Data Processing Agreement

Illustrative placeholder · 2026-04-19

This Data Processing Agreement (“DPA”) applies to enterprise Venues customers on commission tier 5% or lower and supplements the master Terms of Service. Where this DPA conflicts with the Terms, this DPA prevails for matters of personal-data processing.

1. Scope

Fotiqo acts as a “processor” (GDPR Art. 4(8)) for personal data that Customer (“controller”) uploads to or captures through the Service. This DPA implements Art. 28 obligations and the European Commission’s Standard Contractual Clauses (SCCs) 2021/914 where relevant.

2. Nature and purpose of processing

Fotiqo processes personal data to deliver the contracted Service: hosting galleries, sending delivery messages, processing payments, aggregating reviews, and operating Service Interception flows. No processing occurs for purposes outside the documented scope unless instructed by Customer in writing.

3. Categories of personal data

• Guest contact (WhatsApp, email, name, room number).
• Photographic and video content.
• Transactional data (purchases, downloads, booking records).
• Ephemeral biometric vectors (face recognition — deleted within seconds of match per COMPLIANCE.md §2.1).
• Service Interception conversation logs and review-request audit records.

4. Sub-processors

Fotiqo engages the sub-processors below. Customer consents to these sub-processors at signing and will be notified 30 days before any new sub-processor is engaged.

5. Data subject rights procedures

Fotiqo provides tooling that enables Customer to respond to access, rectification, erasure, restriction, portability, and objection requests from data subjects within statutory deadlines. Where a data subject contacts Fotiqo directly, Fotiqo forwards the request to Customer without undue delay and assists with response.

6. Security measures

Fotiqo implements technical and organisational measures appropriate to the risk (GDPR Art. 32), including encryption in transit and at rest, access controls with least privilege, secret rotation, logging and monitoring, secure-SDLC practices, and periodic penetration testing. A detailed description is available upon request under NDA.

7. Breach notification

Fotiqo will notify Customer without undue delay and, in any event, within 72 hours of becoming aware of a personal data breach, providing the information required by GDPR Art. 33(3).

8. Transfer mechanisms

For transfers of personal data to third countries, Fotiqo incorporates by reference the Standard Contractual Clauses 2021/914, Module 2 (controller to processor) and, where relevant, Module 3 (processor to sub-processor). Supplementary measures (encryption, pseudonymisation where practicable, access restrictions) are applied per the CJEU “Schrems II” guidance.

9. Audit rights

Customer may audit Fotiqo’s compliance with this DPA once per calendar year on 30 days’ written notice, during business hours, subject to reasonable security and confidentiality constraints. Fotiqo may satisfy audit obligations through independent third-party reports (SOC 2 / ISO 27001) where available.

10. Term and termination

This DPA remains in effect for the term of the underlying subscription or order form. On termination, Fotiqo will return or delete personal data per Customer’s choice within 30 days, subject to retention obligations for tax, audit, or compliance (see Privacy Policy §7).

11. Governing law

This DPA is governed by the laws of Ireland. Any dispute is subject to the exclusive jurisdiction of the courts of Dublin, Ireland, without prejudice to mandatory jurisdiction rules for the protection of data subjects.