⚠️ Draft Document - Pending Legal Review

This is a placeholder document for development purposes. It has not been reviewed or approved by legal counsel and should not be considered legally binding. A production-ready version will be published after attorney review.

Version 1.0-DRAFT
Updated: 2025-10-19

⚠️ DRAFT DATA PROCESSING AGREEMENT - NOT LEGAL ADVICE ⚠️

This is a PLACEHOLDER document. Standard Contractual Clauses must be added by qualified legal counsel.


Data Processing Agreement (DPA)

Effective Date: [DATE TBD]
Version: 1.0-DRAFT

Preamble

This Data Processing Agreement ("DPA") forms part of the Terms of Service between you ("Customer", "Data Controller") and khrome ("Processor", "we", "us") and applies when Customer has data subjects in the European Economic Area (EEA), United Kingdom (UK), or Switzerland.

Purpose: This DPA ensures compliance with GDPR Article 28 (processor obligations) and provides appropriate safeguards for international data transfers.

1. Definitions

Terms used in this DPA have the meanings defined in the GDPR:

  • "Controller": The Photographer (Customer) who determines purposes and means of processing Guest Personal Data
  • "Processor": khrome, who processes Personal Data on behalf of Controller
  • "Data Subject": Guests whose Personal Data is processed
  • "Personal Data": Information relating to an identified or identifiable Guest
  • "Processing": Any operation performed on Personal Data (storage, delivery, deletion, etc.)
  • "Sub-processor": Third-party service providers used by khrome (Cloudinary, Resend, etc.)

  • "Standard Contractual Clauses" (SCCs): EU Commission approved clauses for international data transfers

2. Scope & Roles

2.1 Controller and Processor Roles

  • Controller (Customer): You determine what Guest data to collect, which galleries to share, and retention settings
  • Processor (khrome): We process Guest data only on your instructions via platform features

2.2 Data Covered

This DPA applies to:

  • Guest names, email addresses, phone numbers
  • Guest photos and videos from events
  • Guest biometric data (if facial recognition enabled)
  • Guest browsing activity in galleries

2.3 Processing Activities

We process Personal Data to:

  • Store photos on Cloudinary
  • Deliver gallery links via email (Resend) or SMS (Telnyx)
  • Display photos in online galleries
  • Enable downloads
  • Provide analytics (aggregated, anonymized)
  • Optional: Facial recognition tagging (with Guest consent)

3. Customer Instructions

3.1 Documented Instructions

Customer instructs khrome to process Personal Data as follows:

  1. Via the Terms of Service and Privacy Policy
  2. Via platform settings (enable/disable features, set retention, etc.)
  3. Via support requests (e.g., delete specific Guest data)

3.2 Instruction Limitations

We will only process Personal Data according to Customer's documented instructions unless:

  • Required by EU or Member State law (we will notify Customer unless prohibited)
  • Necessary to comply with legal obligations

3.3 Unlawful Instructions

If we believe Customer's instructions violate GDPR or other data protection laws, we will notify Customer and may refuse to comply.

4. Confidentiality

4.1 Personnel Obligations

Our personnel with access to Personal Data are:

  • Bound by confidentiality agreements
  • Trained on data protection requirements
  • Subject to disciplinary action for breaches

4.2 Access Controls

Access to Personal Data is limited to personnel who need it to:

  • Provide Services
  • Comply with legal obligations
  • Maintain platform security

5. Security Measures (Article 32)

5.1 Technical Measures

  • Encryption in Transit: TLS 1.3 for all data transmission
  • Encryption at Rest: AES-256 for stored photos and database
  • Access Controls: Role-based access with multi-factor authentication
  • Network Security: Firewalls, intrusion detection, DDoS protection
  • Vulnerability Management: Regular scans, penetration testing, patch management

5.2 Organizational Measures

  • Security Policies: Documented information security program
  • Personnel Training: Annual security awareness training
  • Incident Response: 24/7 monitoring, documented response procedures
  • Audit Logging: All data access logged and retained for 1 year
  • Vendor Management: Security requirements for all sub-processors

5.3 Certification & Audits

[TO BE ADDED: SOC 2, ISO 27001, or other certifications if applicable]

6. Sub-Processors (Article 28(2))

6.1 General Authorization

Customer authorizes khrome to use the sub-processors listed in Annex III (Sub-Processor List).

6.2 Current Sub-Processors

  Sub-Processor | Purpose                  | Location      | Safeguards
  Cloudinary    | Photo storage & delivery | United States | DPA + SCCs
  Resend        | Email delivery           | United States | DPA + SCCs
  Telnyx        | SMS delivery             | United States | DPA + SCCs
  Vercel        | Website hosting          | United States | DPA + SCCs
  Supabase      | Database hosting         | United States | DPA + SCCs
  Stripe        | Payment processing       | United States | DPA + SCCs
  Microsoft     | Analytics (Clarity)      | United States | DPA + SCCs

6.3 Adding/Changing Sub-Processors

Notification:

  • We will notify Customer of new/replacement sub-processors at least 30 days before the change
  • Notification via email to Customer's registered address

Objection:

  • Customer may object on reasonable grounds related to data protection
  • Objection must be submitted in writing within 30 days
  • If we cannot accommodate objection, either party may terminate affected Services

6.4 Sub-Processor Obligations

We ensure all sub-processors:

  • Sign data processing agreements with equivalent obligations
  • Implement appropriate security measures
  • Comply with GDPR requirements
  • Are liable for breaches

7. Data Subject Rights (Articles 15-22)

7.1 Assistance Obligation

We will assist Customer in responding to Data Subject requests for:

  • Access (Article 15): Provide copy of Personal Data
  • Rectification (Article 16): Correct inaccurate data
  • Erasure (Article 17): Delete data ("right to be forgotten")
  • Restriction (Article 18): Limit processing
  • Portability (Article 20): Export data in machine-readable format
  • Objection (Article 21): Stop processing

7.2 Our Tools

We provide Customer with tools to:

  • Export Guest data via dashboard
  • Delete Guest data via API or support request
  • Restrict Gallery access (disable facial recognition, etc.)

7.3 Direct Requests

If a Data Subject contacts us directly:

  • We will redirect them to Customer (unless legally prohibited)
  • We will notify Customer of the request
  • We will not respond without Customer's instructions

7.4 Response Time

We will respond to Customer's assistance requests within 10 business days.

8. Personal Data Breaches (Articles 33-34)

8.1 Notification to Customer

If we discover a Personal Data Breach affecting Customer's Guest data, we will notify Customer without undue delay and in any event within 72 hours of becoming aware.

8.2 Breach Information

Our notification will include:

  • Nature of the breach (what data, how many Data Subjects)
  • Contact point for more information
  • Likely consequences of the breach
  • Measures taken or proposed to address the breach

8.3 Notification to Data Subjects

Customer is responsible for determining whether to notify Data Subjects. We will assist Customer by providing necessary information.

8.4 Documentation

We will document all Personal Data Breaches, including:

  • Facts of the breach
  • Effects and remedial action taken
  • Breach records, maintained for at least 5 years

9. Data Protection Impact Assessments (Article 35)

If Customer is required to conduct a Data Protection Impact Assessment (DPIA), we will:

  • Provide information about our processing activities
  • Describe security measures implemented
  • Identify risks to Data Subjects
  • Assist in assessing necessity and proportionality

10. Deletion or Return of Data (Article 28(3)(g))

10.1 Upon Termination

When Services end, Customer may choose:

  • Export: Download all Guest data within 30 days (grace period)
  • Delete: Request immediate deletion

10.2 Automatic Deletion

If Customer does not export within 30 days, we will permanently delete all Personal Data.

10.3 Legal Retention

We may retain Personal Data if required by law (e.g., tax records, legal disputes), but only to the extent and for the duration required.

10.4 Certification

Upon request, we will provide written certification that data has been deleted.

11. Audit Rights (Article 28(3)(h))

11.1 Audit Scope

Customer may audit our compliance with this DPA, including:

  • Security measures
  • Sub-processor management
  • Data Subject rights handling
  • Breach notification procedures

11.2 Audit Frequency

  • Maximum: Once per year (unless breach or supervisory authority request)
  • Notice: At least 30 days advance notice
  • Timing: During business hours, minimizing disruption
  • Cost: Customer pays audit costs

11.3 Audit Process

  1. Customer proposes audit scope and auditor
  2. We review and approve (approval not unreasonably withheld)
  3. Auditor signs confidentiality agreement
  4. Audit conducted on-site or remotely
  5. We receive draft report and may comment
  6. Final report shared with Customer

11.4 Alternative: Third-Party Audits

Customer may rely on our third-party audit reports (e.g., SOC 2, ISO 27001) in lieu of conducting its own audit.

12. International Data Transfers

12.1 Transfer Mechanisms

Transfers of Personal Data from the EEA/UK/Switzerland to the United States are governed by:

  • Standard Contractual Clauses (SCCs): EU Commission Decision 2021/914 (Module 2: Controller-to-Processor)
  • UK Addendum: UK International Data Transfer Addendum to EU SCCs
  • Swiss Addendum: [If applicable]

12.2 Incorporation of SCCs

The Standard Contractual Clauses are incorporated into this DPA as Annex I (Transfer Details) and Annex II (Security Measures).

12.3 Onward Transfers

Sub-processors located outside EEA/UK/Switzerland are also covered by SCCs (Module 3: Processor-to-Sub-processor).

12.4 Future Adequacy Decisions

If the European Commission issues an adequacy decision for the United States (or other destination), we may rely on that instead of SCCs.

13. Liability & Indemnification

13.1 GDPR Liability (Article 82)

  • Each party is liable for damages caused by breaches of this DPA
  • If both parties contribute to damage, liability is apportioned based on responsibility
  • Customer is liable for unlawful instructions to khrome

13.2 Indemnification

Customer indemnifies khrome for:

  • Fines imposed due to Customer's unlawful instructions
  • Data Subject claims arising from Customer's GDPR violations
  • Costs of regulatory investigations caused by Customer

14. Term & Termination

14.1 Term

This DPA begins on the Effective Date and continues until:

  • Termination of the Terms of Service, OR
  • All Personal Data is deleted (whichever is later)

14.2 Survival

Sections 10 (Deletion), 11 (Audit), 13 (Liability) survive termination.

15. Governing Law

15.1 GDPR Prevails

If there is a conflict between this DPA and the Terms of Service, this DPA prevails for GDPR purposes.

15.2 Supervisory Authority

For EU/EEA data subjects:

  • Competent Authority: Data Protection Authority where Customer is established
  • Lead Authority: [Customer's country] Data Protection Authority

For UK data subjects:

  • UK ICO (Information Commissioner's Office)

16. Amendments

We may update this DPA to:

  • Reflect changes in data protection laws
  • Add new sub-processors (with notice)
  • Update security measures
  • Incorporate updated SCCs

Material changes require 30 days' notice.

17. Contact

For DPA Questions:

  • Email: dpo@khro.me
  • Mail: [Company Address - TO BE ADDED]

Annex I: Transfer Details (for SCCs)

Data Exporter: Customer (Photographer)
Data Importer: khrome

Categories of Data Subjects:

  • Guests at events (wedding attendees, party guests, corporate event participants)

Types of Personal Data:

  • Contact data: Names, email addresses, phone numbers
  • Visual data: Photos, videos from events
  • Biometric data: Facial recognition markers (if enabled with consent)
  • Usage data: Gallery browsing activity, download history

Sensitive Data:

  • Biometric data (facial recognition) - requires explicit consent
  • Photos may incidentally capture health data, religious beliefs, etc. (Customer responsible for consent)

Frequency of Transfer:

  • Continuous during gallery lifetime (2-4 years)

Purpose of Processing:

  • Photo storage and delivery
  • Gallery hosting and access
  • Optional facial recognition tagging

Retention Period:

  • 2 years standard (up to 4 years with extension)
  • Upon request: Immediate deletion

Annex II: Security Measures

See Section 5 (Security Measures) above for detailed list.

Summary:

  • Encryption (TLS 1.3, AES-256)
  • Access controls (RBAC, MFA)
  • Monitoring (24/7 SOC, SIEM)
  • Incident response (documented procedures)
  • Employee training (annual)
  • Vendor management (sub-processor security requirements)

Annex III: Sub-Processor List

See Section 6.2 above for current sub-processor list.

Last Updated: 2025-10-19


UK Addendum

[TO BE ADDED: UK International Data Transfer Addendum template from ICO]


Version History

  • Version 1.0-DRAFT (2025-10-19): Initial draft for legal review

⚠️ REMINDER: This is a PLACEHOLDER document. Standard Contractual Clauses must be added by qualified legal counsel before use. ⚠️