
Data Processing Agreement (DPA)

pursuant to Art. 28 GDPR between ProofShare (Processor) and the registered Photographer (Controller)

§ 1 Subject Matter and Duration

(1) This Data Processing Agreement ("DPA") governs the processing of personal data by ProofShare ("Processor", operating ProofShare) on behalf of the registered photographer ("Controller") within the scope of the ProofShare platform service.

(2) The DPA takes effect upon the Controller's registration on the ProofShare platform and acceptance of these terms. It remains in force for the duration of the subscription and terminates automatically upon deletion of the Controller's account.

(3) The General Terms of Service remain unaffected. In the event of a conflict between this DPA and the General Terms of Service, this DPA shall prevail with respect to data protection matters.

§ 2 Nature, Purpose and Scope of Processing

(1) The Processor processes personal data on behalf of the Controller for the following purposes:

  • Hosting and delivering photo galleries, albums and shootings
  • Enabling the client proofing workflow (image selection, annotations, approvals)
  • Sending workflow notification emails to the Controller's clients
  • Generating and managing public upload links and access codes
  • Providing PDF exports and download functions

(2) Processing takes place exclusively within the European Economic Area, except where data is transferred to sub-processors listed in § 8 of this DPA.

(3) A detailed description of processing activities, data categories and data subjects is set out in Annex 1 to this DPA.

§ 3 Obligations of the Processor

(1) The Processor undertakes to process personal data exclusively on the documented instructions of the Controller (Art. 28(3)(a) GDPR), unless required to do so by Union or Member State law. In such cases, the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information.

(2) The Processor shall ensure that persons authorised to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality (Art. 28(3)(b) GDPR).

(3) The Processor shall take all measures required pursuant to Art. 32 GDPR (see § 7 and Annex 2 of this DPA).

(4) The Processor shall assist the Controller in ensuring compliance with the obligations pursuant to Art. 32 to 36 GDPR, taking into account the nature of processing and the information available to the Processor.

(5) At the choice of the Controller, the Processor shall delete or return all personal data to the Controller after the end of the provision of services relating to processing, and delete existing copies unless Union or Member State law requires storage of the personal data.

(6) The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Art. 28 GDPR and shall allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller (Art. 28(3)(h) GDPR).

§ 4 Obligations of the Controller

(1) The Controller is solely responsible for assessing the lawfulness of the processing of personal data of their clients and ensuring that the processing is permitted under applicable data protection law.

(2) The Controller shall provide the Processor with documented instructions regarding the processing of personal data. Instructions deviating from the agreed scope of this DPA shall be documented and approved by the Processor.

(3) The Controller shall inform their clients about the involvement of ProofShare as a processor and include the necessary information in their own privacy policy.

(4) The Controller shall immediately notify the Processor if they become aware of any errors or irregularities in data protection compliance during inspection of the Processor's work.

§ 5 Right to Issue Instructions

(1) The Controller is entitled to issue binding instructions to the Processor regarding the processing of personal data at any time during the term of this DPA.

(2) Instructions must be issued in text form (e.g. email). Oral instructions must be confirmed in text form without undue delay.

(3) If the Processor is of the opinion that an instruction of the Controller violates the GDPR or other applicable data protection provisions, the Processor shall inform the Controller immediately. The Processor may suspend the execution of the relevant instruction pending confirmation or amendment by the Controller.

§ 6 Confidentiality

(1) The Processor shall treat all personal data and information made available by the Controller as strictly confidential and shall not disclose it to third parties without authorisation.

(2) Access to personal data shall be limited to those employees of the Processor who require it for the performance of the contractual obligations (need-to-know principle).

(3) The confidentiality obligation continues beyond the end of the contractual relationship.

§ 7 Technical and Organisational Measures (Art. 32 GDPR)

(1) The Processor shall implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in accordance with Art. 32 GDPR.

(2) The specific measures are described in Annex 2 (Technical and Organisational Measures) to this DPA, which can be viewed at tom.php.

(3) The Processor is entitled to adapt the technical and organisational measures over time as long as the level of security is not reduced below the contractually agreed standard. Material changes shall be communicated to the Controller in text form with reasonable advance notice.

§ 8 Sub-processors

(1) The Controller grants general authorisation to the Processor to engage the sub-processors listed in Annex 1. The Processor shall inform the Controller of any intended changes to sub-processors (addition or replacement) and give the Controller the opportunity to object to such changes within 14 days of notification.

(2) The Processor shall impose the same data protection obligations as set out in this DPA on its sub-processors by contract.

(3) The following sub-processors are currently engaged:

  • Provider: Cloudflare, Inc. (R2 Storage)
    Registered office: 101 Townsend St, San Francisco, CA 94107, USA
    Purpose: Storage of photos, thumbnails, logos
    Transfer mechanism: EU-US Data Privacy Framework (DPF)
  • Provider: Stripe Payments Europe, Ltd.
    Registered office: 1 Grand Canal Street Lower, Dublin, Ireland
    Purpose: Payment processing and billing
    Transfer mechanism: EU-based entity (no third-country transfer)
  • Provider: Sendinblue SAS (Brevo)
    Registered office: 7 rue de Madrid, 75008 Paris, France
    Purpose: Transactional email delivery
    Transfer mechanism: EU-based entity (no third-country transfer)

(4) If a sub-processor does not fulfil its data protection obligations, the Processor remains liable to the Controller for the sub-processor's compliance with its obligations (Art. 28(4) GDPR).

§ 9 Notification Obligations in the Event of a Data Breach

(1) The Processor shall notify the Controller of any breach of the security of personal data without undue delay and at the latest within 36 hours of becoming aware of the breach. The notification shall be made by email to the Controller's registered email address and, where available, via the in-platform notification system.

(2) The notification shall contain at a minimum (insofar as the information is available at the time of notification):

  • A description of the nature of the personal data breach, including the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned
  • The name and contact details of the data protection officer or other contact point for further information
  • A description of the likely consequences of the personal data breach
  • A description of the measures taken or proposed by the Processor to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects

(3) Where it is not possible to provide all information simultaneously, the information may be provided in phases without further undue delay.

(4) The Processor shall document any breach of the security of personal data, including the facts relating to the breach, its effects and the remedial action taken (Art. 33(5) GDPR). The Processor shall provide the Controller with a written post-incident report within 30 days of containment of the incident.

(5) The Processor shall also notify the Controller without undue delay of significant technical disruptions and suspected data protection violations that may affect the personal data processed under this DPA.

(6) If a security incident potentially affects multiple Controllers (e.g. due to lateral access across multiple accounts), the Processor shall notify each potentially affected Controller individually, even if the full extent of the access has not yet been established.

§ 10 Support for Data Subject Rights

(1) The Processor shall support the Controller in fulfilling requests from data subjects to exercise their rights pursuant to Art. 15 to 22 GDPR, insofar as possible given the nature of the processing and limited to the information available in the ProofShare system.

(2) If a data subject contacts the Processor directly with a request to exercise their rights, the Processor shall forward the request to the Controller without undue delay and shall not respond to the data subject independently unless instructed to do so by the Controller.

§ 11 Support for Art. 32–36 GDPR

The Processor shall assist the Controller in ensuring compliance with the obligations pursuant to Art. 32 to 36 GDPR, in particular with regard to:

  • Security of processing (Art. 32 GDPR)
  • Notification of a personal data breach to the supervisory authority (Art. 33 GDPR)
  • Communication of a personal data breach to the data subject (Art. 34 GDPR)
  • Data protection impact assessment (Art. 35 GDPR)
  • Prior consultation with the supervisory authority (Art. 36 GDPR)

The support shall be limited to the information available to the Processor in the ProofShare system.

§ 12 Deletion and Return of Data

(1) Upon termination of the contractual relationship and deletion of the account, the Processor shall delete all personal data of the Controller and their clients from all systems within a reasonable period (ordinarily within 30 days), unless statutory retention obligations require longer storage.

(2) The Controller is responsible for exporting their data prior to account deletion. The Processor provides download and export functions for this purpose.

(3) Upon request, the Processor shall confirm in writing that all data has been deleted.

§ 13 Audit Rights and Evidence

(1) The Processor shall provide the Controller with all information necessary to demonstrate compliance with the obligations of Art. 28 GDPR upon request and within a reasonable period.

(2) The Controller is entitled to conduct audits or to commission an independent auditor to do so. Audits shall be announced with reasonable advance notice (at least 14 days), shall be conducted during normal business hours and shall not unreasonably disrupt the Processor's operations.

(3) Costs of the audit shall be borne by the Controller, unless the audit reveals a material breach by the Processor.

§ 14 Third-Country Transfers

(1) Processing of personal data in third countries outside the European Economic Area shall take place only with the Controller's authorisation (which is granted by acceptance of this DPA for the sub-processors listed in § 8) and only where the conditions of Art. 44 et seq. GDPR are met.

(2) Cloudflare, Inc. has joined the EU-US Data Privacy Framework (DPF). The Processor shall monitor changes to the DPF status of its sub-processors and shall promptly notify the Controller of any relevant changes.

§ 15 Liability

(1) The liability of the parties is governed by Art. 82 GDPR and the General Terms of Service. The Processor shall be liable to the Controller for verifiable damages caused by processing that does not comply with this DPA or the GDPR.

(2) The Processor shall be released from liability pursuant to Art. 82(3) GDPR if it proves that it is not in any way responsible for the event giving rise to the damage.

§ 16 Final Provisions

(1) This DPA and its annexes are subject to the law of the Federal Republic of Germany.

(2) Should individual provisions of this DPA be or become invalid, this shall not affect the validity of the remaining provisions.

(3) The Controller accepts this DPA upon registration on the ProofShare platform by checking the corresponding checkbox. The timestamp of acceptance is stored for documentation purposes.

Annex 1 – Description of Processing Activities

  • Subject matter: Hosting and operation of photo gallery and client proofing services
  • Duration: Duration of the subscription; deletion within 30 days of account cancellation
  • Nature of processing: Collection, storage, retrieval, use, disclosure, deletion
  • Purpose: Providing the ProofShare SaaS platform as contracted
  • Data categories: Contact data (name, email), access codes, image content, annotations, approval decisions, moodboard data, callsheet data
  • Data subjects: Clients of the Controller (photographer's customers): adult and minor individuals
  • Special categories: Not processed by agreement (Controllers must not upload data under Art. 9 GDPR without separate agreement)

Annex 2 – Technical and Organisational Measures: View TOM document

Last updated: June 2026


© 2026 ProofShare. All rights reserved.