Data Processing Agreement (DPA)
Disclaimer: This English translation is for informational purposes only. The German version is legally binding.
pursuant to Art. 28 GDPR · As of: February 2026 · Version 1.0
Note: This DPA is concluded electronically upon registration on the Pixalo platform (checkbox, timestamp, IP address, version).
Preamble
This Data Processing Agreement regulates the rights and obligations of the parties in connection with the processing of personal data by the Contractor on behalf of the Client pursuant to Art. 28 GDPR.
§ 1 Parties to the Agreement
1.1 Client (Controller)
The Client is the Tenant (photographer / company) registered on Pixalo who uses the platform to process personal data.
The Client is the Controller within the meaning of Art. 4 No. 7 GDPR.
1.2 Contractor (Processor)
The Contractor is the Processor within the meaning of Art. 4 No. 8 GDPR.
§ 2 Subject Matter and Duration of the Agreement
2.1 Subject Matter
The subject matter of this Agreement is the processing of personal data by the Contractor within the scope of providing the SaaS platform Pixalo.
Pixalo is a technical platform for operating digital photographer shops. Pixalo is neither a marketplace nor a payment service provider and does not act as a contractual partner between the Client and their end customers.
2.2 Duration
This Agreement applies for the duration of the usage relationship. It ends automatically with the termination of the main contract (Terms of Use).
Statutory retention obligations remain unaffected by the termination of the contract.
§ 3 Type, Purpose, and Scope of Processing
3.1 Type of Processing
The processing comprises:
- Collection, storage, organization
- Provision, transmission
- Erasure, archiving
3.2 Purpose of Processing
- Operation of the platform and photographer online shops
- Provision of preview images and downloads
- Order processing
- Ensuring security, stability, and abuse prevention
3.3 Categories of Data Subjects
- End customers of the Client (e.g., parents, students, clients)
- Employees of the Client
- Other users authorized by the Client
3.4 Categories of Personal Data
- Names and contact details
- Assignment data (e.g., classes, groups, access codes)
- Order and transaction data
- Preview images (with watermarks)
- Purchased image files
- Technical metadata (e.g., access times, IP addresses)
A detailed description is available in Annex 3.
§ 4 Obligations of the Client
The Client is obligated to:
- ensure the lawfulness of the data processing
- guarantee valid legal bases for the processing
- properly inform data subjects
- obtain necessary consents (especially for minors)
- issue only lawful instructions to the Contractor
- ensure the correctness of the transmitted data
The Contractor is not obligated to verify the lawfulness of content, legal bases, or consents.
§ 5 Obligations of the Contractor
The Contractor commits to:
- process personal data only on documented instructions from the Client
- implement appropriate technical and organizational measures pursuant to Art. 32 GDPR
- maintain the confidentiality of the processing
- employ only persons bound by confidentiality obligations
- assist the Client in fulfilling data subject rights requests
- assist the Client in conducting data protection impact assessments
- notify the Client of data breaches without undue delay
- erase or return data upon termination of the contract
The Contractor takes reasonable measures to ensure system availability within the contractually agreed scope.
§ 6 Right of Instruction
The Contractor processes personal data exclusively on instructions from the Client. The Terms of Use and this DPA constitute the basic documented instructions.
Instructions may be issued in text form (email). Verbal instructions must be confirmed in writing without delay.
If the Contractor is of the opinion that an instruction violates applicable law, it shall inform the Client immediately.
§ 7 Confidentiality
The Contractor ensures that all persons entrusted with processing are bound by confidentiality or are subject to an appropriate statutory duty of confidentiality.
This obligation continues to exist after termination of the contract.
§ 8 Technical and Organizational Measures
The Contractor implements appropriate technical and organizational measures pursuant to Art. 32 GDPR to guarantee a level of security appropriate to the risk.
The measures are documented in Annex 1 (TOMs) and constitute a binding part of this contract.
The Contractor is entitled to further develop the measures, provided that the level of protection is not reduced.
§ 9 Sub-processors
9.1 General Authorization
The Client grants the Contractor general authorization to employ sub-processors.
Sub-processors employed at the time of contract conclusion are listed in Annex 2.
9.2 Modifications
The Contractor shall inform the Client of any intended changes regarding the addition or replacement of sub-processors.
The Client may object in writing for cause within 14 days after receipt of the information.
The information can be sent via email or the customer area.
9.3 Contractual Binding
The Contractor ensures that sub-processors are bound contractually to at least the same data protection obligations as in this contract.
§ 10 Third Country Transfer
A transfer of personal data to third countries only occurs if the special requirements of Art. 44-49 GDPR are met.
This can be ensured in particular by:
- Adequacy decision of the EU Commission (Art. 45 GDPR)
- Standard contractual clauses (Art. 46(2)(c) GDPR)
- Additional technical and organizational protection measures
§ 11 Support in Data Subject Rights
The Contractor assists the Client within a reasonable scope in fulfilling requests of data subjects pursuant to Art. 15-22 GDPR.
Requests addressed directly to the Contractor will be forwarded to the Client.
The Contractor may request reasonable compensation for support services exceeding the contractually agreed scope.
§ 12 Notification of Data Breaches
The Contractor notifies the Client of personal data breaches without undue delay after becoming aware.
The notification contains at least:
- Description of the nature of the breach
- Categories and approximate number of data subjects and datasets affected
- Measures taken or proposed to address the breach
The notification obligation pursuant to Art. 33 GDPR towards the supervisory authority remains with the Client.
§ 13 Audit Rights
The Client has the right to verify compliance with this contract.
The Contractor provides the Client upon request with all necessary information to demonstrate compliance. This can occur in particular by:
- Self-assessments and documentation
- Certifications and audit reports
- Answering questionnaires
On-site audits are only permitted for cause and after prior written agreement (at least 30 days' notice). Costs are borne by the Client.
§ 14 Erasure and Return
Upon termination of the contract:
- the Contractor erases all personal data, unless a statutory retention obligation exists
- the Contractor returns data in a common format upon request
- the Contractor archives tax-relevant order and invoice data pursuant to § 147 AO, § 257 HGB (up to 10 years)
Erasure will be confirmed in writing upon request.
Backup snapshots and audit-proof (revision-secure) archive data are not treated as operational personal data for the purposes of the erasure obligation.
§ 15 Liability
The liability of the parties is governed by statutory provisions, in particular Art. 82 GDPR.
The Contractor is not liable for damages resulting from incorrect instructions, unlawful content, or missing consents of the Client.
§ 16 Miscellaneous
- This DPA is concluded electronically upon registration.
- It is legally binding upon acceptance (Art. 28(9) GDPR).
- Modifications must be in text form.
- German law applies.
- The place of jurisdiction, where permissible, is the registered office of the Contractor.
- If individual provisions are invalid, the contract remains otherwise valid.
Annex 1 – Technical and Organizational Measures (TOMs)
This annex describes the measures pursuant to Art. 32 GDPR.
1. Entry Control
Measures to prevent unauthorized physical access to data processing systems.
- Use of certified data centers with physical entry control
- No self-operated physical servers outside of data centers
2. Access Control
Measures to prevent unauthorized system usage.
- Strong authentication (password policy)
- Automatic blocking after failed attempts
- Encrypted transmission (TLS)
3. Usage Control
Measures to restrict to authorized usage.
- Role-based access control systems (RBAC)
- Principle of least privilege
- Regular review of access rights
4. Separation Control
Measures to process data of different clients separately.
- Strict logical multi-tenant isolation
- Tenant-ID-based access control on database level
- No view of third-party tenant data
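The tenant-ID-based access control named above can be illustrated with a small repository pattern. The following is an added example written for this page and is not Pixalo's code; the table layout, the sample rows and the `TenantScopedOrders` class are assumptions. The point it shows is that the tenant identifier is fixed when the repository is created (from the authenticated session, never from request parameters) and is part of every query, so a lookup by order ID alone cannot reach another tenant's row, whereas the unscoped helper beside it would.

```python
"""Tenant-scoped data access (added example; not Pixalo's own code)."""
import sqlite3

# Assumed schema: every tenant-owned row carries its tenant_id.
SCHEMA = """
CREATE TABLE orders (
    id             INTEGER PRIMARY KEY,
    tenant_id      TEXT NOT NULL,
    customer_email TEXT NOT NULL,
    product        TEXT NOT NULL
);
CREATE INDEX orders_tenant ON orders(tenant_id);
"""

# Constructed sample data for two tenants (not real customers).
SAMPLE_ROWS = [
    (1, "tenant-a", "parent1@example.org", "class photo 13x18"),
    (2, "tenant-a", "parent2@example.org", "portrait download"),
    (3, "tenant-b", "client@example.net", "portrait download"),
]


def build_demo_db() -> sqlite3.Connection:
    """Create an in-memory database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def unscoped_get(conn: sqlite3.Connection, order_id: int):
    """Weak pattern: looks up by primary key only. Any authenticated user who
    can guess an ID can read another tenant's order (classic IDOR)."""
    return conn.execute(
        "SELECT id, tenant_id, customer_email, product FROM orders WHERE id = ?",
        (order_id,),
    ).fetchone()


class TenantScopedOrders:
    """Hardened pattern: the tenant is bound at construction time and every
    query carries `AND tenant_id = ?`, so cross-tenant reads return nothing."""

    def __init__(self, conn: sqlite3.Connection, tenant_id: str):
        if not tenant_id:
            raise ValueError("tenant_id is required for every repository")
        self._conn = conn
        self._tenant_id = tenant_id

    def get(self, order_id: int):
        return self._conn.execute(
            "SELECT id, tenant_id, customer_email, product FROM orders "
            "WHERE id = ? AND tenant_id = ?",
            (order_id, self._tenant_id),
        ).fetchone()

    def list_ids(self) -> list[int]:
        rows = self._conn.execute(
            "SELECT id FROM orders WHERE tenant_id = ? ORDER BY id",
            (self._tenant_id,),
        ).fetchall()
        return [r[0] for r in rows]


if __name__ == "__main__":
    db = build_demo_db()
    repo_a = TenantScopedOrders(db, "tenant-a")
    print("tenant-a sees order 3:", repo_a.get(3))        # None
    print("unscoped lookup of 3:", unscoped_get(db, 3))   # tenant-b's row
```

In a real service the same rule is enforced one layer lower as well (for example database views or row-level security keyed on the session's tenant), so that a forgotten `WHERE tenant_id = ?` in application code does not silently widen access.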
5. Transmission Control
Measures to secure transmission and storage.
- Encrypted data transmission (TLS 1.2+)
- Signed download links with expiry date
- No unencrypted email transmission of sensitive data
6. Input Control
Traceability of data input and modifications.
- Logging of security-relevant actions
- Audit-proof (revision-secure) archiving of ordering processes
7. Availability Control
Protection against loss and destruction.
- Regular backups
- Redundant infrastructure
- Monitoring and alerting
- DDoS protection and rate limiting
8. Recoverability
- Defined recovery procedures
- Regular test of backup integrity
Annex 2 – Sub-processors
The Contractor employs the following categories of sub-processors:
| Category | Purpose | Location |
|---|---|---|
| Cloud Hosting | Operation of the platform | EU |
| Object Storage | Storage of media files | EU |
| CDN | Content delivery | EU / Global |
| Payment Processing | Subscription billing (Pixalo) | EU |
| Analytics | Usage statistics (upon opt-in) | EU / USA* |
* For third country transfers only with adequacy decision or SCC + TOMs.
A current list of sub-processors by name can be requested from [email protected].
Annex 3 – Description of Processing Activities
Subject Matter of Processing
Technical provision of a SaaS platform to operate digital photographer shops including storage, provision, and delivery of photos as well as processing of orders.
Duration of Processing
- Active data: Duration of usage relationship
- Download links: maximum 7 days
- Order/invoice data: up to 10 years (statutory retention)
- Security logs: maximum 90 days
Purpose of Processing
- Provision of platform functionality
- Storage and delivery of photos
- Order processing and archiving
- Ensuring security, stability, and availability
Type of Personal Data
- Master and contact details (names, email addresses)
- Assignment details (classes, groups, access codes)
- Order details (products, quantities, prices)
- Image files (preview with watermark, purchased originals)
- Technical details (IP addresses, access times, user-agent)
Categories of Data Subjects
- End customers of the Client (e.g., parents, guardians, students)
- Employees and representatives of the Client
Cloudox – Pixalo Business Unit