Data Processing Agreement
This Data Processing Agreement is entered by and between:
Photoroom, a French incorporated corporation (SAS), whose registered offices are located at 229 Rue Saint Honoré and registered on the Paris Trade and Companies Register under number 853 059 384, represented by its President (hereinafter “Photoroom”), and:
Your company or organization, as identified for this purpose in your Photoroom Account (hereinafter “Client”).
Client and Photoroom are sometimes referred to herein individually as a “Party” and together as the “Parties”. The provision of services (the “Services”) available on https://www.photoroom.com/ website and the Photoroom application (the “Platform”) involves the processing of personal data by Photoroom, as a processor on behalf of the Client.
Any use of the Platform as a professional client is governed by this Data Processing Agreement for the data processing.
DEFINITIONS
All capitalized terms used in this Agreement will have the following meanings:
Agreement: means this Data Processing Agreement.
Client data: means all personal data that are sent to the Platform by or for Client through the use of the Services and/or which are hosted in the Platform at the request of Client or for Client.
Data Protection Laws and Regulations: means the "European Regulation 2016/679, on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC" ("General Data Protection Regulation" or "GDPR") and any laws and regulations relating to the protection of Personal Data applicable under the Agreement.
Data Controller, Data Processor, Data Security Breach, Data Subject, Personal Data and Processing, Supervisory Authority: have the meaning given in the GDPR.
Sub-Processor: means any Data Processor appointed by Photoroom.
ROLE OF THE PARTIES AND PURPOSE OF THE PROCESSING
Client is the Data Controller and Photoroom is the Data Processor with respect to the Processing detailed in this Agreement and Appendix 1 in particular.
Photoroom processes Personal Data on behalf of Client when Client uses the Photoroom Platform.
OBLIGATIONS OF DATA PROCESSOR
3.1. The Parties agree that the subject-matter and duration of Processing performed by Photoroom under this Agreement, the nature and purpose of Processing, the type of Personal Data, and categories of Data Subjects, are as described in this Agreement and in Appendix 1.
For clarification purposes, the obligations of Photoroom under this Agreement are best efforts obligations. When providing the Services, Photoroom makes the following commitments:
Photoroom shall process Personal Data only on Client's documented instructions as set out in this Agreement or as otherwise necessary to provide the Services. In this regard, such instructions may be provided by Client to Photoroom by email, or via the use of the Services.
Photoroom shall ensure that Photoroom staff members have committed themselves to confidentiality of Personal Data and that Sub-Processors are under confidentiality obligations;
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Photoroom shall implement and maintain appropriate technical and organizational measures to protect Personal Data from any Data Security Breach and shall provide Client with commercially reasonable assistance to implement and maintain appropriate technical and organizational measures to protect Personal Data against any Data Security Breach;
Taking into account the nature of the Processing and the information available to Photoroom, the latter shall notify Client without undue delay and where feasible not later than seventy-two (72) hours after having become aware of a Data Security Breach; if necessary, Photoroom shall provide Client with commercially reasonable assistance to mitigate or remediate the Data Security Breach. Such obligation of notification to Client will not apply to Photoroom if the Data Security Breach is unlikely to result in a risk for the rights and freedoms of natural persons. Notification of any Data Security Breach will be delivered by email;
Upon Client’s written request, taking into account the nature of the Processing and the information available to Photoroom, the latter shall provide Client with commercially reasonable assistance with respect to Client’s compliance with its obligation to communicate the Data Security Breach to Data Subjects, when required by Data Protection Laws and Regulations;
Photoroom has no obligation to assess Client Data in order to identify if they are subject to any specific legal requirements.
Photoroom’s notification of or response to a Data Security Breach under this Section will not be construed as an acknowledgement by Photoroom of any fault or liability with respect to the Data Security Breach.
Without prejudice to Photoroom’s obligations under this Section, and elsewhere in the Agreement, Client is responsible for its use of the Services and its storage of any copies of Client Data outside Photoroom’s or Photoroom’s Subprocessors’ systems, including: (a) ensuring a level of security appropriate to the risk to the Client Data when using the service; (b) securing the account authentication credentials, systems and devices Client uses to access the Services; and (c) backing up or retaining copies of Client Data as appropriate;
Upon Client’s written request, taking into account the nature of the Processing and the information available to Photoroom, the latter shall provide Client with commercially reasonable assistance to conduct a data protection impact assessment and to conduct a prior consultation with a Supervisory Authority when required by Data Protection Laws and Regulations;
Taking into account the nature of the Processing, Photoroom shall provide Client with commercially reasonable assistance (by appropriate technical and organizational measures) with respect to the fulfilment of Client’s obligation to respond to requests from Data Subjects to exercise their rights under the Data Protection Laws and Regulations (a “Data Subject Request”). In the event Photoroom receives a Data Subject Request directly from a Data Subject, it shall (unless prohibited by law) direct the Data Subject to the Client in the first instance. Client will be responsible for responding to any such request.
However, in the event Client is unable to address the Data Subject Request, taking into account the nature of the Processing and the information available to Photoroom and on Client’s request, Photoroom shall address the Data Subject Request, as required under the Data Protection Laws and Regulations;
Photoroom shall immediately inform Client if, in its opinion, Client’s Processing instruction infringes the Data Protection Laws and Regulations. In such event, Photoroom is entitled to refuse to perform the Processing of Personal Data that it believes to be in violation of the Data Protection Laws and Regulations.
USE OF SUB-PROCESSORS
Client hereby provides a prior and general authorization allowing Photoroom to appoint any Sub-Processors to assist it in the provision of the Services and in the Personal Data Processing, in accordance with the terms provided in this Agreement.
Photoroom commits that Sub-Processors (i) are to fulfil obligations at least equivalent to those set out in this Agreement with respect to Personal Data protection; (ii) provide guarantees regarding Personal Data protection at least equivalent to those presented by the measures implemented by Photoroom. Photoroom remains liable to Client for the fulfilment by the Sub-Processors of their contractual obligations towards Photoroom.
Client hereby agrees that Photoroom may appoint Sub-Processors from the list of Sub-Processors in Appendix 2 of this Agreement. Photoroom shall update the list of any Sub-Processor to be appointed at least thirty (30) days prior to the date on which the Sub-Processor shall commence the Processing of Personal Data.
In the event Client objects to the Processing of its Personal Data by any newly appointed Sub-Processor as described in this “Use of Sub-Processors” Section, it will inform Photoroom immediately. In such event, Photoroom will allow Client to terminate this Agreement under the terms of Client’s subscription.
In connection with the use of such Sub-Processors, Client expressly authorizes Photoroom to transfer personal data outside the European Economic Area. Photoroom will put in place an appropriate transfer instrument.
AUDIT
For the purpose of this Section, “Auditor” will have the meaning of either Client or the third party auditor mandated by Client under this Section in order to conduct an audit or inspection as mentioned in the Section “Obligations of the Data Processor”.
Photoroom will make available to Auditor the information necessary to reasonably demonstrate compliance with this Agreement, under the following conditions:
Client demonstrates that Auditor is subject to strict confidentiality obligations;
Client demonstrates that Auditor is not a competitor of Photoroom;
The procedure described below is followed:
Client gives Photoroom thirty (30) days' prior written notice of such audit or inspection (hereafter “Audit”);
During this thirty (30)-day period, Client and Photoroom mutually agree in writing upon the scope, timing, duration and starting date of the Audit.
Client ensures that the Audit will not impact Photoroom’s organization or Photoroom’s activities. Client will indemnify Photoroom for any damage resulting from the Audit.
Photoroom will not give access to its premises for the purposes of the Audit:
to an Auditor’s employee who does not provide Photoroom with reasonable evidence of identity and authority; or
to any Auditor’s employee who requests access to Photoroom’s premises outside regular business hours;
Photoroom will not give access to premises other than its corporate site; for example, Photoroom will not provide access to Sub-Processors’ premises.
The Audit is conducted by the Auditor in a reasonable manner and in good faith.
All costs relative to the Audit will be at the charge of the Client.
OBLIGATIONS OF DATA CONTROLLER
As part of Client using the Services, Client agrees to the following:
Client is solely responsible for the accuracy of Personal Data and the means by which such Personal Data is acquired in compliance with the Data Protection Laws and Regulations. Client is solely responsible for providing Photoroom with instructions that comply with this Agreement and the Data Protection Laws and Regulations;
Client undertakes to document in writing any additional instructions regarding the Processing by Photoroom;
Client guarantees that the Processing is carried out in accordance with the provisions of the Data Protection Laws and Regulations and in particular that the Data Subjects are informed of the Processing and have given their consent if applicable;
Client expressly prohibits the Processing of special categories of Personal Data;
The performance by Photoroom of any of its obligations (including with respect to audit) provided for in this Agreement will be subject to an additional fee if such performance requires Photoroom to spend more than two hours of time during the term of the subscription. Such additional fee will be invoiced based on the hourly rate of 100 euros ex-VAT.
RETURN AND DESTRUCTION OF PERSONAL DATA
Upon the termination of Client’s access to and use of the Service, Photoroom will, up to thirty (30) days following such termination, permit Client to export its Client Data, at its expense, in accordance with the capabilities of the Services. Following such period, Photoroom shall delete all Service Data processed by Photoroom on behalf of Client in accordance with Photoroom’s deletion policies and procedures. Client acknowledges and accepts that Client Data will no longer be accessible upon the expiry of the thirty (30) day period.
DURATION
This Agreement will remain in force as long as Client uses the Platform.
JURISDICTION CLAUSE
ANY DISPUTE ARISING FROM THIS AGREEMENT WILL BE RESOLVED BY THE COMPETENT COURTS OF PARIS, FRANCE.
LIMITATION OF LIABILITY
The liability of each party under this Agreement shall be limited to the amount of 10,000 euros or the amount paid by the Customer to Photoroom for the last 12 months for the Services, whichever is lower.
Appendix 1 to the DPA
Detail of Processing
DURATION OF PROCESSING
Personal Data shall be processed for the duration of the Services.
SUBJECT-MATTER OF PROCESSING
The subject-matter of the Processing is the modification, editing and storage of photos with the use of artificial intelligence.
PURPOSE OF PROCESSING
The purpose of the Processing of Personal Data is to provide photo editing Services.
DATA SUBJECTS
Client may, at its sole discretion, submit Personal Data to the Services, which may include, but is not limited to, the following categories of Data Subjects: employees, client, any person depicted in the images supplied by Client.
CATEGORIES OF PERSONAL DATA
Client may, at its sole discretion, submit Personal Data to the Service(s) which may include, but is not limited to, the following categories of data: contact details information, photos of people.
CONTACT DETAILS
For any query or question with respect to Client Data in relation with this Agreement, Client may contact Photoroom at the following email address: [email protected]
Appendix 2 to the DPA
Sub-Processors List
Company name | Services | Localization |
Amazon Web Services (AWS) | Cloud infrastructure provider | Amazon Web Services, Inc. 410 Terry Avenue North Seattle WA 98109 United States |
Cloudflare Inc. | Content delivery services | 101 Townsend St., San Francisco, California 94107, USA |
Google LLC (Google Cloud, Firebase, Workspace) | Cloud infrastructure provider | Google LLC, 1600 Amphitheatre Parkway, Mountain View, California 94043, USA. |
Intercom | Messaging | Intercom, 55 2nd Street, 4th Floor, San Francisco, United States |
Appendix 3 to the DPA
Security Policy
Photoroom shall implement and continuously improve adequate technical and organizational measures following commonly accepted standards to manage the security of information and IT services and to defend against cybersecurity incidents.
The measures taken by Photoroom are provided in detail at the following link: https://trust.photoroom.com/?tab=securityControls#ACCESS_CONTROL_AND_AUTHORIZATION

