Data Processing Agreement

Last updated: September 18th, 2025

1. Definitions and Interpretation

This Data Processing Agreement ("DPA") is entered into between MALCOMSON BROTHERS LIMITED ("Data Processor", "Processor", "we", "us", or "our") and the customer ("Data Controller", "Controller", "you", or "your") using BlurrySelfie's AI photo generation services.

1.1 Definitions

In this DPA:

  • "Personal Data" means any information relating to an identified or identifiable natural person, including photographic images
  • "Processing" means any operation performed on Personal Data, including storage, modification, and AI-based image generation
  • "Data Subject" means the individual whose Personal Data is processed (e.g., persons in uploaded photos)
  • "Sub-processor" means any third party engaged by the Processor to process Personal Data
  • "Data Protection Laws" means GDPR, UK GDPR, CCPA, and any applicable data protection legislation
  • "Security Incident" means any breach of security leading to accidental or unlawful destruction, loss, alteration, or unauthorised disclosure of Personal Data
  • "Image Data" means photographs uploaded by users and AI-generated images created by our Service

2. Scope and Application

2.1 Relationship of the Parties

The parties acknowledge that with regard to the Processing of Personal Data, the Controller is the data controller, the Processor is the data processor, and the Processor will engage Sub-processors pursuant to the requirements set forth in this DPA.

2.2 Incorporation into Terms

This DPA supplements and forms part of the Terms of Service between the parties. In case of conflict between this DPA and the Terms of Service regarding Personal Data processing, this DPA shall prevail.

2.3 Duration

This DPA shall remain in effect for as long as the Processor processes Personal Data on behalf of the Controller under the Terms of Service.

3. Details of Processing

3.1 Nature and Purpose of Processing

Nature: AI-powered photo processing and generation services including:

  • Receipt and storage of uploaded photographs
  • AI analysis and processing of facial features and image characteristics
  • Generation of new images based on uploaded photos and selected scenarios
  • Temporary storage and delivery of generated images

Purpose: To provide AI photo generation services as requested by the Controller

3.2 Categories of Data Subjects

  • Controller's employees, contractors, or agents
  • Controller's customers or users
  • Individuals whose images are uploaded with proper consent
  • Any other individuals identified by the Controller

3.3 Types of Personal Data

  • Photographic images containing faces and physical appearance
  • Biometric data derived from photos for AI processing
  • Names and email addresses (if provided)
  • Account and authentication information
  • Usage data and generation history
  • Payment information (processed by Sub-processors)

3.4 Duration of Processing

  • Uploaded Photos: Deleted immediately after AI generation is complete (typically within 24 hours)
  • Generated Images: Retained for Controller's access unless deletion is requested
  • Account Data: Retained for the duration of the account plus statutory retention periods
  • Backups: Deleted within 90 days of primary deletion

4. Processor's Obligations

4.1 General Obligations

The Processor shall:

  • Process Personal Data only on documented instructions from the Controller
  • Ensure that persons authorised to process Personal Data have committed to confidentiality
  • Implement appropriate technical and organisational measures to ensure data security
  • Not transfer Personal Data outside the EEA without appropriate safeguards
  • Assist the Controller in responding to Data Subject requests
  • Assist the Controller in ensuring compliance with security and breach notification obligations
  • Delete or return all Personal Data at the end of the service provision
  • Make available all information necessary to demonstrate compliance

4.2 Data Security Measures

The Processor implements the following security measures:

  • Encryption: TLS 1.3 for data in transit, AES-256 for data at rest
  • Access Control: Role-based access, multi-factor authentication, principle of least privilege
  • Infrastructure: Secure cloud infrastructure with SOC 2 certified providers
  • Monitoring: 24/7 security monitoring, intrusion detection, and audit logging
  • Incident Response: Documented incident response procedures and breach notification protocols
  • Employee Training: Regular security and privacy training for all staff
  • Vulnerability Management: Regular security assessments and penetration testing
  • Data Minimisation: Automatic deletion of uploaded photos after processing

4.3 Specific Obligations for Image Processing

For photographic and biometric data, the Processor shall:

  • Process facial recognition data solely for image generation purposes
  • Not use uploaded photos to train AI models without explicit consent
  • Implement measures to prevent generation of prohibited content
  • Ensure secure deletion of temporary processing data
  • Maintain audit logs of all image processing activities

5. Controller's Obligations

The Controller shall:

  • Ensure it has all necessary legal bases for Processing Personal Data
  • Obtain all required consents from Data Subjects for photo uploads
  • Ensure uploaded photos do not violate third-party rights
  • Provide clear and lawful processing instructions
  • Comply with all applicable Data Protection Laws
  • Not upload photos of minors without proper parental consent
  • Ensure users are informed about AI processing of their images
  • Maintain records of processing activities as required by law

6. Sub-processing

6.1 Authorised Sub-processors

The Controller provides general authorisation for the Processor to engage the following Sub-processors:

  • Hetzner - Cloud infrastructure and storage (Location: Germany/EU)
  • Cloudflare - Content delivery and DDoS protection (Location: Global)
  • Stripe - Payment processing (Location: EU/US)
  • SendGrid/Postmark - Transactional email services (Location: EU/US)
  • AI Model Providers - Image generation services (Location: EU/US)

6.2 Sub-processor Requirements

The Processor shall:

  • Impose data protection obligations on Sub-processors equivalent to those in this DPA
  • Remain fully liable for Sub-processor performance
  • Notify the Controller of any intended changes to Sub-processors
  • Provide 30 days for the Controller to object to new Sub-processors
  • Ensure appropriate safeguards for international transfers

6.3 Objection to Sub-processors

If the Controller objects to a new Sub-processor, the parties will work together in good faith to find a resolution. If no resolution is found, the Controller may terminate the affected services.

7. Data Subject Rights

7.1 Assistance with Requests

The Processor shall:

  • Forward any Data Subject requests received to the Controller within 48 hours
  • Assist the Controller in responding to requests for:
    • Access to Personal Data
    • Rectification or erasure of Personal Data
    • Data portability
    • Objection to or restriction of Processing
  • Provide necessary technical capabilities for data export and deletion

7.2 Automated Processing

The Processor's AI image generation involves automated processing. The Controller must inform Data Subjects about the logic involved, significance, and envisaged consequences of such processing.

8. Security Incidents and Breach Notification

8.1 Notification Obligations

The Processor shall:

  • Notify the Controller without undue delay and within 48 hours of becoming aware of a Security Incident
  • Provide sufficient information for the Controller to meet breach notification obligations
  • Cooperate with the Controller in investigating and mitigating the incident
  • Document all Security Incidents, regardless of notification requirements

8.2 Information to be Provided

Breach notifications shall include:

  • Nature of the Security Incident and categories of data affected
  • Estimated number of Data Subjects and records affected
  • Likely consequences of the incident
  • Measures taken or proposed to address the incident
  • Contact details for further information

8.3 Incident Response

The Processor maintains an incident response plan that includes procedures for detection, containment, investigation, and remediation of Security Incidents.

9. Audits and Compliance

9.1 Right to Audit

The Controller may:

  • Request evidence of compliance with this DPA
  • Conduct audits once per year with 30 days' notice
  • Request immediate audits in case of suspected breach
  • Use a qualified third-party auditor under NDA

9.2 Processor Cooperation

The Processor shall:

  • Provide relevant compliance certifications (e.g., SOC 2, ISO 27001)
  • Respond to reasonable compliance questionnaires
  • Allow access to relevant records and facilities
  • Cooperate with supervisory authorities

9.3 Audit Costs

The Controller bears audit costs unless the audit reveals material non-compliance, in which case the Processor shall reimburse reasonable audit costs.

10. International Data Transfers

10.1 Transfer Mechanisms

For transfers outside the EEA, the Processor shall ensure:

  • Use of Standard Contractual Clauses (Module 2: Controller to Processor)
  • Compliance with supplementary measures as required
  • Regular assessment of third-country data protection laws
  • Notification of any government access requests

10.2 Data Localisation

Where possible, the Processor offers data residency options within the EEA. The Controller may request specific data localisation subject to technical feasibility.

11. Liability and Indemnification

11.1 Liability Caps

Each party's liability under this DPA shall be subject to the limitations set forth in the Terms of Service, except for:

  • Breaches caused by wilful misconduct or gross negligence
  • Regulatory fines directly resulting from the party's violation of Data Protection Laws

11.2 Indemnification

Each party shall indemnify the other against losses arising from its breach of this DPA or Data Protection Laws, subject to the liability caps above.

12. Term and Termination

12.1 Duration

This DPA remains effective while the Processor processes Personal Data on behalf of the Controller.

12.2 Termination

Upon termination:

  • The Processor shall stop Processing Personal Data
  • At the Controller's option, delete or return all Personal Data
  • Delete existing copies unless legally required to retain
  • Certify compliance with deletion requirements

12.3 Survival

Obligations regarding confidentiality, security, and liability survive termination of this DPA.

13. Governing Law and Jurisdiction

This DPA is governed by the laws of England and Wales. Any disputes shall be subject to the exclusive jurisdiction of the courts of England and Wales, except where Data Protection Laws require otherwise.

14. Amendments

Amendments to this DPA require written agreement, except for updates required by changes in Data Protection Laws, which the Processor may implement with 30 days' notice.

15. Contact Information

For all matters relating to this DPA, including exercise of audit rights and Security Incident notifications:

MALCOMSON BROTHERS LIMITED
Attn: Data Protection Officer
63 Wickenden Road, Sevenoaks, England, TN13 3PN
Email: hi@blurryselfie.com
Response Time: Within 48 hours for urgent matters

16. Execution

This DPA is deemed executed and binding when the Controller accepts our Terms of Service or continues to use the Service after notification of this DPA.

For enterprise customers requiring a signed DPA, please contact us at hi@blurryselfie.com for a customised agreement.

Annex 1: List of Sub-processors

Current as of September 18th, 2025:

Sub-processor | Purpose | Location
Hetzner | Cloud infrastructure | Germany (EU)
Cloudflare | CDN and security | Global (EU processing)
Stripe | Payment processing | EU/US
SendGrid/Postmark | Email delivery | EU/US
OpenAI/Anthropic | AI model provider | US (with SCCs)

Annex 2: Technical and Organisational Measures

Detailed security measures implemented by the Processor:

Physical Security

  • Data centres with 24/7 security and surveillance
  • Biometric access controls
  • Environmental controls and redundant power

Logical Security

  • Firewalls and network segmentation
  • Intrusion detection and prevention systems
  • Regular security patching and updates
  • Endpoint protection and device management

Data Protection

  • Encryption at rest (AES-256) and in transit (TLS 1.3)
  • Secure key management using HSMs
  • Data loss prevention controls
  • Secure deletion procedures

Operational Security

  • Security incident response team
  • Regular security training for staff
  • Background checks for employees
  • Documented security policies and procedures

This Data Processing Agreement was last updated on September 18th, 2025 and supersedes all previous versions.