GDPR Data Processing Agreement (DPA)

This Data Processing Agreement (hereinafter "the Agreement") supplements the Fotostudio Terms and Conditions.

Its purpose is to define the conditions under which Fotosoft SA, acting as data processor, processes personal data on behalf of the User, acting as data controller, in compliance with the General Data Protection Regulation (EU 2016/679).

• Personal data: any information relating to an identified or identifiable natural person
• Data controller: the User (photographer), who determines the purposes and means of processing
• Data processor: Fotosoft SA, which processes data on behalf of the data controller
• Processing: any operation applied to personal data (collection, storage, deletion, etc.)

Fotosoft processes data to enable you to:

• manage your clients, contracts, galleries, bookings, invoices and communications
• host and share images, documents and messages with your clients
• receive online payments through the integrations provided

Depending on the features used, Fotostudio may process:

• Identification data: first name, last name, email, phone, address
• Contractual data: quotes, invoices, contracts, forms, electronic signatures
• Images and files: photos, client documents, PDFs, etc.
• Navigation data: IP address, connection logs (technical logs)

Fotosoft commits to:

• Process data only on documented instructions from you
• Ensure confidentiality of data and its authorized personnel
• Implement appropriate technical and organizational measures (encryption, backups, access control, etc.)
• Guarantee the security, integrity and availability of processed data
• Assist you in fulfilling your GDPR obligations (e.g., right of access, rectification or deletion)
• Promptly notify any security incident or data breach
• Delete or return all data at the end of the contract

You commit to:

• Process only lawful, relevant and necessary data for your business
• Inform your own clients about how their data is processed through Fotostudio
• Comply with applicable data protection regulations
• Determine the retention period for the data you manage

To deliver its services, Fotosoft uses GDPR-compliant sub-processors, notably:

• Heroku (Salesforce Inc., Europe) – application hosting
• Amazon Web Services S3 (Europe) – secure file storage
• Smtp2go – transactional email delivery
• Stripe, Mollie and Paypal – online payments

Fotosoft ensures contractually that each of them complies with the same security and confidentiality requirements.

• Upon written request, Fotosoft can provide you with the information necessary to demonstrate GDPR compliance
• You may, at your own expense, request a limited and reasonable security audit, subject to confidentiality and without disrupting the service

Fotosoft does not transfer personal data outside the European Economic Area, except if:

• the service provider is covered by an adequacy decision from the European Commission, or
• appropriate safeguards (standard contractual clauses, etc.) are in place

At the end of the contractual relationship:

• Data is permanently deleted within 30 days
• Automatic backups are erased at the end of their cycle
• Upon written request, proof of deletion can be provided

• Each party is responsible for damages caused by non-compliance with their respective obligations
• Fotosoft cannot be held liable for a breach resulting from GDPR-contrary instructions given by you

• This Agreement is governed by Belgian law
• Any dispute relating to its interpretation or execution shall be submitted to the courts of Liège, Belgium