Data Processing Addendum

Last updated: April 2, 2026

This Data Processing Addendum ("DPA") forms part of the Terms of Service ("Agreement") between the entity agreeing to these terms ("Customer", "Controller") and Elly Software ("Processor", "we", "us") for the provision of the FrameQuery service ("Service").

This DPA applies where and only to the extent that we process Personal Data on behalf of the Customer in the course of providing the Service, and such Personal Data is subject to the General Data Protection Regulation ("GDPR"), the UK General Data Protection Regulation ("UK GDPR"), or the Swiss Federal Act on Data Protection ("FADP").

1. Definitions

"Personal Data" means any information relating to an identified or identifiable natural person that is processed by the Processor on behalf of the Customer through the Service.

"Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Customer.

"Data Subject" means an identified or identifiable natural person whose Personal Data is processed.

"Applicable Data Protection Law" means all applicable laws and regulations relating to the processing of Personal Data, including GDPR, UK GDPR, and FADP.

2. Scope of Processing

2.1 Role of the Parties

The Customer is the Controller. FrameQuery is the Processor. The Customer determines the purposes and means of processing; FrameQuery processes Personal Data only on documented instructions from the Customer to provide the Service.

2.2 Categories of Data Subjects

  • Customer's end users
  • Individuals appearing in or audible within uploaded video and audio content

2.3 Types of Personal Data Processed

  • Account data: email address, user identifier
  • Uploaded content: video files, extracted audio
  • Derived data: video scene descriptions, object labels, transcription text, anonymised speaker labels ("Speaker 1", "Speaker 2", etc.)
  • Usage data: job metadata, processing timestamps, subscription tier
  • Technical data: IP addresses (retained for 30 days in infrastructure logs)

2.4 Processing Activities

  • Video ingestion, transcoding, and validation
  • Video frame extraction and visual analysis (scene captioning, object detection, shot classification)
  • Audio extraction and speech-to-text transcription with speaker diarization
  • Storage of processing results
  • Billing and usage metering
  • Product analytics (with opt-out)

2.5 Duration of Processing

Processing continues for the duration of the Agreement. Upon termination or account deletion, all Personal Data is deleted in accordance with Section 8.

3. Customer Instructions

FrameQuery will process Personal Data only in accordance with the Customer's documented instructions, which include: (a) providing the Service as described in the Agreement and documentation; (b) processing initiated by the Customer through their use of the Service; and (c) any additional written instructions agreed upon by both parties.

If FrameQuery is required by applicable law to process Personal Data other than in accordance with the Customer's instructions, FrameQuery will inform the Customer of that legal requirement before processing (unless prohibited by law from doing so).

4. Confidentiality

FrameQuery ensures that persons authorised to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

5. Security Measures

FrameQuery implements and maintains appropriate technical and organizational measures to protect Personal Data, including:

Encryption

  • All data encrypted in transit (TLS 1.2+)
  • All data encrypted at rest (GCP-managed encryption for Firestore, Cloud Storage, and Cloud Logging)

Access Control

  • Least-privilege IAM service accounts per service
  • API authentication via JWT and SHA-256 hashed API keys
  • Internal service endpoints protected by shared secret middleware
  • Rate limiting per user and per IP address

Network Security

  • GPU worker instances run with no public IP (internal VPC only)
  • SSRF protections on all external URL fetches (private IP blocking, redirect validation)

Data Minimisation

  • Audio extracted as minimal-quality mono OGG (48kbps) for transcription
  • Only extracted audio is sent to US processing — not the full video file
  • Speaker diarization produces anonymous labels only — no voice profiles are stored
  • Sensitive tokens and query parameters are redacted from all logs

Infrastructure

  • GPU processing instances are ephemeral (Spot VMs that self-delete on idle)
  • Temporary files deleted immediately after processing
  • Services deployed on Google Cloud Platform with SOC 2 Type II certification

6. Sub-processors

6.1 Authorised Sub-processors

The Customer provides general authorisation for FrameQuery to engage the following Sub-processors:

| Sub-processor | Purpose | Region |
|---|---|---|
| Google Cloud Platform | Infrastructure (compute, storage, database) | EU and US |
| Google Vertex AI (Gemini) | Video frame analysis | EU and US |
| Cloudflare (R2, Workers, D1) | Object storage, authentication | Global |
| Polar | Billing and subscriptions | US |
| PostHog | Product analytics (opt-out available) | EU |
| Upstash | Frame analysis cache | |

An up-to-date list is also available via the API at GET /v1/privacy/data-processors.

6.2 Sub-processor Changes

FrameQuery will notify the Customer at least 30 days before adding or replacing a Sub-processor by updating the Sub-processor list and, where the Customer has provided a contact email, by email notification.

If the Customer objects to a new Sub-processor on reasonable data protection grounds, the Customer may terminate the affected Service by providing written notice within 30 days of the notification.

6.3 Sub-processor Obligations

FrameQuery imposes data protection obligations on each Sub-processor no less protective than those in this DPA, by way of a written contract. FrameQuery remains liable for the acts and omissions of its Sub-processors.

7. International Transfers

7.1 Transfer Mechanisms

Where Personal Data is transferred outside the EEA, UK, or Switzerland, FrameQuery ensures that appropriate safeguards are in place:

  • Google Cloud Platform: Standard Contractual Clauses (SCCs) incorporated in Google's Data Processing Addendum; Google LLC is certified under the EU-US Data Privacy Framework
  • Polar: Standard Contractual Clauses incorporated in Polar's Data Processing Addendum

7.2 US-Based Processing

Speech-to-text transcription is performed on US-based GPU instances due to GPU availability constraints. A Transfer Impact Assessment is maintained documenting the necessity, safeguards, and risk assessment for this transfer. Key safeguards include:

  • Audio data is ephemeral (present on US infrastructure for 10 to 120 seconds)
  • Source audio is deleted immediately after successful transcription
  • GPU instances have no public IP and self-terminate on idle
  • All transfers are encrypted (TLS 1.2+)

7.3 Transfer Impact Assessment

A copy of the Transfer Impact Assessment is available on request.

8. Data Retention and Deletion

8.1 Retention Periods

| Data Type | Retention |
|---|---|
| Raw video uploads | Deleted after processing (7-day safety fallback) |
| Transcoded video proxies | Deleted after processing (90-day safety fallback) |
| Extracted video frames | Deleted after analysis (30-day safety fallback) |
| Audio files | Deleted immediately after transcription |
| Processing job results | 6 months |
| Retained proxies (user-initiated) | 30 days standard, then 90 days cold storage |
| Frame analysis cache | 30 days |
| Audit logs | 1 year |
| Infrastructure logs | 30 days |

8.2 Account Deletion

Upon the Customer's request to delete their account:

  1. A 7-day recovery window allows the Customer to cancel the deletion.
  2. After 7 days, all Personal Data is permanently deleted across all systems, including: all job data, billing records, API keys, video reviews, comments, invitations, retained proxies, shared indexes, object storage files, analytics data, audit log entries, frame analysis cache entries, and bug reports.
  3. Deletion continues on subsystem failures and reports any systems that could not be fully purged.

8.3 Termination

Upon termination of the Agreement, FrameQuery will delete all Customer Personal Data within 30 days, unless retention is required by applicable law.

9. Data Subject Rights

9.1 Assistance

FrameQuery will assist the Customer in fulfilling its obligation to respond to Data Subject requests, including:

  • Right of access / data portability: The Customer can export all their data via the Service.
  • Right to erasure: The Customer can delete their account and all associated data via the Service.
  • Right to object to processing: The Customer can opt out of product analytics via the Service.
  • Right to rectification: The Customer can contact FrameQuery to update personal data.

9.2 Notification

If FrameQuery receives a request directly from a Data Subject, FrameQuery will promptly redirect the Data Subject to the Customer, unless legally required to respond directly.

10. Data Breach Notification

FrameQuery will notify the Customer without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data breach affecting the Customer's data.

The notification will include, to the extent available:

  • The nature of the breach, including categories and approximate number of Data Subjects affected
  • The likely consequences of the breach
  • The measures taken or proposed to address the breach

FrameQuery will cooperate with and assist the Customer in fulfilling the Customer's breach notification obligations under Applicable Data Protection Law.

11. Audits

FrameQuery will make available to the Customer, on request, all information reasonably necessary to demonstrate compliance with this DPA.

The Customer may conduct an audit, or appoint a third-party auditor (subject to confidentiality obligations), to verify FrameQuery's compliance with this DPA. Audits shall be conducted with reasonable prior notice, during business hours, and no more than once per year unless required by a supervisory authority or following a data breach.

FrameQuery may satisfy audit requests by providing relevant certifications, audit reports, or compliance documentation from its Sub-processors (e.g., Google Cloud SOC 2 Type II reports).

12. Liability

Each party's liability under this DPA is subject to the limitations of liability set out in the Agreement.

13. General

This DPA is governed by the same governing law as the Agreement (United Kingdom), unless otherwise required by Applicable Data Protection Law.

In the event of a conflict between this DPA and the Agreement, this DPA prevails with respect to the processing of Personal Data.

If any provision of this DPA is found to be invalid or unenforceable, the remaining provisions remain in full force and effect.

Annex 1: Standard Contractual Clauses

Where required under Applicable Data Protection Law, the parties agree to the EU Commission's Standard Contractual Clauses for the transfer of Personal Data to processors established in third countries (Commission Implementing Decision (EU) 2021/914), which are incorporated by reference.

  • Module Two (Controller to Processor) applies
  • Clause 7: The optional docking clause is included
  • Clause 9(a): General written authorisation (Option 2) — see Section 6.2
  • Clause 11: The optional language is not included
  • Clause 13: The competent supervisory authority is the Information Commissioner's Office (ICO) of the United Kingdom
  • Clause 17: The SCCs are governed by the law of the United Kingdom
  • Clause 18(b): Disputes shall be resolved before the courts of the United Kingdom

For UK transfers, the UK International Data Transfer Addendum (issued by the ICO under Section 119A of the UK Data Protection Act 2018) is incorporated by reference.

For Swiss transfers, the SCCs apply with the modifications required by the FADP.