Data Processing Agreement (DPA)
Last updated: April 12, 2026
This Data Processing Agreement ("DPA") forms part of, and is incorporated into, the Terms of Service ("Agreement") between Manikandan G, trading as Ironmint ("Morph", "we", "Processor"), and the customer using the Service ("Customer", "you", "Controller").
It applies whenever we process personal data on your behalf in connection with the Service. It is accepted automatically when you sign up for Morph, and a signed copy is available on request.
1. Definitions
In this DPA the following terms have the meanings given to them in the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR") and, where applicable, the UK Data Protection Act 2018 and the UK GDPR:
- Personal Data
- Processing
- Controller
- Processor
- Data Subject
- Sub-processor
- Supervisory Authority
- Personal Data Breach
- Standard Contractual Clauses or SCCs — the European Commission's Standard Contractual Clauses adopted under Commission Implementing Decision (EU) 2021/914 of 4 June 2021
Any capitalized terms used but not defined here have the meaning given in the Agreement.
2. Roles
In relation to Customer Personal Data (personal data about your site visitors and other individuals whose data you submit to the Service):
- You are the Controller.
- We are the Processor, acting on your documented instructions.
In relation to personal data we collect about you as our customer (account email, billing details, usage logs), we are the Controller. That processing is governed by our Privacy Policy, not this DPA.
3. Subject matter and duration
| Item | Detail |
|---|---|
| Subject matter | Processing of personal data about your site visitors to deliver the personalization Service |
| Duration | For as long as the Agreement is in force, plus any retention period set out in the Privacy Policy |
| Nature and purpose | Receiving visitor context (referrer, device, location, return state), matching it against your rules, returning the appropriate variant, logging aggregate counts, and storing first-party cookies on your behalf |
| Types of personal data | Approximate geolocation (country/region) derived from IP, referrer URL and query parameters, device and browser characteristics, a random opaque cookie ID for return-visitor detection. We do not intentionally process special categories of personal data. |
| Categories of data subjects | Visitors to your Framer site |
4. Customer instructions
We will process Customer Personal Data only:
- On your documented instructions, including as set out in the Agreement, this DPA, and instructions you give through the Service (e.g. rule configuration).
- As required by applicable law — in which case we will inform you unless the law prohibits it on public-interest grounds.
You warrant that your instructions to us comply with applicable data protection law, that you have a valid legal basis for the processing, and that your privacy notice to visitors accurately describes Morph's role.
If we believe an instruction infringes data protection law, we will notify you promptly and may suspend the processing until resolved.
5. Confidentiality
We will ensure that any person authorized to process Customer Personal Data is bound by a duty of confidentiality, whether by statute or contract.
At the time of writing, production data access is limited to Mani, the sole operator of the Service. Any future additions to that access group will be bound by written confidentiality obligations at least as protective as those in the Agreement.
6. Security
We will implement appropriate technical and organizational measures to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These measures include, at minimum:
Technical measures
- TLS 1.2+ for all data in transit
- AES-256 encryption at rest via our database provider
- Hashed passwords (bcrypt via Supabase Auth)
- Row-level security (RLS) enforced at the database layer so tenants cannot read each other's data
- Scoped API keys with least-privilege access
- Automated dependency scanning and security updates
- Structured audit logging for administrative actions
Organizational measures
- Access to production data restricted to the sole operator (Mani) via MFA-protected accounts
- Written incident response procedure with a 72-hour breach notification target (see Section 8)
- Regular review of vendor security practices (Section 9)
A fuller description is in Annex II at the end of this DPA.
7. Assistance to the Controller
We will provide reasonable assistance to you, taking into account the nature of the processing and the information available to us, with:
- Responding to requests from data subjects exercising their rights under Articles 12–22 GDPR (access, rectification, erasure, restriction, portability, objection)
- Ensuring compliance with your security obligations under Article 32 GDPR
- Notifying and investigating Personal Data Breaches under Articles 33 and 34 GDPR
- Conducting data protection impact assessments (DPIAs) and prior consultations under Articles 35 and 36 GDPR where requested
For data subject requests received directly by us, we will promptly forward them to you and will not respond substantively unless you instruct us to.
If your assistance requests become materially burdensome beyond what is necessary for compliance, we may charge reasonable fees at cost after giving you notice.
8. Personal Data Breaches
We will notify you of a Personal Data Breach affecting Customer Personal Data without undue delay and in any event within 72 hours after becoming aware of it.
Our notification will include, to the extent known at the time:
- The nature of the breach, including categories and approximate number of data subjects and records affected
- The name and contact details of the person to contact for more information
- Likely consequences of the breach
- Measures taken or proposed to address the breach and mitigate its effects
We will also reasonably assist you in meeting your own notification obligations under Articles 33 and 34 GDPR, including notifications to supervisory authorities and data subjects where required.
9. Sub-processors
9.1 General authorization
You give us general authorization to engage sub-processors to process Customer Personal Data, subject to the rest of this Section.
A current list of our sub-processors is at Subprocessors and is incorporated into this DPA by reference. At the time of writing it includes: Supabase, Vercel, Lemon Squeezy, and Resend.
9.2 Conditions
For each sub-processor, we will:
- Enter into a written agreement with obligations at least as protective as those in this DPA
- Remain fully liable to you for the sub-processor's performance
- Conduct reasonable due diligence on their security and privacy practices
9.3 New sub-processors — objection right
We will give you at least 30 days' notice before adding or replacing a sub-processor, by updating the subprocessors page and notifying you through the Service (email or in-app).
You have 30 days from that notice to object on reasonable data protection grounds. If we cannot accommodate your objection (e.g. by continuing to provide the Service without the new sub-processor), your exclusive remedy is to terminate the Agreement for the affected part of the Service and receive a pro-rata refund for any prepaid but unused period.
10. International transfers
Where we or a sub-processor transfer Customer Personal Data out of the EU/EEA, UK, or Switzerland to a country that does not have an adequacy decision, the transfer will be made under:
- The EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914 of 4 June 2021), Module Two (Controller to Processor) or Module Three (Processor to Processor) as applicable; and
- For transfers from the UK, the UK International Data Transfer Addendum issued by the UK Information Commissioner's Office; and
- For transfers from Switzerland, the SCCs adapted in line with guidance from the Swiss Federal Data Protection and Information Commissioner.
The SCCs are incorporated into this DPA by reference and are deemed signed on the effective date of the Agreement. To the extent there is any conflict between this DPA and the SCCs, the SCCs prevail.
Where required, we will assist you in carrying out a transfer impact assessment for onward transfers to third countries.
11. Audits
We will make available to you all information reasonably necessary to demonstrate compliance with this DPA.
We will allow and contribute to audits, including inspections, by you or an independent auditor mandated by you, subject to reasonable conditions:
- Audits may occur no more than once per year, unless a prior audit revealed a material issue or a data protection authority requires it
- You will give at least 30 days' written notice
- Audits will be conducted during business hours, will not unreasonably interfere with our operations, and will respect the confidentiality of other customers' data
- You will bear the cost of the audit unless it reveals material non-compliance, in which case reasonable costs are borne by us
As Morph grows, we may obtain third-party security certifications or audit reports. If available, you agree to accept those in place of on-site audits where they reasonably satisfy the relevant requirement.
12. Deletion and return of data
On termination of the Agreement, we will, at your choice:
- Return the Customer Personal Data to you in a machine-readable format; or
- Delete the Customer Personal Data from our production systems.
Deletion is completed within 90 days of account termination, in line with the retention schedule in the Privacy Policy. Backups are overwritten on the ordinary backup rotation cycle.
We may retain Customer Personal Data to the extent required by applicable law, provided that confidentiality and security obligations continue to apply for as long as the data is retained.
13. Liability
The liability of each party under this DPA is subject to the limitation of liability provisions in the Agreement.
Where Module Two or Module Three of the SCCs applies, Clause 12 of the SCCs (Liability) applies in addition.
14. General
- Conflict. If there is a conflict between this DPA and the Agreement, this DPA prevails in respect of personal data processing.
- Modifications. We may modify this DPA to reflect changes in applicable law or our processing operations. Material changes will be notified in the same way as changes to the Terms of Service.
- Severability. If any provision of this DPA is held to be unenforceable, the rest of the DPA remains in effect.
Annex I — Description of processing
A. List of parties
Data Exporter (Controller)
- Name and contact details: the Customer as identified in the account
- Activities relevant to data transferred: use of Morph to personalize a Framer site
- Role: Controller
Data Importer (Processor)
- Name: Ironmint
- Address: Coimbatore, Tamil Nadu, India
- Contact: support@ironmint.studio
- Activities relevant to data transferred: providing the Morph Service
- Role: Processor
B. Description of transfer
| Item | Detail |
|---|---|
| Categories of data subjects | Visitors to Customer's Framer site |
| Categories of personal data | Approximate geolocation (country/region), referrer URL and query parameters, device and browser characteristics, a random opaque first-party cookie ID |
| Sensitive data transferred | None intentionally. Customer agrees not to submit sensitive personal data (special categories under Article 9 GDPR) to the Service. |
| Frequency | Continuous, triggered by page loads on Customer's site |
| Nature of the processing | Receiving visitor context, matching it against Customer's rules, returning the appropriate variant, logging aggregate counts, storing first-party cookies on Customer's behalf |
| Purpose of the processing | Delivering the personalization Service to Customer |
| Retention | Per retention schedule in the Privacy Policy. Site/rule data: life of account + 90 days for paused accounts. Logs: 30 days. Aggregate counts: retained as anonymized aggregates. |
| Sub-processors | See Subprocessors |
C. Competent supervisory authority
The supervisory authority competent for the Customer (Controller) applies. For a Customer established in the EU/EEA, this is the supervisory authority of the EU/EEA member state where the Customer has its main establishment or sole establishment. Morph does not currently have an EU representative appointed under Article 27 GDPR.
Annex II — Technical and organizational measures
This Annex describes the measures we take to ensure a level of security appropriate to the risk.
1. Encryption
- TLS 1.2 or higher for all data in transit, using modern cipher suites
- AES-256 encryption at rest for all databases and object storage
- Passwords stored using bcrypt (via Supabase Auth)
2. Access control
- Multi-factor authentication required for all administrative access to production systems
- Production data access limited to the sole operator (Mani)
- Row-level security (RLS) enforced at the database layer so customers cannot access each other's data
- Scoped API keys with least-privilege access
- Automatic session expiration on the dashboard
3. Availability and resilience
- Hosted on major cloud providers (Vercel, Supabase) with built-in redundancy
- Automated database backups with point-in-time recovery
- Regular restore testing (quarterly)
4. Data integrity
- Database constraints and foreign-key enforcement
- Structured audit logging for administrative actions
- Application-level input validation
5. Vendor management
- All sub-processors bound by written DPAs and obligations at least as protective as this DPA
- Sub-processor list reviewed and updated as changes occur (minimum quarterly)
6. Incident response
- Written incident response procedure
- 72-hour breach notification target under Article 33 GDPR
- Post-incident review and root-cause analysis
7. Secure development
- Code review for changes to production systems
- Automated dependency scanning and security updates
- Separate staging environment for pre-production testing
8. Data minimization and retention
- We do not collect personal data we do not need
- Retention schedules documented in the Privacy Policy
- Automated deletion of paused account data after 90 days
9. Staff
- At the time of writing, production access is limited to the sole operator
- Future staff will be bound by written confidentiality agreements and trained on data protection
10. Physical security
- Data stored in certified data centers operated by our cloud providers (see Subprocessors)
- No physical data storage outside those providers