Data Processing Agreement

Effective date: 26 June 2026


This Data Processing Agreement ("DPA") supplements the Dropframe Terms of Service and applies when Dropframe processes personal data on behalf of a customer ("Controller") who uses Dropframe to deploy web applications that themselves collect or display personal data about end users.


1. Definitions

"Controller" means the Dropframe customer who determines the purposes and means of processing personal data within their deployed applications.

"Processor" means Dropframe, acting on the Controller's instructions to store and serve deployed content.

"Data Subject" means an identified or identifiable natural person whose personal data is processed.

"Personal Data" has the meaning given by the UK GDPR and EU GDPR — any information relating to an identified or identifiable natural person.

"Processing" has the meaning given by the applicable data protection legislation.


2. Scope and nature of processing

Dropframe acts as a Processor when it stores and serves HTML content deployed by the Controller that contains, displays, or collects personal data from end users.

Element Detail
Subject matter Storage and serving of HTML content
Duration Duration of the deployment (free tier: up to 14 days; paid tier: until deletion)
Nature Storage, retrieval, and transmission of static or dynamic HTML files
Purpose Enabling the Controller's deployed application to be served to end users
Data types Any personal data embedded in or collected by the Controller's deployed application
Data subjects End users of the Controller's deployed application

Dropframe does not determine the categories or volumes of personal data included in deployments. That is entirely within the Controller's control.


3. Controller obligations

The Controller warrants that:


4. Processor obligations

Dropframe, as Processor, will:


5. Sub-processors

Dropframe uses the following sub-processors to provide the service:

Sub-processor Location Role
Cloudflare, Inc. USA (global edge) Edge compute, KV storage, DNS
Clerk, Inc. USA Identity and authentication (paid plans only)
Paddle Payments UK/Ireland/Global Merchant of record & payment processing (paid plans only)

By accepting these Terms, the Controller consents to the use of these sub-processors.

We will give the Controller at least 30 days written notice before adding a new sub-processor. If the Controller objects to a new sub-processor on reasonable data protection grounds, we will work to find a resolution. If no resolution is possible, the Controller may terminate the service.

Dropframe remains responsible to the Controller for the acts and omissions of its sub-processors to the same extent as if Dropframe were performing the services itself.


6. International transfers

Cloudflare operates a global edge network. Content may be stored and served from data centres in multiple jurisdictions. Cloudflare maintains Standard Contractual Clauses and appropriate transfer mechanisms under the UK GDPR and EU GDPR for international transfers. Details are available in the Cloudflare GDPR documentation.


7. Data subject rights

Where a data subject exercises their rights under applicable data protection law (access, rectification, erasure, etc.) in relation to personal data processed through a Controller's deployed application, the Controller is responsible for responding.

Dropframe will assist the Controller insofar as it is technically possible — for example, by deleting a specific deployment on request. Dropframe cannot selectively extract or modify personal data embedded within deployed HTML.


8. Security measures

The technical and organisational measures Dropframe implements include:

A full description is available in the Security Policy at dropframe.run/security.


9. Audits

The Controller may request written confirmation of Dropframe's compliance with this DPA once per year. Dropframe will respond within 30 days. Where a formal audit is required by applicable law, the parties will agree the scope, timing, and cost in writing.


10. Term and termination

This DPA is in effect for as long as Dropframe processes personal data on behalf of the Controller under the Terms of Service. It terminates automatically when the Terms of Service terminate or when the Controller's last deployment is deleted.


11. Order of precedence

In the event of conflict between this DPA and the Terms of Service, this DPA prevails with respect to data protection matters only.


12. Contact

Data protection enquiries: hello@dropframe.run (subject: "DPA")
Website: dropframe.run