PixelAdmin Logo
Legal

Joint Controllership Agreement for AI Model Training

This agreement outlines the distribution of responsibilities between the parties regarding data processing for training and improving AI models, in accordance with GDPR Article 26.

Last updated:May 2, 2026

1. Parties

This agreement (“Agreement”) governs the processing of personal data in connection with PixelAdmin's AI features and is entered into between PixelAdmin ApS, CVR no. 45447588, Falkoner Allé 90, 2000 Frederiksberg, Denmark (“PixelAdmin”) and the party activating or using an AI feature within the Service (“Customer”).

This agreement applies to two distinct scenarios that reflect how the PixelAdmin platform can be used:

  • Studio Customers: A commercial photo studio or an in-house brand production studio that subscribes to PixelAdmin and utilizes the platform's AI features as part of its own production workflows.
  • Brand Customers via the Customer Portal: A brand granted access to the PixelAdmin Customer Portal through a partnership with a Studio Customer, which then purchases an independent brand subscription (Pro, Business, or Enterprise) complete with associated AI credits and features.

In both scenarios, the Customer acts as the data controller for personal data processed via AI features, while PixelAdmin acts as the data processor in accordance with GDPR Article 28. This agreement serves as an addendum to PixelAdmin's Terms of Service and general Data Processing Agreement (DPA). In the event of any discrepancies between these documents, this agreement takes precedence, but strictly regarding AI processing.

For the distinct and limited processing activity where the Customer voluntarily consents to PixelAdmin using anonymized content to train and improve PixelAdmin's own AI models, a joint controllership is established under GDPR Article 26. This joint controllership requires separate, explicit consent from the Customer and is not included in the standard provision of AI features.

2. Purpose, Scope, and Applicability

This agreement establishes the distribution of responsibilities and the technical and organizational framework for the AI-powered features PixelAdmin provides to its customers. These AI features are delivered as an integral part of the PixelAdmin platform, covering both the internal workflows of Studio Customers and the usage by Brand Customers via the Customer Portal.

For brand customers subscribing via the Customer Portal, the AI features primarily include the following, depending on the selected subscription tier (the applicable AI credit quotas for each tier are available in the Customer Portal and on the pricing page, which takes precedence in case of discrepancy):

  • Pro: Basic AI image processing, including background removal, automatic color correction, and similar standardized image transformations, within the monthly AI credit quota allocated to this tier.
  • Business: All Pro-tier features, plus automatic AI image tagging, visual search (find-similar-images), and ad-hoc AI image transformations based on user descriptions, within the monthly AI credit quota allocated to this tier.
  • Enterprise: All AI features with a quota individually agreed upon in the Order Form, along with the option for customer-specific controls, including Customer-Managed Encryption Keys (CMEK) and extended audit reports.

AI credits are consumed whenever an AI feature is activated by a Customer's user. This consumption is logged in the Customer's admin panel solely for billing and capacity management; it is never used for model training or marketing. AI features are always triggered by a deliberate user action and never run automatically across the Customer's entire image repository without prior selection.

For the specific activity of using anonymized content to train and improve PixelAdmin's own AI models, a joint controllership exists under GDPR Article 26. This training occurs exclusively based on separate, explicit, and documented consent from the Customer, which can be revoked at any time with forward-looking effect. For all other AI processing activities, including the features described above, PixelAdmin acts as a data processor in accordance with GDPR Article 28, acting solely on the Customer's documented instructions as defined by the platform's functionality and user interface.

The essential contents of this agreement are made available to data subjects via the PixelAdmin Privacy Policy, as well as through the Customer's own disclosures. Regardless of the agreement's terms, data subjects may exercise their rights under the GDPR against either party in accordance with their respective areas of responsibility.

This agreement is an integral part of PixelAdmin's Terms of Service and applies to customers subject to the EU General Data Protection Regulation (GDPR). The rights and obligations herein apply to processing activities involving the personal data of data subjects within the European Union (EU) and the European Economic Area (EEA).

3. Overall distribution of responsibilities

The identity of the data controller varies depending on which party activates a specific AI feature and within which account type this occurs. The distribution of responsibility must be read in the context of actual platform usage, reflecting the party that genuinely determines the purpose and means of the specific processing.

Studio Customers as Data Controller: When a Studio Customer user activates an AI feature on content uploaded to the studio's own workspace, the Studio Customer is the data controller for the processing. This includes ensuring a valid legal basis for processing and adequately informing data subjects.

Brand Customers as Data Controller: When a Brand Customer user activates an AI feature via the Customer Portal on content accessible under their own subscription (Pro, Business, or Enterprise), the Brand Customer is the independent data controller for that specific AI processing. Consequently, the Brand Customer is responsible for the legal basis underpinning the processing and for fulfilling the obligation to inform the individuals depicted.

PixelAdmin as Data Processor: In both scenarios above, PixelAdmin acts as a data processor pursuant to GDPR Article 28, processing personal data solely according to the Customer's documented instructions. This encompasses delivering the AI features—including sending relevant data to the sub-processor providing the AI model—as well as platform operations, security, and logging.

Vertex AI Gemini as Sub-Processor: The underlying AI model is provided by Google Ireland Limited via Google Cloud Vertex AI with the Gemini model, acting as a sub-processor to PixelAdmin. Google Ireland Limited processes personal data under the Google Cloud Data Processing Addendum and is strictly prohibited from using the Customer's prompts, inputs, or outputs to train Google's own foundational models.

Joint Controllership for AI Training: Solely for the distinct activity where the Customer has voluntarily consented to the use of anonymized content for training and improving PixelAdmin's own AI models, the Customer and PixelAdmin act as joint controllers under GDPR Article 26. In this scenario, the Customer maintains direct contact with the data subjects, while PixelAdmin handles the technical execution of the training and the security of the training data.

4. Principles and Legal Basis for Processing

The Customer (Data Controller 1) is responsible for securing and documenting a valid legal basis for the collection and transfer of personal data to the Service.

Both Parties are individually responsible for complying with the principles relating to processing of personal data (Article 5 of the GDPR) within their respective areas of responsibility.

5. Data subject rights

To ensure a clear and practical process for data subjects, responsibility for facilitating data subject rights is allocated as follows:

The Customer (Data Controller 1) as the party with direct contact with data subjects, is primarily responsible for handling:

  • Information obligations upon collection of personal data (Articles 13 and 14).
  • The data subject's right of access (Article 15).
  • Right to rectification (Article 16).
  • Right to erasure (Article 17).
  • Right to object to processing (Article 21).

PixelAdmin (Data Controller 2) is responsible for handling requests related to the technical platform:

  • Right to restriction of processing (Article 18).
  • Right to data portability (Article 20).

The Parties are obligated to assist one another. If a Party receives a request that falls under the other Party's responsibility, the request must be forwarded without undue delay. The Customer is designated as the central point of contact for data subjects, and will route requests to PixelAdmin as needed.

6. Processing Security

PixelAdmin and the Customer are independently responsible for implementing appropriate technical and organizational measures to ensure a level of security appropriate to the risk, per GDPR Articles 24, 25, and 32. In selecting and configuring its AI provider, PixelAdmin has implemented a series of specific security measures, detailed below.

Data Residency (Regional Binding): The AI features run on Google Cloud Vertex AI in the europe-west4 region (Netherlands). All prompts, input images, and output data remain strictly within this EU region throughout processing. PixelAdmin has configured the service so that it is technically impossible to move processing outside the EU/EEA without an explicit contractual amendment.

No-Training Mode: Vertex AI Gemini is used in its standard configuration, where neither the Customer's prompts, inputs, nor model outputs are used to train, fine-tune, or improve Google's foundation models, other Google services, or shared models made available to other customers. This obligation is explicitly stated in the Google Cloud Service Specific Terms for Vertex AI (under "Generative AI Services"), which dictates that Google will not use "Customer Data" to train or fine-tune foundation models without the Customer's explicit permission. PixelAdmin has documented this contractual obligation as part of its own vendor management and periodically verifies that this configuration remains unchanged during Gemini version upgrades.

Zero Data Retention and Caching Opt-Out: For the relevant Vertex AI models, PixelAdmin has enabled the configuration that minimizes Google's temporary storage of prompts and outputs. Specifically, the prompt caching ("context caching") feature is disabled by default, and where caching is technically necessary for performance, it occurs within the same Cloud project and EU region without cross-customer sharing. Model outputs are returned directly to PixelAdmin and are not stored in Vertex AI beyond the brief transactional period required to deliver the response.

Encryption in Transit and at Rest: All communication between the PixelAdmin platform and Vertex AI occurs over TLS 1.2 or higher. Data temporarily stored during an AI request is encrypted at rest using AES-256. Additionally, PixelAdmin encrypts the Customer's primary content in its own repositories, as outlined in the general Data Processing Agreement.

Customer-Managed Encryption Keys (CMEK) for Enterprise: Enterprise customers can opt to use Customer-Managed Encryption Keys (CMEK) in Google Cloud KMS for repositories supporting AI processing. This enables the Customer to independently revoke access to encrypted data by disabling the key—a critical feature for exit scenarios or suspected compromises.

Limited Logging and No Human Review: Vertex AI stores operational logs for up to 24 hours solely for abuse detection and operational stability. These logs are not manually reviewed by Google employees as part of standard operations, are not shared with third parties (except as required by applicable law), and are not used to train models. Furthermore, PixelAdmin has opted out of the "abuse monitoring with human review" feature via the Vertex AI console, ensuring that neither prompts nor outputs are routinely subjected to human review at Google. PixelAdmin's own logs of AI requests are used for billing, troubleshooting, and security monitoring, and are deleted according to our general data retention policy.

Access by Google Affiliates: Although ongoing processing takes place between PixelAdmin and Google Ireland Limited within the EU/EEA, Google Ireland Limited may, in limited support, security, and incident scenarios, draw on affiliated Google entities, including Google LLC in the US. Such access is configured as an exception, requires a valid transfer mechanism via the EU Commission's Standard Contractual Clauses (Module 3) supplemented by Google's certification under the EU-US Data Privacy Framework, and is subject to technical measures like access restrictions, time-bound tokens, full audit logging, and Google's "Transparency Reports" and "Customer Data Requests Policy". PixelAdmin adheres to Schrems II practices and documents in its transfer impact assessment that, following the latest European Data Protection Board (EDPB) decisions, the US legal regime does not undermine the required level of protection as long as these safeguards are in place.

Access and Role Management: Only select PixelAdmin employees with a documented need-to-know have access to the technical systems orchestrating AI requests. This access is governed by the principle of least privilege, requires multi-factor authentication, and is fully logged. The Customer remains responsible for access management within their own organization, including proper role assignment in the admin panel and secure password storage.

7. Use of Data Processors

PixelAdmin utilizes a limited group of carefully vetted sub-processors to deliver its AI features. The primary sub-processor for the AI model itself is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (Registration No. 368047), providing the Google Cloud Vertex AI service with the Gemini model in the europe-west4 region. Processing operates under the Google Cloud Data Processing Addendum and corresponding Service Specific Terms for Vertex AI, which PixelAdmin has thoroughly reviewed and accepted as part of its vendor management.

Google Ireland Limited has committed to the Google Cloud EU Data Boundary, ensuring the services selected by PixelAdmin are processed and stored entirely within the EU/EEA. Because AI feature processing occurs between PixelAdmin and an EU-established entity within the EU/EEA, routine operations do not constitute a third-country data transfer, eliminating the need for Standard Contractual Clauses (SCCs) for this processing. However, as a conservative safeguard, PixelAdmin and Google have executed SCCs to cover any incidental or internal Google transfers that might touch data outside the EU/EEA, and to secure transfers during support scenarios.

By accepting this agreement, the Customer grants general prior authorization for PixelAdmin to use Google Ireland Limited as a sub-processor for delivering AI features. PixelAdmin publishes its comprehensive sub-processor list in Appendix B of the general Data Processing Agreement and provides ample notice of any changes, allowing the Customer to object in accordance with the procedures outlined in the general DPA.

For all other sub-processors utilized to operate the PixelAdmin platform—including hosting with Microsoft Azure in EU regions—the standard sub-processor provisions in the general Data Processing Agreement apply.

8. Records of Processing Activities

Each Party is responsible for maintaining a record of processing activities carried out under its responsibility, in accordance with Article 30 of the GDPR.

9. Personal Data Breach

In the event of a personal data breach, the Party that discovers the breach is responsible for notifying the other Party without undue delay.

PixelAdmin (Data Controller 2) is responsible for notifying the competent supervisory authority (the Danish Data Protection Agency) of the breach in accordance with Article 33 of the GDPR.

The Customer (Data Controller 1) is responsible for notifying the affected data subjects of the breach in accordance with Article 34 of the GDPR, with assistance from PixelAdmin.

10. Data Protection Impact Assessment (DPIA)

As part of its accountability obligations under GDPR Article 35, PixelAdmin has conducted a Data Protection Impact Assessment (DPIA) covering the AI features provided via the platform, including AI image editing, automated AI tagging, visual search, and ad hoc image transformations. This DPIA is reviewed at least annually, as well as upon any material changes to functionality, vendor setup, or risk landscape.

The documented conclusion of the DPIA is that the AI features, in their current design, pose a limited risk to the rights and freedoms of data subjects, provided the Customer uses the features for the platform's intended purposes. This assessment is primarily based on the fact that the features are applied to content for which the Customer holds an independent legal basis to process, processing is strictly confined to the EU/EEA, content is not used to train AI models, and the features do not produce legal or similarly significant decisions affecting natural persons.

In PixelAdmin's assessment, the AI features do not constitute automated decision-making, including profiling, that produces legal effects concerning or similarly significantly affecting the data subject under GDPR Article 22. AI-suggested tags, search results, and image transformations serve as decision-support tools for the Customer's users, who can override, modify, or ignore the AI system's output at any time. PixelAdmin performs no scoring, ranking, or categorization of natural persons based on the individuals depicted.

Processing does not generally involve sensitive information, and PixelAdmin encourages the Customer in its platform documentation not to upload content that directly or indirectly reveals information covered by GDPR Article 9, unless the Customer has an independent legal basis for doing so. The result of the DPIA is made available to the Customer upon request to an appropriate extent, allowing the Customer to base its own DPIA on the document, cf. GDPR Article 28(3)(f). Based on the DPIA, PixelAdmin has assessed that there are no grounds for prior consultation with the Danish Data Protection Agency under GDPR Article 36.

Assistance with Customer DPIAs: Upon request, PixelAdmin provides a DPIA Support Pack for the Customer, following the methodology recommended by the Danish Data Protection Agency for impact assessments. This includes a systematic description of the processing, an assessment of necessity and proportionality, identification of risks to data subjects' rights, and the technical and organizational measures addressing these risks. The material covers AI model capabilities, known limitations, hallucination risks, data flows, retention periods, and potential human controls. The Customer remains responsible for conducting and documenting their own DPIA where required under GDPR Article 35.

Hallucinations and Mandatory Human Review: AI features generating descriptive text, automatic tags, alt text, or other linguistic outputs may rarely produce inaccurate, incomplete, or misleading content ("hallucinations"). Similarly, AI image transformations can occasionally introduce visual artifacts or unintended alterations. PixelAdmin clearly indicates in the platform UI that AI outputs must be verified by a human user before publication, sharing with clients, or use in marketing. The platform is designed so that AI outputs always pass through an editable state before export or distribution. The Customer is responsible for ensuring relevant internal workflows include necessary human verification. PixelAdmin provides reports documenting which users have reviewed and approved AI-generated content.

Bias Management and Error Reporting: PixelAdmin continuously monitors the utilized Gemini model for systematic biases—including representation across demographics, skin tones, body types, and cultural contexts in photographic production—and documents identified issues in an internal risk register. The Customer and their users can report unacceptable or biased outputs via a built-in reporting button or via legal@pixeladmin.com. Reported cases are handled confidentially and may, where relevant, lead to system prompt adjustments, model changes, or the deactivation of affected features. They are also included in the annual DPIA review.

11. EU AI Act – Regulation (EU) 2024/1689

PixelAdmin has assessed its AI features in light of the European Parliament and Council Regulation (EU) 2024/1689 (EU AI Act) and continuously adapts its service to comply with the applicable requirements as the provisions of the regulation enter into force. The assessment covers both PixelAdmin's role as the provider of the integrated AI system and the Customer's role as the deployer, including for brand customers who activate AI features via the Customer Portal.

Staged Entry into Force: The EU AI Act formally entered into force on August 1, 2024, but substantive obligations are phased in gradually. Prohibited practices under Article 5 and the AI literacy obligation under Article 4 have been applicable since February 2, 2025. Obligations for providers of general-purpose AI (GPAI) models under Articles 51–55 have been applicable since August 2, 2025. General transparency obligations under Article 50, including labeling of synthetic and AI-generated content, apply from August 2, 2026. Obligations for high-risk AI systems under Annex III apply from August 2, 2026, and obligations for high-risk AI systems embedded in products covered by existing harmonization legislation (Annex I) apply from August 2, 2027. PixelAdmin has implemented an internal roadmap for each milestone and continuously updates this agreement as individual obligations become binding.

Risk Classification: The AI features are classified as limited risk AI systems and partially as minimal risk systems. AI image transformations that generate or manipulate visual content may in certain cases be covered by the rules on synthetic content, whereas automated tagging and visual search are generally only subject to the general transparency obligations. The features do not constitute a high-risk AI system under Annex III of the regulation, as they are not used as safety components, for biometric identification, credit scoring, employment, or similar critical decisions.

Article 4 – AI Literacy (Applicable from February 2, 2025): PixelAdmin maintains an internal AI literacy program ensuring that employees developing, operating, or supporting AI features have an appropriate level of knowledge regarding AI system functionalities, limitations, risks, and relevant GDPR and AI Act obligations. The program is reviewed at least annually and covers both technical and commercial roles. Furthermore, PixelAdmin provides written onboarding materials, user guides, and brief explainer videos for the Customer's own users, enabling the Customer to fulfill their corresponding Article 4 obligation toward employees using AI features in daily production.

Article 26 – Customer's Obligations as Deployer: The Customer acknowledges that, in their capacity as a deployer of the AI features, they hold independent obligations under the EU AI Act. This includes the duty to use the system in accordance with PixelAdmin’s instructions, ensure an appropriate level of human oversight of AI outputs, monitor feature operations, and report significant incidents or malfunctions to PixelAdmin without undue delay. Furthermore, where relevant, the Customer must inform affected individuals that they are interacting with an AI system. PixelAdmin supports the Customer by providing usage instructions, precise system documentation, and reporting channels, and both parties actively collaborate to ensure compliant usage.

Article 14 – Human Oversight: The AI features are designed so that a human user can review, edit, approve, or reject each individual AI output before it is included in the Customer's final content or distributed to third parties. PixelAdmin provides mechanisms to understand the AI system's capabilities and limitations, including the model name, version, applied prompt pattern, and confidence indicators where technically meaningful. We also provide the ability to disable specific AI features at the organizational, team, or user level. The Customer is responsible for applying these controls to an extent commensurate with the risk of their specific use case.

Article 50 – Transparency (Applicable From August 2, 2026): PixelAdmin ensures that users of the platform and the Customer Portal are clearly informed that they are interacting with an AI system. This information is provided partly through a general notice on the AI features (banner, tooltip, or information panel), and partly through visual indicators on each individual AI output, such as the labels “AI-generated tag”, “AI-suggested”, or similar markings on AI-generated image versions. The Customer is responsible for ensuring that its own users do not disable or hide these indicators if the Customer exposes AI output to third parties.

Marking of Synthetic Content (C2PA and IPTC): For ad hoc AI image transformations that visually alter or generate content in a manner covered by Article 50(2), PixelAdmin commits to embedding machine-readable marking in the output no later than August 2, 2026. This marking adheres to the open C2PA standard (Coalition for Content Provenance and Authenticity, ISO 22144) via embedded Content Credentials manifests, alongside IPTC Photo Metadata fields for digital source type. Specifically, the value “algorithmicmedia” is used for fully AI-generated images, “trainedalgorithmicmedia” for outputs from trained generative models, and “compositewithtrainedalgorithmicmedia” for images where an authentic photographic source is combined with AI-generated elements. The marking is designed to be robust against common image manipulations, including cropping and recompression, and is supplemented by visible indicators within the platform's UI. The Customer must not remove, alter, or obscure these markings during onward distribution.

Information for Deployers and End Users: As the provider, PixelAdmin supplies the necessary technical documentation enabling the Customer, as the deployer, to fulfill its own obligations under the EU AI Act, including guidelines on proper use, known limitations, and appropriate human oversight. The Customer's own users are informed directly in the interface that they are using AI, and brand customers are additionally informed of this in the Customer Portal's onboarding flow upon the first activation of an AI feature.

Prohibited Practices Under Article 5: PixelAdmin's AI features do not use subliminal techniques, exploit vulnerabilities of specific groups of persons, and are not used for social scoring, predictive policing, facial recognition databases based on internet scraping, biometric categorization based on sensitive characteristics, or emotion recognition in the workplace or educational institutions. Therefore, it is PixelAdmin's assessment that the features do not constitute a prohibited practice under Article 5 of the EU AI Act.

High-Risk and GPAI Assessment: PixelAdmin has documented an assessment concluding that the AI features do not constitute a high-risk AI system, and that PixelAdmin is not itself a provider of a general-purpose AI model (GPAI), as the underlying foundation model is provided by Google Ireland Limited via Vertex AI Gemini. Through its vendor management, PixelAdmin ensures that the Gemini version in use consistently meets the relevant requirements for GPAI providers under Articles 51–55. This includes technical documentation, downstream information sharing, a policy for compliance with EU copyright law, and a public summary of training data. PixelAdmin adheres to Google Cloud's commitments regarding Codes of Practice under Article 56, and periodically obtains confirmation that Google complies with these across its Gemini stack.

Fundamental Rights Impact Assessment (FRIA): A fundamental rights impact assessment under Article 27 is primarily the responsibility of deployers that are public bodies, or private deployers providing public services or using high-risk AI systems listed in Annex III. PixelAdmin's AI features are typically used by commercial photo studios and brand organizations for commercial content production and are not classified as high-risk, meaning there is generally no obligation to conduct a FRIA. Should a specific Customer nevertheless fall under the scope of Article 27 for a specific use case, PixelAdmin will provide the necessary system documentation to support the Customer's own FRIA.

Output, Copyright, and Intellectual Property Rights: In accordance with the Vertex AI Service Specific Terms, the rights to AI outputs belong to the Customer to the fullest extent possible. Neither Google nor PixelAdmin claims ownership or licenses to the Customer's prompts, inputs, or outputs beyond what is strictly necessary to provide the service. The Customer is responsible for ensuring that their use of AI outputs does not infringe upon third-party rights, and for conducting the human review described in Section 10. PixelAdmin notes that AI-generated content does not enjoy independent copyright protection in certain jurisdictions, and the Customer should account for this in their own rights management.

Complaint Mechanism and Incident Reporting: Users and data subjects may complain about an AI feature's output at any time by contacting PixelAdmin at legal@pixeladmin.com or via the channel specified within the platform. PixelAdmin ensures that such inquiries are addressed within a reasonable timeframe and that relevant inquiries are forwarded to the Customer in their capacity as the data controller. Furthermore, PixelAdmin maintains an internal register of serious incidents and AI feature malfunctions to report to market surveillance authorities to the extent required under Article 73, and to support the Customer's own obligations. PixelAdmin closely monitors developments regarding the proposed AI Liability Directive and will amend this agreement if the directive is adopted and implemented into Danish law.

12. International Transfers

PixelAdmin has configured the AI features so that the continuous processing of personal data takes place within the EU/EEA. The primary subprocessor, Google Ireland Limited, has, as previously mentioned, committed to the EU Data Boundary and runs the Vertex AI services selected by PixelAdmin in the europe-west4 (Netherlands) region. Consequently, personal data processed via the AI features are generally not transferred to countries outside the EU/EEA.

To the extent that a support situation, a security incident, or an internal Google transfer exceptionally results in a transfer to a third country, the transfer will be based on a valid transfer mechanism in accordance with GDPR Chapter V. As a conservative measure, PixelAdmin has entered into the European Commission's Standard Contractual Clauses (Module 3) with Google Ireland Limited and supplemented these with appropriate supplementary measures, including encryption, access control, and logging, ensuring the transfer level complies with the Schrems II ruling of the CJEU.

The Customer may request an overview of the relevant transfer mechanisms for the sub-processors used in connection with the AI features at any time by contacting PixelAdmin at legal@pixeladmin.com.

13. Complaints

The Parties are individually responsible for handling any complaints from data subjects regarding violations of the GDPR provisions for which the Party is responsible under this Agreement. Complaints shall be forwarded to the relevant Party as necessary.

14. Entry into Force and Termination

This Agreement enters into force upon the Customer's acceptance of the Terms of Service.

This agreement remains valid as long as the processing occurs or until it is replaced by a new agreement.