Data Processing Agreement
Effective date: 26 June 2026
This Data Processing Agreement ("DPA") supplements the Dropframe Terms of Service and applies when Dropframe processes personal data on behalf of a customer ("Controller") who uses Dropframe to deploy web applications that themselves collect or display personal data about end users.
1. Definitions
"Controller" means the Dropframe customer who determines the purposes and means of processing personal data within their deployed applications.
"Processor" means Dropframe, acting on the Controller's instructions to store and serve deployed content.
"Data Subject" means an identified or identifiable natural person whose personal data is processed.
"Personal Data" has the meaning given by the UK GDPR and EU GDPR — any information relating to an identified or identifiable natural person.
"Processing" has the meaning given by the applicable data protection legislation.
2. Scope and nature of processing
Dropframe acts as a Processor when it stores and serves HTML content deployed by the Controller that contains, displays, or collects personal data from end users.
| Element | Detail |
|---|---|
| Subject matter | Storage and serving of HTML content |
| Duration | Duration of the deployment (free tier: up to 14 days; paid tier: until deletion) |
| Nature | Storage, retrieval, and transmission of static or dynamic HTML files |
| Purpose | Enabling the Controller's deployed application to be served to end users |
| Data types | Any personal data embedded in or collected by the Controller's deployed application |
| Data subjects | End users of the Controller's deployed application |
Dropframe does not determine the categories or volumes of personal data included in deployments. That is entirely within the Controller's control.
3. Controller obligations
The Controller warrants that:
- It has a lawful basis for any personal data processing carried out through its deployed applications.
- It has provided all required notices to data subjects about how their data is processed.
- It has obtained any required consents.
- It will not instruct Dropframe to process personal data in a manner that would violate applicable data protection law.
4. Processor obligations
Dropframe, as Processor, will:
- Process personal data only on documented instructions from the Controller (i.e. by storing and serving the content the Controller deploys).
- Ensure that persons authorised to process the personal data are bound by appropriate confidentiality obligations.
- Implement appropriate technical and organisational security measures, as described in the Security Policy at dropframe.run/security.
- Assist the Controller in responding to data subject rights requests to the extent technically feasible, given that Dropframe does not inspect the content of deployments.
- Delete or return all personal data on termination of the service, in accordance with the data retention periods stated in the Privacy Policy.
- Make available all information necessary to demonstrate compliance with this DPA.
- Notify the Controller without undue delay (and in any event within 48 hours) upon becoming aware of a personal data breach affecting the Controller's deployments.
5. Sub-processors
Dropframe uses the following sub-processors to provide the service:
| Sub-processor | Location | Role |
|---|---|---|
| Cloudflare, Inc. | USA (global edge) | Edge compute, KV storage, DNS |
| Clerk, Inc. | USA | Identity and authentication (paid plans only) |
| Paddle Payments | UK/Ireland/Global | Merchant of record & payment processing (paid plans only) |
By accepting these Terms, the Controller consents to the use of these sub-processors.
We will give the Controller at least 30 days' written notice before adding a new sub-processor. If the Controller objects to a new sub-processor on reasonable data protection grounds, we will work to find a resolution. If no resolution is possible, the Controller may terminate the service.
Dropframe remains responsible to the Controller for the acts and omissions of its sub-processors to the same extent as if Dropframe were performing the services itself.
6. International transfers
Cloudflare operates a global edge network. Content may be stored and served from data centres in multiple jurisdictions. Cloudflare maintains Standard Contractual Clauses and appropriate transfer mechanisms under the UK GDPR and EU GDPR for international transfers. Details are available in the Cloudflare GDPR documentation.
7. Data subject rights
Where a data subject exercises their rights under applicable data protection law (access, rectification, erasure, etc.) in relation to personal data processed through a Controller's deployed application, the Controller is responsible for responding.
Dropframe will assist the Controller insofar as it is technically possible — for example, by deleting a specific deployment on request. Dropframe cannot selectively extract or modify personal data embedded within deployed HTML.
8. Security measures
The technical and organisational measures Dropframe implements include:
- HTTPS-only transport with TLS 1.2+ for all data in transit
- Storage encryption at rest via Cloudflare KV
- Iframe sandboxing for all deployed applications
- Access controls limiting Dropframe personnel access to stored content
- Cloudflare's DDoS protection and rate limiting at the network layer
A full description is available in the Security Policy at dropframe.run/security.
9. Audits
The Controller may request written confirmation of Dropframe's compliance with this DPA once per year. Dropframe will respond within 30 days. Where a formal audit is required by applicable law, the parties will agree the scope, timing, and cost in writing.
10. Term and termination
This DPA is in effect for as long as Dropframe processes personal data on behalf of the Controller under the Terms of Service. It terminates automatically when the Terms of Service terminate or when the Controller's last deployment is deleted.
11. Order of precedence
In the event of conflict between this DPA and the Terms of Service, this DPA prevails with respect to data protection matters only.
12. Contact
Data protection enquiries: hello@dropframe.run (subject: "DPA")
Website: dropframe.run