
Data Processing Agreement

Effective date: 27 March 2026  ·  Applies to: All Preface plan tiers (Starter, Growth, Scale)

This DPA is included with all Preface plans at no additional cost. It forms part of the agreement between DevLayer Ltd (acting as Processor) and you, the Customer (acting as Controller), and is incorporated by reference into the Preface Terms of Service. By using Preface, you agree to the terms of this DPA.

Contents

  1. Definitions
  2. Roles of the parties
  3. Subject matter and details of processing
  4. Processor obligations
  5. Controller obligations
  6. Sub-processors
  7. International transfers
  8. Security measures
  9. Personal data breaches
  10. Data subject rights
  11. Data protection impact assessments
  12. Deletion and return of data
  13. Audit rights
  14. Liability
  15. Duration and termination
  16. Governing law
  17. Annex A — Details of processing
  18. Annex B — Technical and organisational security measures
  19. Annex C — Approved sub-processors

1. Definitions

In this DPA, the following terms have the meanings set out below. Terms not defined here have the meanings given in the Preface Terms of Service.

  • "Controller" means the Customer — the entity that determines the purposes and means of processing personal data collected through the Preface platform (for example, demo Viewer data collected via gate forms).
  • "Processor" means DevLayer Ltd, which processes personal data on behalf of the Controller in the course of providing the Preface platform.
  • "Data Protection Law" means UK GDPR and the Data Protection Act 2018, and where applicable EU GDPR (Regulation 2016/679), as amended or replaced from time to time.
  • "Personal Data" has the meaning given in applicable Data Protection Law.
  • "Processing" has the meaning given in applicable Data Protection Law.
  • "Data Subject" means an identified or identifiable natural person whose Personal Data is processed under this DPA — primarily demo Viewers who submit information via gate forms.
  • "Sub-processor" means any third party engaged by the Processor to carry out processing activities on the Controller's behalf.
  • "Security Incident" means a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.

2. Roles of the parties

The parties acknowledge that for the purposes of Data Protection Law:

  • The Customer is the Controller of Personal Data collected from Viewers through gate forms and other collection mechanisms within Demos published using the Preface platform.
  • DevLayer Ltd is the Processor, processing that Personal Data only on the Controller's behalf and in accordance with the Controller's documented instructions, as set out in this DPA and the Terms of Service.

For the avoidance of doubt, DevLayer Ltd acts as a Controller (not a Processor) in respect of account and billing data relating to the Customer's own employees and contacts. That processing is governed by the Preface Privacy Policy.

3. Subject matter and details of processing

Full details of the processing activities covered by this DPA are set out in Annex A. In summary:

  • Subject matter: Provision of the Preface interactive demo platform, including hosting of Demos and collection of Viewer data on behalf of the Controller.
  • Nature: Storage, retrieval, transmission, and deletion of Personal Data.
  • Purpose: To enable the Controller to collect leads, track Demo engagement, and export Viewer data via the Preface analytics and leads features.
  • Duration: For the term of the Customer's active Preface Subscription, plus a 30-day post-termination retention window.

4. Processor obligations

DevLayer Ltd, as Processor, shall:

  1. Process Personal Data only on the documented instructions of the Controller, as set out in this DPA and the Terms of Service, unless required to do otherwise by applicable law (in which case we will notify the Controller unless prohibited from doing so).
  2. Ensure that persons authorised to process Personal Data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality.
  3. Implement and maintain the technical and organisational security measures described in Annex B.
  4. Not engage Sub-processors without prior written authorisation from the Controller, except for those listed in Annex C, which the Controller authorises by agreeing to this DPA.
  5. Assist the Controller in meeting its Data Protection Law obligations in relation to Data Subject rights, security, breach notification, and impact assessments, taking into account the nature of the processing and the information available to the Processor.
  6. Delete or return all Personal Data to the Controller upon request or on termination of the Subscription, in accordance with Section 12.
  7. Make available all information reasonably necessary to demonstrate compliance with this DPA.

5. Controller obligations

The Controller shall:

  1. Ensure it has a valid lawful basis under Data Protection Law for collecting and processing Personal Data from Demo Viewers, including (where required) obtaining appropriate consent.
  2. Maintain a privacy notice or equivalent disclosure to Demo Viewers describing how their data will be used, stored, and shared.
  3. Respond to Data Subject requests relating to Personal Data collected through Demos in a timely manner, using the data export and deletion tools available in the Preface platform.
  4. Notify DevLayer Ltd promptly if it becomes aware of any Security Incident involving Personal Data processed under this DPA.
  5. Ensure that any instructions given to DevLayer Ltd in relation to Personal Data are consistent with applicable Data Protection Law.

6. Sub-processors

The Controller provides general written authorisation for DevLayer Ltd to engage the Sub-processors listed in Annex C. DevLayer Ltd shall impose data protection obligations on each Sub-processor that are no less protective than those in this DPA.

DevLayer Ltd will notify the Controller at least 30 days in advance of any changes to the Sub-processor list (additions or replacements). The Controller may object to a new Sub-processor within 14 days of notification. If the parties cannot resolve the objection, the Controller may terminate the Subscription with a pro-rated refund of any prepaid fees for unused periods.

DevLayer Ltd remains responsible to the Controller for the performance of Sub-processors' obligations under this DPA.

7. International transfers

Personal Data is primarily processed within the UK and EEA. Where Sub-processors are located outside the UK or EEA (currently ElevenLabs, which is US-based), DevLayer Ltd ensures that appropriate transfer safeguards are in place, including:

  • Standard Contractual Clauses (SCCs) as approved under UK GDPR and, where applicable, EU GDPR
  • A Transfer Impact Assessment (TIA) confirming adequate protection in the destination country

DevLayer Ltd will not transfer Personal Data to a country without an adequacy decision unless the appropriate safeguards listed above are in place. Copies of applicable SCCs are available on request at [email protected].

8. Security measures

DevLayer Ltd implements and maintains the technical and organisational security measures described in Annex B. These measures are designed to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of the processing.

DevLayer Ltd may update these measures from time to time to reflect improvements in security practice, provided that updates do not materially reduce the level of protection afforded to Personal Data.

9. Personal data breaches

DevLayer Ltd shall notify the Controller without undue delay, and in any event within 72 hours of becoming aware, of a Security Incident affecting Personal Data processed under this DPA. Notification will be sent to the Controller's account email address and will include, to the extent available at the time:

  • A description of the nature of the Security Incident, including categories and approximate number of Data Subjects and records affected
  • The name and contact details of the data protection point of contact
  • A description of the likely consequences of the Security Incident
  • A description of measures taken or proposed to address the incident

The Controller is responsible for determining whether the incident requires notification to a supervisory authority or to affected Data Subjects, and for making any such notifications.

10. Data subject rights

DevLayer Ltd shall, taking into account the nature of the processing, assist the Controller in responding to Data Subject requests for access, rectification, erasure, restriction, portability, and objection. The Preface platform provides tools to:

  • Export lead data (CSV) to facilitate Subject Access Requests
  • Delete individual lead records on request
  • Delete all data associated with a workspace on account closure

If DevLayer Ltd receives a Data Subject request directly relating to the Controller's Demos (rather than to DevLayer Ltd's own processing), it will promptly forward the request to the Controller and not respond on the Controller's behalf without authorisation.

11. Data protection impact assessments

Where the Controller is required to carry out a Data Protection Impact Assessment (DPIA) in relation to processing that uses the Preface platform, DevLayer Ltd shall provide reasonable assistance including relevant information about the processing and the security measures in place.

12. Deletion and return of data

On termination or expiry of the Customer's Subscription, DevLayer Ltd shall:

  • Retain the Controller's Personal Data for 30 days to allow for export or re-activation
  • Delete all Personal Data within 30 days of the end of the retention window unless a longer retention period is required by law
  • On request, provide a written confirmation of deletion

The Controller may request an export of lead data at any time during the Subscription via the Preface dashboard (Growth and Scale plans) or by contacting [email protected] (Starter plan).

13. Audit rights

DevLayer Ltd shall make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA. Upon reasonable written notice (no less than 30 days), DevLayer Ltd shall permit and cooperate with audits or inspections conducted by the Controller or a mandated auditor, subject to:

  • Reasonable confidentiality obligations protecting DevLayer Ltd's proprietary information and other customers' data
  • The audit being conducted during normal business hours and without unreasonable disruption
  • The Controller bearing the costs of such audits unless a Security Incident has been identified

DevLayer Ltd may satisfy audit requests by providing relevant certifications, security summaries, or third-party audit reports in lieu of direct access.

14. Liability

The liability of each party under this DPA is subject to the limitations set out in the Preface Terms of Service. Nothing in this DPA limits either party's liability to Data Subjects under Data Protection Law.

15. Duration and termination

This DPA remains in force for the duration of the Customer's Subscription and survives termination to the extent necessary to give effect to the deletion obligations in Section 12.

16. Governing law

This DPA is governed by the laws of England and Wales, consistent with the Terms of Service. Where EU GDPR applies to the Controller's processing (for example, where the Controller is established in the EEA), the parties agree that this DPA shall be interpreted to also satisfy EU GDPR requirements to the extent necessary.

Annexes

Annex A — Details of processing

Subject matter

Processing of Personal Data of Demo Viewers in connection with the Preface interactive product demo platform.

Nature and purpose of processing

DevLayer Ltd processes Personal Data on the Controller's behalf to: (a) receive and store gate form submissions from Demo Viewers; (b) record and present Demo engagement analytics; (c) make lead data available for export to the Controller; (d) send gate notification emails to the Controller's designated notification address.

Type of Personal Data

  • Email addresses submitted via gate forms
  • IP addresses (used for geographic analytics — not exposed to the Controller in individual form)
  • Browser user agent and country of origin
  • Demo interaction events (step views, time on step, CTA clicks)
  • Any additional fields added by the Controller to gate forms

Categories of Data Subjects

Individuals who view Demos published by the Controller using the Preface platform, including prospective customers, existing customers, and other third parties to whom Demo links are shared.

Duration of processing

For the term of the Customer's active Subscription, plus a 30-day post-termination retention period as described in Section 12.

Annex B — Technical and organisational security measures

Access control

  • All access to production systems requires multi-factor authentication
  • Access is granted on a principle of least privilege and reviewed regularly
  • Production database access is restricted to authorised personnel only

Data encryption

  • All data in transit is encrypted using TLS 1.2 or higher
  • Sensitive configuration values (API keys, SMTP credentials) are encrypted at rest using AES-256-CBC
  • Database backups are encrypted at rest

Infrastructure security

  • Platform infrastructure is hosted in UK/EEA data centres with ISO 27001 certification
  • DDoS protection and web application firewall (WAF) provided by Cloudflare
  • Regular automated vulnerability scanning of application and infrastructure
  • Dependency updates and security patches applied on a regular schedule

Application security

  • Rate limiting on all public endpoints
  • Input validation and parameterised queries throughout the application
  • CSRF protection on all authenticated endpoints
  • Passwords hashed using bcrypt with appropriate cost factor

Organisational measures

  • Confidentiality obligations for all personnel with access to Personal Data
  • Security awareness training for all staff
  • Documented incident response procedure
  • Regular internal review of data processing activities

Business continuity

  • Automated daily database backups with point-in-time recovery
  • Backups stored in geographically separate locations
  • Backup restoration tested on a regular basis

Annex C — Approved sub-processors

The following Sub-processors are authorised by the Controller upon acceptance of this DPA. DevLayer Ltd will provide 30 days' notice of any changes.

| Sub-processor | Purpose | Location | Transfer mechanism |
|---|---|---|---|
| Cloudflare, Inc. | CDN and DDoS protection | EEA / UK | Adequacy decision / SCCs |
| Stripe, Inc. | Payment processing and subscription billing (does not process Demo Viewer data) | EEA / UK | Adequacy decision / SCCs |
| Amazon Web Services, Inc. (SES) | Delivery of transactional emails (gate lead notifications, account confirmations, password reset) | EEA / UK | Adequacy decision / SCCs |
| ElevenLabs, Inc. | AI voiceover generation — only engaged when the Controller uses the voiceover generation feature. Voiceover scripts may be sent to ElevenLabs for synthesis. | USA | Standard Contractual Clauses (UK Addendum) |

For Sub-processors located in the USA, Standard Contractual Clauses incorporating the UK International Data Transfer Addendum (IDTA) are in place. Copies are available at [email protected].

© 2026 DevLayer Ltd. All rights reserved.