Data Processing Agreement (DPA)

INTRODUCTION

This Data Processing Agreement (“DPA”) forms part of the Proofpix Terms of Service (the “Agreement”) between you (the “Subscriber” or “Controller”) and Fucra Online Systems Inc., a company incorporated in the British Virgin Islands and doing business as Proofpix (“Processor,” “we,” or “us”).

This DPA applies when the Subscriber, as a Data Controller, uploads or otherwise processes Personal Data of individuals located in the European Union (EU), the European Economic Area (EEA), or the United Kingdom while using Proofpix Services. By using the Services, the Subscriber agrees that this DPA forms part of the Agreement.

DEFINITIONS

“Controller” means the Subscriber who determines the purposes and means of the processing of Personal Data.

“Processor” means Fucra Online Systems Inc. (DBA Proofpix), which processes Personal Data on behalf of the Controller.

“Personal Data” means any information relating to an identified or identifiable natural person as defined by GDPR.

“Sub-Processor” means any third party engaged by Proofpix to assist in processing Personal Data.

1. SCOPE AND ROLES

Proofpix processes Personal Data on behalf of the Subscriber solely for providing the Proofpix platform, admin portal, hosted websites, and the Proofpix Helper desktop application (together, the “Services”). The Subscriber remains the Controller of all Personal Data submitted, uploaded, or otherwise made available through the Services. Proofpix acts only as a Processor and does not determine the purposes of processing.

2. SUBJECT MATTER; DURATION; NATURE AND PURPOSE

A. Subject Matter: Hosting, storage, management, and transmission of Personal Data for the operation of photography websites and related services.

B. Duration: This DPA applies for the entire duration of the Subscriber’s use of the Services and until deletion of Personal Data in accordance with Section 10.

C. Nature and Purpose: To host and manage Subscriber websites and image galleries; send transactional communications; facilitate uploads, exports, and backups; and provide support and technical maintenance.

3. CATEGORIES OF DATA AND DATA SUBJECTS

A. Data Subjects: The Subscriber’s own customers and photography subjects, including parents, students, and minors.

B. Personal Data: Names, contact details, email addresses, image files, metadata, and other information entered by the Subscriber or its customers via the Services.

C. Special Categories: None intentionally collected by Proofpix; the Subscriber is responsible for any sensitive data it uploads.

4. PROCESSOR OBLIGATIONS

A. Process Personal Data only on the Controller’s documented instructions, including with respect to transfers of Personal Data to a third country.

B. Ensure personnel authorized to process Personal Data are bound by confidentiality obligations.

C. Implement appropriate technical and organizational measures to protect Personal Data as described in Annex II.

D. Assist the Controller in meeting GDPR obligations regarding data-subject rights, breach notifications, and data protection impact assessments, taking into account the nature of processing and the information available to the Processor.

E. Make available all information necessary to demonstrate compliance and allow for reasonable audits or provide equivalent certifications and third-party audit summaries.

5. SUB-PROCESSORS

A. Authorization: The Controller authorizes Proofpix to engage Sub-Processors for the operation of the Services.

B. Current Sub-Processors: Wasabi Technologies Inc. (image and file storage; region chosen by the Subscriber: EU or US) and ActiveCampaign, LLC (d/b/a Postmark) (transactional email sending; US).

C. Equivalency: Proofpix will ensure each Sub-Processor is bound by data-protection obligations providing at least the same level of protection as this DPA.

D. Changes: Proofpix will notify Subscribers of material changes to its Sub-Processor list via its website or email; the Controller may object on reasonable data-protection grounds.

6. INTERNATIONAL DATA TRANSFERS

A. Location: Proofpix is located in the United States, which is not currently subject to an EU adequacy decision.

B. Standard Contractual Clauses (SCCs): Transfers of Personal Data from the EU/EEA to Proofpix or its Sub-Processors outside the EEA are governed by the European Commission Standard Contractual Clauses (2021/914), Module 2 (Controller → Processor), which are incorporated by reference into this DPA.

C. SCC Elections: The Controller is the data exporter; Proofpix is the data importer. Clause 9(a) – Option 2 (General Authorization) applies to Sub-Processors. Clause 17 (Governing Law) is Irish law. Clause 18 (Jurisdiction) is the courts of Ireland.

D. Updates: If the SCCs are replaced or amended by the European Commission, the updated version shall automatically apply.

7. SECURITY MEASURES

Proofpix implements and maintains the technical and organizational measures described in Annex II to protect Personal Data against unauthorized access, loss, alteration, or disclosure.

8. DATA SUBJECT REQUESTS

Taking into account the nature of the processing, Proofpix shall, where possible and appropriate, assist the Subscriber in fulfilling requests to exercise data-subject rights under Chapter III of the GDPR.

9. PERSONAL DATA BREACH

Proofpix will notify the Subscriber without undue delay after becoming aware of a Personal Data Breach and will provide information reasonably required for the Subscriber to comply with Articles 33 and 34 GDPR to the extent available to Proofpix.

10. DELETION OR RETURN OF DATA

Upon termination of the Agreement or upon request, Proofpix will delete or return all Personal Data (unless storage is required by law). Residual copies may remain in backups until overwritten pursuant to Proofpix’s retention policy.

11. AUDIT RIGHTS

The Subscriber may, on reasonable notice, request documentation or audit reports demonstrating Proofpix’s compliance with this DPA. Proofpix may satisfy this obligation by providing third-party certifications, audit summaries, or equivalent evidence.

12. LIABILITY; GOVERNING LAW; CONTACT

A. Liability: Each party’s liability under this DPA is subject to the limitations of liability in the main Proofpix Terms of Service, except as otherwise required by applicable data-protection law.

B. Governing Law: This DPA is governed by the laws of the British Virgin Islands, except for issues governed by the SCCs, which are subject to Irish law as set out in Section 6.

C. Contact: Questions about this DPA or data-protection matters may be sent to privacy@proofpix.com.

ANNEX I — DETAILS OF PROCESSING

Controller: Subscriber (photographer or studio).

Processor: Fucra Online Systems Inc. (DBA Proofpix).

Purpose: Hosting, storing, transmitting, and processing customer data and images for operation of photography websites, galleries, order management, communications, and related Services.

Duration: Duration of active subscription and until deletion in accordance with Section 10.

Data Categories: Names, emails, contact details, image files, and related metadata; information entered by the Subscriber or its customers.

Data Subjects: Subscribers’ customers and photographed individuals (including minors, as determined by the Controller).

ANNEX II — TECHNICAL AND ORGANIZATIONAL MEASURES

A. Access Control: Role-based permissions, least-privilege access, multi-factor authentication, and access logging.

B. Encryption: TLS 1.2+ for data in transit; encryption at rest for stored data and backups.

C. Network Security: Firewalls, VPN isolation, and continuous monitoring of infrastructure.

D. Backups: Encrypted backups with defined retention and integrity verification.

E. Logging & Monitoring: Security-relevant events are logged and reviewed for anomalies.

F. Availability & Resilience: Redundant systems and failover capabilities where appropriate.

G. Incident Response: Documented breach-response plan with escalation procedures and notification workflows.

H. Training: Mandatory privacy and security awareness for relevant personnel.

ANNEX III — APPROVED SUB-PROCESSORS

Wasabi Technologies Inc. — Image and file storage (region chosen by Subscriber: EU or US).

ActiveCampaign, LLC (d/b/a Postmark) — Transactional email sending (US).

HOW THIS DPA APPLIES

This DPA automatically applies to all Proofpix Subscribers who process Personal Data of individuals in the EU, EEA, or UK. By continuing to use the Services, you agree that this DPA forms part of your binding Agreement with Proofpix. A countersigned copy may be provided upon request by emailing support@proofpix.com.

Last Updated: October 13, 2025