Template — for evaluation. This summary is provided so a security or procurement reviewer can assess our posture early. It is a template and is subject to final legal review; the executed agreement governs.
1. Roles of the parties
When you use Frontelio to run your operation, you are the controller of your staff’s personal data and Frontelio is the processor. We process that data only to provide the service and only on your documented instructions — we do not sell it, and we do not use it for our own purposes beyond operating and securing the platform.
- Controller: The customer (the company that subscribes to Frontelio). The customer decides why and how the personal data of its staff is processed.
- Processor: Frontelio, operated by MISSAN COMPUTER L.L.C.SP. We process the data only on the customer's documented instructions, to provide the service.
- Sub-processor: A vetted third-party provider engaged by Frontelio to help deliver the service (e.g. cloud hosting, object storage, push notifications, transactional email, AI photo verification). See the subprocessor list.
- Data subject: An individual whose personal data is processed — primarily the customer's staff and managers.
2. Subject-matter, nature & purpose
Subject-matter: provision of the Frontelio workforce-operations platform (scheduling, attendance, checklists, evidence, HR, and related modules) to the customer.
Nature & purpose: hosting, storage, retrieval, organisation, and analysis of the customer’s operational and HR data so that the customer can run and supervise its frontline teams. Processing continues for the duration of the subscription.
3. Categories of data & data subjects
The personal data processed depends on the modules the customer enables. Typical categories:
Name, role, work email and/or phone, employee/payroll identifiers, attendance records (clock-in/out times, GPS location at punch, verification selfie), schedules, leave and approvals, performance and disciplinary notes, and — where the customer chooses to record them — identity/visa document details for compliance.
Checklist completions, task and audit photos, manager logbook entries, asset and maintenance records, and the timestamps and audit-log entries attached to each.
Login credentials (passwords stored only as bcrypt hashes), device/push tokens, app version, and security/audit logs needed to operate and protect the service.
Where the customer chooses to record identity or visa documents, those may include data treated as sensitive under applicable law; the customer remains responsible for having a lawful basis to collect them.
4. Our obligations as processor
Confidentiality
We ensure that personnel authorised to process the data are bound by confidentiality and access it only on a need-to-know basis.
Security
We maintain appropriate technical and organisational measures — encryption in transit and at rest, tenant isolation, role-based access control, bcrypt password hashing, audit logging, daily backups, and monitoring. These are described on our security practices page.
Assistance
We assist the customer, to the extent reasonable, in responding to data-subject requests and in meeting the customer’s own security, breach-notification, and impact-assessment obligations.
5. Sub-processing
The customer authorises Frontelio to engage the sub-processors listed on our subprocessors page. We impose data-protection terms on each sub-processor that are no less protective than those in this agreement, and we remain responsible for their performance. We will give reasonable notice of any intended change so the customer has an opportunity to object.
6. International transfers & data residency
Customer data is hosted in the EU (Frankfurt) by default. Where data is transferred to or accessed from outside the hosting region — for example by a global push-notification or email provider — that transfer is made under an appropriate safeguard (such as standard contractual clauses or an adequacy mechanism). Regional hosting options are available on request.
7. Retention, return & deletion
We retain personal data only for as long as needed to provide the service. Evidence and selfie retention is configurable with automatic purge once the window passes; audit logs are retained for a defined period (12 months by default, adjustable by plan). On termination, the customer can export its data, after which we delete or return it within 30 days unless retention is required by law.
8. Personal-data breach
If we become aware of a personal-data breach affecting the customer, we will notify the customer without undue delay and provide the information reasonably needed for the customer to meet its own notification duties. We target acknowledgement of a reported security issue within one business day.
9. Audit & contact
On reasonable request and subject to confidentiality, we will make available the information needed to demonstrate compliance with this agreement. To request a signed DPA, the full subprocessor list, or our current compliance status, contact support@frontelio.com.
Processor entity: MISSAN COMPUTER L.L.C.SP · Office 1503, 15th Floor, Lake Corniche Street, Al Majaz, Sharjah, UAE · Trade Licence 527553.