Data Processing Agreement
1. Definitions
Capitalized terms not defined here have the meaning set out in the Master Terms of Service. "Personal Data", "Processing", "Data Subject", "Controller", and "Processor" have the meanings given in the General Data Protection Regulation (Regulation (EU) 2016/679) ("GDPR").
2. Roles — Split Between Service Operation and Content Processing
The relationship between the parties has two distinct scopes:
- Service operation (controller scope of Service Provider). For account data, billing records, audit logs, and security data, Service Provider is the controller. This scope is governed by the Privacy Policy, not by this DPA.
- Content processing (processor scope). For images submitted by Customer, generated reports, and analysis metadata associated with that content, Customer is the Data Controller and Service Provider is the Data Processor. This DPA governs only this scope.
Customer's documented processing instructions consist of: (a) the Master Terms of Service; (b) this DPA; (c) the Service interface and API parameters Customer uses when submitting content (including prompt selection, template selection, and, for Agency / API customers, the identification of the model or end-user on whose behalf analysis is being run); and (d) any applicable order or product configuration.
3. Subject Matter and Duration
- Subject matter: AI-based analysis of images submitted by Customer and generation of report outputs.
- Duration: for as long as Customer's account remains active, plus any retention period required by law or stated in the Privacy Policy.
- Nature and purpose: automated image analysis and report generation as configured by Customer through the Service interface or API.
- Categories of data: see /legal/data-processing.
- Categories of data subjects: Customer (if a Model Tool user); Customer's models, clients, or end users; persons depicted in submitted content.
4. Customer Responsibilities
Customer represents and warrants that:
- Customer has a valid lawful basis under applicable law for the Processing it instructs the Service Provider to perform, including any required consents from Data Subjects depicted in or associated with submitted content.
- Customer has provided to its own users and Data Subjects all notices and disclosures required by applicable law (including, where applicable, GDPR Articles 13 and 14).
- Customer is solely responsible for the legality of the data it submits, including compliance with content-related laws applicable to Customer's operations (including, where applicable, age-verification obligations, record-keeping requirements for producers of sexually explicit content, and any equivalent obligations in jurisdictions where Customer or its end users are located).
- Customer is solely responsible for cross-border-transfer compliance for any personal data Customer transmits to the Service Provider.
- Customer will not submit personal data of children, sensitive data outside the ordinary scope of the Service, or any data the submission of which would be unlawful in Customer's jurisdiction or in any jurisdiction where Data Subjects are located.
- Where Customer is an Agency Tool customer, Customer represents that it has the necessary relationship with the depicted models and the necessary consents to submit their content for analysis.
- Where Customer is an API customer, Customer represents that its own end users have provided the necessary consents and that Customer's use of the Service on their behalf is lawful.
5. Service Provider Obligations
Service Provider undertakes to:
- Process personal data only on Customer's documented instructions, except where required by law.
- Ensure that personnel authorized to process personal data are bound by confidentiality.
- Implement appropriate technical and organizational measures as described in /legal/security.
- Assist Customer, taking into account the nature of processing, in responding to Data Subject requests, security incidents, and impact assessments, at Customer's reasonable expense for non-routine assistance.
- Make available information necessary to demonstrate compliance with this DPA, including by providing a current subprocessor list at /legal/subprocessors.
- At Customer's choice, delete or return personal data at the end of processing, subject to retention required by law.
6. Specific Use Limitations
Service Provider warrants that Customer's content is processed only for the purpose of providing the requested analysis. Service Provider will not:
- Use Customer's content to train, improve, or evaluate AI models;
- Build user profiles or behavioral inferences from Customer's usage;
- Sell, share, or otherwise disclose personal data for cross-context behavioral advertising;
- Combine Customer's data with that of other customers for any purpose other than aggregate operational metrics that contain no personal data;
- Perform identification of persons depicted in submitted content (no facial recognition, biometric matching, or external database lookup).
7. Subprocessors
Customer authorizes Service Provider to engage subprocessors for the operation of the Service. Current subprocessors are listed at /legal/subprocessors. Service Provider will:
- Maintain a current public list of subprocessors;
- Provide a reasonable mechanism for Customer to receive notification of new subprocessors before they begin processing (typically 30 days' advance notice via the published list and, where Customer has registered for them, email notifications);
- Impose contractual obligations on each subprocessor materially equivalent to those in this DPA;
- Remain liable for the acts and omissions of subprocessors with respect to its obligations under this DPA.
Customer may object to a new subprocessor on reasonable data-protection grounds. If the parties cannot resolve the objection, Customer's exclusive remedy is to terminate the Service in accordance with the Master Terms of Service.
8. Security
Service Provider implements technical and organizational measures designed to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, the nature, scope, context and purposes of Processing, and the risk to Data Subjects. The current measures are described at /legal/security.
9. Personal Data Breach
Service Provider will notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer's data, providing such information as is reasonably available to enable Customer to fulfill any obligations to notify authorities or Data Subjects under Articles 33 and 34 GDPR. Service Provider's notification is not an admission of fault or liability.
10. Data Subject Requests
Where Service Provider receives a request from a Data Subject relating to Customer's Processing, Service Provider will, where lawful, redirect the request to Customer and assist Customer in responding to it. For Model Tool customers, the Data Subject and the Customer will typically be the same person, in which case Service Provider may handle the request directly.
11. International Transfers
Service Provider is established in the Republic of Cyprus, an EU Member State. Submission of personal data to the Service therefore constitutes processing within the European Union and is not, in itself, an international transfer for the purposes of Chapter V of the GDPR.
Where Service Provider engages subprocessors located outside the European Economic Area, transfers are governed by the European Commission's Standard Contractual Clauses (Decision (EU) 2021/914), Module Three (Processor to Processor), incorporated by reference, with Service Provider acting as data exporter. Subprocessor regions are listed at /legal/subprocessors.
Where Customer, acting as Controller, wishes to rely on Module Two (Controller to Processor) SCCs for its own transfers in connection with the Service, the SCCs as adopted by the European Commission in Decision (EU) 2021/914 are incorporated by reference, with Service Provider as data importer.
12. Audit
Service Provider will make available to Customer information reasonably necessary to demonstrate compliance with this DPA. Where applicable law requires the opportunity for an on-site audit, Customer may request such an audit no more than once per year, on at least 30 days' written notice, during business hours, subject to reasonable confidentiality and security restrictions, and at Customer's expense. The parties may agree that an independent third-party report (e.g., SOC 2 Type II, when available) satisfies the audit obligation.
13. Liability and Indemnity
Customer indemnifies Service Provider against claims, losses, and liabilities arising from Customer's unlawful processing instructions or breach of section 4. Each party's liability under this DPA is subject to the limitations of liability set out in the Master Terms of Service.
14. Governing Law and Venue
This DPA is governed by the laws of the Republic of Cyprus, without regard to its conflict-of-laws principles. The parties submit to the exclusive jurisdiction of the courts of the Republic of Cyprus, except where applicable law requires a different forum. Mandatory consumer-protection rights and Data Subject rights under the GDPR and other applicable mandatory laws are not waived by this clause.
15. Order of Precedence
In the event of any conflict between this DPA and the Master Terms of Service with respect to Processing of personal data, this DPA prevails. In the event of any conflict between this DPA and a counterpart-signed Pro contract DPA executed by the same Customer, the counterpart-signed agreement prevails for that Customer.