Legal reference
Data Processing Agreement
This public reference explains how Fred processes customer research data, which roles apply, and where buyers can review security, privacy, and sub-processor information.
- Last updated
- Legal entity: Fred The User Research Shepherd SRL
- Core hosting: Europe, with AWS and database layer in Frankfurt
Signed customer agreements, order forms, or executed DPAs can supplement or override this public reference where they apply.
At a glance
The agreement follows the research data lifecycle.
European data residency
Core Fred application servers and customer data are hosted in Europe, with AWS infrastructure and the database layer in Frankfurt, Germany.
Research data scope
Covers workspace data, study data, participant responses, recordings, transcripts, behavioral signals, reports, and related evidence processed for customers.
Controller and processor roles
Customers decide why and how their research is run. Fred processes customer workspace data to provide the service and may act separately as controller for website, billing, and business records.
Sub-processor transparency
Fred maintains a public sub-processor list so customers can review the infrastructure and service providers involved in platform delivery.
External recording boundary
Where a customer uploads recordings or participant material outside Fred's native notice flow, the customer remains responsible for the required notice, consent, and attestation path.
Security and assistance
The DPA reference explains access controls, confidentiality, incident assistance, data subject request support, and deletion expectations.
Processing summary
Purpose
Provide Fred's research workspace, study setup, participant workflows, scheduling support, evidence storage, AI-assisted analysis, reporting, collaboration, support, billing, security, and service administration.
Data subjects
Customer users, workspace members, invited participants, study respondents, research session guests, customer contacts, and other people whose data is included in customer research materials.
Personal data
Account details, workspace metadata, study responses, survey answers, session recordings, video or audio, transcripts, interaction events, gaze or attention signals where enabled, AI-assisted indicators, reports, tags, comments, billing records, support messages, and technical logs.
Special handling
Fred uses in-product acceptance flows where applicable for tester registration, recordings, AI-assisted analysis, attention or gaze-related indicators, and related behavioral features. External uploads collected outside Fred's native flow remain subject to customer attestation and notice responsibility.
Data residency
Core Fred application servers and customer data are hosted in Europe. Current AWS infrastructure and the Supabase/Postgres database layer are configured in Frankfurt, Germany.
Duration
For the customer relationship and any retention period required by the service, customer instructions, legal obligations, security needs, billing records, or an applicable written agreement.
1. Scope and roles
This page summarizes Fred's standard data processing position for B2B customers using Fred to run research, manage participants, analyze evidence, and create reports. It is intended to support customer evaluation and contract incorporation. If a signed order form, enterprise agreement, or separately executed DPA applies, that document controls where it conflicts with this public reference.
Fred The User Research Shepherd SRL acts as a processor when it processes customer workspace data on a customer's documented instructions. Fred may act as an independent controller for public website visitors, sales activity, billing administration, security logs, legal records, and other processing described in the Privacy Policy.
2. Processing details
Fred processes customer data to provide a connected research workflow: study creation, participant management, moderated or unmoderated sessions, analysis, repository organization, reporting, collaboration, and support.
AI-assisted features are used to support synthesis and review. They should not be treated as definitive statements about a person's feelings, intent, identity, health, legal status, or future behavior.
3. Fred obligations
Fred will process customer personal data only to provide and protect the service, follow documented customer instructions, comply with applicable law, support customer-requested workflows, or satisfy security and legal obligations.
Fred applies appropriate technical and organizational measures for the sensitivity of research data, including controlled access, infrastructure safeguards, confidentiality expectations, privacy-aware workflows, and security monitoring.
Personnel and contractors with access to customer personal data are expected to handle it under confidentiality obligations and only for authorized business purposes.
4. Customer obligations
Fred provides in-product acceptance and consent flows where applicable, including for tester registration, recordings, AI-assisted analysis, emotion analysis, eye tracking, and related behavioral features. Customers remain responsible for the research purpose, study configuration, participant selection, and any customer-side legal notices or lawful basis decisions that sit outside Fred's product flow.
If a customer uploads or imports external recordings, transcripts, or similar participant material that was collected outside Fred's native notice and acceptance flow, the customer must ensure that the collection, upload, and requested analysis are lawful and appropriately disclosed. Fred may require attestation or supporting context before enabling a sensitive workflow.
Customers must ensure that material they upload, import, request, or instruct Fred to process is lawful and appropriate for the research purpose. Customers must not upload or process illegal, pornographic, exploitative, abusive, discriminatory, infringing, or otherwise prohibited material, or material that violates applicable law, human rights, participant rights, confidentiality duties, intellectual property rights, or other third-party rights.
Customers should not upload unnecessary sensitive data, secrets, production credentials, or participant material that is unrelated to the research purpose. Fred is designed to support evidence-based work, but customers remain responsible for the research design and for the materials they choose to provide or request through the platform.
5. Sub-processors
Fred may use sub-processors and service providers to host the platform, secure traffic, process payments, provide authentication or integrations, monitor reliability, support customers, and measure product usage where permitted.
The current public list is maintained on the Sub-processors page. Material changes will be reflected there, and enterprise agreements may include additional notice or objection mechanics.
6. International transfers
Fred is based in Italy. Core application infrastructure and customer data are hosted in Europe, with current AWS infrastructure and the Supabase/Postgres database layer configured in Frankfurt, Germany.
Fred uses European contracting entities where applicable, including for AWS and Google services. If a limited service component or provider configuration requires an international transfer mechanism for operational metadata, Fred expects to rely on appropriate contractual protections, provider data processing terms, Standard Contractual Clauses where applicable, and supplementary safeguards aligned with the nature of the processing.
7. Data subject requests and incidents
If Fred receives a data subject request that relates to customer-controlled research data, Fred will direct the requester to the customer where appropriate and provide reasonable assistance so the customer can respond.
If Fred becomes aware of a confirmed personal data breach affecting customer personal data, Fred will notify affected customers without undue delay and provide information reasonably available to support legal, operational, and participant communication obligations.
Fred may use security logs, diagnostics, and operational records to investigate incidents, prevent abuse, and protect the platform, customers, and participants.
8. Return and deletion
Customers can request deletion or export of customer-controlled data according to the product capabilities, customer agreement, and applicable law. Fred may retain limited records where required for billing, legal obligations, security, auditability, dispute resolution, or backup integrity.
Fred's retention expectations should be read together with the Privacy Policy and any written customer agreement that specifies retention, export, or deletion requirements.
Annex A: Technical and organizational measures
Fred's safeguards are organized around the realities of research data: participant context, evidence files, recordings, analysis artifacts, reports, and team access.
Access control
Role-aware workspace access, limited administrative access, and controlled operational workflows for customer support and platform maintenance.
Infrastructure protection
Reviewed AWS architecture foundations, Frankfurt-hosted AWS and Supabase/Postgres infrastructure, Cloudflare edge protection, service monitoring, and separation of public website and application responsibilities.
Data minimization
Research features are designed to collect evidence needed for the study purpose, with special attention to recordings, camera access, eye tracking, and AI-assisted behavioral indicators.
Confidentiality
People authorized to access customer data are expected to use it only for legitimate service, support, security, legal, or business purposes.
Incident response
Operational processes support investigation, containment, customer communication, and remediation when a security or privacy incident affects customer data.
Review support
Enterprise evaluations can include security review, procurement questions, architecture discussion, and workflow governance planning.
Contact
For DPA execution, procurement review, security questionnaires, or privacy questions, contact Fred at [email protected].