation, WAF or equivalent protection for public endpoints, and DDoS protection;
- a documented incident-response plan including roles, escalation paths, and tabletop exercises at least annually;
- tenant isolation enforced at every layer (database, cache, queue, storage, logs).
6. HIPAA Business Associate Addendum (by reference)
If Developer's app processes Protected Health Information (PHI) for any Covered Entity tenant (for example, Meditropia MedSpa OS customers), Developer shall execute CloudFran's HIPAA Business Associate Addendum (BAA) before any PHI access is enabled. The BAA is incorporated by reference and supersedes any conflicting provision of this DPA to the extent of HIPAA-required terms. PHI scopes are gated on BAA execution and cannot be granted without it.
7. Sub-processors
Developer may engage sub-processors only after giving the Controller (through CloudFran) at least thirty (30) days' written notice of the identity, location, and purpose of the sub-processor. The Controller may object; unresolved objections are escalated to CloudFran and, if the objection is not resolved within thirty (30) days, the Controller may terminate the install without penalty. Developer remains fully liable for all sub-processor acts and omissions.
CloudFran Sub-processor List (placeholder). CloudFran maintains a current list of its own infrastructure sub-processors at cloudfran.com/legal/subprocessors. Typical categories include cloud-hosting, email delivery, telephony, payments, and analytics providers. Developer's current sub-processor list must be maintained and furnished on request.
8. Data Residency and International Transfers
Developer shall respect each tenant's data-residency region and shall not export Personal Data outside that region without an approved lawful transfer mechanism. For EEA, UK, and Swiss data, Developer shall execute the EU Standard Contractual Clauses (2021 Modules 2 and 3, as applicable) and the UK IDTA or UK Addendum, plus any supplementary measures required by the transfer-impact assessment. For Canadian and Brazilian data, Developer shall comply with PIPEDA and LGPD respectively. No transfer to embargoed jurisdictions is permitted.
9. Retention, Return, and Destruction
Within thirty (30) days after termination of the install or a Controller's request, Developer shall (at the Controller's option) return or permanently destroy all Tenant Data, including backups, caches, and archives, and certify such return or destruction in writing. Legal-hold exceptions apply only where a demonstrable legal obligation requires retention, and only for the minimum period required.
10. Audit Rights
Once per twelve (12)-month period (or more often after a confirmed Security Incident), the Controller — or CloudFran on the Controller's behalf — may audit Developer's compliance with this DPA on thirty (30) days' notice. Audits may include a review of policies, access logs, and relevant SOC 2 Type II, ISO 27001, or HITRUST reports. Developer shall cooperate reasonably and bear the cost of remediating any material finding.
11. Security-Incident Notification
Developer shall notify CloudFran in writing at legal@cloudfran.com (and the affected Controller, if directly contactable) of any Security Incident within 72 hours of discovery, providing at minimum the information required by GDPR Article 33(3): (a) nature of the incident and categories/approximate numbers of Data Subjects and records; (b) contact details of Developer's Data Protection Officer or incident lead; (c) likely consequences; (d) remediation measures taken or proposed. Developer shall cooperate in good faith with CloudFran's and the Controller's incident-response and regulatory notification obligations.
12. Data-Subject Requests
Developer shall forward any access, rectification, erasure, portability, restriction, objection, or automated-decision request received directly from a Data Subject to the relevant Controller within five (5) business days. Where the Controller authorizes Developer to respond directly, Developer shall do so within the applicable statutory timeline (typically thirty (30) days under GDPR, forty-five (45) under CCPA).
13. Data-Protection Impact Assessments
On reasonable request, Developer shall provide information to assist the Controller with its Data-Protection Impact Assessments, Transfer-Impact Assessments, and regulator consultations.
14. Liability
Developer's liability for breach of this DPA is uncapped with respect to indemnification obligations, gross negligence, willful misconduct, and breach of Sections 2 (scope), 5 (security), 8 (residency), and 11 (notification). All other liability under this DPA is subject to the limitation of liability in Section 15 of the Terms of Service, except where a higher cap is required by applicable law.
15. Conflict; Changes; Governing Law
Where this DPA conflicts with the Terms of Service, the DPA controls for data-protection matters. CloudFran may update this DPA to reflect legal developments on thirty (30) days' notice. Governing law and dispute resolution are as set forth in the Terms of Service and Arbitration Policy.
16. Contact
legal@cloudfran.com · CloudFran Data Protection Officer, CloudFran, Inc., Delaware, United States
---
Document control
- Effective date: 2026-04-23
- Update cadence: Reviewed quarterly; material changes notified 30 days in advance by email and in-dashboard banner.
- How to request changes: Send requested edits with rationale to legal@cloudfran.com. CloudFran will respond within ten (10) business days with accept, reject, or counter-proposal.
- Latest version: The canonical current version lives at /wwwroot/legal/ in this repository and is mirrored at https://cloudfran.com/legal/.