Data Processing Agreement
Updates are currently underway to this Data Processing Agreement page. Please check back soon — revised terms and documentation will be published here shortly.
Template — Effective: March 27, 2026
This DPA template is provided for B2B and GDPR compliance discussions. For a binding agreement, execute it with Frontier R&D Ltd (or reference it in your order) after review by your legal team.
Parties
This Data Processing Agreement (“DPA”) is between Frontier R&D Ltd (“Processor”) and the customer entity that orders Codex Services (“Controller”). The Controller’s name and address are as set out in the applicable order form or subscription.
1. Subject matter and duration
The Processor provides the Codex Translation Editor and related cloud services as described in the Terms of Service and order. This DPA applies for the duration of the agreement and until the Controller’s personal data is deleted or returned in accordance with Section 6.
2. Nature and purpose of processing
The Processor processes personal data solely to deliver the Services the Controller configures and uses: account management, authentication, project collaboration, AI-assisted translation workflows, support, security, and billing as applicable.
3. Types of personal data
Depending on the Services used, this may include: account identifiers (e.g. name, email), authentication metadata, organization and project identifiers, usage and technical logs, support communications, and content the Controller’s users upload or generate in projects (which may include personal data if users include it in translation or notes).
The Processor does not require translation text for marketing and does not sell personal data. Details of categories of data subjects (e.g. translators, reviewers, administrators) follow from the Controller’s deployment.
4. Processor obligations
The Processor shall:
- Process personal data only on documented instructions from the Controller (including these Terms and the Privacy Policy), unless EU/UK law requires otherwise.
- Ensure persons authorized to process data are bound by confidentiality.
- Implement appropriate technical and organizational measures (see Security below).
- Assist the Controller with data subject requests, DPIAs, and breach notifications where reasonably possible and considering the nature of processing.
- Delete or return personal data at the end of the Services, unless law requires retention.
- Make available information necessary to demonstrate compliance and allow audits agreed in writing with reasonable notice.
5. Subprocessors
The Controller authorizes the Processor to engage subprocessors listed in our Privacy Policy (subprocessors section). The Processor remains responsible for subprocessors’ performance. The Processor will notify the Controller of material changes to subprocessors (e.g. via the Privacy Policy or email) and allow objection where legally required.
6. International transfers
Where personal data is transferred outside the UK/EEA, the Processor uses appropriate safeguards (e.g. UK IDTA / EU SCCs or equivalent) as required by applicable law.
7. Security
The Processor implements measures appropriate to the risk, including access controls, encryption in transit where applicable, and resilience of processing systems. Further detail may be provided under NDA or in security questionnaires for enterprise customers.
8. Contact
For DPA-related requests: admin@frontierrnd.com