DATA PROCESSING AGREEMENT (DPA)
This Data Processing Agreement ("Agreement") forms part of the Service Agreement between AsWeShare (the "Processor") and the Client (the "Controller").
1. Scope and Roles
The Processor provides a photo printing and shipping service via API. In providing these services, the Processor will process Personal Data on behalf of the Controller. The Controller is the owner/manager of the relationship with the end-users whose photos are being printed.
2. Description of Processing
- Subject Matter: The processing of digital images and delivery information for the purpose of creating and shipping physical photo prints.
- Duration: The duration of the processing corresponds to the term of the service, with a specific retention period for photo files.
- Nature and Purpose: Collecting image URLs or files, processing them for physical printing via internal equipment, and managing logistics for final delivery.
- Types of Personal Data:
  - Recipient Identity: Full name.
  - Delivery Information: Complete physical postal address.
  - Content Data: Photographic images.
- Categories of Data Subjects: Customers of the Controller or individuals designated by them as recipients.
3. Data Retention and Deletion
- Photo Files: To allow for dispute resolution, shipping issues, or reprinting requests, the Processor stores digital photo files for a maximum of 30 days.
- Automatic Deletion: After this 30-day period, the Processor shall automatically and permanently delete the photographic files from its storage systems.
4. Obligations of the Processor
The Processor agrees to:
- Process Personal Data only on documented instructions from the Controller.
- Ensure that persons authorized to process the data (internal production staff) are committed to confidentiality.
- Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.
- Assist the Controller in fulfilling its obligations to respond to data subjects' requests (access, erasure, etc.).
5. Authorized Sub-processors
The Controller grants general authorization to the Processor to engage the following sub-processors for the execution of the service:
- Cloud Hosting & Storage: Scaleway (France), for server infrastructure and private image buckets.
- Delivery Services: La Poste / Colissimo (France), for the transport and delivery of physical prints.
- B2B Payment Processing: Adyen (via the adyengo interface), for billing the Controller for API services.
6. Security Measures
The Processor implements the following security standards:
- Logical Access Control: Use of private storage buckets with restricted access.
- Data at Rest: Data is stored in isolated environments. While data is not encrypted at rest, access is strictly limited to authorized production systems and personnel.
- Internal Production: Printing is performed in-house by the Processor on its own hardware, minimizing the circulation of files to third-party printers.
7. Personal Data Breach
The Processor shall notify the Controller without undue delay, and no later than 48 hours, after becoming aware of a personal data breach.