LEGAL

Data Processing Addendum

Last updated: July 1, 2026

This addendum applies when you process personal data through Secondframe that is subject to the GDPR or similar laws. It sets out how we protect that data as your processor and forms part of our Terms of Service.

001

Introduction and Scope

This Data Processing Addendum ("DPA") forms part of the Terms of Service (the "Agreement") between Secondframe ("Secondframe," "Processor") and the customer that has accepted the Agreement ("Customer," "Controller"). It governs Secondframe's processing of Customer Personal Data on the Customer's behalf in connection with the Service.
Where the Customer acts as a processor for its own customers, Secondframe acts as a sub processor, and references to Controller are read accordingly.
If there is a conflict between this DPA and the rest of the Agreement on data protection matters, this DPA controls.
002

Definitions

"Data Protection Laws" means all laws applicable to the processing of personal data under the Agreement, including the EU General Data Protection Regulation (GDPR), the UK GDPR and Data Protection Act 2018, the CCPA and CPRA, and PIPEDA.
"Customer Personal Data" means personal data that Secondframe processes on the Customer's behalf in providing the Service, as described in Annex I.
"Sub processor" means any third party engaged by Secondframe to process Customer Personal Data.
"Standard Contractual Clauses" or "SCCs" means the clauses approved by the European Commission for transfers of personal data to third countries, and, for the UK, the UK International Data Transfer Addendum.
The terms "controller," "processor," "data subject," "personal data," "processing," and "personal data breach" have the meanings given in the GDPR.
003

Roles and Instructions

The Customer is the controller and Secondframe is the processor of Customer Personal Data. Secondframe will process Customer Personal Data only on the Customer's documented instructions, including as set out in the Agreement and this DPA, and as needed to provide and secure the Service, unless required by law, in which case Secondframe will inform the Customer unless the law prohibits it.
The Customer is responsible for the accuracy and legality of Customer Personal Data and for having a lawful basis and all required notices and consents for the processing, including for AI based assessment.
004

Secondframe Obligations

4.1 Instructions. Secondframe processes Customer Personal Data only as described in Section 003. Secondframe will notify the Customer if, in its opinion, an instruction infringes Data Protection Laws.
4.2 Confidentiality. Secondframe ensures that personnel authorized to process Customer Personal Data are bound by confidentiality obligations.
4.3 Security. Secondframe implements appropriate technical and organizational measures to protect Customer Personal Data, as described in Annex II, taking into account the state of the art, the costs, and the risks.
4.4 Sub processors. The Customer provides general authorization for Secondframe to engage Sub processors. A current list is at Annex III and on our Sub Processor List. Secondframe will give at least 30 days notice of new or replacement Sub processors, and the Customer may object on reasonable data protection grounds within that period. Secondframe imposes data protection obligations on Sub processors no less protective than those in this DPA and remains responsible for their performance.
4.5 Data subject requests. Taking into account the nature of the processing, Secondframe will assist the Customer by appropriate measures, insofar as possible, to respond to requests from data subjects. If Secondframe receives such a request directly, it will forward it to the Customer and will not respond except on the Customer's instruction or as legally required.
4.6 Assistance. Secondframe will assist the Customer, taking into account the nature of processing and the information available to it, with security, breach notification, data protection impact assessments, and prior consultation with supervisory authorities.
4.7 Breach notification. Secondframe will notify the Customer without undue delay, and in any event within 72 hours, after becoming aware of a personal data breach affecting Customer Personal Data, and will provide information reasonably available to help the Customer meet its notification obligations.
4.8 Deletion or return. On termination of the Service, Secondframe will delete or return Customer Personal Data at the Customer's choice, and delete existing copies, except to the extent retention is required by law. Live session state expires automatically as described in the Privacy Policy, and deletion timelines follow the retention schedule in the Privacy Policy.
4.9 Audits. Secondframe will make available information reasonably necessary to demonstrate compliance with this DPA and will allow for and contribute to audits, no more than once per year except where required by a supervisory authority or following a breach, subject to reasonable confidentiality and security conditions. Secondframe may satisfy audit requests by providing third party certifications or reports where available.
005

International Transfers

To the extent Secondframe transfers Customer Personal Data outside the EEA, the UK, or Switzerland to a country without an adequacy decision, the parties agree that the Standard Contractual Clauses (and the UK Addendum where applicable) are incorporated by reference and apply, with Secondframe as data importer and the Customer as data exporter, completed with the details in the Annexes. Module Two applies for controller to processor transfers, and Module Three for processor to sub processor transfers.
006

California (CCPA and CPRA)

Where the CCPA applies, Secondframe acts as a service provider. Secondframe will not sell or share Customer Personal Data, will not retain, use, or disclose it except to perform the Service or as permitted by law, and will not combine it with personal information from other sources except as permitted. Secondframe certifies it understands and will comply with these restrictions.
007

Liability

Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Agreement.
008

Term and Governing Law

This DPA takes effect when the Customer accepts the Agreement and continues while Secondframe processes Customer Personal Data. It is governed by the law stated in the Agreement, except where Data Protection Laws require otherwise.
009

Annex I: Details of Processing

A. Parties. Data exporter: the Customer. Data importer: Secondframe.
B. Subject matter and duration. Provision of the Secondframe assessment Service for the term of the Agreement.
C. Nature and purpose. Hosting, processing, and analysis of assessment interactions to deliver simulations, generate scores and reports, and operate and secure the Service.
D. Categories of data subjects. Candidates assessed by the Customer, and the Customer's authorized users.
E. Categories of personal data. Identifiers (name, email), account data, assessment interactions and transcripts, scores and reports, profile data where applicable, and usage and technical data such as IP address and device information.
F. Special category data. Not intended or required. The Customer must not submit special category data, and Candidates are instructed not to share it.
G. Frequency. Continuous for the term.
H. Retention. As set out in the Privacy Policy retention schedule.
010

Annex II: Security Measures

  • Encryption of data in transit using TLS, and encryption of data at rest in supported stores.
  • Role based access control and least privilege access to production systems.
  • Authentication controls, including for administrative access.
  • Network controls and isolation within a managed cloud environment.
  • Automatic expiry of live session state approximately two hours after a session ends.
  • Logging and monitoring of access and security events.
  • Secure software development practices and dependency management.
  • Backup management with rolling backups purged within 90 days.
  • Vendor management and data protection terms with Sub processors.
  • Incident response procedures, including breach notification as set out in Section 004.
011

Annex III: Sub Processors

The current list of Sub processors, with their processing purpose and location, is maintained on our Sub Processor List, which is incorporated by reference. Changes are notified as set out in Section 004.4.
012

Contact

Secondframe
Email: hello@secondframe.co

Questions about data processing?

Our team responds within one business day.

Email Us