Data Processing Agreement
Last updated: May 5, 2026
Parties and Scope
This Data Processing Agreement ("DPA") forms part of the Terms of Use or other agreement between the customer ("Controller") and Boilerplate Ventures UG (haftungsbeschränkt), Galenusstraße 63D, 13187 Berlin, Germany, registered with the commercial register of Amtsgericht Charlottenburg under HRB 273526 B ("Processor", "we", "us") for the hosted Frontman service.
This DPA applies where we process personal data on behalf of the Controller in connection with the hosted Frontman service. It is intended to satisfy Article 28 GDPR.
Roles
The Controller determines the purposes and means of processing Customer Personal Data. The Processor processes Customer Personal Data only on behalf of the Controller and in accordance with this DPA, the Terms of Use, and the Controller's documented instructions.
For account administration, billing, marketing website analytics, product analytics, service communications, security, and our own legal obligations, we may act as an independent controller as described in our Privacy Policy.
Subject Matter and Duration
The subject matter of processing is the provision of the hosted Frontman service, including agentic development workflows, hosted history, account access, diagnostics, security, support, and related functionality.
The duration of processing is the term of the customer's hosted Frontman account or subscription, plus any retention period required for deletion, backups, legal obligations, dispute resolution, or security.
Nature and Purpose of Processing
Processing may include collecting, receiving, hosting, storing, accessing, displaying, organizing, transmitting, analyzing, generating, modifying, deleting, and otherwise processing Customer Personal Data as necessary to provide Frontman.
Purposes include:
- providing agentic development workflows;
- inspecting runtime and project context;
- generating and applying development source-code changes;
- storing conversation and task history;
- transmitting customer-selected context to customer-selected AI providers;
- securing, maintaining, monitoring, troubleshooting, and supporting the service;
- complying with documented customer instructions and applicable law.
Categories of Data Subjects
Customer Personal Data may relate to:
- Controller's employees, contractors, founders, developers, designers, product managers, and other users;
- Controller's customers, users, prospects, or end users where their data appears in code, screenshots, logs, DOM data, prompts, or project content;
- other individuals whose personal data is included in Customer Content.
Categories of Personal Data
Customer Personal Data may include:
- names, email addresses, usernames, identifiers, and contact details;
- account, project, session, and usage metadata;
- prompts, instructions, generated output, and task history;
- source-code snippets, project files, routes, source maps, build errors, logs, and diagnostics;
- screenshots, DOM structure, component information, CSS information, and browser/runtime context;
- API keys, provider credentials, OAuth metadata, and connection metadata;
- any other personal data the Controller chooses to process through Frontman.
Special Categories of Data
Frontman is not designed to process special categories of personal data under Article 9 GDPR. The Controller must not intentionally submit special categories of personal data unless the Controller has a valid legal basis and has implemented appropriate safeguards.
Controller Instructions
The Controller instructs the Processor to process Customer Personal Data as necessary to provide the hosted Frontman service under the Terms of Use, this DPA, product settings, user actions, support requests, and other documented instructions.
The Processor will promptly inform the Controller if, in the Processor's opinion, an instruction infringes applicable data protection law, unless prohibited by law from doing so.
Processor Obligations
The Processor will:
- process Customer Personal Data only on documented instructions from the Controller unless required by law;
- ensure that personnel authorized to process Customer Personal Data are bound by confidentiality obligations;
- implement appropriate technical and organizational measures described in Technical and Organizational Measures;
- assist the Controller with data subject requests, security obligations, breach notifications, data protection impact assessments, and consultations with supervisory authorities where required and reasonably possible;
- make available information reasonably necessary to demonstrate compliance with Article 28 GDPR;
- delete or return Customer Personal Data after the end of the services as described in this DPA and the Terms of Use.
Controller Obligations
The Controller is responsible for:
- lawfully collecting and processing Customer Personal Data;
- providing all required notices and obtaining all required rights, consents, and legal bases;
- deciding what Customer Content is submitted to Frontman;
- deciding which AI providers to connect and whether Customer Personal Data may be transmitted to them;
- configuring provider accounts, provider-side retention, and provider data processing settings;
- responding to data subject requests where the Controller controls the relevant data;
- ensuring that users comply with the Terms of Use and this DPA.
Customer-Selected AI Providers
Frontman uses a bring-your-own-key model. The Controller selects and connects third-party AI providers using its own credentials or a provider-authorized connection.
When the Controller uses Frontman with a selected AI provider, the Processor transmits Customer Personal Data and Customer Content to that provider as instructed by the Controller. The Controller is responsible for assessing the provider, entering into any required terms or data processing agreement with that provider, and ensuring the transfer and processing are lawful.
Customer-selected AI providers may act as independent providers to the Controller rather than ordinary subprocessors of the Processor, depending on the provider terms and account relationship.
Subprocessors
The Controller authorizes the Processor to use subprocessors to provide the hosted Frontman service. Current subprocessors are listed at Subprocessors.
The Processor will impose data protection obligations on subprocessors that are materially consistent with this DPA. The Processor remains responsible to the Controller for subprocessor performance of data protection obligations, except where the relevant third party is selected and controlled by the Controller, such as customer-selected AI providers.
We may update the subprocessor list from time to time. We will provide reasonable notice of material new subprocessors where required. If the Controller reasonably objects to a new subprocessor on data protection grounds, the Controller may stop using the affected hosted service or terminate the subscription before the subprocessor is used, unless the subprocessor is necessary for legal, security, or operational continuity reasons.
International Transfers
The hosted Frontman service is hosted in the European Union using Hetzner infrastructure. Some subprocessors or customer-selected AI providers may process Customer Personal Data outside the European Economic Area.
Where the Processor transfers Customer Personal Data outside the EEA and no adequacy decision applies, the Processor will use appropriate safeguards such as Standard Contractual Clauses, supplementary measures, or another lawful transfer mechanism.
For transfers to customer-selected AI providers, the Controller is responsible for assessing and authorizing the transfer through its provider selection and provider account relationship.
Security Measures
The Processor will implement and maintain appropriate technical and organizational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.
Current measures are described in Technical and Organizational Measures. The Processor may update these measures over time, provided the overall level of protection is not materially reduced.
Personal Data Breaches
The Processor will notify the Controller without undue delay after becoming aware of a personal data breach affecting Customer Personal Data. The notification will include information reasonably available to the Processor to help the Controller meet its breach notification obligations.
The Processor will take reasonable steps to investigate, contain, mitigate, and remediate the breach.
Data Subject Requests
Taking into account the nature of processing, the Processor will reasonably assist the Controller with data subject requests relating to Customer Personal Data. If a data subject contacts the Processor directly about Customer Personal Data controlled by the Controller, the Processor may refer the request to the Controller where appropriate.
Deletion and Return
Conversation and task history is stored until user deletion. When the Controller or its user deletes history, it is deleted from active systems. Backup copies may retain deleted data for up to 3 months before automatic backup expiry.
At the end of the hosted service relationship, the Processor will delete or return Customer Personal Data according to available product functionality, documented instructions, and applicable retention requirements. Some data may be retained where required for billing, tax, security, legal compliance, dispute resolution, or enforcement of rights.
Audits and Information
Upon reasonable written request, the Processor will provide information necessary to demonstrate compliance with this DPA, such as security documentation, subprocessor information, and descriptions of technical and organizational measures.
On-site audits are only available where legally required and subject to reasonable notice, confidentiality, security restrictions, scope limitations, and scheduling. The Controller must first use available documentation and less intrusive audit methods where sufficient.
Liability
Liability under this DPA is subject to the liability provisions in the Terms of Use or other agreement between the parties, unless mandatory data protection law requires otherwise.
Governing Law
This DPA is governed by the laws of the Federal Republic of Germany, unless mandatory data protection law requires otherwise.