Data Processing Addendum

1. Definitions

This Data Processing Addendum ("DPA") forms part of the agreement between Image Angel ("Processor") and you ("Controller") for the provision of forensic watermarking services.

• "Personal Data" means any information relating to an identified or identifiable natural person
• "Processing" means any operation performed on Personal Data
• "GDPR" means the General Data Protection Regulation (EU) 2016/679
• "UK GDPR" means the GDPR as it forms part of UK law
• "Data Subject" means an identified or identifiable natural person

2. Scope of Processing

Image Angel will process Personal Data on behalf of the Controller for the following purposes:

• Embedding forensic watermarks in digital content
• Extracting watermarks from reported leaked content
• Identifying attribution associated with unauthorized distribution
• Providing leak investigation reports

3. Nature and Categories of Personal Data

The types of Personal Data processed may include:

• Contact information (names, email addresses)
• Account credentials and user identifiers
• Digital content (images, videos) uploaded for watermarking
• Attribution identifiers embedded in watermarks
• Technical data (IP addresses, device information)

4. Data Subjects

Personal Data may relate to the following categories of Data Subjects:

• Account holders and authorized users
• Content creators and platform users
• Individuals identified in watermarked content
• Individuals associated with reported leaks

5. Processor's Obligations

Image Angel shall:

• Process Personal Data only on documented instructions from the Controller
• Ensure that persons authorized to process Personal Data are subject to confidentiality obligations
• Implement appropriate technical and organizational measures to ensure data security
• Engage sub-processors only with prior written authorization from the Controller
• Assist the Controller in responding to Data Subject requests
• Assist the Controller with data protection impact assessments
• Delete or return Personal Data upon termination of services
• Make available all information necessary to demonstrate compliance

6. Security Measures

Image Angel implements the following security measures:

• Encryption of data in transit and at rest
• Access controls and authentication mechanisms
• Regular security assessments and penetration testing
• Incident response and data breach notification procedures
• Employee training on data protection
• Regular backups and disaster recovery planning

7. Sub-Processors

Image Angel may engage the following sub-processors:

• Cloud infrastructure providers (e.g., AWS, Google Cloud)
• Payment processing services
• Analytics and monitoring services

The Controller authorizes Image Angel to engage these sub-processors. Image Angel will notify the Controller of any changes to sub-processors with at least 30 days' notice, allowing the Controller to object.

8. International Data Transfers

If Personal Data is transferred outside the EEA or UK, Image Angel shall ensure that appropriate safeguards are in place, including:

• EU Standard Contractual Clauses
• UK International Data Transfer Agreement
• Adequacy decisions by relevant authorities

9. Data Subject Rights

Image Angel will assist the Controller in responding to Data Subject requests to exercise their rights under GDPR/UK GDPR, including:

• Right of access
• Right to rectification
• Right to erasure ("right to be forgotten")
• Right to restriction of processing
• Right to data portability
• Right to object

10. Data Breach Notification

In the event of a Personal Data breach, Image Angel will:

• Notify the Controller without undue delay (within 48 hours of becoming aware)
• Provide details of the nature of the breach
• Identify the categories and approximate number of Data Subjects affected
• Describe the likely consequences of the breach
• Outline measures taken or proposed to address the breach

11. Audits and Inspections

Image Angel shall allow the Controller (or its appointed auditor) to conduct audits and inspections to verify compliance with this DPA, subject to:

• Reasonable advance notice (at least 30 days)
• Execution of a confidentiality agreement
• Limitation to one audit per year (unless required by law)
• Controller bearing the costs of the audit

12. Duration and Termination

This DPA remains in effect for the duration of the service agreement. Upon termination:

• Image Angel will delete or return all Personal Data within 30 days
• Copies of Personal Data may be retained where required by law
• Image Angel will provide written certification of deletion upon request

13. Liability

Each party's liability under this DPA is subject to the limitation of liability provisions in the main service agreement.

14. Contact Information

For questions about data processing, contact our Data Protection Officer:

Email: hello@imageangel.co.uk