Data Processing Agreement (Article 28 GDPR)
This Data Processing Agreement ("DPA") forms part of and is incorporated into the Eye.photo Terms of Service (the "Agreement") between:
- Customer: the legal entity or person that accepts the Agreement and uses Eye.photo; and
- Processor: Eyepic S.L., operator of Eye.photo ("Eyepic", "we", "us").
This DPA applies where Eyepic processes Personal Data on behalf of Customer in connection with the Services.
1. Definitions
For purposes of this DPA:
- Controller, Processor, Data Subject, Personal Data, Processing, Supervisory Authority, and Personal Data Breach have the meanings given in the GDPR.
- Customer Personal Data means Personal Data processed by Eyepic on behalf of Customer in connection with the Services.
- Subprocessor means any third party engaged by Eyepic to process Customer Personal Data on behalf of Customer.
2. Scope and Roles
2.1 The parties acknowledge that, with respect to Customer Personal Data uploaded or submitted by Customer or on Customer's behalf to the Services for processing for Customer's own business purposes, Customer is the Controller and Eyepic is the Processor.
2.2 Eyepic may also act as an independent controller for personal data relating to its own business operations, including account administration, billing, fraud prevention, security, support, legal compliance, and direct relationships with its own customers and website visitors.
2.3 This DPA applies only to processing by Eyepic as Processor on behalf of Customer.
3. Subject Matter, Duration, Nature and Purpose of Processing
3.1 Subject matter: provision of the Eye.photo services, including upload, storage, organization, processing, enhancement, export, delivery, support, and related functionality requested by Customer.
3.2 Duration: from the date Customer first submits Customer Personal Data to the Services until deletion or return of Customer Personal Data in accordance with this DPA.
3.3 Nature of processing: collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, transmission, making available, alignment, restriction, deletion, and destruction.
3.4 Purpose: to provide the Services to Customer in accordance with the Agreement and Customer's documented instructions.
4. Categories of Data and Data Subjects
4.1 Categories of Data Subjects may include:
- Customer's end customers
- Customer's employees, contractors, or representatives
- Individuals whose eye photos or related contact details are uploaded by Customer
4.2 Categories of Personal Data may include:
- Name
- Email address
- Telephone number
- Mailing or delivery details entered by Customer
- Uploaded photos, including eye/iris images
- Metadata associated with uploads
- Customer instructions and account-linked records relevant to processing
5. Customer Instructions
5.1 Eyepic shall process Customer Personal Data only on documented instructions from Customer, including as set out in the Agreement, this DPA, and Customer's use of the Services and settings selected within the Services, unless required to do otherwise by applicable law. If Eyepic is required by law to process Customer Personal Data other than on Customer's instructions, Eyepic shall inform Customer of that legal requirement before processing unless prohibited by law.
5.2 Customer instructs Eyepic to process Customer Personal Data as necessary to:
- provide, secure, and maintain the Services;
- store and organize uploaded data;
- process and enhance uploaded eye photos;
- generate outputs requested by Customer;
- transmit outputs or notifications as configured by Customer;
- provide support requested by Customer; and
- comply with applicable law.
6. Confidentiality
Eyepic shall ensure that persons authorized to process Customer Personal Data are bound by appropriate confidentiality obligations, whether contractual or statutory.
7. Security Measures
7.1 Taking into account the state of the art, implementation costs, the nature, scope, context, and purposes of processing, and the risks to Data Subjects, Eyepic shall implement appropriate technical and organizational measures to protect Customer Personal Data.
7.2 Such measures may include, as appropriate:
- encryption in transit;
- encryption at rest where appropriate;
- access controls and role-based permissions;
- logging and monitoring;
- network and infrastructure security controls;
- least-privilege access practices;
- backup and disaster recovery procedures;
- secure software development and vulnerability management;
- measures to restore availability and access in a timely manner following incidents.
8. Subprocessors
8.1 Customer grants Eyepic general authorization to engage Subprocessors for the processing of Customer Personal Data, provided that Eyepic remains responsible for ensuring such Subprocessors are bound by written terms that provide a level of protection for Customer Personal Data no less protective than this DPA.
8.2 Eyepic shall make available to Customer a current list of Subprocessors, whether directly in the Services, on its website, or upon request.
8.3 Eyepic shall inform Customer of intended additions or replacements of Subprocessors in a reasonable manner. Customer may object on reasonable data protection grounds within fifteen (15) days of notice. If the parties cannot resolve the objection, Customer may cease using the affected part of the Services or terminate the Agreement to that extent.
8.4 Customer acknowledges that Eyepic's infrastructure, hosting and storage providers, analytics providers strictly necessary for service operations, communications providers configured by Customer, and other service providers used to deliver the Services may act as Subprocessors where they process Customer Personal Data on Eyepic's behalf.
9. Assistance with Data Subject Rights
Taking into account the nature of the processing, Eyepic shall assist Customer by appropriate technical and organizational measures, insofar as possible, for the fulfilment of Customer's obligation to respond to requests for exercising Data Subjects' rights.
10. Assistance with Security, Breaches, DPIAs, and Consultations
Taking into account the nature of processing and the information available to Eyepic, Eyepic shall assist Customer in ensuring compliance with Customer's obligations relating to:
- security of processing;
- notification of Personal Data Breaches to supervisory authorities;
- communication of Personal Data Breaches to Data Subjects where required;
- data protection impact assessments; and
- prior consultation with supervisory authorities where required.
11. Personal Data Breach Notification
Eyepic shall notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data and shall provide available information reasonably necessary for Customer to meet its breach-related obligations.
12. Return and Deletion
12.1 Upon termination or expiration of the Agreement, and at Customer's choice, Eyepic shall delete or return Customer Personal Data, unless applicable law requires storage.
12.2 Unless the parties agree otherwise in writing, Eyepic may retain Customer Personal Data for up to 60 days after account termination solely to permit recovery or export by Customer, after which Eyepic shall delete or anonymize Customer Personal Data from active systems, unless retention is required by law.
12.3 Residual copies in backup systems may remain until overwritten in accordance with Eyepic's standard backup retention practices, provided they remain protected and are not actively processed except as required for security, disaster recovery, or legal compliance.
13. Audits and Information
Eyepic shall make available to Customer all information reasonably necessary to demonstrate compliance with this DPA and shall allow for and contribute to audits or inspections by Customer or an auditor mandated by Customer, subject to reasonable notice, confidentiality obligations, proportionality, and no more than once annually unless required by law or triggered by a substantiated security incident.
14. International Transfers
To the extent Eyepic transfers Customer Personal Data outside the EEA/UK/Switzerland, Eyepic shall ensure such transfers are made in accordance with applicable data protection law and are subject to appropriate safeguards, including adequacy decisions, Standard Contractual Clauses, or other lawful transfer mechanisms where required.
15. Liability
Liability under this DPA shall be subject to the liability limitations in the Agreement, except to the extent such limitations are prohibited by applicable law.
16. No Training or Secondary Use by Default
Eyepic shall not use Customer Personal Data processed under this DPA for its own independent purposes such as general product analytics unrelated to service delivery, advertising, marketing, or training machine learning or artificial intelligence models, unless the parties separately agree in writing to such use and Customer has an appropriate legal basis where required.
17. Order of Precedence
If there is a conflict between this DPA and the Agreement with respect to processing of Customer Personal Data, this DPA controls.
18. Annex 1 - Processing Details
Subject matter: provision of AI-powered eye photo processing and related service features.
Duration: term of the Agreement plus applicable deletion/return period.
Nature and purpose: upload, storage, organization, enhancement, export, support, and related transmission as instructed by Customer.
Data subjects: Customer's end customers, staff, contractors, and other individuals whose data Customer uploads.
Personal data: names, contact details, uploaded images including eye/iris photos, metadata, and associated customer records.
19. Annex 2 - Technical and Organizational Measures
Eyepic maintains measures appropriate to the risk, including:
- logical access controls;
- authentication and credential management;
- encryption in transit;
- encryption at rest where appropriate;
- environment segregation and secure hosting;
- logging and monitoring;
- staff confidentiality obligations;
- incident response procedures;
- backup and recovery controls;
- vulnerability management and patching practices.