Data Processing Agreement (DPA) – Face2Face.io

Last Updated: May 16, 2025

This Data Processing Agreement ("DPA") forms part of the Terms of Service ("Agreement") between:

F2F Face2Face Technology Inc. ("Face2Face", "we", "Processor")

Customer ("you", "Controller")

Quick Summary

Your data, your control: We only process your end-user data based on your instructions.

Privacy first: We do not repurpose or resell your data.

Trusted partners: We use vetted subprocessors who are GDPR-compliant.

Full control: You can delete data and manage user rights at any time.

Transparency: We’ll notify you within 48 hours of any data breach.

1. Definitions

Controller: The party that determines the purposes and means of processing Personal Data.

Processor: The party that processes Personal Data on behalf of the Controller.

Personal Data: Any data relating to an identifiable individual.

Processing: Any operation performed on Personal Data (e.g., collection, storage, transmission, deletion).

GDPR: The EU General Data Protection Regulation 2016/679.

2. Scope & Roles

Face2Face acts strictly as a Processor, handling Personal Data only on behalf of and in accordance with the Controller's instructions, in compliance with Article 28 of the GDPR.

3. Data Processed

We process the following categories of Personal Data:

Activity	Data Types	Retention
User interaction logging	IP addresses, session metadata, page views	Pricing-dependent; defaults to 14 months
Call handling (real-time)	Audio/video streams, connection metadata	Not stored (relayed only)
Co-browsing sessions	Cursor movements, DOM elements, page metadata	Not stored (live relay only)
Call recording	Audio/video recordings, participant metadata	Customer-defined; default 30 days
User authentication	Email, hashed passwords, IP addresses	Until user deletion
Error logging	Error reports, session identifiers, request metadata	30 days
Custom user data	Names, emails, user IDs, form inputs, and other optional fields	Controller-defined or based on associated activity

Important Note: Custom data may be:

Injected by the Controller (e.g., via API, session configuration), or

Directly submitted by end-users (e.g., via forms, popups, or contextual widgets).

All such data is processed only under the Controller’s instructions.

4. Subprocessors

You authorize these subprocessors:

Subprocessor	Purpose	Location	Transfer outside EEA	Safeguards
Heroku	Hosting	USA	Yes	SCCs
MongoDB Atlas	Database	Germany	No	N/A
Grafana	Error Logging	EU	No	N/A
Mixpanel	Analytics	EU	No	N/A
daily.co	Video Calls	EU/USA	Yes (non-EU users only)	SCCs
Upscope	Co-browsing	EU/USA	Yes (non-EU users only)	SCCs
Ipstack	IP geolocation	Germany	No	N/A

We'll notify you about any changes, and you have the right to object.

5. Security Measures

Face2Face ensures:

Data encryption (HTTPS/TLS)

Role-based access control

Separation of development and production environments

GDPR-compliant subprocessor vetting

Robust incident response procedures

6. International Transfers

International data transfers are secured using Standard Contractual Clauses (SCCs).

7. Data Subject Requests

We will promptly notify you of any Data Subject Requests and fully cooperate to address these requests.

8. Incident Management

We commit to notifying you promptly (within 48 hours) about any data breach involving your data, assisting fully in managing and resolving the incident.

9. Audit & Compliance

We provide compliance evidence and cooperate with audits upon reasonable request, notice, and confidentiality.

10. Termination

Upon termination of this Agreement, we will delete or return your Personal Data according to your instructions.

11. Governing Law

This DPA is governed by the laws and jurisdiction specified in the Agreement.

12. Contact

For privacy-related questions:

Nick Tomic

Privacy Lead, Face2Face

📩 privacy@face2face.io

Agreed and acknowledged by:

Face2Face Technology Inc.

Signature: ________________________

Date: ____________________________

Customer

Signature: ________________________

Date: ____________________________