PhotoTouch

Data Processing Agreement

TriPrism, Inc. / PhotoTouch, Inc.

Effective: February 28, 2026

This Data Processing Agreement (“DPA”) forms part of the Terms of Use between TriPrism, Inc. doing business as PhotoTouch, Inc. (“Processor”) and the photographer or entity using the PhotoTouch platform (“Controller”).

This DPA applies where the Processor processes personal data on behalf of the Controller in connection with the PhotoTouch platform services, as required by the European Union General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA/CPRA), and other applicable data protection laws.

This public DPA describes our standard processor terms. Enterprise customers may execute a separate signed DPA addendum. Where a signed DPA addendum conflicts with this public DPA, the signed addendum governs with respect to data processing matters.

1. Definitions

  • “Controller” — the photographer or entity that determines the purposes and means of processing personal data through the Platform. This is the photographer account holder.
  • “Processor” — TriPrism, Inc. dba PhotoTouch, Inc., which processes personal data on behalf of the Controller.
  • “Sub-Processor” — a third party engaged by the Processor to process personal data on behalf of the Controller. See our Sub-Processor Disclosure.
  • “Data Subject” — an identified or identifiable natural person whose personal data is processed. In the PhotoTouch context, this includes customers, event attendees, parents/guardians, and students/athletes.
  • “Personal Data” — any information relating to a Data Subject, including names, email addresses, phone numbers, photographs, and photo access codes.
  • “Processing” — any operation performed on personal data, including collection, storage, retrieval, transmission, deletion, and any other use.

2. Scope & Purpose of Processing

Categories of Data Subjects

  • Customers of the photographer (event attendees, students, athletes, families)
  • Parents or guardians of minor Data Subjects
  • Photographer employees and sub-users

Types of Personal Data Processed

  • Contact information (names, email addresses, phone numbers, mailing addresses)
  • Photographs and images uploaded by the Controller
  • Photo access codes and gallery credentials
  • Order and transaction records
  • Registration data collected at photography events
  • Email and SMS communication records
  • Support ticket communications
  • Model release consent records
  • Entitlement and download records

Purpose of Processing

  • Hosting and delivering photo galleries
  • Processing and fulfilling print and digital orders
  • Sending email and SMS communications on behalf of the Controller
  • Managing event registrations
  • Processing model release consents
  • Providing customer service tools
  • Generating reports and analytics for the Controller
  • Operating marketing automation features when enabled by the Controller

3. Processor Obligations

The Processor shall:

  • Process personal data only on documented instructions from the Controller, including with respect to transfers of personal data to a third country, unless required to do so by applicable law.
  • Ensure that persons authorized to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
  • Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as described in our Security Overview.
  • Engage sub-processors under the Controller’s general written authorization. The current list of approved sub-processors is maintained at /legal/subprocessors and constitutes the Controller’s general authorization.
  • Notify the Controller at least 30 days before adding or replacing a sub-processor, giving the Controller the opportunity to object.
  • Assist the Controller in responding to Data Subject requests (access, rectification, erasure, restriction, portability, objection) by providing built-in GDPR tools within the Platform.
  • Assist the Controller in ensuring compliance with security, breach notification, impact assessment, and prior consultation obligations.
  • At the Controller’s choice, delete or return all personal data after the end of the provision of services, and delete existing copies unless storage is required by law.
  • Make available to the Controller all information necessary to demonstrate compliance with these obligations, and allow for and contribute to audits and inspections.
  • Immediately inform the Controller if, in the Processor’s opinion, an instruction infringes applicable data protection law.

4. Controller Obligations

The Controller shall:

  • Ensure that its collection and sharing of personal data with the Processor is lawful and complies with all applicable data protection laws.
  • Provide appropriate privacy notices to Data Subjects informing them of the processing.
  • Obtain all necessary consents from Data Subjects where consent is the lawful basis for processing, including parental consent for minors.
  • Respond to Data Subject requests in a timely manner using the tools provided by the Platform. The Processor will assist but the Controller bears primary responsibility.
  • Notify the Processor promptly of any data protection inquiries, complaints, or regulatory requests received from Data Subjects or authorities.
  • Ensure that the processing instructions given to the Processor comply with applicable data protection laws.
  • Manage data retention within the Platform using the provided tools and configure appropriate deletion schedules.

5. Sub-Processors

  • The Controller provides general authorization for the Processor to engage the sub-processors listed at /legal/subprocessors.
  • The Processor will make commercially reasonable efforts to notify the Controller at least 30 days before adding or replacing a sub-processor by updating the sub-processor list and sending notice to the Controller’s registered email address.
  • If the Controller objects to a new sub-processor, the Controller may terminate the affected services in accordance with the governing commercial agreement by notifying the Processor within 30 days of the notice.
  • The Processor will impose data protection obligations on each sub-processor that are no less protective than those in this DPA.
  • The Processor remains fully liable to the Controller for the performance of each sub-processor’s obligations.

Photographer-configured integrations (services connected by the Controller via the API Integration Builder) are not sub-processors of TriPrism. The Controller is solely responsible for data shared with services they configure.

6. Data Security

The Processor implements and maintains appropriate technical and organizational security measures, including but not limited to:

  • Encryption of personal data in transit (TLS 1.2+) and at rest
  • Access controls with role-based permissions and two-factor authentication
  • Comprehensive audit logging of all data access and modifications
  • Regular security assessments and vulnerability management
  • Employee access limited to personnel who require it for service delivery
  • Incident response procedures with defined escalation paths

For full details, see our Security Overview.

7. Data Breach Notification

  • The Processor will notify the Controller without undue delay after becoming aware of a personal data breach affecting the Controller’s data, and within any legally required timeline where one applies (for example, the processor notification duty in GDPR Article 33(2)).
  • The notification will include: (a) the nature of the breach, (b) the categories and approximate number of Data Subjects affected, (c) likely consequences, and (d) measures taken or proposed to address the breach.
  • The Processor will cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the breach.
  • The Controller is responsible for any legally required notifications to Data Subjects and supervisory authorities. The Processor will assist as needed.

8. International Data Transfers

  • The Platform is hosted in the United States. By using the Platform, the Controller authorizes the transfer of personal data to the United States.
  • Where personal data is transferred from the European Economic Area, the United Kingdom, or Switzerland to the United States, the Processor applies an appropriate transfer mechanism as required by applicable law.
  • Applicable transfer mechanisms may include the EU–U.S. Data Privacy Framework (and UK/Swiss extensions where applicable), Standard Contractual Clauses (SCCs), or other legally recognized safeguards in effect at the time of transfer.
  • The Processor will ensure that any onward transfers to sub-processors outside the United States are subject to appropriate safeguards.

9. Data Subject Rights

The Platform provides the Controller with built-in tools to fulfill Data Subject rights requests:

Right                              Platform Tool
Right of Access (Art. 15)          Customer 360° profile + GDPR data export (CSV ZIP)
Right to Rectification (Art. 16)   CRM profile editing (inline email, phone, name updates)
Right to Erasure (Art. 17)         GDPR erasure tools with cascade-safe deletion across all channels
Right to Restriction (Art. 18)     Gallery disable toggle, email/SMS suppression lists
Right to Portability (Art. 20)     GDPR data export in standard CSV format
Right to Object (Art. 21)          Email unsubscribe + SMS opt-out mechanisms
Right to Withdraw Consent          Model release revocation links

The Controller is the primary point of contact for Data Subject requests. If a Data Subject contacts the Processor directly, the Processor will redirect the request to the Controller and notify the Controller promptly.

10. Data Retention & Deletion

  • The Controller controls data retention through the Platform’s built-in tools, including manual deletion and configurable auto-deletion schedules.
  • Upon termination of the Controller’s account, the Processor will retain data for 90 days to allow for reactivation, then permanently delete all personal data from production systems.
  • Backup copies will be purged according to the same schedule as primary data.
  • Audit logs (which may contain references to personal data) are the exception to the deletion schedule above: they are retained for 7 years to support contractual, security, and applicable regulatory requirements.
  • The Controller may request deletion at any time by contacting support@phototouchinc.com. The Processor will process deletion requests within a commercially reasonable timeframe and in accordance with applicable law.

11. Audits & Compliance

  • The Processor will make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA.
  • The Processor will allow and contribute to audits, including inspections, conducted by the Controller or an independent auditor mandated by the Controller, subject to reasonable advance notice (at least 30 days) and confidentiality obligations.
  • Audits shall be conducted during normal business hours, shall not unreasonably interfere with the Processor’s operations, and shall be at the Controller’s expense.
  • The Processor operates SOC 2-aligned controls and is working toward formal SOC 2 Type II attestation. Current platform assurance documentation is available to the Controller upon request under NDA.

12. Term & Termination

  • This DPA remains in effect for the duration of the Controller’s use of the Platform.
  • Upon termination, the Processor will comply with the data retention and deletion obligations described in Section 10.
  • Sections that by their nature should survive (confidentiality, liability, audit rights) shall survive termination.

13. Liability

Each party’s liability under this DPA is subject to the limitations of liability set forth in the Terms of Use. Nothing in this DPA limits either party’s liability for breaches of data protection law to the extent such limitation is not permitted by applicable law.

14. Contact

For data processing inquiries or to exercise rights under this DPA:

Email: support@phototouchinc.com
Company: TriPrism, Inc. dba PhotoTouch, Inc.
Address: San Diego, California, United States

© 2026 TriPrism, Inc. All rights reserved.