
Data Processing Agreement

This Data Processing Agreement governs the processing of personal data in accordance with GDPR Article 28.

Last updated: June 17, 2025

1. Parties

The data controller is the customer utilizing the PixelAdmin service (“Customer” or “Data Controller”).

The data processor is PixelAdmin ApS, CVR no. 45447588, Falkoner Alle 90, 2000 Frederiksberg, Denmark (“PixelAdmin” or “Data Processor”).

This Data Processing Agreement (“DPA”) is entered into between the Data Controller and the Data Processor (collectively “the Parties”) and forms an integral part of PixelAdmin's Terms of Service.

2. Preamble

This DPA sets out the rights and obligations of the Data Processor when processing personal data on behalf of the Data Controller.

This DPA is designed to ensure the Parties' compliance with Article 28(3) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, “GDPR”).

In connection with the delivery of PixelAdmin services (“the Service”), the Data Processor processes personal data on behalf of the Data Controller in accordance with this DPA.

This DPA takes precedence over any conflicting provisions in other agreements between the Parties.

3. Scope

This Data Processing Agreement applies exclusively to Customers subject to the EU General Data Protection Regulation (GDPR). The terms of this agreement apply only to processing activities falling within the scope of the GDPR.

4. Rights and Obligations of the Data Controller

The Data Controller is responsible for ensuring that the processing of personal data complies with the GDPR, other applicable data protection provisions of EU or Member State law, and this DPA.

The Data Controller has the right and obligation to determine the purposes and means of the processing of personal data.

The Data Controller is responsible for ensuring a valid legal basis for the processing of personal data that the Data Processor is instructed to perform.

5. The Data Processor Acts on Instructions

The Data Processor shall process personal data only on documented instructions from the Data Controller, unless required to do so by Union or Member State law to which the Data Processor is subject. These instructions are specified in Appendices A and C. Subsequent instructions may also be given by the Data Controller throughout the duration of the processing of personal data, provided they are documented and kept in written form, including electronically, together with this DPA.

The Data Processor must immediately inform the Data Controller if, in its opinion, an instruction infringes the GDPR or other Union or Member State data protection provisions.

6. Confidentiality

The Data Processor must only grant access to personal data being processed on behalf of the Data Controller to persons operating under the Data Processor's authority who have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality, and only on a strict need-to-know basis.

At the Data Controller's request, the Data Processor must be able to demonstrate that the persons operating under its authority are subject to the aforementioned confidentiality obligation.

7. Security of Processing

In accordance with GDPR Article 32, the Data Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.

The Data Processor shall assist the Data Controller in ensuring compliance with the Data Controller's obligations pursuant to GDPR Article 32, including by providing the Data Controller with information concerning the technical and organizational measures already implemented by the Data Processor.

If the Data Controller's assessment of the identified risks requires the implementation of measures beyond those already implemented by the Data Processor, the Data Controller must specify these required additional measures in Appendix C.

8. Use of Sub-processors

The Data Processor must meet the conditions set out in GDPR Article 28(2) and (4) to engage another processor (a sub-processor).

The Data Processor has the Data Controller's general authorization to engage sub-processors. The Data Processor must notify the Data Controller in writing of any intended changes concerning the addition or replacement of sub-processors at least 30 days in advance, thereby giving the Data Controller the opportunity to object to such changes.

Where the Data Processor engages a sub-processor for carrying out specific processing activities on behalf of the Data Controller, the same data protection obligations as set out in this DPA shall be imposed on the sub-processor by way of a contract. The Data Processor is therefore responsible for ensuring that the sub-processor complies at a minimum with the obligations to which the Data Processor is subject pursuant to this DPA and the GDPR.

If the sub-processor fails to fulfill its data protection obligations, the Data Processor remains fully liable to the Data Controller for the performance of the sub-processor's obligations.

9. Transfer of Data to Third Countries or International Organizations

Any transfer of personal data to third countries or international organizations by the Data Processor shall only occur on the basis of documented instructions from the Data Controller and must always take place in compliance with Chapter V of the GDPR.

If a transfer of personal data to a third country or international organization, which the Data Processor has not been instructed to perform by the Data Controller, is required under EU or Member State law to which the Data Processor is subject, the Data Processor must inform the Data Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.

The Data Controller's instructions regarding the transfer of personal data to a third country, including the relevant transfer mechanism under GDPR Chapter V on which the transfer is based, must be set out in Appendix C.6.

10. Assistance to the Data Controller

Taking into account the nature of the processing, the Data Processor shall assist the Data Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Data Controller's obligation to respond to requests for exercising the data subject's rights laid down in Chapter III of the GDPR. This includes assistance with:

  • Right of access
  • Right to rectification
  • Right to erasure ("right to be forgotten")
  • Right to restriction of processing
  • Right to data portability
  • Right to object

The Data Processor shall assist the Data Controller in ensuring compliance with the following obligations, taking into account the nature of processing and the information available to the Data Processor:

  • The obligation to notify a personal data breach to the competent supervisory authority without undue delay.
  • The obligation to carry out an assessment of the impact of the envisaged processing operations on the protection of personal data prior to processing.
  • The obligation to consult the competent supervisory authority prior to processing where a data protection impact assessment indicates that the processing would result in a high risk.

11. Notification of Personal Data Breach

The Data Processor shall notify the Data Controller without undue delay after becoming aware of a personal data breach.

The Data Processor's notification to the Data Controller must, where possible, take place within 48 hours of becoming aware of the breach, enabling the Data Controller to comply with its obligation to report the personal data breach to the competent supervisory authority, cf. GDPR Article 33.

12. Deletion and Return of Data

Upon termination of the provision of data processing services, the Data Processor is obligated, at the choice of the Data Controller, to delete or return all personal data to the Data Controller and delete existing copies unless EU or Member State law requires storage of the personal data.

13. Audits and Inspections

The Data Processor shall make available to the Data Controller all information necessary to demonstrate compliance with GDPR Article 28 and this DPA, and allow for and contribute to audits, including inspections, conducted by the Data Controller or another auditor mandated by the Data Controller.

The procedures for the Data Controller's audits, including inspections, of the Data Processor and sub-processors are detailed in Appendices C.7 and C.8.

14. Other Agreements

The parties may agree on other provisions relating to the service, e.g., liability, provided that these other provisions do not contradict directly or indirectly this DPA or prejudice the fundamental rights and freedoms of the data subject as provided by the GDPR.

This DPA is supplemented by the following additional agreements:

15. Effective Date and Termination

This DPA becomes effective on the date of Customer acceptance.

This DPA remains valid as long as the data processing services are provided. During this period, the DPA cannot be terminated unless other provisions governing the provision of services are agreed upon between the Parties.

Appendix A: Processing Information

A.1. Purpose of Processing

The Data Processor's processing of personal data on behalf of the Data Controller is carried out for the purpose of providing the PixelAdmin service as described in the Terms of Service. This includes enabling the Data Controller to manage its content production, including workflow management, digital asset management, project management, and distribution.

A.2. Nature of Processing

Processing includes storing, organizing, displaying, and facilitating the transfer of data uploaded by the Data Controller to the PixelAdmin platform. This involves creating backups, generating thumbnails, processing user-driven actions (e.g., sharing, deleting), and providing customer support.

A.3. Types of Personal Data

The processing encompasses the following types of personal data concerning data subjects:

  • Data Controller User Information: Name, email address, phone number, address, billing details, and account information for the Data Controller's employees and authorized users.
  • Customer Information: Name, email address, phone number, address, and other contact details of the Data Controller's clients.
  • Photos and Videos: Digital images and videos uploaded by the Data Controller, which may contain images of identifiable individuals.
  • Project and Communication Data: Project details, customer feedback, comments, contracts, invoices, and other communication related to the Controller's business.
  • Communication Data: Messages, comments, and feedback exchanged between the Controller and their customers via the Service.
  • Technical Data: IP addresses, browser information, and usage data related to interactions with the Service.

A.4. Categories of Data Subjects

  • Controller Users: Employees or authorized representatives of the Controller accessing and using the Service.
  • Controller Customers: Individuals or representatives of companies who are customers of the Controller.
  • Persons in Photos/Videos: Individuals appearing in the photos and videos uploaded by the Controller.

A.5. Duration of Processing

Processing will take place for the duration of the Controller's subscription to the Service. Upon termination of the Service, personal data will be deleted in accordance with Section 12 of this DPA.

Appendix B: Sub-processors

B.1. Approved Sub-processors

As of the effective date of the DPA, the Controller has approved the use of the following sub-processors:

Sub-processor | Description | Location
Microsoft Azure | Cloud infrastructure for hosting the PixelAdmin platform and storing all customer data. | EU

B.2. Notice for Approval of Sub-processors

The Processor shall provide the Controller with at least 30 days' written notice of any intended changes concerning the addition or replacement of sub-processors.

Appendix C: Instructions regarding Personal Data Processing

C.1. Subject Matter and Instructions

The Processor's processing of personal data on behalf of the Controller occurs by the Processor performing the services described in the Terms of Service and this DPA.

C.2. Processing Security

The Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risks presented by the processing. Our approach is risk-based, focusing on protecting the rights and freedoms of natural persons. The measures are designed to protect personal data from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored, or otherwise processed. These measures are subject to ongoing technical development and review.

The Processor has, as a minimum, implemented the following measures:

Access Control

Access to systems and data is strictly controlled. We enforce the principle of least privilege, ensuring that personnel only have access to the data necessary to perform their job functions. All access to production environments requires multi-factor authentication (MFA), and all access is logged and monitored for suspicious activity.

Encryption and Pseudonymization

All personal data is encrypted in transit using strong TLS protocols (TLS 1.2 or higher) and at rest using industry-standard AES-256 encryption. Where relevant for the protection of personal data, pseudonymization techniques are applied to reduce the risks to data subjects.

System Integrity and Resilience

Our services are hosted on Microsoft Azure's highly available and resilient cloud infrastructure. The systems are designed with redundancy across multiple availability zones to ensure continuous availability and withstand system failures. We continuously monitor system performance and security to ensure the integrity of the processing environment.

Backup and Recovery

We perform regular, automated backups of all customer data. These backups are encrypted and stored securely in a geographically separate location from the primary data center. We have established and regularly test procedures to ensure timely restoration of data availability and access in the event of a physical or technical incident.

Security Testing and Evaluation

We have a procedure for regularly testing, assessing, and evaluating the effectiveness of our technical and organizational security measures. This includes periodic vulnerability scanning and penetration testing to identify and remediate potential security weaknesses.

Incident Management

We have an incident response plan to detect, respond to, and report personal data breaches. In the event of a security incident, we will follow the procedures described in this DPA to notify the Controller without undue delay.

Personnel Security

All employees and contractors with access to personal data are subject to background checks and are bound by strict confidentiality agreements. Personnel receive regular training in data protection and security to ensure they are aware of their responsibilities for protecting customer data.

Physical Security

Our cloud provider, Microsoft Azure, is responsible for the physical security of the data centers where customer data is stored. These data centers are protected by multi-layered security controls, including 24/7 monitoring, biometric access control, and video surveillance. Microsoft's compliance with internationally recognized standards (e.g., ISO 27001, SOC 2) is regularly verified by third-party auditors.

C.3. Processing Location

Processing of personal data covered by this DPA may not occur at locations other than Microsoft Azure data centers within the European Union without the Controller's prior written approval.

C.4. Instructions regarding Transfer of Personal Data to Third Countries

The Processor is instructed not to transfer personal data to third countries outside the EU/EEA without a valid transfer basis under GDPR Chapter V and documented instructions from the Controller. All primary data processing and storage occurs within the EU.

C.5. Procedures for Data Controller Audits

Upon reasonable request, the Data Processor shall make available to the Data Controller all information necessary to demonstrate compliance with this DPA and GDPR Article 28. This includes providing documentation of the implemented security measures.

If the Data Controller requires a formal audit conducted by an independent third party, the Data Controller is responsible for all costs associated with such an audit. The audit must be agreed upon in writing, conducted with reasonable notice, and take place during normal business hours to minimize disruption to the Data Processor's operations.