Data Processing Agreement

Last updated: March 25, 2026

This Data Processing Agreement ("DPA") forms part of the agreement between Picsui ("Processor", "we", "us", or "our") and the customer ("Controller", "you", or "your") for the use of Picsui's event photo sharing platform ("the Service"). This DPA is entered into pursuant to Article 28 of the General Data Protection Regulation (EU) 2016/679 ("GDPR") and applicable data protection laws.

1. Definitions

In this DPA, the following terms shall have the meanings set out below:

  • "Controller" means the customer who determines the purposes and means of the processing of Personal Data, as defined in Article 4(7) GDPR.
  • "Processor" means Picsui, which processes Personal Data on behalf of the Controller, as defined in Article 4(8) GDPR.
  • "Personal Data" means any information relating to an identified or identifiable natural person ("Data Subject"), as defined in Article 4(1) GDPR.
  • "Data Subject" means an identified or identifiable natural person whose Personal Data is processed.
  • "Processing" means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.
  • "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
  • "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.
  • "Supervisory Authority" means an independent public authority established by an EU Member State pursuant to Article 51 GDPR.
  • "Standard Contractual Clauses" ("SCCs") means the contractual clauses approved by the European Commission for international data transfers as set out in Commission Implementing Decision (EU) 2021/914.

2. Scope and Purpose of Processing

2.1 Subject Matter

This DPA applies to all Processing of Personal Data by the Processor on behalf of the Controller in connection with the provision of the Service.

2.2 Nature and Purpose of Processing

The Processor processes Personal Data for the purpose of providing the Service, which includes:

  • Hosting and delivering event photo sharing functionality
  • Storing and serving photos and media uploaded by event guests
  • Managing event guest registration and participation
  • Providing real-time photo moderation using AI-powered tools
  • Sending event-related email notifications
  • Processing payments for subscription services
  • Generating analytics and reporting for event hosts
  • Providing customer support

2.3 Types of Personal Data

The Personal Data processed under this DPA may include:

  • Names and email addresses of event hosts and guests
  • Photographs and media files (which may contain biometric data or other sensitive information)
  • IP addresses and device information
  • Payment and billing information
  • Event metadata (dates, locations, settings)
  • Usage data and interaction logs

2.4 Categories of Data Subjects

The Data Subjects may include:

  • Event hosts (Controller's employees, agents, or authorized users)
  • Event guests and participants
  • Individuals depicted in uploaded photographs

2.5 Duration of Processing

Processing shall continue for the duration of the Controller's use of the Service, plus any retention period required by law or as specified in Section 11 (Return and Deletion of Data).

3. Obligations of the Processor

The Processor shall:

  • Process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country or an international organization, unless required to do so by Union or Member State law to which the Processor is subject (Article 28(3)(a) GDPR).
  • Ensure that persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality (Article 28(3)(b) GDPR).
  • Take all measures required pursuant to Article 32 GDPR regarding the security of processing.
  • Respect the conditions for engaging Sub-processors as set out in Section 5.
  • Assist the Controller, taking into account the nature of processing, by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Controller's obligation to respond to requests for exercising Data Subject rights (Article 28(3)(e) GDPR).
  • Assist the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 GDPR, taking into account the nature of processing and the information available to the Processor.
  • At the choice of the Controller, delete or return all Personal Data to the Controller after the end of the provision of services, and delete existing copies unless Union or Member State law requires storage of the Personal Data (Article 28(3)(g) GDPR).
  • Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller (Article 28(3)(h) GDPR).
  • Immediately inform the Controller if, in the Processor's opinion, an instruction infringes the GDPR or other Union or Member State data protection provisions.

4. Obligations of the Controller

The Controller shall:

  • Ensure that the processing of Personal Data is lawful and that an appropriate legal basis exists under Article 6 GDPR (and, where applicable, Article 9 GDPR for special categories of data).
  • Provide documented instructions to the Processor regarding the processing of Personal Data.
  • Ensure that Data Subjects have been informed of the processing in accordance with Articles 13 and 14 GDPR, including the involvement of the Processor and any Sub-processors.
  • Be responsible for obtaining any necessary consents from Data Subjects, including consent for the upload and processing of photographs.
  • Comply with all applicable data protection laws in its use of the Service.
  • Promptly notify the Processor of any changes to applicable data protection laws that may affect the Processor's obligations under this DPA.
  • Ensure that the Controller's instructions to the Processor comply with applicable laws.

5. Sub-processors

5.1 General Authorization

The Controller provides general written authorization for the Processor to engage Sub-processors. The Processor shall inform the Controller of any intended changes concerning the addition or replacement of Sub-processors, giving the Controller the opportunity to object to such changes within thirty (30) days of notification.

5.2 Current Sub-processors

The following Sub-processors are currently engaged by the Processor:

Sub-processor | Purpose | Location
------------- | ------- | --------
Supabase | Database hosting, authentication, and backend services | United States (AWS infrastructure)
Cloudflare | Photo and media storage (R2), CDN, and DDoS protection | Global (with data residency options)
Stripe | Payment processing and billing management | United States
Resend | Transactional email delivery | United States
OpenAI | AI-powered content moderation of uploaded photos | United States
Sentry | Error monitoring and application performance tracking | United States
Vercel | Application hosting, deployment, and edge network | Global (with data residency options)

5.3 Sub-processor Obligations

The Processor shall ensure that each Sub-processor is bound by data protection obligations no less protective than those set out in this DPA. The Processor shall remain fully liable to the Controller for the performance of each Sub-processor's obligations.

5.4 Objection to Sub-processors

If the Controller objects to a new Sub-processor on reasonable data protection grounds, the Processor shall use commercially reasonable efforts to make available an alternative arrangement. If no alternative is available, either party may terminate the affected portion of the Service.

6. Data Security Measures

In accordance with Article 32 GDPR, the Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

6.1 Technical Measures

  • Encryption of Personal Data in transit using TLS 1.2 or higher
  • Encryption of Personal Data at rest using AES-256
  • Regular automated backups with encrypted storage
  • Network segmentation and firewall protection
  • Intrusion detection and prevention systems
  • Regular vulnerability scanning and penetration testing
  • Secure development lifecycle practices
  • Multi-factor authentication for administrative access

6.2 Organizational Measures

  • Access control policies based on the principle of least privilege
  • Confidentiality agreements for all personnel with access to Personal Data
  • Regular security awareness training for employees
  • Documented incident response procedures
  • Regular review and testing of security measures
  • Business continuity and disaster recovery planning
  • Vendor security assessment processes

7. Data Breach Notification

7.1 Notification to Controller

The Processor shall notify the Controller without undue delay, and in any event within seventy-two (72) hours after becoming aware of a Personal Data Breach, in accordance with Article 33(2) GDPR.

7.2 Content of Notification

The breach notification shall include, to the extent available:

  • A description of the nature of the Personal Data Breach, including where possible the categories and approximate number of Data Subjects concerned, and the categories and approximate number of Personal Data records concerned
  • The name and contact details of the Processor's data protection contact
  • A description of the likely consequences of the Personal Data Breach
  • A description of the measures taken or proposed to be taken by the Processor to address the Personal Data Breach, including measures to mitigate its possible adverse effects

7.3 Cooperation

The Processor shall cooperate with the Controller and take reasonable commercial steps to assist in the investigation, mitigation, and remediation of each Personal Data Breach.

8. Data Subject Rights

8.1 Assistance with Requests

The Processor shall, taking into account the nature of the processing, assist the Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Controller's obligation to respond to Data Subject requests under Chapter III of the GDPR, including:

  • Right of access (Article 15 GDPR)
  • Right to rectification (Article 16 GDPR)
  • Right to erasure (Article 17 GDPR)
  • Right to restriction of processing (Article 18 GDPR)
  • Right to data portability (Article 20 GDPR)
  • Right to object (Article 21 GDPR)
  • Rights related to automated decision-making (Article 22 GDPR)

8.2 Direct Requests

If the Processor receives a request from a Data Subject directly, the Processor shall promptly redirect the Data Subject to the Controller and notify the Controller of the request, unless otherwise instructed by the Controller.

9. International Data Transfers

9.1 Transfer Mechanisms

Where Personal Data is transferred outside the European Economic Area (EEA), the United Kingdom, or Switzerland, the Processor shall ensure that appropriate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs) as approved by the European Commission (Commission Implementing Decision (EU) 2021/914)
  • Adequacy decisions by the European Commission (e.g., the EU-U.S. Data Privacy Framework)
  • Binding Corporate Rules where applicable
  • Any other approved transfer mechanism under GDPR Article 46

9.2 Additional Safeguards

Where required by applicable law, the Processor shall implement supplementary measures to ensure that the level of protection of Personal Data is not undermined by the transfer, including:

  • Data encryption in transit and at rest
  • Assessment of the legal framework of the recipient country
  • Contractual commitments by Sub-processors to resist unlawful access requests

10. Duration and Termination

10.1 Duration

This DPA shall remain in effect for the duration of the Controller's use of the Service, and shall automatically terminate upon termination or expiration of the underlying service agreement.

10.2 Survival

Sections relating to confidentiality, liability, and any obligations that by their nature should survive termination shall survive the termination of this DPA.

11. Return and Deletion of Data

11.1 Upon Termination

Upon termination of the Service, the Processor shall, at the Controller's choice:

  • Return all Personal Data to the Controller in a commonly used, machine-readable format; or
  • Delete all Personal Data, including all existing copies, unless Union or Member State law requires storage of the Personal Data.

11.2 Deletion Timeline

The Processor shall complete the return or deletion of Personal Data within thirty (30) days of the termination of the Service, unless a longer period is required by applicable law. The Processor shall provide written confirmation of deletion upon the Controller's request.

11.3 Backup Copies

Personal Data contained in backup systems shall be deleted in accordance with the Processor's standard backup rotation schedule, not to exceed ninety (90) days from the date of deletion of the production data.

12. Audit Rights

12.1 Right to Audit

The Controller has the right to audit the Processor's compliance with this DPA. The Processor shall make available to the Controller all information necessary to demonstrate compliance with Article 28 GDPR and shall allow for and contribute to audits, including inspections.

12.2 Audit Procedures

Audits shall be conducted subject to the following conditions:

  • The Controller shall provide at least thirty (30) days' prior written notice of an audit.
  • Audits shall be conducted during normal business hours and shall not unreasonably disrupt the Processor's operations.
  • The Controller shall bear its own costs of the audit, except where the audit reveals material non-compliance by the Processor.
  • Audit findings and reports shall be treated as confidential information.
  • Audits shall be limited to once per calendar year, unless a Personal Data Breach or regulatory investigation requires additional audits.

12.3 Third-Party Certifications

The Processor may satisfy the audit requirement by providing up-to-date third-party certifications, audit reports (such as SOC 2 Type II), or other evidence of compliance, provided that the Controller may still conduct its own audit if the provided documentation does not reasonably address the Controller's concerns.

13. Liability

13.1 Allocation of Liability

Each party shall be liable for damages caused by processing that infringes the GDPR in accordance with Article 82 GDPR. The Processor shall be liable for damages caused by processing only where it has not complied with obligations of the GDPR specifically directed to processors, or where it has acted outside of or contrary to lawful instructions of the Controller.

13.2 Limitation of Liability

The total aggregate liability of the Processor under this DPA shall be subject to the limitation of liability provisions in the underlying service agreement between the parties, except to the extent that such limitations are prohibited by applicable data protection law.

13.3 Indemnification

Each party shall indemnify the other for any costs, claims, damages, or expenses arising from the indemnifying party's breach of this DPA or applicable data protection laws, including any fines imposed by a Supervisory Authority to the extent attributable to the indemnifying party's breach.

14. GDPR Article 28 Compliance

This DPA is designed to satisfy the requirements of Article 28 of the GDPR, which mandates that processing by a processor shall be governed by a contract or other legal act that is binding on the processor and sets out:

  • The subject matter and duration of the processing
  • The nature and purpose of the processing
  • The type of Personal Data and categories of Data Subjects
  • The obligations and rights of the Controller

This DPA incorporates all mandatory provisions required by Article 28(3) GDPR, and shall be interpreted and applied in accordance with the GDPR and applicable guidance from Supervisory Authorities and the European Data Protection Board.

15. Governing Law and Jurisdiction

This DPA shall be governed by the laws of the State of Delaware, United States, except that the provisions relating to data protection shall be governed by the GDPR and the applicable data protection laws of the relevant EU Member State. Any disputes arising from this DPA shall be resolved in accordance with the dispute resolution provisions of the underlying service agreement.

16. Amendments

This DPA may be amended by the Processor to reflect changes in applicable data protection laws or regulatory guidance. The Processor shall notify the Controller of any material amendments at least thirty (30) days in advance. Continued use of the Service after such notice constitutes acceptance of the amended DPA.

17. Contact Information

For questions about this DPA or to exercise any rights under this agreement, please contact us at:

Data Protection Officer: dpo@picsui.com

Legal Department: Support@Picsui.com

General Support: Support@Picsui.com