PhotoRobot Data Processing Agreement (DPA)

Choose category
PhotoRobot Terms of Service
PhotoRobot License Agreement
PhotoRobot Privacy Documents - Overview
PhotoRobot Privacy Policy
PhotoRobot GDPR Privacy Notice (Article 13)
PhotoRobot Data Processing Agreement (DPA)
PhotoRobot Acceptable Use Policy (AUP)
PhotoRobot Service Level Agreements (SLA)
Service Level Agreement (SLA) for PhotoRobot Software
Service Level Agreement (SLA) for PhotoRobot Hardware
PhotoRobot Customer Support Terms
PhotoRobot Cookie Policy
PhotoRobot Marketing Consent Policy
PhotoRobot Sub-Processor List
PhotoRobot Legal Definitions & Glossary

PhotoRobot Data Processing Agreement (DPA)

This document represents the PhotoRobot Data Processing Agreement: Version 1.0 — PhotoRobot Edition, uni-Robot Ltd., Czech Republic.

1. Parties

This Data Processing Agreement (“DPA”) is entered into between:

Controller (Customer)
The individual or legal entity that has entered into the PhotoRobot Terms of Service and uses the Service.

and

Processor:
uni-Robot Ltd.
Vodičkova 710/31
110 00 Prague 1
Czech Republic
Company ID: 01478061
VAT ID: CZ01478061
Email: legal@photorobot.com

Hereinafter collectively referred to as the “Parties”.

This DPA supplements the PhotoRobot Terms of Service and applies when PhotoRobot processes personal data on behalf of the Customer.

2. Subject Matter & Nature of Processing

PhotoRobot (“Processor”) provides cloud-based services, local software extensions, firmware management and hosting infrastructure required to process images, metadata, and related digital content uploaded by the Customer (“Controller”).

Processing includes:

  • collection
  • storage
  • transmission
  • metadata extraction
  • synchronization between CL ↔ Cloud
  • hosting of customer-uploaded content
  • creation of logs and diagnostics
  • backup operations

Processing is performed strictly on behalf of the Controller, according to their documented instructions.

3. Duration

This DPA remains in force for the duration of the contractual relationship between the Parties, and thereafter as long as the Processor stores or processes any personal data on behalf of the Controller.

4. Personal Data & Categories of Data Subjects

4.1. Types of Personal Data

Depending on how the Service is used, processed data may include:

  • identification data (name, surname, company)
  • contact data (email, telephone)
  • visual content (images, videos)
  • metadata associated with uploaded content
  • log data, IP addresses, technical identifiers
  • project-level data
  • credentials (hashed), access tokens

Processor does not require or intentionally process special categories of data (Art. 9 GDPR).

4.2. Categories of Data Subjects

  • Customer’s employees
  • Customer’s clients or partners
  • Authorized Users
  • Any individuals presented in visual content uploaded by Customer

Customer is solely responsible for ensuring lawful collection of data from data subjects.

5. Instructions from Controller

Processor processes personal data only:

  1. according to Controller’s documented instructions,
  2. as required to provide the Service,
  3. to ensure security, integrity and availability of systems,
  4. as required by EU or Czech law.

If Processor considers an instruction unlawful, Processor must notify Controller.

6. Confidentiality

Processor ensures that all persons authorized to process personal data:

  • are subject to confidentiality obligations,
  • have received appropriate training,
  • process data solely under instructions from the Controller.

7. Sub-Processors

Processor uses certain third parties (“Sub-Processors”) to support the Service.

7.1. Approved Sub-Processors

Controller grants general authorization for Processor to engage the following categories of Sub-Processors:

  • cloud infrastructure providers (e.g., Google Cloud Platform)
  • email delivery providers
  • analytics providers
  • ticketing systems
  • security monitoring services
  • backup and disaster recovery systems

A complete list is maintained in the PhotoRobot Sub-Processor List and may be updated.

7.2. Notification of Changes

Processor shall notify Controller of any intended changes to Sub-Processors at least 15 days in advance, allowing Controller to object on reasonable grounds.

8. International Data Transfers

Where Sub-Processors or infrastructure are located outside the EEA, Processor ensures:

  • application of Standard Contractual Clauses (SCC 2021),
  • supplementary technical and organizational safeguards,
  • minimized access and encryption,
  • compliance audits by the underlying provider.

Google Cloud Platform provides:

  • ISO 27001, ISO 27017, ISO 27018
  • SOC 1/2/3 reports
  • GDPR compliance documentation

Details available at https://cloud.google.com/security.

9. Security Measures

Processor shall implement industry-standard technical and organizational measures (TOMs), including:

9.1. Technical Measures

  • TLS encryption of data in transit
  • secure storage with encrypted access tokens
  • isolated processing environments
  • password hashing
  • rate limits and intrusion detection systems
  • multi-layer firewalling
  • physical data center security (via Google Cloud)

9.2. Organizational Measures

  • role-based access control
  • access logging and monitoring
  • internal policies for data handling
  • employee confidentiality obligations
  • periodic security training
  • vendor risk management

A full list of TOMs is available upon request.

10. Data Subject Rights

Processor assists Controller in responding to:

  • requests for access
  • rectification
  • deletion
  • restriction
  • data portability
  • objections

Processor shall forward any direct request from a data subject to the Controller without undue delay.

11. Data Breach Notification

In case of a personal data breach, Processor shall notify Controller:

  • without undue delay,
  • including all information required by Article 33 GDPR,
  • and provide ongoing updates until remediation is complete.

Controller remains responsible for notifying authorities and affected individuals.

12. Deletion or Return of Data

Upon termination of the contract:

  • Processor deletes Customer Data after 30 days,
  • unless otherwise instructed by Controller,
  • except where retention is required by law.

Backups are overwritten during their normal lifecycle.

13. Audits

Controller has the right to:

  • receive documentation proving GDPR compliance
  • request a report on TOMs
  • perform reasonable audits, limited to once per year
  • rely on third-party certifications (ISO/SOC reports of Google Cloud)

Audits must not jeopardize security or disrupt operations.

14. Liability

Liability of the Parties follows the Terms of Service.
Processor is liable only for breaches caused by its own violation of GDPR obligations.

15. Governing Law & Jurisdiction

This DPA is governed by the laws of the Czech Republic.
Disputes shall be resolved by the courts in Prague, Czech Republic.

16. Standard Contractual Clauses (SCC)

Where required, the SCC 2021 (Module 2: Controller → Processor) apply as an annex to this DPA.

PhotoRobot:

  • incorporates SCC by reference,
  • includes all mandatory clauses,
  • implements supplemental technical measures
  • ensures compliance for transfers to sub-processors outside the EEA.

The SCC may be provided in full upon request.

17. Contact

uni-Robot Ltd.
Vodičkova 710/31
110 00 Prague 1
Czech Republic

Email: legal@photorobot.com