Data Processing Agreement

Last updated: February 1, 2026

This Data Processing Agreement ("DPA") forms part of the agreement between FoodPhoto.ai ("Processor", "we", "us") and you ("Controller", "Customer") for the provision of AI-powered food photography services.

This DPA applies where and only to the extent that FoodPhoto.ai processes Personal Data on behalf of the Customer in the course of providing the Service, and such Personal Data is subject to Data Protection Laws.

1. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person, as defined under applicable Data Protection Laws
  • "Data Protection Laws" means the GDPR (EU 2016/679), UK GDPR, CCPA/CPRA, and any other applicable data protection legislation
  • "Processing" means any operation performed on Personal Data, including collection, storage, use, transmission, and deletion
  • "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller
  • "Data Subject" means the individual to whom Personal Data relates

2. Scope of Processing

2.1 Subject Matter

The Processor processes Personal Data solely for the purpose of providing AI-powered food photography enhancement services as described in the Terms of Service.

2.2 Categories of Data Subjects

  • Customer employees and authorized users
  • End users of Customer's services (if applicable)

2.3 Types of Personal Data

  • Account information (name, email address)
  • Photos uploaded for processing
  • Usage and analytics data
  • Payment-related identifiers (processed by third-party payment providers)

2.4 Duration

Processing continues for the duration of the service agreement, plus any retention periods required by law or specified in this DPA.

3. Obligations of the Processor

FoodPhoto.ai agrees to:

  • Process Personal Data only on documented instructions from the Controller, unless required by law
  • Ensure that persons authorized to process Personal Data are bound by appropriate confidentiality obligations
  • Implement appropriate technical and organizational security measures as described in our Security page
  • Not engage another processor without prior written authorization of the Controller
  • Assist the Controller in responding to Data Subject requests
  • Assist the Controller in ensuring compliance with obligations related to security, breach notification, impact assessments, and prior consultation
  • Delete or return all Personal Data upon termination of the service, unless retention is required by law
  • Make available all information necessary to demonstrate compliance and allow for audits

4. Sub-processors

4.1 Authorized Sub-processors

The Controller authorizes the use of the following sub-processors:

Sub-processor        Purpose                         Location
Hetzner Cloud        Infrastructure and hosting      Germany / Finland
Cloudflare           CDN, DDoS protection, DNS       Global (US HQ)
Stripe               Payment processing              United States
MercadoPago          Payment processing (LATAM)      Argentina
Replicate / FAL.ai   AI model inference              United States
Resend               Transactional email delivery    United States

4.2 Changes to Sub-processors

The Processor will notify the Controller at least 30 days before engaging a new sub-processor. The Controller may object to the new sub-processor within 14 days of notification. If the objection is not resolved, the Controller may terminate the agreement.

5. Data Security

The Processor implements the following security measures:

  • TLS 1.3 encryption for data in transit
  • AES-256 encryption for data at rest
  • Role-based access controls with principle of least privilege
  • Regular security assessments and vulnerability scanning
  • Automated backups with encryption
  • Container isolation for all services
  • DDoS protection and web application firewall via Cloudflare

6. Data Breach Notification

In the event of a Personal Data breach, the Processor will:

  • Notify the Controller without undue delay, and no later than 48 hours after becoming aware of the breach
  • Provide details of the nature of the breach, categories and approximate number of Data Subjects affected, likely consequences, and measures taken or proposed to mitigate the breach
  • Cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the breach

7. Data Subject Rights

The Processor will assist the Controller in fulfilling Data Subject requests including:

  • Right of access
  • Right to rectification
  • Right to erasure ("right to be forgotten")
  • Right to restriction of processing
  • Right to data portability
  • Right to object

The Processor will respond to Controller requests regarding Data Subject rights within 10 business days.

8. International Transfers

Where Personal Data is transferred outside the EEA/UK, the Processor ensures adequate protection through:

  • EU Standard Contractual Clauses (SCCs) as adopted by Commission Implementing Decision (EU) 2021/914
  • UK International Data Transfer Agreement (IDTA) where applicable
  • Supplementary measures where required by applicable law

9. Data Retention and Deletion

  • Photos: Deleted 90 days after processing, or immediately upon Controller request
  • Account data: Deleted within 30 days of account closure
  • Billing records: Retained for 7 years as required by tax and financial regulations
  • Logs: Anonymized or deleted after 12 months

10. Audit Rights

The Controller has the right to audit the Processor's compliance with this DPA. Audits may be conducted by the Controller or an independent third-party auditor, upon reasonable notice (at least 30 days) and during normal business hours. The Controller bears the cost of any audit.

11. Liability

Each party's liability under this DPA is subject to the limitations set out in the Terms of Service.

12. Governing Law

This DPA is governed by the same laws that govern the Terms of Service, except where Data Protection Laws require otherwise.

How to Execute This DPA

Enterprise customers can request a signed copy of this DPA by contacting [email protected]. By using the FoodPhoto.ai service, all customers agree to the data processing terms outlined in this DPA and our Privacy Policy.