Framedash
The authoritative version of this document is the Japanese original. This translation is provided for convenience only.

Data Processing Agreement (DPA)

Last updated: March 31, 2026

1. Purpose

This Data Processing Agreement ("DPA") sets out the obligations between the data controller ("Controller" or "you") and Crane Valley LLC ("Processor" or "we") regarding the processing of personal data in connection with the Framedash service ("Service"), pursuant to Article 28 of the EU General Data Protection Regulation (GDPR).

This DPA forms part of the Terms of Service ("Main Agreement"). In the event of a conflict between the Main Agreement and this DPA, this DPA shall prevail with respect to the processing of personal data.

2. Definitions

  • "Personal data," "processing," "controller," "processor," "data subject," and "supervisory authority" have the meanings given in the GDPR.
  • "Sub-processor" means any third party engaged by the Processor to process personal data on behalf of the Controller.
  • "SCCs" means the EU Standard Contractual Clauses under Commission Implementing Decision (EU) 2021/914.

3. Processing Details

3.1 Subject Matter and Purpose

  • Purpose: Provision of the Service (collection, storage, analysis, and visualization of telemetry data)
  • Duration: For the term of the Main Agreement and until deletion is completed per Section 11
  • Nature: Automated processing (collection, recording, storage, structuring, analysis, erasure)

3.2 Types of Personal Data

  • Telemetry data: device information, session metadata, player coordinates, performance metrics, and other data configured by the Controller to be sent via the SDK

Note: Account information (name, email, organization name) and dashboard usage data are processed by the Processor as an independent controller under its Privacy Policy and are not within the scope of this DPA.

3.3 Categories of Data Subjects

  • End users of games or applications developed by the Controller, whose personal data may be included in telemetry data sent to the Service

4. Processor Obligations

The Processor shall:

  • Process personal data only on documented instructions from the Controller, unless required by EU or Member State law, in which case the Processor shall inform the Controller in advance unless legally prohibited.
  • Ensure that persons authorized to process personal data are bound by confidentiality obligations.
  • Implement appropriate technical and organizational security measures in accordance with Article 32 of the GDPR (see Section 7).
  • Comply with the conditions for engaging sub-processors set out in Section 6.
  • Assist the Controller in responding to data subject rights requests.
  • Assist the Controller with data protection impact assessments and prior consultations with supervisory authorities.
  • Delete personal data after termination of the Main Agreement in accordance with Section 11.
  • Make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for audits pursuant to Article 28(3)(h) of the GDPR.

5. Controller Obligations

The Controller shall:

  • Ensure that instructions given to the Processor comply with applicable law.
  • Provide appropriate privacy notices to data subjects.
  • Obtain any necessary consent or other legal basis for the processing of personal data.
  • Notify the Processor if telemetry data will include personal identifiers.

6. Sub-processors

6.1 Approved Sub-processors

The Controller approves the following sub-processors for the processing of personal data under this DPA:

  • ClickHouse Cloud — telemetry data storage and query processing
  • Cloudflare (Workers, R2) — telemetry data ingestion pipeline and storage of user-uploaded files (map images, project logos)
  • Neon — PostgreSQL database hosting (project metadata associated with telemetry)
  • Vercel — web application hosting and serverless runtime (dashboard serving telemetry data)

Other third-party services listed in the Privacy Policy (such as Stripe, OAuth providers, Resend, Sentry, and Upstash) process data in their capacity as independent controllers or do not process personal data covered by this DPA.

6.2 Change Notification

The Processor shall notify the Controller by email at least 30 days before adding or replacing a sub-processor. If the Controller raises a reasoned objection in writing within 14 days of receiving the notification, the parties shall negotiate in good faith to find a resolution. If no resolution is reached within a reasonable period, the Controller may terminate the Main Agreement.

6.3 Sub-processor Obligations

The Processor shall enter into a written agreement with each sub-processor imposing data protection obligations substantially equivalent to those in this DPA. The Processor remains liable to the Controller for the acts and omissions of its sub-processors.

7. Security Measures

The Processor implements appropriate technical and organizational security measures commensurate with the risk of processing, including:

  • TLS encryption of data in transit
  • Industry-standard encryption of data at rest
  • Access controls and role-based permission management
  • Infrastructure monitoring and logging
  • Regular security reviews and vulnerability management

8. Data Breach Notification

The Processor shall notify the Controller without undue delay and not later than 48 hours after becoming aware of a personal data breach. The notification shall include:

  • The nature of the breach, including the categories and approximate number of affected data subjects
  • Contact details of the Processor's data protection contact
  • The likely consequences of the breach
  • Measures taken or proposed to address the breach and mitigate its effects

9. Data Subject Rights

The Processor shall provide reasonable technical and organizational assistance to the Controller in responding to data subject requests (access, rectification, erasure, restriction, portability, objection). If the Processor receives a request directly from a data subject, it shall promptly forward the request to the Controller.

10. International Data Transfers

10.1 Transfers Covered by Adequacy Decisions

Where personal data is transferred from the EEA or the United Kingdom to Japan under the European Commission's adequacy decision for Japan (dated January 23, 2019) or the United Kingdom's adequacy regulations for Japan, such adequacy decision shall serve as the legal basis for the transfer and no additional safeguards are required.

10.2 Transfers Not Covered by Adequacy Decisions

Where personal data is transferred to a third country not covered by an adequacy decision, the parties shall apply the EU Standard Contractual Clauses (SCCs) under Commission Implementing Decision (EU) 2021/914, Module 2 (Controller to Processor). The SCCs are incorporated as an annex to this DPA and supplemented as follows:

  • Clause 9(a) (Sub-processors): Option 2 (general written authorization) applies.
  • Clause 11: The optional redress clause does not apply.
  • Clause 17 (Governing law): The law of Ireland applies.
  • Clause 18 (Forum): The courts of Ireland have jurisdiction.
  • Annex I (Party details, transfer description): As set out in Section 3 of this DPA.
  • Annex II (Technical and organizational measures): As set out in Section 7 of this DPA.

For transfers from the United Kingdom not covered by adequacy regulations, the UK International Data Transfer Addendum applies.

The governing law and forum provisions in Clauses 17 and 18 of the SCCs apply solely to the data transfer mechanism established by the SCCs. All other disputes arising under this DPA or the Main Agreement remain governed by the law and jurisdiction specified in the Main Agreement.

11. Data Return and Deletion

Upon termination of the Main Agreement, the Processor shall, at the Controller's choice, return or delete personal data processed under this DPA. Data shall be returned in a structured, commonly used, and machine-readable format. Deletion from production systems shall be completed within 30 days after the end of the grace period specified in the Main Agreement. Complete purging from backups shall be completed within 90 days after production deletion. However, the Processor may retain audit trail records (such as action logs containing user identifiers and IP addresses) where required by applicable law or necessary for compliance, fraud prevention, or security incident investigation. The Processor shall inform the Controller of any retained data categories, retention periods, and legal basis.

12. Audits

The Processor shall cooperate with audits conducted by the Controller or a third-party auditor appointed by the Controller, and provide information reasonably necessary to demonstrate compliance with this DPA, subject to the following conditions:

  • The Controller shall provide 30 days' written notice of an audit.
  • Audits shall be conducted during business hours and shall not unreasonably disrupt the Processor's operations.
  • Auditors shall enter into an appropriate confidentiality agreement.
  • Audits are limited to once per year, except for audits mandated by a supervisory authority or related to a data breach.
  • Where the Processor provides a current third-party security assessment report, penetration test report, or equivalent evidence of security controls, the Controller may accept such report in lieu of exercising its audit right for the applicable year.

13. Liability

Each party's liability under this DPA is subject to the limitations of liability set out in the Main Agreement.

14. Contact

For inquiries about this DPA or to raise an objection to a sub-processor change, please contact privacy@framedash.dev.