Data Processing Addendum (DPA)

Parties

This DPA is entered into between:

Customer — [CUSTOMER_LEGAL_NAME], of [CUSTOMER_ADDRESS] ("Controller").
Fotowall — [FOTOWALL_LEGAL_ENTITY], of [FOTOWALL_ADDRESS] ("Processor").

By executing the underlying agreement, Order Form, or by accepting Fotowall's online terms with this DPA incorporated by reference, the parties agree to be bound by this DPA. Capitalized terms not defined here have the meaning given in the Terms of Service.

1. Definitions

"Applicable Data Protection Law": All laws and regulations applicable to a party's processing of Customer Personal Data, including (where applicable) the EU General Data Protection Regulation (Regulation 2016/679, "GDPR"), the UK GDPR and Data Protection Act 2018, the Swiss Federal Act on Data Protection ("FADP"), and U.S. state privacy laws (CCPA/CPRA, VCDPA, CPA, CTDPA, UCPA, TDPSA, OCPA, and equivalents).
"Customer Personal Data": Personal Data processed by Fotowall on behalf of Customer under the Agreement.
"Data Subject," "Personal Data," "Processing," "Controller," "Processor": Have the meanings given in the GDPR (or equivalent terms under Applicable Data Protection Law).
"Sub-processor": Any third party engaged by Fotowall to Process Customer Personal Data.
"Security Incident": Any confirmed accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data.
"SCCs": The Standard Contractual Clauses approved by the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, as updated, and the UK International Data Transfer Addendum (IDTA).

2. Scope and roles

This DPA applies when Fotowall Processes Customer Personal Data on behalf of Customer in connection with the Service.

Customer is the Controller of Customer Personal Data (including guest photos, captions, optional uploader names and emails, and any custom-field data Customer configures).
Fotowall is the Processor of Customer Personal Data.
For Customer's own account, billing, and support data, Fotowall acts as an independent Controller; the Privacy Policy governs that processing.

3. Details of processing (Annex I.B equivalent)

Subject matter	Provision of the Fotowall photo-wall Service.
Duration	The Subscription Term plus the retention periods set out in Section 9 and the Privacy Policy.
Nature and purpose	Hosting, storage, display, moderation, distribution, and post-event archival of guest-uploaded media and related metadata, on Customer's instructions.
Categories of data subjects	Customer's authorized admins; event guests who upload content; individuals depicted in uploaded content.
Categories of personal data	Photos and any personal data contained therein; uploader name (optional); uploader email (optional); caption text; upload timestamp; approximate region; user-agent; IP address (used only for abuse prevention and rate-limiting, not stored long-term).
Special categories	None intentionally collected. Customer must not enable the Service for purposes that would result in routine processing of special-category data without an additional lawful basis and supplementary measures.
Frequency of transfer	Continuous, on demand.
Recipients	Customer's authorized admins, public gallery viewers as configured by Customer, Sub-processors listed in Annex III / /subprocessors.

4. Processor obligations

Fotowall will:

Process Customer Personal Data only on documented instructions from Customer (the Agreement, this DPA, configurations made via the Service, and written instructions sent to privacy@fotowall.io). If Fotowall is required by law to Process otherwise, it will notify Customer first unless prohibited.
Ensure personnel authorized to Process Customer Personal Data are bound by confidentiality.
Implement and maintain the technical and organizational measures set out in Annex II (Section 7).
Engage Sub-processors only under written terms imposing data-protection obligations no less protective than this DPA.
Assist Customer with Data Subject requests as described in Section 5.
Assist Customer with data protection impact assessments and prior consultations to the extent reasonable, given the nature of Processing and information available.
Notify Customer of Security Incidents as described in Section 8.
At Customer's election, return or delete Customer Personal Data on termination as described in Section 9.
Make available information reasonably necessary to demonstrate compliance, including audits as described in Section 10.
Inform Customer if, in Fotowall's opinion, an instruction infringes Applicable Data Protection Law.

5. Data subject requests

Fotowall provides self-service tooling that lets Customer respond to Data Subject requests directly:

Public photo removal request form, routed to Customer's event admin queue.
Per-photo delete in the admin moderation interface.
Per-event archival and hard-delete on a 30-day timer.
Full data export of Customer's account on request (delivered via signed URL within 24 hours, valid 7 days).
Account deletion with a 30-day soft-delete grace period.

If Fotowall receives a request from a Data Subject directly, Fotowall will, where possible, refer the Data Subject to Customer and will not respond except to acknowledge receipt or as required by law. For requests Customer cannot resolve through tooling, contact privacy@fotowall.io.

6. Sub-processors (Annex III)

Customer authorizes Fotowall to engage the Sub-processors listed at /subprocessors (current list reproduced below for reference):

Sub-processor	Function	Location
Google LLC — Google Cloud Platform / Firebase	Hosting, Firestore, Cloud Storage, Authentication, App Check	United States (us-east1); EU on request
Cloudflare, Inc.	DNS, edge protection, WAF	Global edge; metadata in U.S.
Stripe, Inc.	Payment processing	United States
Resend (Drip, Inc.)	Transactional email	United States

Changes. Fotowall will provide at least 30 days' notice before adding or replacing a Sub-processor (via email to the account contact and an update at /subprocessors). Customers may subscribe to a notification feed at that page. Customer may object on reasonable data-protection grounds during the notice period; if Fotowall cannot accommodate the objection through alternative measures, Customer may terminate the affected portion of the Subscription with a pro-rated refund of prepaid, unused fees.

Fotowall remains liable to Customer for the acts and omissions of its Sub-processors as if performed by Fotowall.

7. Security measures (Annex II)

Fotowall maintains the following technical and organizational measures, which may evolve provided the overall level of protection is not diminished:

Encryption in transit: TLS 1.2+ for all network traffic; HSTS enforced.
Encryption at rest: Google Cloud KMS-managed AES-256 encryption for stored data and media.
Access control: Role-based access; least-privilege staff access; SSO and multi-factor authentication for production access.
Audit logging: Admin actions, exports, deletions, and access to production data are logged and retained 5 years.
App Check: Firebase reCAPTCHA Enterprise on public-facing endpoints to prevent abuse.
Network controls: Cloudflare WAF; private VPC for backend; egress restrictions.
Secure SDLC: Code review on all production changes; dependency vulnerability scanning; staging environment with synthetic data.
Backups: Encrypted, rolling 35-day retention; restoration tested at least annually.
Incident response: Documented runbook; named on-call; post-incident reviews.
Personnel: Background checks where lawful; mandatory security and privacy training at onboarding and annually; written confidentiality undertakings.
Physical security: Inherited from Google Cloud Platform (SOC 2 / ISO 27001 certified).
Vulnerability management: Patches applied per severity SLO; coordinated vulnerability disclosure at security@fotowall.io.
Independent assessment: SOC 2 Type II audit planned. Annual penetration test scheduled post-launch. Current status published at /trust.

8. Security Incident notification

Fotowall will notify Customer without undue delay, and in any event within 72 hours, after becoming aware of a Security Incident affecting Customer Personal Data. The notification will include, to the extent then known: the nature of the incident, the categories and approximate number of Data Subjects and records affected, the likely consequences, the measures taken or proposed, and the contact point for further information.

Fotowall will continue to provide updates as the investigation progresses and will reasonably cooperate with Customer's own notification obligations. Notifications are not an acknowledgement of fault or liability.

9. Return or deletion of Customer Personal Data

On termination or expiry of the Agreement, Fotowall will, at Customer's election, return or delete Customer Personal Data within 30 days, subject to: (a) any longer retention required by law (e.g., tax, audit logs); and (b) a 30-day soft-delete grace period during which Customer may restore. Backups expire on the rolling 35-day schedule. Fotowall will provide written confirmation of deletion on request.

10. Audits and information rights

Fotowall will, on reasonable written request and no more than once per 12-month period (or as required following a Security Incident or by a supervisory authority), make available to Customer:

Fotowall's most recent independent audit reports (SOC 2 Type II once available; ISO 27001 certificate where applicable) under NDA.
Written responses to a reasonable security questionnaire (SIG Lite or similar).
Information necessary to demonstrate compliance with this DPA.

On-site audits are limited to Enterprise customers, scheduled at least 60 days in advance, conducted by a mutually agreed independent auditor under NDA, during business hours, in a manner that does not disrupt Fotowall's operations or compromise other customers' confidentiality. Customer bears the cost of audits except where the audit uncovers a material breach of this DPA by Fotowall.

11. International data transfers

Where Customer Personal Data of EEA, UK, or Swiss Data Subjects is transferred to Fotowall or its Sub-processors in a third country that has not received an adequacy decision, the parties incorporate the SCCs by reference and agree:

Module Two (Controller to Processor) applies between Customer (data exporter, Controller) and Fotowall (data importer, Processor).
Module Three (Processor to Processor) applies between Fotowall and onward Sub-processors as needed.
Clause 7 (Docking clause) — applies.
Clause 9(a) Option 2 — general written authorization with 30 days' notice (Section 6).
Clause 11(a) — independent dispute resolution option is not selected.
Clause 17 (Governing law) — the law of Ireland applies.
Clause 18(b) — the courts of Ireland have jurisdiction.
Annex I.A — the parties are as identified in this DPA. Annex I.B — Section 3 above. Annex I.C — the competent supervisory authority is the lead supervisory authority of the Customer or, where Customer is established outside the EEA, the Irish Data Protection Commission.
Annex II — Section 7 above. Annex III — Section 6 above.

For UK transfers, the UK International Data Transfer Addendum (Version B1.0) is incorporated, with Tables 1–3 populated by reference to this DPA and Table 4 reflecting that neither party may end the addendum when the Approved Addendum changes. For Swiss transfers, references in the SCCs to "GDPR" include the FADP, "EU Member State" includes Switzerland, and the competent supervisory authority is the FDPIC.

Fotowall has performed a transfer impact assessment in light of Schrems II and applies supplementary measures including encryption in transit and at rest, access controls, audit logging, and a published government-access response policy. Government access requests will be challenged where lawful and reported to Customer where permitted.

12. U.S. state privacy law terms (Service Provider)

To the extent Fotowall Processes "personal information" of California residents within the meaning of the CCPA/CPRA (or equivalent terms under VCDPA, CPA, CTDPA, UCPA, TDPSA, OCPA), Fotowall is a "service provider" or "processor" (as applicable) and:

Will not sell or share Customer Personal Data (as those terms are defined under CPRA).
Will not retain, use, or disclose Customer Personal Data outside the direct business relationship with Customer or for any purpose other than the specific purpose of performing the Service.
Will not combine Customer Personal Data with personal information received from other sources, except as expressly permitted under §1798.140(ag)(2).
Will notify Customer if Fotowall determines it can no longer meet these obligations.
Grants Customer the right, on notice, to take reasonable and appropriate steps to stop and remediate unauthorized use of personal information.

13. Liability

The liability of each party arising out of or in connection with this DPA is subject to the limitations and exclusions set out in the Terms of Service. Nothing in this DPA limits the rights of Data Subjects under Applicable Data Protection Law, including under the SCCs.

14. Order of precedence; conflicts

In case of conflict between this DPA and the Agreement, this DPA controls on matters of personal data protection. The SCCs (where incorporated) control over conflicting provisions of this DPA in respect of restricted transfers.

15. Term and termination

This DPA takes effect on the effective date of the Agreement and remains in effect for as long as Fotowall Processes Customer Personal Data, plus any tail obligations. Sections relating to confidentiality, audit, liability, deletion, and international transfers survive termination.

16. Contact

For DPA matters, signed copies, or Enterprise-specific terms: legal@fotowall.io. For privacy operations: privacy@fotowall.io.

Signature block (for signed copies)

By signing below, the parties accept this DPA as of the Effective Date.

Customer

Name: __________________________

Title: ___________________________

Date: ___________________________

Signature: _______________________

Fotowall