Data Processing Agreement for Brand Customers

This agreement governs PixelAdmin's processing of personal data as a data processor for brand customers who use the PixelAdmin Customer Portal directly. The agreement is drafted in accordance with GDPR Article 28.

Last updated: May 2, 2026

1. Parties

The data controller is the brand (the legal entity) that creates an account on the PixelAdmin Customer Portal and uploads, processes, or otherwise handles data via the portal (“Customer”, “Brand”, or “Data Controller”).

The data processor is PixelAdmin ApS, CVR no. 45447588, Falkoner Allé 90, 2000 Frederiksberg, Denmark (“PixelAdmin” or “Data Processor”).

This Data Processing Agreement (“Brand DPA” or “Agreement”) is entered into between the Data Controller and the Data Processor (collectively the “Parties”) and forms an integral part of PixelAdmin's Terms of Service for the Customer Portal as well as the subscription plan chosen by the Brand (Free, Pro, Business, or Enterprise).

The Agreement is accepted electronically by an authorized representative of the Brand in connection with the creation of the brand account and is confirmed by continued use of the Customer Portal. The Brand warrants that the person accepting the Agreement is duly authorized to bind the company.

For paid subscriptions (Pro, Business, and Enterprise), acceptance of the Agreement occurs in a single, unified click-through flow alongside the Subscription Terms, AUP, and Privacy Policy, with payment processed via Stripe's payment forms. A time-stamped log of this acceptance is retained by PixelAdmin as documentation of the agreement, in accordance with GDPR Article 7 and the accountability principle in Article 5(2). Free-tier accounts, created via an invitation link from a studio, accept the Agreement upon their first active login action, as the portal displays links to this Brand DPA and other terms prior to access.

2. Preamble and Background

PixelAdmin develops and operates a Content Operations Platform for professional product photography, digital asset management, AI-powered image editing, and distribution of visual assets to e-commerce and marketing channels. As part of the platform, PixelAdmin offers a Customer Portal where brand customers of PixelAdmin's studio partners—and brands using PixelAdmin directly—can log in, review, approve, download, and redistribute product visual content.

When the Brand uses the Customer Portal to independently upload its own product sheets, pay for Pro, Business, or Enterprise features, activate AI features, or push assets to its own sales channels (e.g., Shopify or Zalando), the Brand determines the purpose and means of processing any personal data included in that data. The Brand is thus the data controller, and PixelAdmin acts as a data processor on the Brand's behalf.

This Brand DPA is designed to ensure the Parties' compliance with Article 28(3) of the European Parliament and Council Regulation (EU) 2016/679 (“GDPR”) and other applicable data protection legislation, including the Danish Data Protection Act.

The Agreement follows the structure of the Danish Data Protection Agency's standard contract for data processing agreements and is adapted to the processing activities taking place within the PixelAdmin Customer Portal, including hosting, AI image analysis, integrations, and analytics.

In the event of a conflict between this Brand DPA and PixelAdmin's other terms, this Brand DPA takes precedence regarding the processing of personal data.

3. Scope and Relationship to Other Agreements

This Brand DPA applies to the processing of personal data that occurs when the Brand uses the Customer Portal directly—that is, uploads, imports, or generates data via the portal's interfaces, APIs, or integrations, and when PixelAdmin processes this data solely according to the Brand's instructions.

The Customer Portal is used by two distinct types of customers: (i) brand customers whose content is delivered to the portal by a studio using PixelAdmin's main platform under a separate data processing agreement with PixelAdmin (the “Main DPA”), and (ii) brand customers using the Customer Portal as a standalone service, including to upload their own products and data.

For data delivered by a studio to the Brand via the Customer Portal, PixelAdmin is already part of a processor chain under the Main DPA between the studio (data controller) and PixelAdmin (data processor). In these cases, PixelAdmin acts as a subprocessor in relation to the studio's role as data controller, and this Brand DPA does not apply to that specific data flow. Read more in PixelAdmin's Main DPA.

For data that the Brand uploads, imports, or generates directly in the Customer Portal—independently of a studio—the Brand is the data controller, and PixelAdmin is the data processor under this Brand DPA. This applies regardless of whether the Brand simultaneously receives studio-delivered material in the same portal.

Free-tier brands without a paid subscription are covered by this Brand DPA to the same extent as paying brands regarding the data they upload themselves. However, for studio-delivered material on the same account, the Main DPA's processor chain applies—even for free-tier brands.

The Agreement applies only to processing that falls within the territorial scope of the GDPR, cf. GDPR Article 3. For processing outside the scope of the GDPR, PixelAdmin's standard confidentiality and security obligations apply.

This Brand DPA must be read in conjunction with PixelAdmin's other agreement documents for the Customer Portal, including the Subscription Terms (commercial terms, limitations of liability, and tier-specific rights), the Acceptable Use Policy (AUP) (restrictions on content and service usage), and the Privacy Policy (PixelAdmin's own processing of personal data as a data controller, including account management and billing). In the event of any conflict between this Brand DPA and the other documents, the Brand DPA shall prevail regarding the processing of personal data, pursuant to Section 2.

4. Controller's Rights and Obligations

The Brand is the data controller for the personal data it processes in the Customer Portal and is responsible for ensuring that the processing complies with the GDPR, other applicable EU data protection legislation, and national data protection laws.

The Brand has the right and obligation to determine the purposes and means of the processing, including the choice of categories of data subjects, legal basis, retention periods, which AI and integration features are activated, and to which recipients assets are distributed.

The Brand is responsible for ensuring the necessary legal basis for processing any personal data included in uploaded material. This includes consent, model releases, duty of disclosure to employees, models, retailers, and end customers, as well as—where relevant—conducting Data Protection Impact Assessments (DPIAs) for the processing activities the Brand chooses to carry out via the Customer Portal.

Furthermore, the Brand is responsible for configuring the portal's access rights, user roles, and deletion policies in accordance with its own internal governance and data protection regime.

The Customer Portal is developed and delivered as a content operations tool for managing visual assets, product catalogs, and production workflows. The portal is not designed, categorized, or security-cleared to serve as a CRM, marketing automation, or end-customer database system. Consequently, the Brand must not upload, import, or otherwise process personal data concerning the Brand's end customers (consumers, e-commerce shoppers, newsletter subscribers, etc.) within the Customer Portal—including contact lists, order history, segments, or behavioral data—unless explicitly agreed upon in writing with PixelAdmin and documented as a special instruction in Appendix C. Violating this restriction constitutes a material breach, pursuant to Section 16, and may also violate the AUP.

The Customer Portal does not support the creation of accounts for the Brand's end customers or other external users outside the Brand's own organization and invited partners. Therefore, the Brand is neither obligated to—nor can it—handle data subject access requests (DSARs) from end customers through the portal's native features. Should the Brand nevertheless use the portal to log identifiable end customers (e.g., within style guides or comment threads), the Brand remains solely responsible for fulfilling the rights of the data subjects outside the portal, while PixelAdmin will provide its standard assistance under Section 12.

5. Processing According to Documented Instructions

PixelAdmin may only process personal data on behalf of the Brand based on documented instructions from the Brand, unless required to do so by Union or Member State law to which PixelAdmin is subject. The documented instructions are derived partly from the Agreement (including Appendices A and C) and partly from the Brand's ongoing configuration and use of the Customer Portal, including subscription choices, activation of AI features, creation of integrations, user administration, and uploads.

Additional instructions may be provided in writing by the Brand's designated data controller contact or an authorized administrator in the Customer Portal. Where instructions require development beyond PixelAdmin's standard functionality, PixelAdmin may condition the implementation on a separate agreement or on the Brand covering the reasonable costs incurred.

PixelAdmin will immediately inform the Brand if, in PixelAdmin's opinion, an instruction infringes the GDPR or other applicable data protection provisions. In such cases, PixelAdmin may suspend the relevant processing until the instruction is confirmed, amended, or withdrawn by the Brand.

PixelAdmin does not process personal data for its own purposes, including marketing, profiling, or model development, except where explicitly stated in the Agreement or where the Brand has otherwise provided explicit instructions.

6. Confidentiality

PixelAdmin ensures that access to personal data processed on behalf of the Brand is limited to personnel operating under PixelAdmin's authority, who have a business need for the access, and who have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. Access is granted based on the principle of least privilege.

All PixelAdmin employees and consultants sign non-disclosure agreements as part of their employment or vendor contracts. This confidentiality obligation survives the termination of employment or engagement.

Upon reasonable request from the Brand, PixelAdmin must be able to document that the personnel operating under PixelAdmin's authority are subject to the aforementioned duty of confidentiality. Such documentation may involve presenting internal policies, anonymized terms of employment, or compliance certificates.

PixelAdmin does not disclose personal data processed on behalf of the Brand to public authorities, law enforcement agencies, or intelligence services unless the disclosure is legally binding under EU or national law applicable to PixelAdmin. Should PixelAdmin receive such a request, we will—unless prohibited by law—notify the Brand without undue delay, challenge disproportionately broad or unlawful requests, limit any disclosure to what is strictly necessary, and attempt to redirect the authority to request the data directly from the Brand as the data controller. PixelAdmin publishes statistics on received government requests in our Trust Center, unless doing so would violate confidentiality obligations or mandatory law.

7. Security of Processing

PixelAdmin implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as per GDPR Article 32. These measures take into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.

PixelAdmin's security baseline for the Customer Portal includes, among other things: hosting in Microsoft Azure (region "europe-west"), encryption of data in transit (TLS 1.2+) and at rest (AES-256 via Azure Storage Service Encryption and Cosmos DB encryption-at-rest), role-based access control (RBAC) via Azure AD B2C with multi-factor authentication for all administrators, and audit logging of all administrative actions and data access via Azure Monitor and Application Insights.

The Customer Portal is built with strict logical separation between brands through tenant isolation, ensuring a brand cannot access another brand's data. Backups are performed daily, encrypted, and stored geographically separated within the EU. Restore procedures are tested at least once annually.

Multi-brand tenant isolation is implemented as a defense-in-depth architecture: each brand is allocated a unique tenant identifier, which is filtered at the database level via partition keys in Cosmos DB and container/prefix scoping in Azure Blob Storage; all API calls are validated against the tenant context in the issued Azure AD B2C token, rejecting cross-tenant requests before they reach the data layer; administrative support access is logged per tenant and subject to break-glass procedures with escalation requirements. Logical testing of tenant isolation is included in PixelAdmin's internal security testing and review processes during architecture and feature changes.

PixelAdmin performs continuous vulnerability scanning of the application, container images, code dependencies, and infrastructure (e.g., via Dependabot, Microsoft Defender for Cloud, and similar tools), monthly patch cycles for critical components, and internal code and security reviews of new features and architecture changes. A coordinated vulnerability disclosure channel at security@pixeladmin.com enables external researchers and customers to report suspected vulnerabilities. Results and implemented remediations are documented in PixelAdmin's management review and can be made available at a summarized level for the Brand upon request. External penetration testing of the platform does not occur on a fixed recurring cadence but can be conducted as needed and under separate agreement.

PixelAdmin's underlying cloud platform (Microsoft Azure) is certified against ISO/IEC 27001, ISO/IEC 27017, ISO/IEC 27018, and SOC 2 Type II, and Google Cloud (Vertex AI) maintains corresponding ISO/IEC 27001/27017/27018 and SOC 2 Type II certifications for the underlying AI services. PixelAdmin itself is not ISO/IEC 27001 or SOC 2 Type II certified but maintains written internal security and governance policies, change management, and continuous vulnerability scanning, and can upon reasonable request present these policies and complete security questionnaires (CAIQ-Lite, SIG-Lite, or the Brand's own) under a mutual non-disclosure agreement. The currently applicable overview of security measures can be found in Appendix C, section C.2, and in updated form on PixelAdmin's Trust Center.

Where the Brand's risk assessment requires additional measures beyond those already implemented by PixelAdmin, the Brand must specify these in writing. PixelAdmin will evaluate in good faith whether the additional measures can be implemented as standard, for a fee, or if they fall outside the scope of the service.

8. Use of Sub-processors

PixelAdmin meets the conditions set out in GDPR Article 28(2) and (4) for engaging another processor (a "Sub-processor") to process personal data on behalf of the Brand.

By entering into this Agreement, the Brand grants general prior authorization for PixelAdmin to engage the Sub-processors listed in Appendix B. Furthermore, the Brand authorizes PixelAdmin to add or replace Sub-processors by providing written notice at least 30 days before the new Sub-processor commences processing.

Within the notice period, the Brand may object in writing to the change based on reasonable grounds. If, in PixelAdmin's reasonable assessment, the objection cannot be resolved through alternative measures, the Brand may terminate the affected subscription(s) with immediate effect, and PixelAdmin will refund any prepaid fees for the unused portion of the subscription term.

When PixelAdmin engages a Sub-processor for specific processing activities on behalf of the Brand, PixelAdmin imposes on the Sub-processor at least the same data protection obligations as set out in this Agreement, by way of a written contract. PixelAdmin remains fully liable to the Brand for the Sub-processor's performance of its obligations.

An up-to-date list of approved Sub-processors is always available in Appendix B and on PixelAdmin's Trust Center. The Brand can subscribe to an email-based notification list for changes by specifying a dedicated data protection contact in the Customer Portal account settings; this is considered the agreed point of communication for notices under this section. If the Brand has not provided such a contact, notices will be sent to the primary administrator of the brand account, and the Brand is responsible for keeping contact information current.

9. International Transfers

As a rule, PixelAdmin's processing of personal data on behalf of the Brand takes place within the European Union (EU) and the European Economic Area (EEA). Microsoft Azure resources are hosted in the "west europe" (Netherlands) and "north europe" (Ireland) regions, and Google Vertex AI calls are routed to the "europe-west4" (Netherlands) region.

Where limited transfers to third countries exceptionally occur—for instance, if Microsoft or Google Ireland utilize support personnel outside the EU/EEA, or if the Brand actively enables integrations with recipients outside the EU/EEA—this will only be done pursuant to a valid transfer mechanism under GDPR Chapter V, such as the EU Commission's Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs), or the Data Privacy Framework, where applicable.

PixelAdmin will not unilaterally execute transfers to third countries outside the EU/EEA without prior documented instructions from the Brand. If EU or Member State law requires PixelAdmin to perform such a transfer, PixelAdmin will notify the Brand prior to processing, unless prohibited by law on important grounds of public interest.

Any instructions from the Brand regarding transfers to third countries, including the choice of transfer mechanism, are specified in Appendix C, Section C.4.

Regarding payment processing via Stripe Payments Europe Limited, the following applies: The Stripe group uses US and other third-country affiliates for the global settlement of card transactions. Such intra-group transfers are covered by the EU Commission's Standard Contractual Clauses (Module 1 and Module 4) in Stripe's own intra-group data processing agreement, supplemented by technical and organizational measures and—where applicable—adherence to the EU-US Data Privacy Framework. PixelAdmin has conducted a Transfer Impact Assessment (TIA) for this data flow and can provide a summary to the Brand upon reasonable request.

Where the Brand is established in the UK or otherwise subject to the UK GDPR, the Parties use the UK International Data Transfer Agreement (UK IDTA) or the UK Addendum to the EU Commission's Standard Contractual Clauses, whichever best reflects the data flow. For brand customers established in Switzerland, the recognized SCC adaptations by the Swiss data protection authority apply. Such supplementary transfer mechanisms are incorporated by reference as an integral part of this Agreement, with the relevant appendices made available upon request.

PixelAdmin conducts periodic TIAs for significant transfers pursuant to EDPB Recommendations 01/2020, documenting the supplementary technical, contractual, and organizational measures that—together with the chosen transfer mechanism—ensure an equivalent level of protection. Summarized results are made available via the PixelAdmin Trust Center.

10. AI Features and Special Processing

The Customer Portal includes several optional AI features, including auto-tagging, visual search, background removal, category suggestions, and similarity vector generation for product images. These AI features are activated by the Brand at the workspace or asset level, and the Brand is responsible for assessing the legality of routing specific data through the AI pipeline.

The AI features are powered by API calls to Google Cloud Vertex AI (Gemini models) in the "europe-west4" region, provided by Google Ireland Limited acting as a Sub-processor. PixelAdmin has configured the integration so that data sent to Vertex AI is processed in "no-training" mode: Google may only use the data to generate the requested output for the specific call, and data is logged in accordance with Google's standard DPA. Data is not used to train, fine-tune, or improve Google's foundation models.

When an AI feature is activated, the following data may be sent to Vertex AI: product images (originals or scaled versions), accompanying metadata (SKU, category, season, brand-defined style notes), and any short text prompts from the Brand's users. Output—including suggested tags, descriptions, categories, and similarity vectors—is received back and stored in Cosmos DB tied to the relevant asset.

PixelAdmin does not make automated decisions producing legal effects or similarly significant impacts on natural persons via the Customer Portal (cf. GDPR Article 22). AI outputs are presented as suggestions, and a human user at the Brand must actively approve changes before they are applied.

The Brand is responsible for providing information to data subjects about the use of AI features where required by Articles 13/14, and for ensuring that special categories of personal data (Article 9) or criminal conviction data (Article 10) are not uploaded to the Customer Portal without a legal basis and a specific configuration agreement with PixelAdmin.

Regarding features that generate or manipulate image or text content (e.g., background removal, generating alternative product scenes, or AI-based descriptions), the Brand is responsible for complying with the transparency obligations arising from Article 50 of the EU Artificial Intelligence Act (Regulation (EU) 2024/1689), including labeling synthetic or manipulated content for end recipients where required. PixelAdmin provides the necessary technical documentation—including model provider, model version, and configuration metadata—to the Brand via the portal's asset metadata, enabling the Brand to fulfill these obligations.

PixelAdmin monitors developments in the EU AI Act and the Danish implementation landscape, continuously adjusting AI features to keep them classified outside the high-risk categories defined in the regulation. If a specific AI feature qualifies as high-risk due to a legislative change, PixelAdmin will either implement the necessary additional measures or disable the feature and notify the Brand in accordance with section 8.

11. Integrations and External Recipients

The Customer Portal offers integrations enabling the Brand to push product and image data to external sales and marketing channels, including Shopify and Zalando, as well as other channels that may be added over time. These integrations are only available on the Business and Enterprise tiers.

When the Brand activates an integration and provides valid API credentials, the Brand instructs PixelAdmin to send the selected payload (typically product metadata and image URLs or the image files themselves) to the external recipient. PixelAdmin executes the transmission as a data processor on the Brand's behalf under this Agreement.

The external recipients—including Shopify Inc., Shopify International Ltd., Zalando SE, and similar platforms—are considered independent data controllers concerning the personal data they receive. Therefore, they are not Sub-processors under this Agreement. The recipients' processing of the transferred data is governed by their own terms of service, privacy policies, and data processing agreements with the Brand.

This classification—external recipient as an independent data controller (controller-to-controller transfer), not as a Sub-processor—is a deliberate and essential part of the agreement design and reflects EDPB Guidelines 07/2020 on the concepts of controller and processor. PixelAdmin does not determine the purpose or means of the subsequent processing by the recipient, does not select the recipient on behalf of the Brand, and exercises no instructional authority over the recipient. PixelAdmin acts solely as a technical transmission conduit according to the Brand's documented instructions, cf. Appendix C, section C.6, and assumes no liability—under this Agreement or otherwise—for the recipient's subsequent processing of data.

The Brand is responsible for securing a lawful transfer mechanism between the Brand and the external recipient, including executing separate data processing agreements, controller-to-controller agreements, or Standard Contractual Clauses for third-country transfers where applicable. PixelAdmin provides reasonable assistance in documenting technical data flows upon request.

PixelAdmin retains integration run logs (timestamp, status, record count, error messages) for up to 12 months for troubleshooting and audit purposes. The payloads themselves are not retained beyond what is necessary for automated error retries and are subsequently deleted.

12. Assistance to the Controller

Taking into account the nature of the processing, PixelAdmin will, insofar as possible, assist the Brand through appropriate technical and organizational measures in fulfilling the Brand's obligation to respond to requests for exercising data subjects' rights as laid down in GDPR Chapter III, including:

  • Right of Access (Article 15)
  • Right to Rectification (Article 16)
  • Right to Erasure (Article 17)
  • Right to Restriction of Processing (Article 18)
  • Right to Data Portability (Article 20)
  • Right to Object (Article 21)

Assistance is primarily provided via the Customer Portal's self-service features—e.g., exporting data, deleting users or assets, and searching for data subjects via metadata. Where self-service is insufficient, the Brand can contact PixelAdmin's data protection team at dpo@pixeladmin.com, who will respond within a reasonable timeframe.

PixelAdmin further assists the Brand in ensuring compliance with the obligations pursuant to GDPR Articles 32 to 36, including security of processing, breach notification, prior consultation, and Data Protection Impact Assessments (DPIAs), taking into account the nature of the processing and the information available to PixelAdmin.

Assistance within the standard scope of the service is provided free of charge. For extensive or atypical requests—such as comprehensive historical data pulls or customized analyses—PixelAdmin may charge a reasonable time-and-materials fee, agreed upon in writing prior to execution.

The Customer Portal is not a channel for end-customer data subject access requests. Requests from the Brand's end customers, consumers, or other external data subjects must be handled directly by the Brand outside the portal. If PixelAdmin nonetheless receives such a request concerning personal data processed on behalf of the Brand, PixelAdmin will forward the request without undue delay to the primary data protection contact on the Brand's account and subsequently assist the Brand in accordance with this section. PixelAdmin does not independently respond to such requests from data subjects.

Regarding the Brand's own portal users (employees, partners, and invited guests), access requests are primarily handled via the Brand's administrator in the Customer Portal, who has the ability to export user data, change roles, and delete user accounts. Upon request, PixelAdmin can provide information on the technical data flows and logging associated with the individual user.

13. Personal Data Breaches

PixelAdmin will notify the Brand without undue delay after becoming aware of a personal data breach affecting personal data processed on behalf of the Brand. The notification is sent to the primary contact associated with the Brand's account and to the Brand's registered security/DPO contact, if specified in the portal.

Where possible, notification must be provided within 48 hours of PixelAdmin becoming aware of the breach, enabling the Brand to comply with its obligation to notify the competent supervisory authority within 72 hours, as per GDPR Article 33.

At minimum, the notification must include: a description of the nature of the breach, including the categories and approximate number of data subjects and records concerned; likely consequences; measures taken or proposed to mitigate the breach; and contact details for a relevant representative at PixelAdmin. Further information will be provided in phases as it becomes available.

PixelAdmin provides reasonable assistance to the Brand with documenting the breach, communicating with affected data subjects and authorities, and conducting subsequent root-cause analysis and preventive measures.

Breach notifications are sent via a secure, encrypted communication channel (signed email or MFA-protected portal message). The Brand specifies one or more breach recipients in the Customer Portal account settings. Until the breach has been investigated and communicated, information about the breach is treated as strictly confidential by both Parties, cf. section 6.

It is at the Brand's sole discretion as the data controller to assess whether a breach triggers a notification obligation to the supervisory authority under GDPR Article 33 and/or a communication obligation to the data subjects under GDPR Article 34. PixelAdmin does not independently notify supervisory authorities or data subjects regarding processing on behalf of the Brand, unless explicitly instructed to do so by the Brand or if PixelAdmin is legally obligated to do so in its capacity as data controller for adjacent processing.

In the event of a breach, PixelAdmin ensures the preservation of relevant forensic evidence (logs, snapshots, memory dumps, and configuration dumps) in an immutable format for at least 12 months after the breach's conclusion, to allow for subsequent regulatory investigations, legal proceedings, or audits. The chain of custody is documented in a formalized incident report, which can be made available under confidentiality upon the Brand's request.

14. Deletion and Return Upon Termination

Upon termination of the services covered by the Agreement, PixelAdmin shall—at the Brand's discretion—delete or return all personal data processed on behalf of the Brand and delete existing copies unless EU or national law requires continued storage.

For paid subscriptions (Pro, Business, Enterprise), the Brand's data is retained indefinitely as long as the subscription is active and paid. For free-tier accounts, the Brand's self-uploaded data is retained for up to 12 months from the last login or most recent activity, after which PixelAdmin is entitled to delete the data following a minimum 30-day prior written notice to the primary contact.

When a subscription is canceled or expires, the account enters a "recovery" state for up to 90 days. During this period, the Brand can export data using the portal's built-in export tools (CSV export of metadata, ZIP download of assets, and API-based export for the Enterprise tier). After the recovery period, data is deleted from the production environment.

Final deletion from backups occurs as part of the standard backup rotation and expiration cycle, but no later than 90 days after deletion from production. Logs containing personal data are deleted according to the retention periods specified in Appendix A.

PixelAdmin will confirm in writing to the Brand when the deletion is complete, if requested by the Brand. Certain aggregated and anonymized metadata that can no longer be attributed to an identifiable person may be retained for operations, capacity planning, and troubleshooting.

The Brand may at any time—but no later than upon subscription termination and prior to final deletion—inform PixelAdmin whether the Brand requires (i) deletion of all personal data, (ii) return of the data in a commonly used, structured, and machine-readable format, or (iii) a combination of the two, cf. GDPR Article 28(3)(g). If the Brand does not actively make a choice before the recovery period expires, deletion is deemed selected, and PixelAdmin will execute the deletion according to the documented deletion process.

Deletion is executed according to recognized technical standards for secure deletion (logical deletion accompanied by cryptographic erasure of the corresponding encryption keys in Azure Key Vault, rendering the Brand's data cryptographically inaccessible, including from existing backup snapshots, prior to the final rotation-based deletion). The chosen deletion protocol is documented as part of PixelAdmin's management system and can be made available upon reasonable request as documentation for the Brand's auditor or supervisory authority.
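The cryptographic erasure step described above can be illustrated in code. The following is an added example and is not PixelAdmin's own deletion routine: it uses an in-memory KeyVault class as a stand-in for Azure Key Vault and, so that it runs with the Python standard library alone, HMAC-SHA256 in counter mode as a keystream in place of the AES-256 the Agreement references (the construction, key names, and sample asset bytes are all assumptions). It shows the property section 14 relies on: backups keep only ciphertext, so once the tenant's key is erased, every copy, including older snapshots, becomes unreadable before the rotation-based deletion has run.

```python
import hashlib
import hmac
import secrets


class KeyVault:
    """In-memory stand-in for Azure Key Vault (assumption: a real deployment
    calls the Key Vault API; erase_key models delete followed by purge, so no
    recoverable copy of the key remains)."""

    def __init__(self):
        self._keys = {}

    def create_key(self, key_id):
        self._keys[key_id] = secrets.token_bytes(32)

    def get_key(self, key_id):
        if key_id not in self._keys:
            raise KeyError(f"key {key_id!r} has been erased")
        return self._keys[key_id]

    def erase_key(self, key_id):
        self._keys.pop(key_id, None)


def _subkey(root, label):
    # Derive separate encryption and MAC keys from the tenant's root key.
    return hmac.new(root, label, hashlib.sha256).digest()


def _keystream(enc_key, nonce, length):
    # HMAC-SHA256 in counter mode as a PRF keystream (stand-in for AES-256).
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_asset(vault, key_id, plaintext):
    """Encrypt-then-MAC under the tenant's key; returns nonce || ciphertext || tag."""
    root = vault.get_key(key_id)
    enc_key, mac_key = _subkey(root, b"enc"), _subkey(root, b"mac")
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_asset(vault, key_id, blob):
    """Raises KeyError once the tenant key is erased, ValueError on tampering."""
    root = vault.get_key(key_id)
    enc_key, mac_key = _subkey(root, b"enc"), _subkey(root, b"mac")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def erasure_demo():
    """Walk through the section 14 sequence and report what each step yields."""
    vault = KeyVault()
    key_id = "tenant-acme-dek"                     # constructed tenant key name
    vault.create_key(key_id)
    asset = b"constructed sample: bytes of a product photo"
    blob = encrypt_asset(vault, key_id, asset)
    backup_snapshot = bytes(blob)                  # backups hold ciphertext only
    readable_before = decrypt_asset(vault, key_id, backup_snapshot) == asset

    vault.erase_key(key_id)                        # cryptographic erasure
    try:
        decrypt_asset(vault, key_id, backup_snapshot)
        readable_after = True
    except KeyError:
        readable_after = False
    return {
        "readable_before": readable_before,
        "readable_after": readable_after,
        "backup_still_exists": len(backup_snapshot) > 0,
    }
```

The check a Brand's auditor would want is the last dictionary: the backup snapshot still exists after erasure, yet it can no longer be decrypted, which is exactly the state the Agreement describes between key erasure and the final rotation-based deletion.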

15. Audit and Inspection

PixelAdmin makes all information necessary to demonstrate compliance with GDPR Article 28 and this Agreement available to the Brand, and enables and contributes to audits, including inspections conducted by the Brand or another auditor mandated by the Brand.

PixelAdmin fulfills the obligation in GDPR Article 28(3)(h) to continuously make available the information necessary to demonstrate compliance through the PixelAdmin Trust Center. The Trust Center is PixelAdmin's publicly accessible legal document hub and contains the current public legal documents (this DPA, the SaaS Agreement, EULA, AUP, SLA, and Privacy Policy), the currently applicable overview of Sub-processors, and sub-processor notices. Material not published directly—including sub-processor attestations (SOC 2 Type II and ISO/IEC 27001/27017/27018 reports for Microsoft Azure and Google Cloud, as well as PCI DSS Level 1, SOC 1, and SOC 2 attestations for Stripe), PixelAdmin's own internal security and governance policies, and completed security questionnaires (CAIQ-Lite, SIG-Lite, or the Brand's own)—can be made available upon reasonable written request from the Brand under a mutual non-disclosure agreement.

The Brand accepts that PixelAdmin may, as a first tier, fulfill its obligations by providing recognized third-party attestations and reports for PixelAdmin's sub-processors ("burden of proof via attestation"), including ISO/IEC 27001, ISO/IEC 27017, and ISO/IEC 27018 certificates and SOC 2 Type II reports for Microsoft Azure and Google Cloud (Vertex AI Gemini), as well as PCI DSS Level 1, SOC 1, and SOC 2 attestations for Stripe (for processing of payment data), combined with PixelAdmin's own internal security and governance policies and written responses to security questionnaires (CAIQ-Lite, SIG-Lite, or similar). PixelAdmin itself is not ISO/IEC 27001 or SOC 2 Type II certified, and the burden of proof for PixelAdmin's own controls is thus managed through the internal policies and questionnaire responses, while the third-party reports solely concern the sub-processors. Depending on the Brand's risk exposure and agreed tier, this documentation—together with the Brand's right to conduct remote audits via written questionnaires (e.g., CAIQ-Lite or SIG-Lite)—is considered sufficient to fulfill the Brand's audit obligation, unless there is a specific justified suspicion of breach.

If the provided reports are insufficient to address specifically justified compliance concerns, the Brand may require a supplementary audit conducted by the Brand itself or by an independent third-party auditor who is not a competitor of PixelAdmin. The audit must be agreed upon in writing, conducted with reasonable notice (at least 30 days), during normal business hours, no more than once per calendar year (unless there is a specific suspicion of a breach), and in a manner that minimally disrupts PixelAdmin's operations.

The Brand bears its own costs as well as PixelAdmin's reasonable costs associated with the audit, unless the audit reveals a material breach by PixelAdmin. The results of the audit are confidential and may only be used to assess PixelAdmin's compliance with the Agreement.

16. Liability and Breach

The Parties' liability under this Agreement is governed by the general limitations of liability in PixelAdmin's Terms of Service, provided that limitations of liability cannot be invoked where this would contravene mandatory provisions of data protection legislation, including GDPR Article 82.

The aggregated liability cap for claims arising out of or related to this Agreement is set out in the relevant provisions in Subscription Terms and is calibrated to the Brand's subscription tier (Free, Pro, Business, or Enterprise), such that lower tiers have a lower absolute cap and the Enterprise tier has a higher cap commensurate with the agreed remuneration. The cap does not apply to claims that cannot be limited by contract (including claims under GDPR Article 82, claims arising from willful misconduct or gross negligence, or claims regarding personal injury).

Each Party is liable for its own violations of the GDPR. Where a data subject brings a claim under GDPR Article 82 against one of the Parties, and the claim is due to the other Party's circumstances, the liable Party has a right of recourse against the other Party in accordance with GDPR Article 82(5).

In the event of a material breach of the Agreement that is not remedied within 30 days of written notice, the non-breaching Party may terminate the underlying subscription(s), in which case the provisions on deletion and return in section 14 shall apply.

17. Effective Date and Termination

The Agreement enters into force on the date of the Brand's acceptance (typically upon creation of the brand account or first activation of the Customer Portal) and remains in effect as long as PixelAdmin processes personal data on behalf of the Brand.

The Agreement cannot be terminated independently as long as there is an active subscription or active brand account, but terminates automatically when all processing on behalf of the Brand is completed and section 14 has been executed.

Provisions that by their nature are intended to apply after the termination of the Agreement—including provisions on confidentiality, deletion, liability, and governing law—shall remain in force to the necessary extent.

The Agreement is governed by Danish law, and any dispute arising in connection with the Agreement shall be settled by the Maritime and Commercial High Court in Copenhagen as the court of first instance, unless mandatory rules of jurisdiction dictate otherwise.

Appendix A: Processing Details

A.1. Purpose of Processing

PixelAdmin processes personal data on behalf of the Brand for the purpose of delivering the features in the Customer Portal that the Brand has chosen to activate, including account management, asset management, AI-powered image editing, omnichannel distribution, billing, and analytics.

A.2. Nature of Processing

Processing includes, among other things, collection, recording, organization, structuring, storage, adaptation, display, retrieval, use, disclosure by transmission, deletion, and destruction in connection with operating the Customer Portal. This includes generating derived versions of visual assets (presets, thumbnails, AI tags) as well as logging user activity for security and analytics purposes.

A.3. Types of Personal Data

The processing may include the following types of personal data:

  • Identity Data for Portal Users: name, email address, user role, login times, IP address, and device information, managed via Azure AD B2C.
  • Product Catalog Metadata: SKU, product name, category, season, pricing information, and brand-defined custom metadata. These fields are typically not personal data, but may in rare cases contain personal data (e.g., a designer's name).
  • Visual Assets: delivered product photography (original files) and brand-defined download presets/scaled versions. Assets may show identifiable persons (models, employees) and thus constitute personal data.
  • Collaboration Data: review and approval actions, comments, proposed changes to style guides, including author identity and timestamps.
  • AI Input and Output: images and prompts sent to Vertex AI, as well as generated tags, descriptions, similarity vectors, and category suggestions (only when AI features are enabled).
  • Integration Data: payloads to Shopify, Zalando, and similar channels consisting of product and image data, as well as technical receipts (only for Business+).
  • Billing Data: company name, billing address, VAT number, contact person, and payment metadata. The actual credit card data is processed directly by the payment provider and is not covered by the Agreement.
  • Usage Analytics: event logs of portal interactions displayed in the Brand's own analytics dashboard.

Special Categories and Third Parties: To a limited extent, the Brand may upload content containing minor amounts of personal data about end customers or models (e.g., model names in style guides, employee names in metadata descriptions). The Customer Portal is not designed to process special categories of personal data (Article 9) or criminal conviction data (Article 10), and the Brand must not upload such data without a separate agreement with PixelAdmin.

A.4. Categories of Data Subjects

  • The Brand's employees and authorized users of the Customer Portal.
  • Models, talent, and other individuals appearing in delivered product images.
  • External partners invited as commenters or approvers.
  • End customers or business contacts occasionally referenced in metadata, comments, or style guides.

A.5. Duration of Processing and Retention

Processing occurs as long as the Brand has an active subscription or an active free-tier account. Specific retention periods apply to: usage analytics events (up to 24 months), audit logs (12 months), integration payload logs (12 months), AI input/output cache (up to 90 days, unless the Brand has opted for longer storage as part of asset metadata), and backups (up to a 35-day rolling cycle).

A.6. Processing Locations

All primary processing takes place in Microsoft Azure data centers in the "west europe" (Netherlands) and "north europe" (Ireland) regions. AI calls are routed to Google Vertex AI in the "europe-west4" (Netherlands) region. Support and operational access occur from PixelAdmin's offices in Denmark and approved remote workspaces within the EU/EEA via encrypted VPN and MFA.

A.7. Deletion Procedures

Deletion occurs as described in Section 14. For free-tier accounts, the deletion process triggers automatically after 12 months of inactivity, while paid accounts are deleted following a 90-day recovery period after subscription termination. Backups rotate out of the standard cycle within 35 days. Logs are deleted on a rolling basis according to the retention periods specified in A.5.

Appendix B: Sub-processors

B.1. Approved Sub-processors

Upon the Agreement's entry into force, the Brand has approved the use of the following Sub-processors:

Sub-processor: Microsoft Ireland Operations Limited
Processing: Hosting and infrastructure for the Customer Portal in Microsoft Azure: Azure App Service and Azure Functions (compute), Azure Cosmos DB (operational data), Azure Blob Storage (visual assets and backups), Azure AD B2C (identity and access management), Azure Application Insights and Azure Monitor (operational logs and telemetry), and Azure Communication Services (transactional email).
Location: EU (“west europe” and “north europe” regions)

Sub-processor: Google Ireland Limited
Processing: Provision of generative AI models (Gemini family) via Google Cloud Vertex AI for auto-tagging, visual search, categorization, and image transformations. Configured in "no-training" mode so Google does not use the Brand's data to train or improve foundation models.
Location: EU (“europe-west4” region, Netherlands)

Sub-processor: Stripe Payments Europe Limited
Processing: Payment processing and subscription billing for the Brand's Pro, Business, and Enterprise plans: card payments, SEPA direct debit, invoice handling, renewals, and refunds. Stripe is an independent data controller for card data collected in Stripe's payment forms and a data processor for PixelAdmin concerning subscription metadata, invoice IDs, and contact information. PCI-DSS Level 1 certified. Used solely for Brand subscribers completing self-service payments—not for studio-provided data.
Location: EU (Ireland), with supplemental global infrastructure for payment settlement governed by Stripe's DPA and SCCs.

B.2. Notice of Changes

PixelAdmin will provide the Brand with at least 30 days' written notice of any planned changes regarding the addition or replacement of Sub-processors. The notice is sent to the Brand's primary contact and published in the Customer Portal. The Brand's rights to object and terminate are set out in Section 8.

B.3. External Recipients Not Considered Sub-processors

Shopify, Zalando, and other external sales channels to which the Brand activates integrations are independent data controllers and are not Sub-processors under this Agreement, cf. Section 11.

Appendix C: Instructions regarding Personal Data Processing

C.1. Subject Matter and Documented Instructions

PixelAdmin is instructed to process personal data on behalf of the Brand to provide the Customer Portal, as described in the Agreement and PixelAdmin's Terms of Service. The documented instructions include: hosting and storing the Brand's uploaded data, providing search, review, and approval features, generating derivative versions of assets, providing AI features (when enabled), providing integrations to external channels (when enabled), generating analytics reports for the Brand's own use, and deleting or exporting data upon the Brand's request.

C.2. Technical and Organizational Measures

PixelAdmin implements an adequate security baseline, which as a minimum includes:

Access Control

Identity management via Azure AD B2C, multi-factor authentication for all administrators and PixelAdmin employees, role-based access control with the principle of least privilege, segmentation between brand tenants, and automatic revocation of access upon termination of employment.

Multi-tenant isolation is enforced as described in section 7: each brand is allocated a unique tenant identifier, which is filtered at the database level via partition keys in Cosmos DB and container/prefix scoping in Azure Blob Storage; all API requests are validated against the tenant context in the issued access token before reaching the data layer; support access is logged per tenant and is subject to formalized break-glass procedures with escalation requirements and subsequent management review.
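The tenant isolation rule above (partition key taken from the token, not the request; prefix scoping in Blob Storage; logged break-glass access) can be shown as a small data-layer guard. This is an added example, not PixelAdmin's code: the in-memory ASSETS_BY_TENANT dictionary stands in for Cosmos DB partitions, BREAK_GLASS_AUDIT for the per-tenant support log, and the claim names "tid", "sub" and "roles" are hypothetical. It assumes the token's signature, issuer, audience, and expiry were already verified upstream, and only covers binding the tenant and enforcing it at the data layer.

```python
from dataclasses import dataclass

# Constructed in-memory stand-in for per-tenant Cosmos DB partitions.
ASSETS_BY_TENANT = {
    "tenant-a": [{"id": "img-1", "sku": "A-100"}],
    "tenant-b": [{"id": "img-2", "sku": "B-200"}],
}

BREAK_GLASS_AUDIT = []  # per-tenant support access log (stand-in for Azure Monitor)


class TenantMismatch(PermissionError):
    """Raised when a request names a tenant other than the one bound in the token."""


@dataclass(frozen=True)
class TenantContext:
    tenant_id: str
    subject: str
    roles: frozenset


def tenant_context_from_claims(claims):
    """Bind the tenant from an already-verified token. Assumption: the tenant
    claim is named 'tid' and roles live in 'roles' (hypothetical claim names)."""
    tenant_id = claims.get("tid")
    if not tenant_id:
        raise PermissionError("token carries no tenant claim")
    return TenantContext(tenant_id, claims["sub"], frozenset(claims.get("roles", ())))


def list_assets(ctx, requested_tenant=None):
    """Data-layer read: the partition key comes from the token, never from the
    request. A request naming another tenant is rejected rather than silently
    rewritten, so the attempt shows up in the logs."""
    if requested_tenant is not None and requested_tenant != ctx.tenant_id:
        raise TenantMismatch(
            f"{ctx.subject} is bound to {ctx.tenant_id} but requested {requested_tenant}"
        )
    return list(ASSETS_BY_TENANT.get(ctx.tenant_id, []))


def blob_path(ctx, asset_name):
    """Prefix-scope a blob name under the tenant's prefix; reject separators
    and dot segments so a name cannot escape the tenant prefix."""
    if "/" in asset_name or "\\" in asset_name or asset_name in ("", ".", ".."):
        raise ValueError(f"invalid asset name {asset_name!r}")
    return f"{ctx.tenant_id}/{asset_name}"


def break_glass_read(ctx, target_tenant, ticket_id):
    """Support read across tenants: needs the support role and an escalation
    ticket reference, and is always written to the per-tenant audit log."""
    if "support" not in ctx.roles:
        raise PermissionError("break-glass requires the support role")
    if not ticket_id:
        raise PermissionError("break-glass requires an escalation ticket reference")
    BREAK_GLASS_AUDIT.append({"actor": ctx.subject, "tenant": target_tenant, "ticket": ticket_id})
    return list(ASSETS_BY_TENANT.get(target_tenant, []))
```

The design point is that no code path accepts a tenant identifier from the caller as the source of truth: ordinary reads ignore it except to detect a mismatch, and the only cross-tenant path requires a role, a ticket, and leaves an audit record that can be reviewed afterwards.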

Encryption and Pseudonymization

Encryption in transit via TLS 1.2+ for all external and internal connections, encryption at rest via AES-256 for blob storage, Cosmos DB, and backups, and key management via Azure Key Vault. Pseudonymization is used for support cases where possible.

Logging and Monitoring

Centralized logging of access, administrative actions, and security-relevant events via Azure Monitor and Application Insights. Logs are kept in an immutable structure for the retention period specified in Appendix A.5 and are proactively monitored by PixelAdmin's operations and security team.

Backup and Business Continuity

Daily encrypted backups of Cosmos DB and Blob Storage, replication across geographically separated zones within the EU, and documented, tested recovery procedures. Recovery objectives: RPO max 24 hours, RTO max 24 hours for the critical functions of the Customer Portal.

Vulnerability Management and Testing

Continuous vulnerability scanning of the application, container images, code dependencies, and infrastructure (e.g., via Dependabot, Microsoft Defender for Cloud, and similar tools), monthly patch cycles for critical components, internal code and security reviews of new features and architecture changes, a coordinated vulnerability disclosure channel at security@pixeladmin.com, and a formalized process for handling security-relevant incidents and deviations.

Incident Management

A formalized incident response plan with clear roles, escalation paths, and communication protocols. Notification of the Brand in accordance with Section 13. Post-incident reports with root cause analysis and preventive measures.

Personnel Security

Background checks of employees with production access, mandatory non-disclosure agreements, regular data protection and security training, and onboarding/offboarding procedures for access rights.

Physical Security

Physical security is managed by Microsoft Azure in certified data centers with 24/7 monitoring, biometric access control, and CCTV. PixelAdmin's own offices are protected by keycards, alarms, and a clean-desk policy.

C.3. Processing Location

Processing of personal data covered by the Agreement takes place within the EU/EEA, cf. Appendix A.6. Any change of location requires the Brand's prior written approval, unless the change merely consists of moving between two EU/EEA-based regions with an existing Sub-processor.

C.4. Instructions Regarding Transfer to Third Countries

PixelAdmin is instructed not to transfer personal data to third countries outside the EU/EEA without a valid transfer basis under GDPR Chapter V and without prior documented instructions from the Brand. If the Brand itself activates integrations or features that entail a transfer to third countries (e.g., integrations with non-EU sales channels), the Brand bears responsibility for the transfer basis vis-à-vis the affected recipients.

C.5. Specific Instructions Regarding AI Features

When the Brand enables AI features in the Customer Portal, the Brand instructs PixelAdmin to send relevant images and metadata to Google Vertex AI under the conditions described in Section 10. The Brand can disable AI features on a workspace basis at any time, and future operations will subsequently not involve Vertex AI. Already generated AI outputs are preserved as part of the asset metadata until the Brand chooses to delete them.

C.6. Specific Instructions Regarding Integrations

When the Brand activates an integration with Shopify, Zalando, or another external channel and provides valid API credentials, the Brand instructs PixelAdmin to execute the chosen transmission to the respective recipient. The Brand is responsible for ensuring that the recipient has a valid legal basis to receive and process the data, including any controller-to-controller agreements and Standard Contractual Clauses for transfers to third countries.

C.7. Assistance to the Data Controller

PixelAdmin provides assistance as described in section 12. Requests are submitted via the Customer Portal's support function or directly to dpo@pixeladmin.com. Standard requests are answered without a separate fee. Atypical or highly extensive requests are invoiced subject to prior written agreement.

C.8. Audit Procedures

Audits and inspections are conducted as described in section 15. PixelAdmin will, upon reasonable request and under a mutual non-disclosure agreement, provide relevant attestations and reports, including ISO/IEC 27001, ISO/IEC 27017, and ISO/IEC 27018 certificates and SOC 2 Type II reports for the Sub-processors (Microsoft Azure and Google Cloud), as well as PCI DSS Level 1, SOC 1, and SOC 2 attestations for Stripe, supplemented by PixelAdmin's own internal security and governance policies and written responses to security questionnaires (CAIQ-Lite, SIG-Lite, or similar). Where a supplementary audit is necessary, the schedule, scope, and costs will be agreed upon in writing prior to execution.

C.9. Contact

For questions regarding this Agreement or PixelAdmin's processing of personal data, the Brand can contact PixelAdmin's data protection team at dpo@pixeladmin.com. The Brand specifies a primary data protection contact in the Customer Portal under account settings.