Legal & Privacy

Data Processing Agreement

[Last Updated: May 2026]

This Data Processing Agreement (“DPA”) is governed by and hereby attached to the Master Service Agreement, Terms of Service, or any other agreement (“Agreement”) executed by and between Pic-Time Ltd. or Pic-Time Inc. (“Pic-Time”), and the Photographer (“Customer” or “Photographer”). Pic-Time and Customer shall each be referred to as “party” and collectively as “parties”.

All capitalized terms not defined herein shall have the meaning set forth in the Agreement.  

WHEREAS, Pic-Time operates a cloud-based platform that enables professional Photographers to host and deliver galleries, offer prints, use marketing and AI-powered tools, and provide related services to their customers (collectively the “Services”); and

WHEREAS, the Services may require Pic-Time to Process Personal Data (as defined below) on Customer’s behalf, which Customer discloses to Pic-Time only for the limited and specified purposes set forth herein, and subject to the terms and conditions of this DPA.

THEREFORE, this DPA sets forth the parties’ responsibilities and obligations regarding the Processing of Personal Data in connection with the Agreement:

1. DEFINITIONS

  1. Adequate Country” is a country that has received an adequacy decision from the European Commission or other applicable data protection authority.
  2. AI” or “Artificial Intelligence” shall have the meaning assigned to it under applicable laws, including the AI Act (Regulation (EU) 2024/1689) (“AIA”), and generally refers to a machine-based system that can, for a given set of human-defined objectives, make predictions, recommendations, or decisions influencing real or virtual environments. Artificial intelligence systems use machine-based and human-based inputs to: (a) perceive real and virtual environments; (b) abstract such perceptions into models through analysis in an automated manner; (c) use model inference to formulate options for information or action; and (d) generate images, text, videos, and other materials and content using machine learning models in response to prompts from the user.
  3. AI Prompts” refers to any content, data, material, or instructions, whether in textual, visual, audio, code-based, or other format, provided by Customer to generate the Output. AI Prompts include Personal Data and Confidential Information.
  4. Biometric Data” or "Biometric Information" shall have the meaning assigned to it under applicable laws, including the Illinois  Biometric Information Privacy Act (“BIPA”), the Texas Capture Or Use Of Biometric Identifier Act (“CUBI”), the Washington Biometric Privacy Protection Act (“H.B. 1493”), the GDPR (Article 4(14)), the CCPA and the IPPL and generally refers to any information, regardless of how it is captured, converted, stored, or shared, based on an individual's biometric identifier used to identify an individual. Biometric information does not include information derived from items or procedures excluded under the definition of biometric identifiers. “Biometric Identifier” shall have the meaning assigned to it under BIPA.
  5. The terms “Business”, “Business Purpose“, “Consumer”,Controller”, “Data Subject”, “Personal Data”, “Personal Data Breach”, “Processing” (and “Process”), “Processor”, “Holder”, “Sensitive Data”, “Service Provider”, “Sale” (or “Sell”) and “Share”,Special Categories of Personal Data” and “Supervisory Authority”, shall all have the same meanings as ascribed to them under applicable Data Protection Laws. Further, under this DPA “Data Subject” shall also mean and refer to a “Consumer”, and “Personal Data” shall also mean and refer to “Personal Information”, and “Special Categories of Data” or "Highly Sensitive Data" shall also mean and refer to “Sensitive Data”. Further, the terms “AI System”, “Provider”, “Deployer”, “Distributor”, “Training Data”, “Validating Data”, “Testing Data” and “General-Purpose AI System” shall all have the same meanings as ascribed to them under the AIA.
  6. Customer Data” means Customer Data (as defined in the Agreement) containing Personal Data processed by Pic-Time in the course of its Services provision to Customer, all as detailed in Annex I attached herein.
  7. Data Privacy Framework” or “DPF” means the EU-U.S. Data Privacy Framework and the UK Extension to the EU-U.S. Data Privacy Framework operated by the U.S. Department of Commerce, as may be amended, superseded, or replaced.
  8. Data Privacy Framework Principles” means the Principles and Supplemental Principles contained in the relevant Data Privacy Framework available at: https://www.dataprivacyframework.gov/program-articles/Participation-Requirements-Data-Privacy-Framework-(DPF)-Principles; as may be amended, superseded or replaced.
  9. Data Protection Law” means any and all applicable privacy and data protection laws and regulations, including, where applicable, EU Data Protection Law, UK Data Protection Laws, Swiss Data Protection Laws, Israeli Data Protection Laws and the US Data Protection Laws, as may be amended or superseded from time to time, and any judicial or administrative interpretation of such laws, including any binding guidance, guidelines, codes of practice, approved codes of conduct or certification mechanisms approved by the applicable authority.
  10. EEA” means the European Economic Area.
  11. End User” means a customer of the Photographer.
  12. European Data Protection Laws” means collectively, the laws and regulations of the European Union, the EEA, their member states, and the United Kingdom, applicable to the Processing of Personal Data, including (where applicable):   (i) EU General Data Protection Regulation (Regulation 2016/679) (“EU GDPR”); Regulation 2018/1725; and the e-Privacy Directive (Directive 2002/58/EC), as amended (e-Privacy Law); (ii) “UK Data Protection Laws” - the Data Protection Act 2018 (DPA 2018), as amended, and EU GDPR as incorporated into UK law as amended (“UK GDPR” and collectively with the EU GDPR shall be referred to herein as the ”GDPR”); (iii) “Swiss Data Protection Laws” or “FADP” - the Swiss Federal Data Protection Act (dated June 19, 1992, as of March 1, 2019) (“FDPA”) and the Ordinance on the Federal Act on Data Protection ("FODP"); (iv) any national data protection laws made under, pursuant to, replacing or succeeding the EU GDPR or the e-Privacy Law; (v) any amendment or legislation replacing or updating any of the foregoing; and (vi) any judicial or administrative interpretation of any of the above, including any binding judicial or administrative interpretation of any of the above, or approved certification mechanisms issued by any relevant Supervisory Authority.
  13. Face Data” means data derived from images that is used to identify, group, and search for faces as part of the Services.
  14. Instructions” means the written, documented instructions issued by the Customer to Pic-Time directing Pic-Time to perform a specific or general action with regard to Customer Data (including, but not limited to, instructions to provide the Services under the Agreement and instructions under this DPA).
  15. Israeli Data Protection Laws” means, collectively, the: (i) Israeli Privacy Protection Law, 5741-1981; (ii) the regulations promulgated pursuant thereto, including the Israeli Privacy Protection Regulations (Data Security), 5777-2017 and the Israeli Protection of Privacy (Transfer of Data to Databases Abroad) Regulations, 5761-2001; (iii) any amendments or legislation replacing or updating any of the foregoing; and (iv) any judicial or administrative interpretation of any of the above, including any binding guidance, guidelines, codes of practice, approved codes of conduct, or certification mechanisms approved by the Israeli Privacy Protection Authority.
  16. Non-Users” means guests, vendors, invites of End User with access to the Gallery or that their Personal Data is processed as part of Photographer’s use of the Service, however, do not have a direct relationship with Pic-Time.
  17. 1.17.“Output” means content, code, text, images, audio, or any form of information generated by or with the assistance of an AI system, including but not limited to machine learning models, generative AI, or automated decision-making software, in response to AI Prompts. Depending on the Services and the AI Prompts, the Output may include Personal Data and Confidential Information.
  18. Security Incident” means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data. Any Personal Data Breach will comprise a Security Incident.
  19. Standard Contractual Clauses” or “SCCs” means (i) the standard contractual clauses for the transfer of  Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council adopted by the European Commission Decision 2021/914 of 4 June 2021, which may be found here (ii) the UK “International Data Transfer Addendum to the European Commission Standard Contractual Clauses” available at: https://ico.org.uk/media2/migrated/4019539/international-data-transfer-addendum.pdf and incorporated herein by reference  (“UK SCC”); or (iii) the applicable standard data protection clauses issued, approved or recognized by the Swiss Federal Data Protection and Information Commissioner (“Swiss SCC”).
  20. "US Data Protection Laws” means any U.S. federal and state privacy laws and regulations effective as of the Effective Date of this DPA and applicable to Pic-Time Processing of Customer Data, and any implementing regulations and amendments thereto, including without limitation: (i) the California Consumer Privacy Act (Cal. Civ. Code §§ 1798.100 – 1798.199) of 2018, including as modified by the California Privacy Rights Act, as well as all regulations promulgated thereunder from time to time (“CCPA”); (ii) the Colorado Privacy Act, C.R.S.A. § 6-1-1301 et seq (SB 21-190) (“CPA”); (iii) the Connecticut Data Privacy Act, S.B. 6 (Connecticut 2022)  (“CTDPA”); (iv) the Delaware Personal Data Privacy Protection Act (“DPDPA”); (v) the Florida Digital Bill of Rights, S.B. 262 (“FDBR”); (vi) the Indiana Consumer Data Protection Act (“ICDPA”); (vii) the Iowa Consumer Data Protection Act (“ICDPA”); (viii) the Kentucky Consumer Data Protection Act (“KCDPA”); (ix) the Maryland Online Consumer Privacy Act (“MOCPA”); (x) the Minnesota Consumer Data Privacy Act (“MCDPA”); (xi) the Montana Consumer Data Privacy Act, 68th Legislature 2023, S.B. 0384 (“MTCDPA”); (xii) the Nebraska Data Privacy Act (“NDPA”); (xiii) the New Hampshire Data Privacy Protection Act (“NHDPA”); (xiv) the New Jersey Data Protection Act (“NJDPA”); (xv) the Oregon Consumer Data Privacy Act, ORS 646A.570-646A.589 (“OCDPA”); (xvi) the Rhode Island Data Transparency and Privacy Protection Act  (“RIDTPPA”); (xvii) the Texas Data Privacy and Security Act, Tex. Bus. & Com. Code Ann. § 541.001 et seq (“TDPSA”); (xviii) the Utah Consumer Privacy Act, Utah Code Ann. § 13-61-101 et seq (“UCPA”); (xix) the Washington “My Health My Data” Act, Wash. Rev. Code § 19.373.005 et seq., and Nev. Rev. Stat. § 603A, as amended by Nevada S.B. 370 (together, the “Washington and Nevada Consumer Health Data Laws”); and (xx) the Virginia Consumer Data Protection Act, Va. Code Ann. § 59.1-575 et seq. (SB 1392) (“VCDPA”).  All as amended or superseded from time to time and including any implementing regulations and amendments thereto.

Any other terms that are not defined herein shall have the meaning provided under the Agreement or applicable Data Protection Laws. A reference to any term or section of the Data Protection Laws means the version as amended. Any references to the GDPR in this DPA shall mean the GDPR or UK GDPR depending on the applicable Law.

2. ROLES AND DETAILS OF PROCESSING

  1. The parties agree and acknowledge that under the performance of their obligations set forth in the Agreement, and with respect to the Processing of Customer Data, and according to the applicable Data Protection Laws, Pic-Time is acting as a Data Processor and Customer is acting as a Controller. Without derogating from the generality of the above, specifically, for the purpose of the Israeli Data Protection Laws, Pic-Time shall Process Customer Data as the Holder on behalf of Customer as the Controller. Notwithstanding the above, in case the processing of the Personal Data is conducted under Customer's role as a Data Processor, Pic-Time shall be deemed a Sub-Processor.
  2. Each party shall be individually and separately responsible for complying with the obligations that apply to such party under applicable Data Protection Law. The Customer shall be exclusively responsible to ensure its Instructions are compliant with applicable Data Protection Laws and enable a lawful Processing of Customer Data, including by obtaining any required consent and providing any required disclosures under applicable Data Protection Laws.
  3. The subject matter and duration of the Processing carried out by the Processor on behalf of the Controller, the nature and purpose of the Processing, the type of Personal Data and categories of Data Subjects are described in Annex I attached hereto.
  4. If any Sensitive Data or Special Categories of Personal Data or Highly Sensitive Data is processed (as those terms are defined under Data Protection Laws), including, any information that constitutes “consumer health data” under the CTDPA or the Washington and Nevada Consumer Health Data Laws or any information that constitutes “protected health information” under the Health Insurance Portability and Accountability Act of 1996, 5 U.S.C. § 553 et seq., together with any amending legislation and any regulations promulgated thereunder or any Personal Data that is deemed by US regulatory authorities as meriting sensitive treatment under US Data Protection Laws or U.S. state or federal consumer protection laws such as financial information, demographic information, credit scores, etc., it is Customer's responsibility to inform Pic-Time of such processing, and ensure additional contractual obligations are met, if needed and applicable. For avoidance of doubt, Pic-Time does not monitor, and review Customer Data processed according to this DPA, and may not be aware of any sensitivity within Customer Data.
  5. Where Pic-Time provides any Services (or any feature thereof) that involve Processing Customer Data through an AI system, including where a Service is designed to generate AI Prompts, Pic-Time shall process such Data to generate the Output requested by Customer. Pic-Time will not use identifiable Customer Data as Training Data, Development Data, or Validating Data for its Artificial Intelligence models or machine learning algorithms; provided, however, that Pic-Time may use de-identified or aggregated data derived from the Services for the purpose of maintaining, optimizing, and developing the Services and its features.
  6. To the extent Customer Data or Face Data constitutes Biometric Data, the following obligations apply: (i) prior to the collection of any Biometric Data, Photographer shall provide the End User with written notice describing the processing, the purpose for such Processing. The AI Photo Search feature (as defined under the AI Terms) will only be activated following the Photographers opt-in consent and enabling of the feature and providing End User and Non-Users with notices (or, where applicable, the Photographer's opt-in on the End User's behalf in accordance with applicable law); (ii) The AI Photo Search feature is disabled by default and shall only be activated upon the Photographer's explicit opt-in. Where End User, or Non-User wish to opt-out, the Photographer shall inform Pic-Time and Pic-Time shall comply with such request without undue delay; (iii) Pic-Time does not sell, lease, trade, profit from, or otherwise provide consideration for Biometric Identifiers or Biometric Data. Pic-Time shall not use Biometric Data for any commercial purpose beyond the performance of the Services as described in this DPA and the Agreement; (iv) Pic-Time does not disclose, redisclose, or disseminate Biometric Identifiers or Biometric Data to any third party and does not and will not use the information to identify an individual. It shall be clarified that accounts deemed “Sensitive Galleries” may not enable these features.

3. PROCESSING OF PERSONAL DATA

  1. Pic-Time represents and warrants that it shall Process Customer Data, on behalf of the Customer, solely for the purpose of providing the Service, all in accordance with Customer’s Instructions under the Agreement and this DPA. Notwithstanding the above, in the event Pic-Time is required under applicable laws, including Data Protection Law or any union or member state regulation, to Process Customer Data other than as instructed by Customer, Pic-Time shall make reasonable efforts to inform the Customer of such requirement prior to Processing such Customer Data, unless prohibited under applicable law.  
  2. Pic-Time hereby certifies it understands the rules, requirements and definitions under applicable Data Protection Laws, and shall not: (i) Sell or Share the Customer Data; (ii) retain, use or disclose the Customer Data for any purpose other than for a Business Purpose specified in the Agreement; (iii) receive or Process any Personal Information as consideration for any Services it provides to the Customer; or (iv) combine the Customer Data with other Personal Data that it receives from, or on behalf of another customer.
  3. Pic-Time shall comply with the requirements set forth under applicable Data Protection Laws with regard to the processing of de-identified data.
  4. Pic-Time shall inform Customer without undue delay in the event that, according to Pic-Time’s reasonable discretion, any of Customer’s Instructions infringes applicable laws, and Pic-Time shall have the right to immediately cease and suspend any such Processing activity related to the infringing Instruction.
  5. Pic-Time shall notify the Customer if it determines that it can no longer meet its obligations under this DPA or applicable Data Protection Law.
  6. Pic-Time shall provide reasonable cooperation and assistance to the Customer in ensuring compliance with its obligation to carry out data protection impact assessments and prior consultations with Supervisory Authorities or other competent data privacy authorities to the extent required under applicable Data Protection Laws (including data protection impact assessments and consultations with regulatory authorities), provided that Pic-Time shall only be required to assist as for information which is reasonably available to Pic-Time.
  7. Where applicable, Pic-Time shall assist the Customer in ensuring that Customer Data Processed is accurate and up to date, by informing the Customer without delay if it becomes aware of the fact that the Customer Data it is processing is inaccurate or has become outdated.
  8. Pic-Time shall ensure: (i) the reliability of its staff and any other person acting under its supervision who may come into contact with, or otherwise have access to and Process Customer Data; and (ii) that persons authorized to Process the Customer Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

4. DATA SUBJECTS RIGHTS AND LEGAL REQUEST

  1. It is agreed that where Pic-Time receives a request from a Data Subject for exercising a Data Subject’s rights or from an applicable authority in respect of Customer Data, where applicable, Pic-Time will notify the Customer of such request without undue delay and direct the Data Subject or the applicable authority to the Customer in order to enable the Customer to respond directly to the Data Subject’s or the applicable authority’s request, unless otherwise required under applicable laws.
  2. Parties shall provide each other with commercially reasonable cooperation and assistance in relation to the handling of and responding to a Data Subject’s or applicable authority’s request, to the extent permitted under Data Protection Law, including such request under the Data Privacy Framework. Pic-Time shall provide Customer with the cooperation and assistance mentioned above, provided that the Customer cannot reasonably fulfill such obligations independently with the help of information available in the documentation, the website, or any other self-service feature provided by Pic-Time.

5. SUB-PROCESSING

  1. The Customer provides general authorization for Pic-Time to engage third party data Processors (“Sub-Processor”) to Process Customer Data. The Customer specifically authorizes Pic-Time to engage and appoint such Sub-Processors as listed in Annex III, to Process Customer Data, as well as permits each Sub-Processor to appoint a Sub-Processor on its behalf.
  2. Pic-Time may engage an additional or replace an existing Sub-Processor to Process Customer Data, subject to the provision of thirty (30) days' prior notice of its intention to do so to the Customer (such notice can be provided through the Customer account or through email correspondence) (“Notice” and “Notice Period” respectively). In case the Customer has not objected to the adding or replacing of a Sub-Processor within the Notice Period, such Sub-Processor shall be deemed approved by the Customer. In the event the Customer objects to the adding or replacing of a Sub-Processor within such Notice Period, Pic-Time may, at Pic-Time's sole discretion, suggest the engagement of a different Sub-Processor for the same course of services, or otherwise enable the Customer to terminate the Agreement where the Services cannot be reasonably provided under such circumstances, without liability to Customer.
  3. Pic-Time shall, where it engages any Sub-Processor, impose, through a legally binding contract between Pic-Time and the Sub-Processor, data protection obligations that are no less onerous than, and provide at least the same level of protection as, those set out in this DPA. Pic-Time shall ensure that such contract will require the Sub-Processor to provide sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the Processing will meet the requirements of Data Protection Laws. Sub-processors shall be obligated, contractually, to reasonably cooperate with Pic-Time, the Customer or an applicable regulatory authority in the event of an investigation or Security Incident.  
  4. Pic-Time shall remain responsible to the Customer for the performance of the Sub-Processor’s obligations in accordance with this DPA.

6. TECHNICAL AND ORGANIZATIONAL MEASURES

  1. Taking into account the state of the art, the costs of implementation and the nature, scope, context, and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, and without prejudice to any other security standards agreed upon by the parties, Pic-Time shall protect the security, confidentiality, integrity and availability of Customer Data and protect it against Security Incident.
  2. Current technical and organizational measures implemented and maintained by Pic-Time are further detailed in Annex II to this DPA, as updated from time to time (provided that any such amendments will not have a material negative effect on the level of protection provided to Customer Data).

7. SECURITY INCIDENT

  1. Pic-Time will notify the Customer without undue delay, no later than 72 hours, upon becoming aware of any Security Incident involving the Customer Data. Pic-Time’s notification regarding or response to a Security Incident under Section 7 shall not be construed as an acknowledgment by Pic-Time of any fault or liability with respect to the Security Incident.
  2. Pic-Time will: (i) take reasonably necessary steps to remediate, minimize any effects of and investigate any Security Incident and to identify its cause; (ii) upon Customer request, co-operate with the Customer and provide the Customer with such reasonable assistance and information in connection with the containment, investigation, remediation or mitigation of the Security Incident, including, where applicable,  obligation to notify the affected Data Subjects. Upon Customer’s request and taking into account the nature of the Processing and the information available to Pic-Time, Pic-Time will provide a report or written notice detailing the Security Incident, the affected Personal Data and Data Subjects.

8. AUDIT RIGHTS

  1. Pic-Time shall maintain accurate written records of any and all the Processing activities of any Customer Data carried out under this DPA its compliance with its obligations under this DPA, and shall make such records available to the Customer upon Customer’s thirty (30) days prior written request, however no more than once per twelve (12) months of engagement (“Audit Reports”). A summary of the ISO27001/ISO27701 certification, SOCII report or recent penetration tests, as well as information provided through Customer’s questionnaire shall be defined as a sufficient Audit Report. The Audit Report provided shall be considered Pic-Time’s Confidential Information and shall be subject to the corresponding confidentiality obligations under the Agreement or require signing a non-disclosure agreement.  
  2. In the event the Audit Report is reasonably determined as not sufficient for the purpose of demonstrating compliance, Pic-Time shall make available, solely upon prior reasonable written notice and no more than once per calendar year, to a reputable auditor nominated by the Customer, information necessary to reasonably demonstrate compliance with this DPA or where required by Applicable Data Protection Law or an applicable authority, and shall allow for audits, including inspections, by such reputable auditor solely in relation to the Processing of the Customer Data (“Audit”) in accordance with the terms and conditions hereunder. The auditor shall be subject to standard confidentiality obligations (including third parties). Pic-Time may object to an auditor appointed by the Customer in the event Pic-Time reasonably believes the auditor is not suitably qualified or is a competitor of Pic-Time. Customer shall bear all expenses related to the Audit and shall (and ensure that each of its auditors shall) over the course of such Audit, ensure that the Audit is conducted during regular business hours, and avoid causing any damage, injury or disruption to Pic-Time’s premises, equipment, personnel and business while its personnel are on those premises in the course of such Audit. Pic-Time shall agree to an Audit solely under the following terms: (i) a thirty (30) day prior written notice was provided; and (ii) restrict its findings to only to information relevant to Customer Data or an applicable Security Incident.
  3. Nothing in this DPA will require Pic-Time to either disclose to Customer or its third-party auditor, or to allow Customer or its third-party auditor to access: (i) any data of any other Pic-Time’s customer or Pic-Time’s internal data including without limitation data processed in Pic-Time’s role as a Controller; (ii) Pic-Time’s internal accounting or financial information; (iii) any trade secret of Pic-Time or its Affiliates; (iv) any information that, in Pic-Time’s reasonable opinion, could compromise the security of any Pic-Time’s systems or cause any breach of its obligations under applicable law or its security, privacy or confidentiality obligations to any third party; or (v) any information that Customer or its third-party auditor seeks to access for any reason other than the good faith fulfillment of Customer’s obligations under the Data Protection Laws. No access to any part of Pic-Time’s IT systems or infrastructure (including, without limitation, any hands-on or intrusive testing) will be permitted.

9. CROSS BORDER PERSONAL DATA TRANSFERS

  1. Pic-Time participates in and certifies compliance with the Data Privacy Framework. As required by the Data Privacy Framework, Pic-Time (i) provides at least the same level of privacy protection as is required by the Data Privacy Framework Principles; (ii) will notify Customer if Pic-Time makes a determination it can no longer meet its obligation to provide the same level of protection as is required by the Data Privacy Framework Principles, and (iii) will, upon written notice, take reasonable and appropriate steps to remediate any unauthorized Processing of Personal Data.
  2. Customer acknowledges and agrees that for the provision of the Services, Pic-Time may Process, including transfer, Customer Data to various jurisdictions where Pic-Time, its affiliates or Sub-Processors operate. Pic-Time will ensure that transfers are made in compliance with Data Protection Laws.
  3. Where European Data Protection Laws apply:
    1. Pic-Time will not transfer Customer Data originating from the EEA, the UK or Switzerland, to any country or recipient not recognized as providing an adequate level of protection for such Personal Data (within the meaning of the European Data Protection Law), unless it first takes all such measures as are necessary to ensure the transfer is in compliance with applicable Data Protection Laws. Such measures may include (without limitation) (i) transferring such Customer Data to a recipient that is covered by a suitable framework or other legally adequate transfer mechanism recognized by the relevant authorities or courts as providing an adequate level of protection for Personal Data, including to an Adequate Country or data privacy and transfer frameworks; (ii) to a recipient that has achieved binding corporate rules authorization in accordance with applicable Data Protection Law; or (iii) to a recipient that has executed the Standard Contractual Clauses.
    2. When Customer and Pic-Time, or Pic-Time and or its Sub-Processor rely on the Standard Contractual Clauses to facilitate a transfer to a third country the following shall apply:
      1. For Transfer of Customer Data from the EEA  the EU SCC shall apply and completed as follows:  (1) Module II (Controller to Processors) or Module III (Processor to Processor) will apply; (2) In Clause 7 the optional docking clause will not apply; (3) In Clause 9, option 2 (general written authorization) shall apply for the Sub-Processors listed under Annex III and the method for appointing Sub-Processor shall be as set forth in the Sub-Processing Section of the DPA; (4) In Clause 11, the optional language will not apply, and Data Subjects shall not be able to lodge a complaint with an independent dispute resolution body; (5) In Clause 17, option 1 shall apply, and the EU SCC shall be governed by the law of the Republic of Ireland; (6) In Clause 18(b) the parties choose the competent courts of the Republic of Ireland, as their choice of forum and jurisdiction; (7) Annex I(A) of the EU SCC is completed as follows: Customer is the Data Exporter, Pic-Time is the Data Importer, the parties’ contact details are as completed under the Agreement; Annex I(B) of the EU SCC is completed as set out in Annex I of this DPA; Annex I(C) of the EU SCC shall identify the competent supervisory authority/ies as the supervisory authority Republic of Ireland; (8) Annex II of the EU SCC is deemed completed with the information set out in Annex II of this DPA; (9) Annex III of the EU SCC shall be completed with the list of Sub-Processors set out in Annex III of this DPA.
      2. For the transfer of Customer Data from the UK,  the UK SCC shall apply and be completed as follows:  (1) Table 1 shall be completed as set forth in section (7) above; (2) Table 2 shall be completed as set forth in Section (1) – (4) above; (3) Table 3 shall be completed as follows: Annex 1A shall be completed with relevant information as set out in Section (i)(7) above; Annex 1B  shall be completed with relevant information as set out in Annex I of this DPA; Annex II shall be completed with relevant information as set out in Annex II of this DPA; Annex III shall be completed with the list of sub-processors set out in Annex III of this DPA; (4) Table 4 shall be completed with the “neither party” option; and (5) Any conflict between the terms of the EU SCC and the UK SCC will be resolved in accordance with Section 10 and Section 11 of the UK SCC.
      3. For transfer of Customer Data from Switzerland, the Swiss SCC shall apply in with following modifications (i) references to "Regulation (EU) 2016/679" will be interpreted as references to the Swiss DPA; (ii) references to "EU", "Union" and "Member State law" will be interpreted as references to Swiss law; and (iii) references to the "competent supervisory authority" and "competent courts" will be replaced with the "the Swiss Federal Data Protection and Information Commissioner " and the "relevant courts in Switzerland".

10. TERM, TERMINATION AND CONFLICT

  1. This DPA shall be effective as of the Effective Date (as defined in the Agreement) and shall remain in force until the Agreement terminates or as long as Pic-Time Processes Customer Data.
  2. Pic-Time shall be entitled to terminate this DPA or cease the Processing of Customer Data in the event that the Processing of Customer Data under the Customer’s Instructions or this DPA infringes applicable legal requirements, provided Customer does not provide updated Instructions to cure such infringement within ten (10) days from receiving applicable notice from Pic-Time. Alternatively, Pic-Time may, in its sole discretion, suspend the Processing of the Customer Data until such infringement is cured without liability to the Customer and without prejudice to any fees incurred by Customer prior to the suspension date.
  3. Following the termination or expiration of this DPA, Pic-Time shall, at the choice of the Customer, delete or return all Customer Data Processed on behalf of the Customer and certify to the Customer that it has done so. Until the Customer Data is deleted or returned, the parties shall continue to ensure compliance with this DPA. Customer’s choice shall be provided in writing to Pic-Time, following effect of termination. Notwithstanding the foregoing, Pic-Time may retain Customer Data (i) as required by applicable laws; or (ii) in accordance with its standard backup or record retention policies, provided that, in either case, Pic-Time will maintain the confidentiality of, and otherwise comply with the applicable provisions of this DPA with respect to retained Customer Data and not further Process it except for those purposes that justify further retention of Customer Data.
  4. In the event of a conflict between the terms and conditions of this DPA and the Agreement, this DPA shall prevail. For the avoidance of doubt, in the event Standard Contractual Clauses have been executed between the parties, the terms of the Standard Contractual Clauses shall prevail over those of this DPA.

ANNEX I

DETAILS OF PROCESSING

This Annex includes certain details of the Processing of Customer Data as required under the Data Protection Laws.

Categories of Data Subjects Customer; Authorized Users; End User; Non-Users appearing in photographs.
‍Categories of Personal Data End User data, (1) contact information; (2) photographs or videos; and (3) Face Data. Customer data, (1) contact information (when applicable), log data (accessing the system); (2) all images, photos and galleries unloaded; (3) contacts Customer provide will using the platform’s CRM. Non users data, (1) photograph or videos (when applicable, if they appear); and (2) Face Data (when applicable).
‍Special Categories of Personal Data:
 Nude End User photographs, if any. Child End User photographs, if any. Biometric Identifiers or Biometric Data, if any.
‍Nature of the processing ‍Collection, storage, organization, communication, transfer, host and other uses in performance of the Services as set out in the Agreement.
‍Purpose(s) of Processing ‍To provide the Services.
‍Retention Period ‍For as long as is necessary to provide the Services by Pic-Time; provided there is no legal obligation to retain the Customer Data post termination or unless otherwise requested by the Customer.

‍Process Frequency ‍Continuous basis.

ANNEX II

TECHNICAL AND ORGANIZATIONAL MEASURES

The following description reviews the technical and organizational measures implemented by Pic-Time as a Processor of Customer Data, to ensure an appropriate level of security, considering the nature, scope, context and purpose of the Processing, and the risks for the rights and freedoms of natural persons.

As part of our data protection compliance process, Pic-Time has implemented technical, physical and administrative security measures to protect its Customer Data as explained below.

The security objectives of Pic-Time are identified and managed to maintain a high level of security and consist of the following (concerning all data assets and systems):

  • Availability – information and associated assets should be accessible to authorized users when required. The computer network must be resilient. Pic-Time will detect and respond rapidly to incidents (such as viruses and other malware) that threaten the continued availability of assets, systems, and information.
  • Confidentiality – ensuring that information is only accessible to those authorized to access it, on a need-to-know-basis.
  • Integrity – safeguarding the accuracy and completeness of information and processing methods and therefore requires preventing deliberate or accidental, partial or complete, destruction, or unauthorized modification, of electronic data.

System Access Control

Access to Pic-Time’s database is highly restricted in order to ensure that only the relevant personnel who have received prior approval can access the database. Pic-Time has also implemented appropriate safeguards related to remote access and wireless computing capabilities. Employees are assigned private passwords that allow strict access or use to Customer Data, all in accordance with such employee’s position, and solely to the extent such access or use is required. There is constant monitoring of access to the Customer Data and the passwords used to gain access. Pic-Time uses automated tools to identify non-human login attempts and rate-limiting login attempts to minimize the risk of a brute force attack.

Physical Access Control

Pic-Time ensures the protection of the data servers which store the Customer Data from unwanted physical access. Customer Data is stored on Microsoft Azure's servers, AWS servers, and MongoDB’s servers which are located in the EU, the US and Australia. Please see Azure’s security measures HERE, AWS security measures HERE, and MongoDB’s security measures HERE. When the Customer Data is transferred to the applicable servers it is always done in a secure and encrypted manner, encryption by default, at rest and in transit. Pic-Time also secures physical access to its offices by ensuring that only authorized individuals such as employees and authorized external parties (maintenance staff, visitors, etc.) can access Pic-Time's offices by using security locks and an alarm system, amongst other measures as well.

Data Access Control

User authentication measures have been put in place in order to ensure that access to Customer Data is restricted solely to those employees who have been given permission to access it and to ensure that the Customer Data is not accessed, modified, copied, used, transferred or deleted without specific authorization for such actions to be done. Any access to Customer Data, as well as any action performed involving the use of Customer Data requires a password and username, which is routinely changed, as well as blocked when applicable.

Each employee can perform actions solely in accordance with the permissions granted to them by Pic-Time. Each access is logged and monitored, and any unauthorized access is automatically reported. Furthermore, Pic-Time conducts ongoing reviews of employees who have been authorized to access Customer Data to assess whether such access is still required. Pic-Time revokes access to Customer Data immediately upon termination of employment. Authorized individuals can only access Customer Data located in their individual profiles.

Organizational and Operational Security

Pic-Time invests significant effort and resources into ensuring compliance with its security policies and practices, including by continuously providing employees with training regarding such security policies and practices. Pic-Time strives to raise awareness regarding the risks involved in the Processing of Customer Data. In addition, Pic-Time has implemented applicable safeguards for its hardware and software, including installing firewalls and anti-virus software on applicable Pic-Time hardware and software, in order to protect against malicious software.

Transfer Control

All transfers of Customer Data from Pic-Time to its Sub-Processors are protected using encryption safeguards, including the encryption of the Customer Data prior to the transfer of any Customer Data.

Availability Control

Pic-Time maintains backup policies and associated measures. Such backup policies include permanent monitoring of operational parameters as relevant to the backup operations. Furthermore, Pic-Time’s servers include an automated backup procedure. Pic-Time also conducts regular controls of the condition and labelling of data storage devices for data security. Pic-Time ensures that regular checks are carried out to determine whether it is possible to undo the backup, as required and applicable. Notwithstanding the above, Pic-Time does not provide any back up services and it is Customer's sole responsibility to back up Customer Data.

Data Retention

Customer Data is retained for as long as needed for us to provide our Services or as required under applicable laws.

Job Control, Third-Party Contractors, and Service Providers

All Pic-Time’s employees are required to carry out an employment agreement which includes confidentiality provisions as well as applicable provisions binding them to comply with applicable data security practices. In the event of a breach of an employee’s obligation or non-compliance with Pic-Time’s policies, Pic-Time implements certain repercussions in order to ensure compliance with Pic-Time’s policies. In addition, prior to Pic-Time's engagement with Sub-Processor, Pic-Time undertakes diligence reviews of such Sub-Processor. Pic-Time ensures that it enters into data protection agreements with all its Customers and Sub-Processors.

Data Subject Request

Pic-Time has an online mechanism to enable individuals to submit a data subject request (“DSR”), furthermore, Pic-Time has implemented internal policies to handle DSRs, subject to applicable data protection laws and contractual obligations.

Contractual Obligations

Pic-Time has ensured all documents, including without limitations, agreements (including online agreements) and privacy policies are compliant with applicable Data Protection Laws, including, by implementing Data Processing Agreements and where needed Standard Contractual Clauses.



Additional Safeguards for US Transfers

  1. Measures and assurances regarding U.S. government surveillance have been implemented by Pic-Time, and Pic-Time agrees and hereby represents it maintains the following additional safeguards:
  2. Pic-Time maintains industry standard measures to protect the Customer Data from interception (including in transit from Customer to Pic-Time and between different systems and services). This includes maintaining encryption in transit and at rest.
  3. As of the "Last Updated" date stated above, Pic-Time has not received any national security orders.
  4. No court has found Pic-Time to be: (i) the type of entity eligible to receive process issued under section 702 of the United States Foreign Intelligence Surveillance Court (“FISA”); (ii) an “electronic communication service provider” within the meaning of 50 U.S.C § 1881(b)(4) or a member of any of the categories of entities described within that definition.
  5. In the event that FISA applies to Pic-Time, Pic-Time will make reasonable efforts to resist, subject to applicable laws, any request for bulk surveillance relating to the Customer Data, including (if applicable) under Section 702 of FISA.
  6. If Pic-Time becomes aware of any law enforcement agency or other governmental authority (“Authority”) attempt or demand to gain access to or receive a copy of the Customer Data (or part thereof), whether on a voluntary or a mandatory basis, then, unless legally prohibited or under a mandatory legal compulsion that requires otherwise, Pic-Time shall: (i) inform the relevant Authority that Pic-Time is a Processor of the Customer Data and that the Customer, as the Controller, has not authorized Pic-Time to disclose the Customer Data to the Authority; (ii) inform the relevant Authority that any and all requests or demands for access to Customer Data should be directed to or served upon Customer in writing; and (iii) use reasonable legal mechanisms to challenge any such demand for access to Customer Data.
  7. Notwithstanding the above, if, taking into account the nature, scope, context and purposes of the related Authority’s intended access to Customer Data, Pic-Time has a reasonable and good-faith belief that urgent access is necessary to prevent an imminent risk of serious harm to any individual or entity, these subsections shall not apply. In such event, Pic-Time shall notify Customer, as soon as possible, following the access by the Authority, and provide Customer with relevant details, unless and to the extent legally prohibited to do so.
  8. Pic-Time will inform the Customer, upon written request (and not more than once a year), of the types of binding legal demands for Customer Data Pic-Time has received and complied with, including demands under national security orders and directives, specifically including any process under Section 702 of FISA.

ANNEX III

LIST OF SUB-PROCESSORS

NAME DESCRIPTION OF THE PROCESSING TERRITORY WEBSITE
MICROSOFT Cloud Hosting Services USA https://powerbi.microsoft.com/en-us/
MONGODB, INC. Cloud Hosting Services USA https://www.mongodb.com/
TAXJAR Store Sales tax calc and reporting USA https://www.taxjar.com/
MONDAY.COM Tasks Management ISRAEL https://monday.com/
ADOBE licenses Creative Cloud USA https://www.adobe.com/il_en/
SLING Shifts Scheduler USA https://getsling.com/
DOCUSIGN Electronic signing contracts, documents. USA https://www.docusign.com/
TWILIO INC. System Email/SMS Messages [only photographers] USA https://www.twilio.com/
SQUARESPACE INC. Hosts our Pic-Time Blog USA https://www.squarespace.com/
STRIPE, INC. Online Payment Processing Services - send electronic payments for clients, for Credit Card payments USA, EU IRELAND https://stripe.com/
BLOCK, INC. Payment Processing Platform USA, CANADA, JAPAN AND THE EU https://squareup.com/us/en
(FORMALLY KNOWN AS SQUARE)
PAYPAL, INC. Payment Processing Platform USA https://www.paypal.com/
GOOGLE PLATFORMS LLC Streaming Video channel [only photographers]   https://www.youtube.com/
LINKTREE Social Media Links [only photographers] AUSTRALIA  
INTUIT, INC. (MAILCHIMP) Email Marketing [only photographers] USA https://mailchimp.com/
INTERCOM Human chat and ticket support, USA https://www.intercom.com/
Product tour guides,
Engagement emails (photographers)
OPENAI AI text generation for photographers's blogs or emails USA https://openai.com/
FACEBOOK / META [INSTAGRAM] Facebook statistics and forms, including Ad's customizing system, by Facebook Pixel. [only photographers] USA https://www.facebook.com/
VIMEO.COM, INC. Video Marketing Platform [only photographers] USA https://vimeo.com/
PINTEREST American image sharing and social media service designed to enable saving and discovery of information [only photographers] USA https://www.pinterest.com/
BABLIC LTD. Translation Services for Website [only photographers] ISRAEL https://www.bablic.com/
MYFONTS Fonts [only photographers] USA https://www.myfonts.com/
FIGMA INC. Product Design [only photographers] USA https://www.figma.com/
USERCENTRICS A/S a tool that helps websites comply with global data privacy laws like GDPR and CCPA by automatically detecting, categorizing, and managing cookies and trackers DENMARK https://www.cookiebot.com/
ENTRI, LLC Suite of APIs to simplify the process of configuring, purchasing, and managing custom domains for other software applications USA https://www.entri.com/
GOOGLE LLC. Suite of cloud computing services from Google, offering infrastructure (IaaS), platforms (PaaS), and serverless solutions for computing, storage, networking, data analytics, and machine learning, running on Google's own global infrastructure, USA https://cloud.google.com/
HOTJAR LTD. UX platform that helps businesses understand how visitors interact with their website or app by combining behavior analytic MALTA https://www.hotjar.com/
IPQUALITYSCORE LLC A real-time threat intelligence and fraud prevention platform that assesses the risk of digital interactions by analyzing IP addresses, emails, phone numbers, and devices to detect malicious behavior, bots, and fake users USA https://www.ipqualityscore.com/
3T SOFTWARE LABS LIMITED Comprehensive graphical user interface (GUI) and Integrated Development Environment (IDE) for MongoDB, UK https://studio3t.com/
TRICENTIS ISRAEL LTD. Provider of AI-powered software quality and test automation platforms ISRAEL https://www.testim.io/
GURU TECHNOLOGIES, INC AI-powered knowledge management platform USA https://www.getguru.com/
SALESFORCE, INC. Cloud Platform as a Service (PaaS) that lets developers easily build, run, and scale modern applications without managing servers or infrastructure USA https://www.heroku.com/
HELIOM INC. A collaborative email and messaging app for teams USA https://missiveapp.com/
NOTION LABS, INC. All-in-one digital workspace that combines notes, docs, project management, and wikis into a single, highly customizable platform USA https://www.notion.com/
OUTWORK, INC. Software platform that helps businesses create, manage, and launch branded online directories to showcase their technology and service partners USA https://www.partnerpage.io/
ZAPIER, INC. A no-code/low-code platform that automates repetitive tasks and workflows between different web applications USA https://zapier.com/
CODERABBIT, INC. An AI-powered code review platform that automates feedback on pull requests (PRs) in Git repositories like GitHub and GitLab USA https://www.coderabbit.ai/
PROGRESS SOFTWARE CORPORATION A modern, cross-platform web debugging proxy for Windows, macOS, and Linux USA https://www.telerik.com/fiddler/fiddler-everywhere
MOBBIN PTE. LTD. A massive, curated online library of real-world UI/UX design patterns and screenshots from popular mobile apps and websites SINGAPORE https://mobbin.com/
AGORAPULSE SAS A comprehensive social media management platform that helps businesses, agencies, and teams streamline content scheduling, engagement, monitoring, and reporting across multiple social media channels in a single dashboard FRANCE https://www.agorapulse.com/
WOICE D.O.O. A native A/B testing and conversion optimization platform built specifically for {Link: Webflow users}, enabling them to run experiments (A/B, split, multivariate tests) to understand user behavior and boost conversions without complex coding SLOVENIA https://www.optibase.io/
REPLY APP INC. An AI-powered, all-in-one sales engagement platform USA https://reply.io/
TYPEFORM SL A user-friendly, web-based platform for creating interactive and engaging online forms, surveys, quizzes, and apps SPAIN https://www.typeform.com/
HERTZA L.L.C. a leading email validation and deliverability platform that helps businesses clean their email lists by identifying and removing invalid, risky, or inactive email addresses USA https://www.zerobounce.net/
SHARONI MANAGEMENT SERVICES LTD An accounting software designed to help businesses manage bookkeeping, invoices, expenses, and financial reporting. ISRAEL https://www.conto.co.il/index_.htm
ATLASSIAN PTY LTD A popular video messaging platform for async communication AUSTRALIA https://www.loom.com/
INTUIT, LTD. An accounting software by Intuit for small to medium-sized businesses, USA https://quickbooks.intuit.com/global/
LIRAM SOFTWARE FOR PROFESSIONALS LTD An accounting software. ISRAEL https://liram.co.il/
GREEN INVOICE LTD Online invoicing system ISRAEL https://www.greeninvoice.co.il/
DATABRICKS INC. Open analytics platform USA https://www.databricks.com/
BRAZE, INC. Customer engagement platform USA https://www.braze.com/
WM G ATKINS PTY LTD Photograph and Product Development AUSTRALIA https://www.atkins.com.au/
TRADING AS ATKINS PHOTO LAB, ATKINS PRO, AND ATKINSTECHNICOLOUR
BAY PHOTO, LLC Photograph and Product Development USA https://bayphoto.com/
DEKORA ALBUM CORPORATION Photograph and Product Development USA https://dekoraalbum.com/
DIALAB OY Photograph and Product Development EU https://www.dialab.com/
DIGITALAB LTD Photograph and Product Development UK https://www.digitalab.co.uk/
DUTCH INK ALBUMS B.V. Photograph and Product Development EU https://dutchinkalbums.com/en/
FLORIANO DA COSTA & GAVINA LDA. Photograph and Product Development PORTUGAL https://floricolor.com/
FOLIO ALBUMS LTD. Photograph and Product Development USA https://www.folioalbums.com/
GTA IMAGING INC. Photograph and Product Development CANADA https://gtaimaging.com/
VIDEOPHOTOGRAPHICA DI LUCA BUONGIORNO Photograph and Product Development EU https://www.gicleeart.it/
HENLEY ALBUMS LTD Photograph and Product Development UK https://www.henleyalbums.com/
INDIE PRINT COMPANY Photograph and Product Development USA https://indieprintco.com/
KISS WEDDING BOOKS, LLC Photograph and Product Development USA https://www.kiss.us/
PHOTOLOX LTD TRADING AS LOXLEY COLOUR Photograph and Product Development USA, UK https://www.loxleycolour.com/
MATISSEO Photograph and Product Development EU https://www.matisseo.com/
MILLER'S PROFESSIONAL IMAGING CO. Photograph and Product Development USA https://www.millerslab.com/
MUSEA LLC Photograph and Product Development USA https://www.musealab.com/
NATIONS PHOTO LAB LLC, A MARYLAND LIMITED LIABILITY COMPANY Photograph and Product Development USA https://www.nationsphotolab.com/
ONE VISION IMAGING LIMITED Photograph and Product Development UK https://www.onevisionimaging.com/
SNAPCHAI PRODUCTIONS PRIVATE LIMITED Photograph and Product Development INDIA https://oodio.net/
CYFROWA FOTO SP. Z O.O. Photograph and Product Development EU, UK, USA https://nphoto.com/en
PIKTO INC. Photograph and Product Development CANADA https://www.pikto.com/
RAMVERKSTADEN ONLINE SWEDEN AB Photograph and Product Development EU https://printsbydkj.se/
PROFOTONET B.V. Photograph and Product Development EU https://www.profotonet.com/en/
QTALBUMS MARCIN BITTNER Photograph and Product Development EU, USA, UK https://www.qtalbums.com/
REDTREE DESIGN, LLC. Photograph and Product Development USA https://www.redtreealbums.com/
RICHARD PHOTO LAB, INC. Photograph and Product Development USA https://richardphotolab.com/?srsltid=AfmBOoqWhx-EMsfu-KTSwxT5plLdVZYCS7cxvtg-znnH4ZIqeO0lZ-FO
SIM 2000 IMAGING LTD Photograph and Product Development UK https://www.simimaging.co.uk/
SELDEX ARTISTIC ALBUMS Photograph and Product Development AUSTRALIA https://seldex.com.au/
SNAPALBUMS MARCIN BITTNER UL. Photograph and Product Development POLAND https://snapalbums.pl/
WHITE HOUSE CUSTOM COLOUR, LP Photograph and Product Development USA https://www.whcc.com/
WOODEN BANANA MAREK PACURA Photograph and Product Development POLAND https://www.woodenbanana.com/