Data Processing Agreement
When you put your customers’ details into Autera, you (the workshop) are the “controller” under UK GDPR and we (FrameLogic Limited, the company that operates Autera) are the “processor”. This document is the formal agreement spelling out our processor obligations under Article 28 of UK GDPR.
This Data Processing Agreement (“DPA”) forms part of the Terms of Service between you (the “Controller”) and FrameLogic Limited (“Processor”, “we”, “us”). It applies whenever we process Personal Data on your behalf in the course of providing Autera, and is intended to comply with Article 28 of the UK General Data Protection Regulation (“UK GDPR”) and the Data Protection Act 2018.
1. Definitions
- Controller: you, the Autera workshop subscriber, who determines the purposes and means of processing Personal Data about your own customers, technicians, suppliers, and vehicles.
- Processor: FrameLogic Limited, processing Personal Data on the Controller’s behalf.
- Personal Data: any data within Autera relating to identified or identifiable natural persons (typically your end-customers and team members).
- Sub-processor: any third party we engage to process Personal Data on our behalf.
- Data Subject: the natural person to whom Personal Data relates.
- Personal Data Breach: a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.
- Other terms have the meanings given in the UK GDPR.
2. Subject matter and duration
- Subject matter: Provision of the Autera SaaS platform, including hosting, processing, and storage of Personal Data the Controller enters into the platform.
- Duration: For as long as the Controller’s subscription is active, plus any retention windows set out in section 8 of the Terms.
- Nature and purpose: Storage, retrieval, display, and incidental processing necessary to operate workshop management features (jobs, invoices, quotes, customers, vehicles, documents).
- Categories of Data Subjects: The Controller’s customers, technicians, team members, suppliers, and vehicle owners.
- Categories of Personal Data: Names, contact details, addresses, vehicle registrations, job history, invoice and payment records, uploaded documents, and any other Personal Data the Controller chooses to enter.
3. Processor obligations
We will:
- Process Personal Data only on documented instructions from the Controller, including with regard to international transfers (such instructions are given through the Controller’s use of Autera, this DPA, and the Terms).
- Ensure that personnel authorised to process Personal Data are bound by a duty of confidentiality.
- Implement and maintain appropriate technical and organisational measures (see section 6) to ensure a level of security appropriate to the risk.
- Engage Sub-processors only on the terms set out in section 5.
- Assist the Controller, taking into account the nature of processing and the information available to us, in fulfilling its obligations to respond to Data Subject rights requests under UK GDPR.
- Assist the Controller in ensuring compliance with Articles 32 to 36 of the UK GDPR (security, breach notification, impact assessments, prior consultation), taking into account the nature of processing and the information available to us.
- At the Controller’s choice, delete or return all Personal Data after the end of the provision of services, in line with the retention timelines in section 8 of the Terms.
- Make available to the Controller all information necessary to demonstrate compliance with the obligations in this DPA, and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller. Audits are limited to once per twelve-month period absent a security incident, must be reasonable in scope, must not unduly disrupt operations, and the Controller is responsible for the audit costs.
- Inform the Controller without undue delay if, in our opinion, an instruction infringes UK GDPR or any other UK or EU data protection provision.
4. Controller obligations
The Controller will:
- Have a lawful basis for the processing it instructs us to carry out.
- Provide privacy notices and obtain any required consents from its own customers and other Data Subjects.
- Handle Data Subject rights requests it receives, with our reasonable assistance.
- Ensure that any Personal Data uploaded to Autera complies with the Acceptable Use Policy and applicable law.
5. Sub-processors
The Controller authorises us to engage the following Sub-processors:
- Stripe Inc.: payment processing
- Resend Inc.: transactional email delivery
- Cloudflare Ltd: object storage (R2), DNS, edge networking, and Turnstile bot challenge on signup (IP address and browser signals)
- Google LLC (Firebase): user authentication, and push notification delivery to Android devices via Firebase Cloud Messaging (payloads can include customer name, vehicle registration, and job or invoice details)
- Apple Inc.: push notification delivery to iOS devices via the Apple Push Notification service (APNs); payloads can include customer name, vehicle registration, and job or invoice details
- Browser push providers (Google, Mozilla, Apple): delivery of web (PWA) push notifications via the browser’s push endpoint; payloads can include customer name, vehicle registration, and job or invoice details
- IONOS SE (UK data centre): primary database and application hosting (UK-based VPS)
- Xero Limited: accounting sync, engaged only when the Controller connects Xero (customer name, email, phone, address, and invoice line items)
- Intuit Inc. (QuickBooks Online): accounting sync alternative, engaged only when the Controller connects QuickBooks (customer name, email, phone, address, and invoice line items)
- Anthropic PBC (Claude API): the optional “tidy up job notes” AI feature (the advisor’s note text plus vehicle registration, make, and model)
- PostHog Inc. (EU region): product analytics and session replay on the marketing site, loaded only after the visitor accepts the cookie banner
- Functional Software Inc. (Sentry): error and exception tracking (workshop and user identifiers and IP address)
- Trustpilot A/S: review-invite emails via Trustpilot’s feedback service (recent customers’ email and name)
- Calendly LLC: demo-booking widget on the marketing site (prospect contact details entered into the widget)
- Telegram FZ-LLC: internal operational alerting tooling; alerts can include workshop identifiers
We will:
- Provide at least 30 days’ notice of any new Sub-processor or replacement of an existing one. We will publish updates on this page (the “Last updated” date will reflect changes).
- Bind every Sub-processor by a written contract that imposes equivalent data-protection obligations to those set out in this DPA.
- Remain fully liable to the Controller for the performance of each Sub-processor’s obligations.
If the Controller has a reasonable objection to a new Sub-processor, the Controller may terminate the Terms by giving notice in writing during the 30-day notice period. If no objection is raised within that period, the Controller is deemed to have approved the Sub-processor.
6. Technical and organisational measures
We implement, and require Sub-processors to implement, measures including:
- Encryption of data in transit (TLS 1.2 or higher) and encryption of database backups at rest (AES-256)
- Strict role-based access controls within Autera
- Logged and audited internal staff access to workshop data
- Signed, time-limited URLs for file downloads
- Network-level firewalling and DDoS protection at the edge
- Automated daily database backups, weekly object-storage snapshots, and tested restore procedures
- Continuous security monitoring, log retention, and incident response procedures
- Secure software development practices, including code review and dependency vulnerability scanning
7. International transfers
Where Personal Data is transferred outside the United Kingdom, we rely on:
- UK adequacy regulations, where they apply to the destination country, or
- The UK International Data Transfer Agreement (IDTA), or the EU Standard Contractual Clauses together with the UK International Data Transfer Addendum, in each case with appropriate supplementary measures
The Controller authorises such transfers as necessary to deliver the service.
8. Personal Data Breach notification
We will notify the Controller without undue delay (and in any event within 72 hours of becoming aware of it) of a Personal Data Breach affecting the Controller’s Personal Data. Notification will include, to the extent then known: the nature of the breach, the categories and approximate number of Data Subjects and records concerned, the likely consequences, and the measures taken or proposed to address the breach. Where not all of this information is available at the time of the initial notification, we will provide it in phases as it becomes known.
9. Liability
The liability of each Party under or in connection with this DPA is subject to the limitations and exclusions set out in section 12 of the Terms of Service.
10. Governing law
This DPA is governed by the laws of England and Wales. Any dispute arising under this DPA is subject to the exclusive jurisdiction of the courts of England and Wales, in line with section 16 of the Terms.
11. Contact
Data protection queries: privacy@getautera.com
Postal: FrameLogic Limited, 58 Rochester Avenue, Feltham, TW13 4EJ, United Kingdom
12. Acceptance
By accepting the Terms of Service, the Controller accepts this DPA. A signed copy is not required: the contractual nature of the agreement is established by acceptance of the Terms. If your business requires a counter-signed PDF for compliance records, request one at privacy@getautera.com.