Version 1 · as of July 14, 2026
Data Processing Agreement (DPA)
Agreement pursuant to Art. 28 GDPR · DPA version: Version 1
Between [Controller]
— hereinafter the “Controller” —
and Trust Center
— hereinafter the “Processor” —
Template — based on fotostudio.io's published RGPD/DPA. Pending legal review. Edit this file (
db/legal/dpa/en.md) and re-seed to change the published text.
Data Processing Agreement
This Data Processing Agreement ("DPA") forms part of the agreement between the Customer ("Controller") and Fotosoft SA, a company incorporated in Belgium (enterprise no. BE 0721.709.989), operating the fotostudio.io platform ("Processor"), and governs the processing of personal data under Article 28 GDPR.
1. Roles and subject matter
The Customer (a professional photographer or studio) is the Controller of the personal data it uploads or generates in the platform. Fotosoft acts solely as Processor, processing that data on the Controller's documented instructions to provide the service (CRM, bookings, galleries, contracts, invoicing, email).
2. Nature, purpose and duration
Fotosoft commits to processing the data only within the scope of these purposes ("Fotosoft processes the data only to operate the service"). Processing lasts for the duration of the Controller's subscription.
3. Categories of data and data subjects
- Data subjects: the Controller's clients and contacts, and the Controller's staff.
- Categories: identification and contact data, booking and contract data, billing data, and uploaded image material.
4. Obligations of the Processor
Fotosoft shall: process data only on documented instructions; ensure persons authorised to process data are bound by confidentiality; implement the measures in Annex 1 (TOMs); assist the Controller with data subject requests and with its obligations under Articles 32–36 GDPR; and delete or return the data at the end of the engagement (see §8).
5. Sub-processors
5.1 General authorisation. The Controller grants Fotosoft a general written authorisation within the meaning of Art. 28(2), second sentence, GDPR to engage other processors ("Sub-processors"). The Sub-processors authorised as of the date of conclusion are listed in Annex 2.
5.2 Dynamic list. The current list of all Sub-processors engaged — including name, purpose, location and categories of data — is maintained and versioned by Fotosoft on an ongoing basis in the Trust Center under the "Sub-processors" section. This dynamic list is authoritative and forms part of this DPA; Annex 2 reflects its state as of the date of conclusion.
5.3 Prior notice. Where Fotosoft intends to add or replace a Sub-processor, Fotosoft will notify the Controller with reasonable advance notice before the intended effective date. Notice is given actively by email to the Controller's address recorded for the concluded DPA; in addition, the Controller may subscribe to change notifications in the Trust Center. The Controller is responsible for keeping a valid, up-to-date contact email address on file.
5.4 Right to object. The Controller may object to an intended change on legitimate data-protection grounds until the announced effective date. If no objection is raised by then, the change is deemed approved and takes effect on the announced date.
5.5 Consequences of an objection. In the event of an objection, the parties will seek an amicable solution in good faith. If none can be found within a reasonable period, the Controller may, for the affected part of the Service that requires the Sub-processor, terminate on an extraordinary basis. The removal of a Sub-processor without replacement does not constitute a change requiring approval and requires no prior authorisation.
5.6 Flow-down of obligations. Fotosoft imposes on each Sub-processor, by contract, materially the same data-protection obligations as those set out in this DPA, and remains liable to the Controller for the Sub-processor's compliance.
6. Technical and organizational measures (TOMs)
6.1 Measures. Fotosoft implements and maintains the technical and organizational measures under Article 32 GDPR that ensure a level of security appropriate to the risk. The measures in force as of the date of conclusion are set out in Annex 1.
6.2 Dynamic document. The current version of the TOMs — including their scope and content — is maintained and versioned by Fotosoft on an ongoing basis in the Trust Center. This version is authoritative and forms part of this DPA; Annex 1 reflects its state as of the date of conclusion.
6.3 Updates. Fotosoft may adapt the TOMs in line with technical and organizational developments, provided the agreed level of protection is not materially reduced. Unlike for Sub-processors (§5), no right of consent or objection applies in this respect.
6.4 Information. Changes to the TOMs are made traceable through versioning in the Trust Center, where the Controller may subscribe to change notifications. Active individual notice by email is not required for this purpose.
7. International transfers
Fotosoft does not transfer personal data outside the European Economic Area, save where covered by an adequacy decision or appropriate safeguards such as the EU Standard Contractual Clauses. All data is hosted exclusively in Europe.
Review note (EN): some sub-processors (Heroku/Salesforce, AWS, Stripe, PayPal, SMTP2GO) have US parent companies. Confirm transfer mechanisms with counsel even though storage is in the EU.
8. Deletion
On termination, all personal data is permanently deleted from the servers within 30 days; backups are deleted after their retention period expires.
9. Security incidents
Fotosoft notifies the Controller without undue delay, and within 72 hours where the breach affects personal data.
10. Audits
Fotosoft makes available the information necessary to demonstrate compliance with Article 28 GDPR.
11. Governing law
This DPA is governed by Belgian law; the competent courts are those of Liège.
Annex 1 — Technical and Organizational Measures
Reflects the state of the TOMs document as of the date of conclusion. The current version is maintained and versioned in the Trust Center (§6.2).
Annex 2 — Authorised sub-processors
See the separate Sub-processors list, which is authoritative and reflects the current state (§5.2). Annex 2 reflects its state as of the date of conclusion.