Data Processing Agreement
Last updated: January 1, 2025
This Data Processing Agreement ("DPA") forms part of the Terms of Service between PhotoProOS, Inc. ("Processor", "we", "us") and the customer agreeing to these terms ("Controller", "you"). This DPA applies to the processing of personal data by PhotoProOS on behalf of the Controller.
1. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person.
- "Data Subject" means the individual to whom Personal Data relates.
- "Processing" means any operation performed on Personal Data, including collection, storage, use, and deletion.
- "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
- "Data Protection Laws" means all applicable laws relating to the processing of Personal Data, including GDPR, CCPA, and other relevant regulations.
2. Scope and Purpose
This DPA applies when PhotoProOS processes Personal Data on behalf of the Controller in connection with the PhotoProOS services. The purpose of processing is to provide the photography business management platform services described in the Terms of Service.
Categories of Personal Data processed may include:
- Client contact information (names, email addresses, phone numbers)
- Client business information (company names, addresses)
- Photo metadata (file names, dates, locations)
- Payment and billing information
- Communication records
- Booking and scheduling data
3. Obligations of the Processor
PhotoProOS agrees to:
- Process Personal Data only on documented instructions from the Controller
- Ensure that personnel authorized to process Personal Data are bound by confidentiality obligations
- Implement appropriate technical and organizational security measures
- Assist the Controller in responding to Data Subject requests
- Assist the Controller in ensuring compliance with security, breach notification, and impact assessment obligations
- Delete or return all Personal Data upon termination of services, at the Controller's choice
- Make available information necessary to demonstrate compliance with this DPA
4. Security Measures
PhotoProOS implements the following security measures:
- 256-bit TLS encryption for all data in transit
- AES-256 encryption for data at rest
- Multi-factor authentication for access controls
- Regular security assessments and penetration testing
- SOC 2 Type II certification
- Automated backup systems with geographic redundancy
- Access logging and monitoring
- Employee security training programs
5. Sub-processors
The Controller grants general authorization for PhotoProOS to engage Sub-processors. Current Sub-processors include:
| Sub-processor | Purpose | Location |
|---|---|---|
| Cloudflare | CDN and security | Global |
| Stripe | Payment processing | United States |
| Clerk | Authentication | United States |
| Railway | Database hosting | United States |
| Resend | Email delivery | United States |
PhotoProOS will notify the Controller of any intended changes to Sub-processors, allowing the Controller to object to such changes.
6. Data Transfers
Personal Data may be transferred to countries outside the European Economic Area. Such transfers are protected by:
- Standard Contractual Clauses approved by the European Commission
- Adequacy decisions where applicable
- Additional supplementary measures as required
7. Data Subject Rights
PhotoProOS will assist the Controller in fulfilling its obligation to respond to Data Subject requests, including requests to:
- Access their Personal Data
- Rectify inaccurate Personal Data
- Erase Personal Data
- Restrict processing
- Data portability
- Object to processing
8. Data Breach Notification
In the event of a Personal Data breach, PhotoProOS will:
- Notify the Controller without undue delay (and in any event within 72 hours) upon becoming aware of the breach
- Provide sufficient information to allow the Controller to meet any obligations to report or inform Data Subjects
- Take reasonable steps to mitigate the effects and minimize any damage
9. Audits
PhotoProOS will make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for audits conducted by the Controller or an independent auditor. Such audits shall be subject to reasonable advance notice and shall not unreasonably interfere with PhotoProOS's business operations.
10. Term and Termination
This DPA shall remain in effect for the duration of the Terms of Service. Upon termination, PhotoProOS will, at the Controller's choice, delete or return all Personal Data within 30 days, except where retention is required by applicable law.
11. Contact
For questions about this DPA or to exercise your rights, contact us at:
Email: privacy@photoproos.com
Address: PhotoProOS, Inc.