Data Processing Addendum (DPA) for FotoWare SaaS
This Data Processing Addendum (“DPA”) forms part of the SaaS Subscription Agreement available on https://www.fotoware.com/company/legal/saas-subscription-agreement between FotoWare and Customer (the "Agreement") under which FotoWare provides its Software-as-a-Service for Digital Asset Management of Customer's Content.
1. Definitions
- "Data Center Region" means the region offered by FotoWare and chosen by Customer in which FotoWare stores Customer's Personal Data in a data center. Available data centers are listed on https://www.fotoware.com/company/legal/how-fotoware-protects-your-data.
- "Data Controller" means the legal entity which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
- "Data Processor" means the legal entity which Processes Personal Data on behalf of the Data Controller.
- "Data Protection Laws" means all data protection laws applicable to the Processing of Personal Data under this DPA.
- "Data Subject" means an identified or identifiable natural person to whom the Personal Data being Processed relates.
- "EEA" means the European Economic Area.
- "GDPR" means the General Data Protection Regulation (EU) 2016/679.
- "Personal Data" means any information relating to a Data Subject as an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
- "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed.
- "Processing" or "Process" means any operation or set of operations performed on Personal Data or sets of Personal Data, such as collecting, recording, organizing, structuring, storing, altering, retrieving, consulting, using, disclosing by transmission, disseminating, or otherwise making available, aligning or combining, restricting, erasing or destroying.
- "Subprocessor" means a third party engaged by FotoWare as a Data Processor under this DPA.
- "Third Country" means a country outside the EEA not recognized by the European Commission as providing an adequate level of protection for Personal Data pursuant to GDPR.
2. Processing of Personal Data
- Scope and roles of the parties. This DPA applies to FotoWare's Processing of Personal Data by virtue of providing the Service to Customer. For the purposes of this DPA, Customer is the Data Controller and FotoWare is the Data Processor Processing Personal Data on Customer's behalf.
- Purpose and duration of the Processing. FotoWare will Process Personal Data to provide FotoWare's Software-as-a-Service for Digital Asset Management. The duration of Processing Personal Data shall be for the term of the Agreement.
- Types of Personal Data and categories of Data Subjects. The types of Personal Data and categories of Data Subjects are set forth in Appendix 1 below.
- Instructions for Processing. FotoWare shall Process Personal Data in accordance with Customer's documented instructions, including with regard to transfers of Personal Data to a Third Country. Customer instructs FotoWare to Process Personal Data to provide the Service in accordance with the Agreement and this DPA. FotoWare may Process Personal Data otherwise than on Customer's instructions if required to do so by applicable law. FotoWare will in such case inform Customer of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest.
- FotoWare personnel. FotoWare ensures that all personnel authorized to Process Personal Data are subject to a perpetual confidentiality obligation, and that such personnel receive appropriate training on their responsibilities regarding the Processing and safeguarding of Personal Data pursuant to applicable Data Protection Laws. Authorized personnel shall only be granted access to Process Personal Data to the extent strictly necessary to carry out the Agreement.
- Return and deletion of Personal Data. FotoWare shall return and delete Personal Data in accordance with the Agreement upon termination of the Agreement. FotoWare shall confirm upon written request from Customer that such return and deletion has been conducted.
- Compliance with laws. FotoWare shall comply with all Data Protection Laws applicable to FotoWare in its role as a Data Processor Processing Personal Data. Customer shall comply with all Data Protection Laws applicable to Customer as a Data Controller.
3. Subprocessors
- Authorization to engage Subprocessors. FotoWare may engage Subprocessors to provide certain services on its behalf. Customer authorizes FotoWare to engage the Subprocessors listed in Appendix 2 and available on https://www.fotoware.com/company/legal/data-processors. Customer acknowledges that this authorization constitutes prior written consent to Processing of Personal Data by the listed Subprocessors.
- Subprocessors' compliance. FotoWare is fully responsible for its Subprocessors' compliance with this DPA. FotoWare shall conclude a written agreement with each Subprocessor (i) making the Subprocessor subject to at least the same level of data protection as imposed on FotoWare in this DPA, and (ii) restricting Subprocessor from Processing Personal Data for any other purpose than delivering the contracted services.
- Notification of new Subprocessors. FotoWare may replace or engage new Subprocessors. FotoWare shall in such case give Customer 30 days' prior written notice before the new Subprocessor is authorized to Process Personal Data.
- Customer's objection right. Customer is entitled to object to the engagement of a new Subprocessor within 14 calendar days from FotoWare's prior written notice pursuant to Section 3.3. The objection notice shall be given in writing and describe Customer's reasonable grounds for objection. If FotoWare chooses to retain the Subprocessor despite the objection, FotoWare shall notify Customer at least 14 calendar days before authorizing the new Subprocessor to Process Personal Data. Customer may in such case discontinue using the Service immediately and terminate the Agreement by giving 30 calendar days' prior written notice, counted from FotoWare's notification. Customer is entitled to a refund proportional to the remaining Subscription Period already paid for.
4. Data center regions and data transfers
- Storage of Personal Data. Personal Data will be stored in the Data Center Region chosen by Customer.
- Transfer of Personal Data. FotoWare will not transfer Personal Data from Customer's chosen Data Center Region except as necessary to provide the Services to Customer or to comply with law or a valid and binding order of a governmental body. FotoWare ensures that it will only transfer Personal Data from the EEA to a Third Country by using appropriate safeguards such as, but not limited to, the EU Standard Contractual Clauses applicable at the time of the transfer. Customer agrees that Personal Data may be temporarily transferred to a Third Country on the conditions outlined in this Section.
5. Rights of Data Subjects
- Requests from Data Subjects. Customer is responsible for responding to Data Subjects' requests for access, correction, deletion, or restriction of that person's Personal Data. If FotoWare receives a request from a Data Subject, FotoWare shall promptly redirect the Data Subject to the Customer.
- FotoWare's assistance. FotoWare shall comply with Customer's reasonable requests on behalf of Data Subjects pursuant to Data Protection Laws to (a) correct, delete, or restrict Processing of Personal Data, (b) make available Personal Data and associated Processing information, and (c) enable data portability of a Data Subject's Personal Data, in each case where alternative (a), (b) or (c) is not feasible for Customer to perform through the Service. FotoWare may charge Customer for reasonable costs incurred on a time and material basis for assistance according to this Section.
6. Security of Personal Data
- Security of Processing. FotoWare shall implement and maintain appropriate technical and organizational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. FotoWare shall ensure a level of security appropriate to the risk, including encryption of Personal Data to ensure ongoing confidentiality, integrity, availability, and resilience of FotoWare's Service and associated systems as described in Appendix 3.
- Personal Data Breach. FotoWare shall without undue delay notify Customer when becoming aware of a Personal Data Breach. Such notification shall describe (i) the nature of the Personal Data Breach, (ii) the details of a contact point where more information concerning the Personal Data Breach can be obtained, (iii) the Personal Data Breach's effect and consequences for the Service, and (iv) the measures taken or proposed to be taken by FotoWare to address the Personal Data Breach, including measures to mitigate its possible adverse effects. FotoWare shall cooperate with and assist Customer in preventing, mitigating, and rectifying a Personal Data Breach in accordance with applicable Data Protection Laws, considering the nature of the Processing and the information available to FotoWare. FotoWare may charge Customer for reasonable costs on a time and material basis for any assistance related to a Personal Data Breach under this Section, unless FotoWare is responsible for the cause of the Personal Data Breach.
- Data Protection Impact Assessments and prior consultations. FotoWare shall provide reasonable assistance to Customer in carrying out data protection impact assessments and prior consultations with the supervisory authority related to Customer's use of the Service. Customer is entitled to use FotoWare's audit reports when conducting such activities imposed by Data Protection Laws, including GDPR Articles 35 and 36. FotoWare may charge Customer for reasonable costs incurred on a time and material basis for assistance according to this Section.
- Audit. FotoWare shall make available to Customer all information necessary to demonstrate compliance with this DPA. The information is subject to Customer's confidentiality obligations as stipulated in the Agreement. If Customer requires additional information, Customer may conduct an audit by engaging an independent, qualified third party to conduct such audit. Any such audit shall follow FotoWare's reasonable security requirements and not interfere unreasonably with FotoWare's business activities. Customer shall give FotoWare 14 calendar days' prior written notice before any audit can be initiated. All costs relating to the audit shall be borne by Customer.
- Notification of unlawfulness. FotoWare shall immediately inform Customer if it considers that its Processing of Personal Data pursuant to this DPA violates applicable Data Protection Laws. Customer is in such case entitled to suspend any further Processing of Personal Data until FotoWare has made the necessary corrections.
- Liability. Each party's liability under this DPA is governed by the SaaS Terms unless otherwise required by applicable Data Protection Laws.
- Affiliates of Customer. Customer is responsible for coordinating all communication with FotoWare on behalf of its Affiliates regarding this DPA. Customer represents that it is authorized to issue instructions as well as make and receive any communications or notifications in relation to this DPA on behalf of its Affiliates.
- Termination. The term of this DPA will end upon termination of the Agreement.
- Conflict. In the event of inconsistencies between the provisions of this DPA and the Agreement, the provisions of this DPA shall prevail regarding the parties' data protection obligations.
Appendix 1. Types of Personal Data and categories of Data Subjects
Types of personal data:
- Names, images, and other Personal Data included in the Content uploaded by Customer into the Software-as-a-Service solution for Digital Asset Management
- Contact person's and User's name, username, email address and phone number
Categories of data subjects:
- Natural persons within Customer's organization operating as Users or a contact person
- Natural persons which may be identified in any Content uploaded by Customer into the Service
Appendix 2. Subprocessors

| Type of service provider | Location of processing |
| --- | --- |
| | Customer's Data Center Region |
| Email service provider | |

Appendix 3. Security Measures
Access control and measures for user identification and authorization for FotoWare personnel
FotoWare has implemented a robust access control system to ensure that only authorized FotoWare personnel have access to Personal Data. Access to Personal Data is limited to authorized personnel who require access for support purposes only. Access is restricted through a role-based access control system that grants access only to the data necessary for the support task at hand.
FotoWare uses a range of measures to ensure user identification and authorization, including user authentication, two-factor authentication, and single sign-on. Unique login credentials are required for all users, and access to Personal Data is granted based on the user's role and level of authorization, ensuring that users only have access to the data necessary for their job functions.
All user accounts are monitored, and we conduct regular reviews of user access privileges to ensure that only authorized individuals have access to Personal Data. Any suspicious activity or unauthorized access attempts are immediately flagged and addressed. Furthermore, FotoWare maintains detailed logs of all user activity, including login attempts and access to Personal Data, providing an audit trail for forensic analysis in the event of a security incident.
All FotoWare personnel authorized to access Personal Data are trained to comply with applicable Data Protection Laws and are subject to a perpetual confidentiality obligation applicable to their support work.
Data encryption and pseudonymization
We implement encryption and pseudonymization measures to protect Personal Data against unauthorized access, disclosure, or destruction. FotoWare uses state-of-the-art encryption technologies to secure data both in transit and at rest.
Data storage and retention
We act appropriately to ensure that Customers' data is stored and retained in a secure manner. Customer's data is logically separated from system and application data and from other Customers' data, with access controls and monitoring mechanisms in place. We also regularly test, assess, and evaluate the effectiveness of our technical and organizational measures to ensure the security of the Processing.
FotoWare has implemented measures to ensure the availability and access to Personal Data in the event of a physical or technical incident.
In addition to these measures, FotoWare maintains disaster recovery and business continuity plans that are designed to ensure that we can respond quickly and effectively in the event of a disruption or outage. Our plans include procedures for restoring access to personal data, identifying and mitigating potential risks, and communicating with customers and other stakeholders in a timely and transparent manner.
FotoWare is in the process of obtaining ISO 27001 certification, which demonstrates our commitment to information security management. We will regularly undergo audits and assessments to maintain this certification, ensuring our compliance with applicable Data Protection Laws.
FotoWare acts appropriately to ensure the physical security of locations where Personal Data is Processed. Access to locations where Personal Data is Processed in the form of storage is restricted to authorized personnel only, and we use security measures such as security cameras, alarms, and access controls to prevent unauthorized access.
In addition to the above measures, FotoWare also restricts access to Personal Data on FotoWare's own devices by implementing device encryption, password protection, and remote wipe capabilities. This ensures that Personal Data is protected even in the event of device loss or theft.
Effectiveness of technical and organizational measures
FotoWare regularly tests, assesses, and evaluates the effectiveness of our technical and organizational measures to ensure the security of the Processing of Personal Data. We conduct regular security audits and assessments to identify any potential vulnerabilities or weaknesses in our security measures.
We also conduct regular penetration testing and vulnerability assessments to identify any potential security risks and to test the effectiveness of our security controls. In addition, we regularly review and update our policies and procedures to ensure that they remain current and effective.
FotoWare also maintains incident response and business continuity plans to ensure that we can respond quickly and effectively in the event of a security incident or other disruptive event. Our incident response plans are tested regularly through simulations to ensure that they are effective and that our personnel are trained to respond in a timely and effective manner.
FotoWare implements measures to ensure the security and integrity of our systems and processes, including our system configuration and default configuration settings. We follow best industry practices and standards to ensure that our systems are configured securely and that default configurations do not create vulnerabilities.
We regularly review and update our system configuration settings to ensure that they are aligned with our security policies and procedures. We also maintain strict controls over changes to system configuration settings, ensuring that changes are documented, approved, and tested before they are implemented.
Furthermore, our software development processes include secure coding practices, and we regularly assess and update our default configurations to ensure that they are secure and do not create potential vulnerabilities.
FotoWare has implemented measures to ensure that our internal IT and IT security governance and management are aligned with best industry practices and standards. We have established an IT security governance framework that includes policies, procedures, and controls to ensure the ongoing security and integrity of our systems and processes.
We regularly review and update our IT security governance framework to ensure that it remains up to date and effective. This includes conducting regular risk assessments to identify potential security risks and vulnerabilities and implementing controls to mitigate those risks.
FotoWare also has an IT security team responsible for overseeing our IT security governance and management. Our IT security team includes experienced professionals who are trained in the latest security technologies and techniques.
Furthermore, we conduct regular security awareness training for all FotoWare personnel to ensure that they are aware of potential security risks and how to mitigate them. Our training programs cover a wide range of topics, including password security, phishing prevention, and secure data handling.
Measures for ensuring deletion of Personal Data
FotoWare understands the importance of ensuring the deletion of Personal Data when it is no longer needed or when requested by Customer on behalf of a Data Subject. We have implemented measures to ensure that all Personal Data is securely and effectively deleted from our systems and processes upon termination of the Agreement.
We have established clear guidelines and procedures for handling requests for deletion, and we ensure that Personal Data is securely deleted or anonymized when it is no longer needed for the purposes for which it was collected. This includes implementing secure deletion methods and tools to ensure that Personal Data is permanently deleted and cannot be recovered.
FotoWare's assistance to Customer as a Data Controller
FotoWare understands that as a Data Processor, we have a responsibility to assist the Customer in ensuring the security and protection of Personal Data. To that end, we have implemented specific technical and organizational measures to enable us to provide effective assistance to Customer as a Data Controller.
One of the key measures we have implemented is the establishment of a dedicated customer support team with personnel who are trained to comply with applicable Data Protection Laws and regulations. This team is responsible for aiding the Customer in managing and Processing Personal Data, including handling requests for data access, rectification, and deletion.
We also maintain a detailed knowledge base and provide clear documentation to help the Customer to understand and use our Service in a secure and compliant manner. This includes providing guidance on how to configure our Service to comply with applicable Data Protection Laws and regulations.