Data Processing Agreement

This Data Processing Agreement governs the processing of personal data in accordance with GDPR Article 28.

Last updated: May 2, 2026

1. Parties

The data controller is the customer utilizing the PixelAdmin service (“Customer” or “Data Controller”).

The data processor is PixelAdmin ApS, CVR no. 45447588, Falkoner Allé 90, 2000 Frederiksberg, Denmark (“PixelAdmin” or “Data Processor”).

This Data Processing Agreement (“DPA”) is entered into between the Data Controller and the Data Processor (collectively “the Parties”) and forms an integral part of PixelAdmin's Terms of Service.

2. Preamble

This DPA sets out the rights and obligations of the Data Processor when processing personal data on behalf of the Data Controller.

This DPA is designed to ensure the Parties' compliance with Article 28(3) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, “GDPR”).

In connection with the delivery of PixelAdmin services (“the Service”), the Data Processor processes personal data on behalf of the Data Controller in accordance with this DPA.

This DPA takes precedence over any conflicting provisions in other agreements between the Parties.

3. Scope

This Data Processing Agreement applies exclusively to Customers subject to the EU General Data Protection Regulation (GDPR). The terms of this agreement apply only to processing activities falling within the scope of the GDPR.

3a. Dual Role and Customer Portal Data

PixelAdmin offers a Customer Portal where the Data Controller's (the Studio's) brand customers can create their own user accounts, upload product data, review deliverables, and initiate AI-powered image editing. The introduction of the Customer Portal means that PixelAdmin, depending on the specific processing relationship, may act in multiple roles under the GDPR. The Parties acknowledge and accept the role distribution set out below.

For processing where the Studio (the Data Controller under this DPA) uses the Service—including the Customer Portal—to execute a production on behalf of a brand that is the ultimate data controller toward the data subjects, PixelAdmin is a data processor for the Studio. In this situation, PixelAdmin may simultaneously act as a sub-processor for the respective brand, as the Studio engages PixelAdmin to process personal data on the brand data controller's behalf. The Studio is responsible for ensuring that an adequate contractual framework exists between the Studio and the brand, including a data processing agreement that permits the Studio to use PixelAdmin as a sub-processor in accordance with GDPR Article 28(2) and (4).

For processing where a brand creates an account in the Customer Portal and uploads personal data or product data directly to PixelAdmin—including product sheets, AI instructions, and distribution details—without the Studio having received or provided the material yet, PixelAdmin is a data processor directly for the brand (the Data Controller). The same applies where the brand is a customer on a paid PixelAdmin plan (Pro, Business, or Enterprise) and uses features like AI tagging, omnichannel distribution, or its own user teams without a Studio being involved. These direct processing relationships between the brand and PixelAdmin are not governed by this DPA, but by a separate data processing agreement ("Brand DPA") entered into between the brand and PixelAdmin.

| Scenario | Brand | Studio | PixelAdmin |
| --- | --- | --- | --- |
| The Studio produces and delivers via the Client Portal (Free-tier for the brand) | Data Controller | Data Processor | Sub-processor for the Studio |
| The brand uploads product sheets via the portal wizard before the Studio is involved | Data Controller | Not yet involved | Direct Data Processor for the brand (Brand DPA) |
| The brand is on a Pro, Business, or Enterprise plan with its own team, AI, and omnichannel distribution | Data Controller | Not applicable | Direct Data Processor for the brand (Brand DPA) |

To the extent PixelAdmin acts as a sub-processor for the Studio in relation to a brand, all obligations in this DPA apply similarly to the sub-engagement, and PixelAdmin imposes the same data protection obligations on its own sub-processors as set out in Annex B, cf. GDPR Article 28(4). The Studio ensures that the brand (the final Data Controller) has received sufficient information about PixelAdmin's identity and processing activities, including by reference to this DPA and Annex B.

Processing where PixelAdmin acts as a direct Data Processor for a brand via the Client Portal is exhaustively governed by the separate Brand DPA. The Brand DPA is available at pixeladmin.dk/legal/dpa/brand and is automatically entered into upon the brand's acceptance of the Client Portal terms. The Studio is not a party to the Brand DPA and bears no responsibility for the processing activities initiated directly by the brand towards PixelAdmin without the Studio's involvement.

Where the same dataset transitions from a "brand-direct" flow to a "studio-delivered" flow (or vice versa), the Parties commit to loyally cooperate in ensuring continuous compliance with the GDPR, including regarding the duty of information to data subjects, legal basis for processing, security, and the exercise of data subjects' rights. PixelAdmin maintains technical separations in logging, access control, and data storage, making it possible to document under which agreement (this DPA or the Brand DPA) a given processing activity is performed.

4. Rights and Obligations of the Data Controller

The Data Controller is responsible for ensuring that the processing of personal data complies with the GDPR, other applicable data protection provisions of EU or Member State law, and this DPA.

The Data Controller has the right and obligation to determine the purposes and means of the processing of personal data.

The Data Controller is responsible for ensuring a valid legal basis for the processing of personal data that the Data Processor is instructed to perform.

5. The Data Processor Acts on Instructions

The Data Processor shall process personal data only on documented instructions from the Data Controller, unless required to do so by Union or Member State law to which the Data Processor is subject. These instructions are specified in Appendices A and C. Subsequent instructions may also be given by the Data Controller throughout the duration of the processing of personal data, provided they are documented and kept in written form, including electronically, together with this DPA.

The Data Processor must immediately inform the Data Controller if, in its opinion, an instruction infringes the GDPR or other Union or Member State data protection provisions.

6. Confidentiality

The Data Processor must only grant access to personal data being processed on behalf of the Data Controller to persons operating under the Data Processor's authority who have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality, and only on a strict need-to-know basis.

At the Data Controller's request, the Data Processor must be able to demonstrate that the persons operating under its authority are subject to the aforementioned confidentiality obligation.

7. Security of Processing

In accordance with GDPR Article 32, the Data Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.

The Data Processor shall assist the Data Controller in ensuring compliance with the Data Controller's obligations pursuant to GDPR Article 32, including by providing the Data Controller with information concerning the technical and organizational measures already implemented by the Data Processor.

If the Data Controller's assessment of the identified risks requires the implementation of measures beyond those already implemented by the Data Processor, the Data Controller must specify these required additional measures in Appendix C.

8. Use of Sub-processors

The Data Processor must meet the conditions set out in GDPR Article 28(2) and (4) to engage another processor (a sub-processor).

The Data Processor has the Data Controller's general authorization to use sub-processors. The exhaustive list of approved sub-processors applicable at any given time, including their legal entity name, processing activity, location, and transfer basis, is set out in Annex B to this DPA. By entering into this DPA, the Data Controller confirms having approved the sub-processors listed in Annex B.

The Data Processor must notify the Data Controller in writing of any intended changes concerning the addition or replacement of sub-processors with at least 30 days' notice, thereby giving the Data Controller the opportunity to object to such changes. Objections must be submitted in writing to the Data Processor before the expiry of the notice period and must be reasonably justified in relation to data protection. If the Parties cannot reach an agreement on an alternative solution, the Data Controller may terminate the part of the Service affected by the new sub-processor without further obligation than payment for services rendered up to the time of termination.

Where the Data Processor engages a sub-processor for carrying out specific processing activities on behalf of the Data Controller, the same data protection obligations as set out in this DPA shall be imposed on the sub-processor by way of a contract. The Data Processor is therefore responsible for ensuring that the sub-processor complies at a minimum with the obligations to which the Data Processor is subject pursuant to this DPA and the GDPR.

If the sub-processor fails to fulfill its data protection obligations, the Data Processor remains fully liable to the Data Controller for the performance of the sub-processor's obligations.

Where the Data Processor itself acts as a sub-processor vis-à-vis the Data Controller (cf. section 3a), the sub-processors listed in Annex B are subjected to corresponding data protection obligations, and the final Data Controller (e.g., the brand) is granted indirect rights through the Data Processor's agreements with these sub-processors.

9. Transfer of Data to Third Countries or International Organizations

Any transfer of personal data to third countries or international organizations by the Data Processor shall only occur on the basis of documented instructions from the Data Controller and must always take place in compliance with Chapter V of the GDPR.

If a transfer of personal data to a third country or international organization, which the Data Processor has not been instructed to perform by the Data Controller, is required under EU or Member State law to which the Data Processor is subject, the Data Processor must inform the Data Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.

The Data Controller's instructions regarding the transfer of personal data to a third country, including the relevant transfer mechanism under GDPR Chapter V on which the transfer is based, must be set out in Appendix C.6.

10. Assistance to the Data Controller

Taking into account the nature of the processing, the Data Processor shall assist the Data Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Data Controller's obligation to respond to requests for exercising the data subject's rights laid down in Chapter III of the GDPR. This includes assistance with:

  • Right of access
  • Right to rectification
  • Right to erasure ("right to be forgotten")
  • Right to restriction of processing
  • Right to data portability
  • Right to object

The Data Processor shall assist the Data Controller in ensuring compliance with the following obligations, taking into account the nature of processing and the information available to the Data Processor:

  • The obligation to notify a personal data breach to the competent supervisory authority without undue delay.
  • The obligation to carry out an assessment of the impact of the envisaged processing operations on the protection of personal data prior to processing.
  • The obligation to consult the competent supervisory authority prior to processing where a data protection impact assessment indicates that the processing would result in a high risk.

11. Notification of Personal Data Breach

The Data Processor shall notify the Data Controller without undue delay after becoming aware of a personal data breach concerning personal data covered by this DPA.

The Data Processor's notification to the Data Controller must, if possible, take place no later than 48 hours after becoming aware of the breach, enabling the Data Controller to fulfill its obligation to report the personal data breach to the competent supervisory authority within 72 hours, cf. GDPR Article 33. Where the full scope of the incident cannot be determined within the deadline, the Data Processor will provide an initial notification and update it continuously as the investigation progresses.

To the extent possible at the time of notification, the notification shall include (i) a description of the nature of the breach, including, where possible, the categories and approximate number of data subjects and personal data records concerned, (ii) the name and contact details of the Data Processor's data protection officer or other single point of contact where more information can be obtained, (iii) a description of the likely consequences of the breach, and (iv) a description of the measures taken or proposed to be taken to address the breach and mitigate its potential adverse effects. The Data Processor will assist the Data Controller in fulfilling its communication obligation to data subjects, cf. GDPR Article 34, where such an obligation exists.

The Data Processor has implemented a 24/7-monitored incident response and a formalized escalation process ensuring that security incidents at a sub-processor (e.g., Microsoft, Google, or Stripe) are communicated to the Data Controller within the same 48-hour timeframe, calculated from the moment the Data Processor receives notification from the sub-processor. Notifications are sent to the primary administrative contact registered with the Data Processor, and—if available—to the email specified as the contact point for security incidents.

A notification from the Data Processor does not in itself constitute an admission of liability or fault. The Parties will cooperate in good faith to investigate, document, and mitigate the breach, including maintaining a shared timeline, securing evidence, and coordinating communication to data subjects and authorities.

11a. Liability and Indemnity

Each Party is liable to the other Party and to the data subjects in accordance with GDPR Article 82 and general Danish tort law principles. The Parties' liability to each other under this DPA is—unless otherwise expressly agreed—subject to the aggregated liability cap and exclusions set out in the underlying SaaS agreement between the Parties. The aggregated maximum applies cumulatively to the SaaS agreement and this DPA.

The limitation of liability does not apply to (i) fines imposed by a supervisory authority directly on the liable Party for matters proven to be caused by that Party's gross negligence or willful misconduct, (ii) losses caused by an intentional or grossly negligent breach of the confidentiality obligations in section 6, (iii) compensation to data subjects awarded by a competent court as a direct result of the liable Party's breach, or (iv) violations of applicable law where a disclaimer of liability is invalid under Danish law.

The Data Controller shall indemnify the Data Processor for any loss the Data Processor may suffer as a result of the Data Controller's instructions, legal basis for processing, or duty of disclosure to data subjects not complying with the GDPR, and which is not due to the Data Processor's own breach of this DPA. Similarly, the Data Processor shall indemnify the Data Controller for losses caused by the Data Processor's breach of this DPA, up to the agreed liability cap.

12. Deletion and Return of Data

Upon termination of the provision of data processing services, the Data Processor is obligated, at the choice of the Data Controller, to delete or return all personal data to the Data Controller and delete existing copies unless EU or Member State law requires storage of the personal data.

The Data Controller must state its choice between deletion and return no later than 30 days after the termination of the Service. Return is provided as a complete export of structured data sets in a commonly used, machine-readable format (e.g., JSON, CSV, or Parquet), alongside the asset library in the original file formats (e.g., JPEG, TIFF, and RAW), supplemented by a metadata folder. In accordance with Articles 25 and 27 of the EU Data Act (Regulation 2023/2854), the Data Processor provides reasonable assistance to enable the Data Controller to migrate data to an alternative provider, including by making technical interfaces, documentation, and data maps available.

Deletion of personal data is executed no later than 90 days after the termination of the Service (or following the Data Controller's request for earlier deletion), with the first 30 days used for any potential export, and the subsequent period used for deletion from production systems, search indexes, and rolling backups. The Data Processor is not exempt from the deletion obligation because data is written to immutable backups; data is overwritten or expires automatically in accordance with the Data Processor's documented backup rotation schedule, which does not exceed 90 days. Deletion of logs containing personal data occurs according to the retention period agreed upon in Appendix A.7.

Upon request from the Data Controller, the Data Processor issues a written Certificate of Deletion confirming that the deletion has been executed, which data categories and systems are covered, and any remaining statutory retention (e.g., accounting records under the Danish Bookkeeping Act). Personal data necessary to fulfill the Data Processor's own legal obligations or defend legal claims is retained to the minimum extent strictly necessary and isolated from the production environment.

13. Audits and Inspections

The Data Processor shall make available to the Data Controller all information necessary to demonstrate compliance with GDPR Article 28 and this DPA, and allow for and contribute to audits, including inspections, conducted by the Data Controller or another auditor mandated by the Data Controller.

To minimize operational disruptions and protect confidential information about the Processor's other customers, the audit obligation may primarily be fulfilled by the Processor providing: (i) a current description of the technical and organizational measures, cf. Appendix C.2, (ii) the Processor's own internal security and governance policies and procedures, including high-level excerpts of relevant internal reviews and a summarized status of ongoing vulnerability scanning, patch cycles, and change management, (iii) third-party attestations and auditor reports for the Processor's sub-processors, including SOC 2 Type II and ISO/IEC 27001/27017/27018 reports for Microsoft Azure and Google Cloud, as well as PCI DSS Level 1, SOC 1, and SOC 2 reports for Stripe, forwarded under a mutual non-disclosure agreement and within the frameworks permitted by the sub-processors' own terms, and (iv) written responses to a reasonable number of security and data protection questions from the Controller or their auditor (e.g., CAIQ-Lite, SIG-Lite, or similar questionnaires). The Processor itself is not SOC 2 Type II or ISO/IEC 27001 certified and therefore does not distribute its own attestation reports; the burden of proof for the Processor's own controls is managed through the internal policies and written responses mentioned under (ii) and (iv), while (iii) solely concerns the sub-processors. Where this complete documentation package reasonably documents compliance with the relevant control areas, the Parties agree that it constitutes an adequate basis for the audit obligation.

Where the Data Controller has a legitimate need for an additional on-site or remote audit, this is conducted at most once annually (unless otherwise required by a competent supervisory authority or immediately following a confirmed personal data breach), with at least 30 days' written notice, during the Data Processor's normal business hours, and under an appropriate Non-Disclosure Agreement (NDA). The audit must not unreasonably disrupt the Data Processor's operations or compromise the confidentiality or security of other customers' data. If a third-party auditor is used, they must not be a competitor to the Data Processor, and the auditor must sign an equivalent NDA. The Data Controller bears its own and its auditor's costs; the Data Processor's own staff and preparation costs exceeding a reasonable assistance of up to 16 hours annually may be invoiced at the Data Processor's standard consulting rates.

Regarding sub-processors, the audit right is primarily fulfilled by the Data Processor relaying the results of audits conducted by the sub-processor itself or its auditor, including SOC 2 Type II and ISO/IEC 27001 reports. Direct audits of a sub-processor can only be conducted where the sub-processor's own contract terms permit it, and in observance of the same framework as outlined above.

The procedures for the Data Controller's audits, including inspections, of the Data Processor and sub-processors are detailed in Appendices C.7 and C.8.

13a. Sector-Specific Flow-Down Obligations (NIS2)

Where the Data Controller is an 'essential' or 'important' entity under the NIS2 Directive (Directive (EU) 2022/2555) or provides critical services to such an entity, and the PixelAdmin service is considered a relevant ICT supply in this context, the Data Processor will cooperate in good faith regarding the NIS2 obligations that flow down to the Data Processor under national implementation laws. This includes timely sharing of relevant incident information to enable the Data Controller to meet its early warning and subsequent reporting deadlines to the competent authority, as well as reasonable assistance with the Data Controller's supply chain security management.

The Data Controller is responsible for assessing whether it or its own customers are covered by NIS2, and for notifying the Data Processor of this in writing. The Data Processor reserves the right to invoice reasonable additional costs arising from distinct sector-specific obligations outside the Service's standard configuration. PixelAdmin does not target financial entities covered by the DORA regulation (Regulation (EU) 2022/2554); if such an entity wishes to adopt the Service, specific DORA-related terms must be agreed upon separately, subject to PixelAdmin's prior written acceptance.

14. Other Agreements

The parties may agree on other provisions relating to the service, e.g., liability, provided that these other provisions do not contradict directly or indirectly this DPA or prejudice the fundamental rights and freedoms of the data subject as provided by the GDPR.

This DPA is supplemented by the following additional agreements:

15. Effective Date and Termination

This DPA becomes effective on the date of Customer acceptance.

This DPA remains valid as long as the data processing services are provided. During this period, the DPA cannot be terminated unless other provisions governing the provision of services are agreed upon between the Parties.

Appendix A: Processing Information

A.1. Purpose of Processing

The Data Processor's processing of personal data on behalf of the Data Controller is carried out for the purpose of providing the PixelAdmin service as described in the Terms of Service. This includes enabling the Data Controller to manage its content production, including workflow management, digital asset management, project management, and distribution.

A.2. Nature of Processing

Processing includes storing, organizing, displaying, and facilitating the transfer of data uploaded by the Data Controller to the PixelAdmin platform. This involves creating backups, generating thumbnails, processing user-driven actions (e.g., sharing, deleting), and providing customer support.

A.3. Types of Personal Data

The processing encompasses the following types of personal data concerning data subjects:

  • Data Controller User Information: Name, email address, phone number, address, billing details, and account information for the Data Controller's employees and authorized users.
  • Customer Information: Name, email address, phone number, address, and other contact details of the Data Controller's clients.
  • Photos and Videos: Digital images and videos uploaded by the Data Controller, which may contain images of identifiable individuals.
  • Project and Communication Data: Project details, customer feedback, comments, contracts, invoices, and other communication related to the Controller's business.
  • Communication Data: Messages, comments, and feedback exchanged between the Controller and their customers via the Service.
  • Technical Data: IP addresses, browser information, and usage data related to interactions with the Service.
  • Brand portal users' identity data: Name, email address, phone number, job title, company affiliation, authentication data from Azure AD B2C (including unique user IDs, session tokens, and login events), as well as role and permission assignments for brand employees accessing the Client Portal via an account sub-engaged by the Studio.
  • Brand-uploaded product metadata: Product descriptions, SKUs, item codes, color and size variations, seasonal and collection data, pricing data, country of origin, materials, and other product sheets and briefing documents uploaded by brand portal users to the Studio's workspace prior to production.
  • AI processing inputs and outputs: Images, prompts, instructions, and contextual metadata passed to AI features such as auto-tagging, visual search, background removal, and image transformation, as well as the derived results (tags, descriptive text, transformed images, embeddings, and confidence scores). Inputs and outputs are processed in a no-training configuration, cf. Annex B.
  • Distribution and omnichannel data: Configuration and log data regarding the push of finished assets to third-party platforms such as Shopify, Zalando, other PIM/ERP/e-commerce systems, and social channels, including channel-specific product IDs, delivery status, error reports, and publication times. This data may be linked to the aforementioned product metadata and user information.
  • Audit logs: Logs of user actions, approval flows, asset versioning, and access to personal data, retained for security, troubleshooting, and documentation of the division of responsibilities between this DPA and the Brand DPA.

A.4. Categories of Data Subjects

  • Controller Users: Employees or authorized representatives of the Controller accessing and using the Service.
  • Controller Customers: Individuals or representatives of companies who are customers of the Controller.
  • Persons in Photos/Videos: Individuals appearing in the photos and videos uploaded by the Controller.
  • Brand portal users: Employees and authorized representatives of brand companies to whom the Studio has granted access to the Client Portal for briefing, approval, asset download, and distribution purposes. The processing of their personal data occurs as part of the Studio's sub-engagement of PixelAdmin on behalf of the respective brand.

A.5. Duration of Processing

Processing will take place for the duration of the Controller's subscription to the Service. Upon termination of the Service, personal data will be deleted in accordance with Section 12 of this DPA.

A.6. Categories of Recipients

Personal data may be made available to the following categories of recipients in accordance with the Data Controller's instructions and this DPA:

  • The Data Controller's own users and administrators, including employees, freelancers, and external consultants to whom the Data Controller has granted access to the Service.
  • Brand portal users and other end customers whom the Data Controller has invited into the Customer Portal for briefing, approval, and asset download.
  • Third-party systems for which the Data Controller has configured integrations, including PIM, ERP, e-commerce, and DAM systems (e.g., Shopify, Zalando, and brand-specific ERP systems). Such recipients are independent data controllers for their subsequent processing.
  • The sub-processors listed in Appendix B (Microsoft Ireland Operations Limited, Google Ireland Limited, and Stripe Payments Europe Limited), to the extent necessary for providing the Service.
  • Competent public authorities and courts, where disclosure is required pursuant to applicable law, court order, or other binding request from an authority that meets the requirements of the GDPR and Chapter V.
  • External legal, audit, and insurance advisors to the Data Processor bound by confidentiality, and only to the extent necessary to establish, exercise, or defend legal claims.

A.7. Retention Periods

Standard retention periods for specific data categories — which can be customized in the Data Controller's admin panel within legal boundaries — are as follows:

  • User and account information: Retained for the duration of the subscription and deleted no later than 90 days after termination, per section 12.
  • Photos, videos, and derived assets: Retained throughout the subscription period and available for export upon termination; deletion occurs no later than 90 days after termination, unless a shorter or longer period is agreed upon.
  • AI processing inputs and outputs: Retained as long as the related asset is active; processing occurs without training models. Embeddings and tags are deleted concurrently with the related asset.
  • Audit and security logs: Retained as a baseline for 13 months for incident investigation and documentation of responsibility between this DPA and the Brand DPA, after which they are deleted or anonymized.
  • Billing data and accounting material: Retained for 5 years from the end of the financial year the material relates to, in accordance with the Bookkeeping Act.
  • Backups: Retained in accordance with a rolling backup rotation schedule not exceeding 90 days, after which data is overwritten or automatically expires.

Appendix B: Sub-processors

B.1. Approved Sub-processors

Upon the effective date of the DPA, the Data Controller has approved the use of the following sub-processors. The list is exhaustive and specifies the sub-processor's legal entity name, processing activity, categories of processed personal data, processing location, and transfer basis under GDPR Chapter V.

Microsoft Ireland Operations Limited
One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland

  • Role and Processing Activity: Hosting and platform infrastructure (Microsoft Azure): Azure App Service and Azure Functions (execution), Azure Cosmos DB (database), Azure Blob Storage (asset and file storage), Azure AD B2C (identity and authentication for Studio and brand portal users), Azure Application Insights (telemetry and debugging), and Azure Communication Services (transactional email).
  • Data Categories: All categories of personal data listed in Annex A.3, including user and customer information, photos and videos, project and communication data, technical data, brand portal users' identity data, brand-uploaded product metadata, distribution data, and audit logs.
  • Location: Microsoft Azure data centers in the EU region "Europe West" (primarily the Netherlands and Ireland). No transfer outside the EU/EEA.
  • Transfer Mechanism: Processing occurs exclusively within the EU/EEA, hence SCCs are not required. The Microsoft Products and Services Data Protection Addendum (DPA) and Standard Contractual Clauses (Module 3, Processor-to-Sub-processor) have been entered into as a backend contingency and cover any potential support access from Microsoft affiliates outside the EU.

Google Ireland Limited
Gordon House, Barrow Street, Dublin 4, Ireland

  • Role and Processing Activity: AI processing (Google Cloud Vertex AI – Gemini models): auto-tagging of assets, visual search, descriptive text generation, background removal, and image transformations. Processing takes place in a "no-training mode" configuration, contractually guaranteed via Vertex AI Service Specific Terms, ensuring customer inputs and outputs are not used to train, fine-tune, or improve Google's models.
  • Data Categories: Images and derived assets (cf. Annex A.3 "Photographs and videos"), AI processing inputs and outputs, brand-uploaded product metadata used as AI context, and associated prompts, embeddings, and tags.
  • Location: Google Cloud region "europe-west4" (Eemshaven, the Netherlands). PixelAdmin has configured Vertex AI with data residency binding and zero-data-retention, ensuring neither caching nor logging of customer data occurs outside europe-west4.
  • Transfer Mechanism: Processing occurs exclusively within the EU/EEA, hence SCCs are not required. The Google Cloud Data Processing Addendum (CDPA) and Standard Contractual Clauses (Module 3) have been entered into as a backend contingency and cover any potential support access from Google affiliates outside the EU.

Stripe Payments Europe Limited
1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland

  • Role and Processing Activity: Payment processing and subscription billing for brand portal users on Pro, Business, and Enterprise tiers: card payments, SEPA direct debit, invoice handling, subscription management, renewals, refunds, and chargeback handling. Stripe acts as an independent data controller for card data and payment instrument data collected via Stripe's own payment forms (Stripe Elements / Checkout) and as a data processor for PixelAdmin regarding subscription metadata, invoice IDs, and contact information transferred from PixelAdmin's systems. PixelAdmin does not store full card data on its own systems; card information is stored and tokenized by Stripe in compliance with PCI-DSS Level 1.
  • Data Categories: Billing data: company name, billing address, VAT number, contact person, email, payment method tokens, transaction IDs, subscription period, amounts, and invoice history. Card data itself is collected and stored directly with Stripe and is not part of PixelAdmin's processing.
  • Location: Primary processing in Stripe's EU infrastructure (data centers in Ireland). Stripe operates a global payment processing network, which is why certain operational support functions may involve Stripe Payments Company and other affiliates outside the EU/EEA, including the US.
  • Transfer Mechanism: The Stripe Services Agreement (Europe) and Stripe Data Processing Agreement with corresponding Standard Contractual Clauses (Module 2 and Module 3) have been entered into with Stripe Payments Europe Limited. Data transfers outside the EU/EEA in connection with global payment processing occur on the basis of SCCs and supplementary measures as described in Stripe's DPA and Transfer Impact Assessment.

B.2. Sub-Processor Data Protection Agreements

The Data Processor has entered into a written agreement with each sub-processor, imposing data protection obligations that, at a minimum, match those set forth in this DPA. The Data Controller may request a copy of the relevant agreement provisions upon reasonable request, though commercial terms may be redacted. The official data processing agreements of the sub-processors are publicly available at the following locations:

B.3. Notice and Objection to Changes

The Data Processor must provide the Data Controller with at least 30 days' written notice of any planned changes concerning the addition or replacement of sub-processors. Notice will be sent to the email address registered for the Data Controller's contact person and simultaneously published at pixeladmin.dk/legal/dpa/main. Within the notice period, the Data Controller may file a written, reasonable objection based on data protection concerns, following the procedure described in Section 8.

B.4. Sub-Processors in Dual Role Scenarios

When the Data Processor acts as a sub-processor for the Studio on behalf of a brand (see Section 3a), the Data Processor exclusively uses the sub-processors listed in this Appendix B. The Data Processor passes the same data protection requirements down to these sub-processors regardless of whether the Data Processor acts as the primary data processor or a sub-processor. Thus, the list in Appendix B also constitutes the sub-processor list that benefits the ultimate brand data controller in sub-engagement scenarios under GDPR Article 28(4).

B.5. Transfer Impact Assessment (TIA)

The Data Processor has conducted a Transfer Impact Assessment (TIA) for each sub-processor in Appendix B, in accordance with the Schrems II ruling and EDPB Recommendations 01/2020 on supplementary measures. The conclusions are summarized as follows:

  • Microsoft Ireland Operations Limited: Primary storage and processing occur in the Microsoft Azure "Europe West" region within the EU/EEA. Any support access from Microsoft affiliates outside the EU is governed by the Microsoft Products and Services DPA, including Standard Contractual Clauses (Module 3) and Microsoft's EU Data Boundary commitments. We assess no non-negligible transfer risks that are not mitigated by Microsoft's technical and organizational measures, including encryption, customer-managed keys where applicable, and published transparency reports.
  • Google Ireland Limited: Processing occurs exclusively in the Google Cloud "europe-west4" (Netherlands) region, with data residency commitments and zero data retention on Vertex AI. Any support access from Google affiliates outside the EU is governed by the Google Cloud Data Processing Addendum, including Standard Contractual Clauses (Module 3). We assess no non-negligible transfer risks, as customer data is neither cached, logged, nor used for training outside europe-west4.
  • Stripe Payments Europe Limited: Primary processing occurs in Stripe's EU infrastructure, but global payment processing involves transfers to Stripe affiliates outside the EU/EEA, including the US. These transfers are covered by Stripe's DPA and Standard Contractual Clauses (Module 2 and Module 3). Stripe has published a Transfer Impact Assessment detailing supplementary measures, including strong encryption, internal access restrictions, and challenging government requests. Where the Stripe recipient is certified under the EU–US Data Privacy Framework, this can serve as a transfer basis alongside SCCs. Stripe's TIA is publicly available on their website and can be requested from the Data Processor.

Based on the information provided in Appendix B and Appendix B.5, the Data Controller is equipped to conduct their own TIA. The Data Processor will assist upon reasonable request with further information necessary for the Data Controller's TIA documentation, per section 10.

Appendix C: Instructions regarding Personal Data Processing

C.1. Subject Matter and Instructions

The Processor's processing of personal data on behalf of the Controller occurs by the Processor performing the services described in the Terms of Service and this DPA.

C.2. Processing Security

The Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risks presented by the processing. Our approach is risk-based, focusing on protecting the rights and freedoms of natural persons. The measures are designed to protect personal data from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored, or otherwise processed. These measures are subject to ongoing technical development and review.

The Processor has, as a minimum, implemented the following measures:

Access Control

Access to systems and data is strictly controlled. We enforce the principle of least privilege, ensuring personnel only have access to data necessary for their roles. All access to production environments requires multi-factor authentication (MFA), and all access is logged and monitored for suspicious activity. We employ a Zero Trust approach with context-based access decisions, conditional access based on device health and network, and short session lifespans. Privileged accounts are managed in Azure Active Directory with just-in-time activation, quarterly re-attestation, and automatic expiration. End-user access is controlled via Azure AD B2C, supporting SSO, SAML/OIDC, MFA, and password policies aligned with NIST SP 800-63B recommendations.

Encryption, Key Management, and Pseudonymization

All personal data is encrypted in transit using strong TLS protocols (TLS 1.2 or higher with modern cipher suites) and at rest using industry-standard AES-256 encryption. Encryption keys are managed in Azure Key Vault as hardware-backed (HSM-backed), with separation between key managers and data custodians, automatic key rotation, and access control based on Azure roles. Keys are not exposed to standard support personnel. Where relevant for personal data protection, pseudonymization techniques are applied to reduce risk to data subjects, including the use of pseudonymous identifiers in analytics and debugging contexts.

Network and Perimeter Security

The Service's public endpoints are protected by a Web Application Firewall (Azure Front Door / Application Gateway WAF) based on the OWASP Core Rule Set, alongside platform-level DDoS protection. Network traffic between components is segmented via private endpoints, virtual networks, network security groups, and service endpoints, ensuring data traffic avoids the public internet wherever possible. Ingress and egress traffic is logged and inspected in a central Security Information and Event Management (SIEM) system, with anomalies triggering automated alerts to on-call security personnel 24/7.

Secure Software Development (Secure SDLC)

The Data Processor utilizes a formalized Secure Software Development Lifecycle based on OWASP ASVS and Microsoft SDL. All code changes undergo peer review and automated static and dynamic analysis scanning (SAST/DAST), composition analysis of third-party dependencies, and container/infrastructure scanning prior to deployment. Secrets and credentials must not be version-controlled and are continuously scanned out of the codebase. Major architectural changes undergo a formal security and privacy assessment (privacy by design), documented in the change proposal.

System Integrity and Resilience

Our services are hosted on Microsoft Azure's highly available and resilient cloud infrastructure. Systems are designed with redundancy across multiple availability zones to ensure continuous availability and withstand system failures. We continuously monitor system performance and security to ensure processing environment integrity. Database and storage services utilize point-in-time restore, geo-redundant storage within the EU, and immediate failover during availability zone events.

Backup, Recovery, and Business Continuity

We perform regular, automated backups of all customer data. These backups are encrypted and stored securely in a geographically separate location within the EU. We have established and regularly test procedures to ensure timely restoration of data availability and access in the event of a physical or technical incident. Recovery Time Objective (RTO) and Recovery Point Objective (RPO) are defined in the Service SLA, with restore tests conducted at least annually with documented results.

Security Testing and Evaluation

We have a procedure for regularly testing, assessing, and evaluating the effectiveness of our technical and organizational security measures. This includes continuous vulnerability scanning of the application, container images, code dependencies, and infrastructure (e.g., via Dependabot, Microsoft Defender for Cloud, and similar tools), monthly patch cycles for critical components, internal code and security reviews of new features and architecture changes, and a coordinated vulnerability disclosure channel at security@pixeladmin.com, where external researchers and customers can report suspected vulnerabilities. A summarized status of vulnerability scanning, remediation, and change management can be made available to the Controller upon reasonable request under a non-disclosure agreement. External penetration testing of the platform does not occur on a fixed recurring cadence but can be conducted as needed, for example in connection with major architecture changes or upon justified request from a customer and under separate agreement.

Incident Management

We maintain a formalized incident response plan to detect, classify, respond to, document, and report personal data breaches. On-call security personnel are available 24/7, and we maintain a pre-defined escalation matrix and communication templates. In the event of a security incident, we will follow the procedures described in this DPA — including the timeframes and content requirements in section 11 — to notify the Data Controller without undue delay. Following significant incidents, a post-incident review is prepared with a root cause analysis and preventative measures.

Personnel Security

All employees and contractors with access to personal data undergo background checks to the extent permitted by Danish law and are bound by strict confidentiality agreements that survive the end of their employment or engagement. Personnel receive regular data protection and security training to ensure awareness of their responsibilities in protecting customer data, including annual refresher training, simulated phishing tests, and role-specific technical training for development, operations, and support. Access is immediately revoked upon termination of employment or engagement via an automated offboarding process.

Data Minimization During Support Access

Support personnel do not have standing access to the Data Controller's production data. When a support case requires data access, access is granted just-in-time following a documented request and approval, limited to the necessary scope and duration. Each session is logged with a timestamp, request ID, and justification. Encryption keys are not exposed to support staff. Where the subscription allows, the Data Controller may require prior consent for each support access event (a "Customer Lockbox" style control).

Logging and Monitoring

Security and audit logs are aggregated centrally, protected against unauthorized alteration, and retained in accordance with Appendix A.7. Logging includes authentication, privileged access, configuration changes, export and deletion actions, and any access to personal data from support accounts. Logs are used for detection, investigation, and documentation of responsibilities between this DPA and the Brand DPA.

Vendor and Supply Chain Security

The Data Processor maintains a formalized vendor risk process, assessing sub-processors and critical ICT suppliers prior to engagement and at least annually thereafter. Assessments cover certifications (ISO/IEC 27001, SOC 2 Type II), DPAs, location, incident history, financial and operational resilience, and the ability to support the Data Controller's sector-specific requirements (e.g., NIS2, per section 13a).

Physical Security

Our cloud providers — Microsoft Azure and Google Cloud — are responsible for the physical security of the data centers storing customer data. These facilities are protected by multi-layered security controls, including 24/7 monitoring, biometric access control, and video surveillance. The cloud providers' adherence to internationally recognized standards (e.g., ISO 27001, ISO 27017, ISO 27018, and SOC 2 Type II) is verified regularly by third-party auditors, and reports can be requested through the Data Processor under an NDA.

C.3. Processing Location

Processing of personal data covered by this DPA may not occur at locations other than Microsoft Azure data centers within the European Union without the Controller's prior written approval.

C.4. Instructions regarding Transfer of Personal Data to Third Countries

The Processor is instructed not to transfer personal data to third countries outside the EU/EEA without a valid transfer basis under GDPR Chapter V and documented instructions from the Controller. All primary data processing and storage occurs within the EU.

C.5. Procedures for Data Controller Audits

Upon reasonable request, the Data Processor shall make available to the Data Controller all information necessary to demonstrate compliance with this DPA and GDPR Article 28. This includes providing documentation of the implemented security measures.

If the Data Controller requires a formal audit conducted by an independent third party, the Data Controller is responsible for all costs associated with such an audit. The audit must be agreed upon in writing, conducted with reasonable notice, and take place during normal business hours to minimize disruption to the Data Processor's operations.

C.6. Instructions Regarding Third-Country Transfers

The Data Controller instructs the Data Processor to execute transfers of personal data to third countries only to the extent necessary to provide the Service via the sub-processors listed in Appendix B, and in accordance with the transfer bases and supplementary measures detailed in Appendix B and B.5. The Data Controller confirms that the information provided constitutes sufficient instruction under GDPR Article 28(3)(a), and that the Data Controller is able to conduct their own Transfer Impact Assessment.

Further transfers — including transfers initiated by the Data Controller via integrations with their own PIM, ERP, or e-commerce systems to third-country recipients — are the Data Controller's sole responsibility and must be supported by an independent transfer basis under GDPR Chapter V.

C.7. Audit Procedures for the Data Processor

The Data Controller's exercise of audit rights under Section 13 follows this procedure: (i) a written request is sent to the Data Processor's DPO with at least 30 days' notice, specifying the scope, purpose, and proposed methodology; (ii) the Data Processor initially provides relevant documents, certifications, and independent audit reports, and the Parties meet virtually for a review; (iii) if a further on-site or remote audit is necessary, timing, scope, and auditor are agreed upon, and an NDA is signed by all participants; (iv) the audit is conducted during normal business hours, may occur no more than once annually, and must not compromise the confidentiality or security of other customers' data; (v) the auditor prepares a draft report for the Data Processor to comment on before finalization; and (vi) any observations and remediation plans are addressed in a follow-up status meeting.

C.8. Audit Procedures for Sub-Processors

Auditing of the sub-processors listed in Appendix B is primarily fulfilled by the Data Processor forwarding independent audit reports (e.g., SOC 2 Type II and ISO/IEC 27001 reports) and certification extracts provided by the sub-processor, along with written responses to a reasonable number of follow-up security questions. Where the sub-processor's terms permit, the Data Processor may, upon reasonable request, assist the Data Controller in coordinating a further audit or formalized inquiry. The Data Controller acknowledges that global cloud providers like Microsoft and Google generally do not permit on-site customer audits of their data centers, instead providing standardized audit packages covering relevant controls.