Data Processing Agreement (DPA)
Last updated: May 2026
This Data Processing Agreement ("DPA") forms part of, and is subject to, the Self-Serve Subscription Agreement and the Terms of Use between Picspace (operated by Matthias Grieder, sole trader), Kirchengasse 36/10, 1070 Vienna, Austria ("Picspace", "Processor", "we") and the customer accepting these terms ("Customer", "Controller", "you"). It applies whenever Picspace processes personal data on behalf of the Customer in the course of providing the Services.
By using the Services, the Customer enters into this DPA on its own behalf and, where applicable, on behalf of its Affiliates. If the Customer requires a counter-signed copy, contact privacy@picspace.io.
1. Definitions
Terms used but not defined in this DPA have the meaning set out in Regulation (EU) 2016/679 (the "GDPR") and, where applicable, the UK GDPR and Swiss FADP. "Personal Data", "Controller", "Processor", "Sub-processor", "Data Subject", "Processing" and "Personal Data Breach" have the meaning given in Art. 4 GDPR.
"Customer Personal Data" means Personal Data that Customer or its end users (including the natural persons depicted in photos) submit to or generate through the Services, and that Picspace processes on Customer's behalf.
2. Roles and dual-controller model for AI features
2.1 Standard processing
For ordinary use of the Services (account, storage, sharing, billing), Picspace acts as Controller in respect of administrative and security data and as Processor in respect of Customer Personal Data uploaded by the Customer (e.g., photos of identifiable persons that Customer manages on behalf of its own clients).
2.2 AI metadata generation — platform credits
Where AI features (auto-tags, titles, descriptions) are invoked using Picspace's own OpenAI account ("platform credits"), Picspace is Controller of the inference call and OpenAI acts as Picspace's Sub-processor under OpenAI's data processing addendum.
2.3 AI metadata generation — Bring Your Own Key (BYOK)
Where the Customer has stored a personal OpenAI API key in account settings, AI calls are made on the Customer's OpenAI account. In that configuration:
- The Customer is the Controller of the AI inference and contracts directly with OpenAI;
- Picspace acts solely as a technical conduit on the Customer's documented instruction (saving the key and uploading a photo together constitute the instruction under Art. 28(3)(a) GDPR);
- OpenAI is not a sub-processor of Picspace in this configuration;
- Picspace remains Controller (or Processor on Customer's behalf, as applicable) for the storage of the resulting metadata in the Customer's space.
3. Subject matter and details of processing
| Item | Description |
|---|---|
| Subject matter | Provision of the Services described in the Subscription Agreement, including storage, sharing, search, and AI metadata generation. |
| Duration | The term of the Subscription Agreement plus any post-termination retention permitted under §7. |
| Nature and purpose | Hosting, organising, indexing, and (optionally) AI-enhancing photographic content uploaded by the Customer. |
| Categories of Personal Data | Identification data (name, email, account ID); image content including faces and other identifiable features; image metadata (EXIF, IPTC); generated metadata (AI tags, captions); access logs. |
| Categories of Data Subjects | The Customer's authorised users; natural persons depicted in uploaded photographs (including end clients of professional photographers and, where the Customer chooses to upload such photos, minors). |
4. Processor obligations
Picspace shall:
(a) process Customer Personal Data only on the Customer's documented instructions, including with regard to international transfers, unless required to do otherwise by EU or Member State law to which Picspace is subject;
(b) ensure that personnel authorised to process Customer Personal Data are subject to appropriate confidentiality obligations;
(c) implement the technical and organisational measures set out in Annex 2 (TOMs) and Art. 32 GDPR;
(d) assist the Customer, taking into account the nature of processing, in fulfilling its obligation to respond to Data Subject requests under Articles 15–22 GDPR;
(e) assist the Customer with security, breach notification, data protection impact assessments, and prior consultation under Articles 32–36 GDPR;
(f) at the Customer's choice, delete or return all Customer Personal Data after the end of the provision of services, save where retention is required by law (see §7);
(g) make available to the Customer all information necessary to demonstrate compliance with Art. 28 GDPR and allow for and contribute to audits, including inspections, conducted by the Customer or an auditor mandated by the Customer (see §6).
5. Sub-processors
The Customer provides general written authorisation for Picspace to engage sub-processors. The current list of sub-processors is published at https://picspace.io/legal/subprocessors. Picspace will notify the Customer of any intended addition or replacement of a sub-processor with at least 30 days' notice, during which the Customer may object on reasonable data-protection grounds. If the parties cannot reach agreement, the Customer may terminate the affected portion of the Services without penalty.
Picspace will impose on each sub-processor data-protection obligations no less protective than those in this DPA, in particular providing sufficient guarantees of appropriate technical and organisational measures (Art. 28(4) GDPR). Picspace remains liable to the Customer for the performance of each sub-processor's obligations.
6. Audits
The Customer may, at its own cost and on at least 30 days' written notice, audit Picspace's compliance with this DPA no more than once per calendar year (and additionally following a Personal Data Breach) by reviewing reasonably available documentation and, where reasonably necessary, by an independent third-party auditor under appropriate confidentiality obligations. Audits must not unreasonably interfere with Picspace's operations.
7. Return or deletion at end of services
Upon termination or expiry of the Subscription Agreement, Picspace will make Customer Personal Data available for export for a period of thirty (30) days, after which Picspace may delete it. Customer may instead instruct Picspace in writing to delete Customer Personal Data immediately. Picspace may retain Personal Data to the extent required by EU or Member State law, in which case it remains subject to the confidentiality and security obligations of this DPA.
8. International transfers
Where Picspace transfers Customer Personal Data outside the European Economic Area, transfers are made on the basis of (i) an adequacy decision under Art. 45 GDPR; or (ii) the European Commission's Standard Contractual Clauses adopted under Art. 46(2)(c) GDPR (the "SCCs"), with the relevant Module incorporated by reference (Module 2 Controller-to-Processor; Module 3 Processor-to-Sub-processor), together with any supplementary measures appropriate in light of the destination country.
9. Personal Data Breach
Picspace will notify the Customer without undue delay and in any event within 72 hours of becoming aware of a Personal Data Breach affecting Customer Personal Data, and will provide the information referred to in Art. 33(3) GDPR as it becomes available. Picspace will reasonably assist the Customer with notification to supervisory authorities and Data Subjects where required.
Where Customer Personal Data is rendered unintelligible by encryption (e.g., the AES-256-GCM encryption of stored OpenAI API keys) and the encryption key has not itself been compromised, the parties may apply Recital 83 GDPR to the breach analysis, but Picspace will still provide notice as set out above.
10. Liability and term
The liability of the parties under this DPA is subject to the liability cap and exclusions in the Subscription Agreement. This DPA takes effect on the Customer's acceptance of the Subscription Agreement and remains in force for the duration of the Subscription Agreement and any period during which Picspace processes Customer Personal Data thereafter.
11. Order of precedence
In case of conflict between this DPA and other terms in the Subscription Agreement or the Terms of Use, this DPA prevails to the extent the conflict relates to data protection.
Annex 1 — Sub-processors
The current list of authorised sub-processors is published and maintained at https://picspace.io/legal/subprocessors and is incorporated by reference into this DPA.
Annex 2 — Technical and Organisational Measures (TOMs)
Picspace implements measures appropriate to the risk in accordance with Art. 32 GDPR, including:
- Encryption. TLS 1.2+ in transit; AES-256 at rest for object storage; AES-256-GCM for sensitive secrets (e.g., stored OpenAI API keys), with the encryption key held in a separate secrets store from the encrypted blob.
- Access controls. Role-based access; least-privilege production access limited to the runtime role; multi-factor authentication for human administrative access.
- Network and platform security. Hosting in EU regions where feasible; isolated network segments; managed databases with point-in-time recovery; managed object storage with versioning.
- Logging and monitoring. Application and platform logs centralised; alerting on authentication anomalies, error spikes, and infrastructure availability.
- Backup and recovery. Multi-AZ database replication, point-in-time recovery (≥7 days), versioned object storage with non-current-version retention, documented recovery procedures.
- Personnel. Confidentiality obligations; security awareness training; incident response procedures.
- Sub-processor management. Written agreements with each sub-processor incorporating Art. 28(3) GDPR clauses.
- Data subject rights. Documented procedures for export, rectification, and deletion supporting Art. 15–22 GDPR.
Annex 3 — Standard Contractual Clauses (incorporation)
Where required for an international transfer (see §8), the Standard Contractual Clauses adopted by the European Commission (Decision 2021/914) are incorporated into this DPA. The Customer is the data exporter and Picspace is the data importer; the relevant Module applies based on the parties' roles. The optional docking clause (Clause 7) applies. Clause 9(a) (general written authorisation) applies with the 30-day notice period set out in §5. Clause 17 (governing law): Austrian law. Clause 18 (choice of forum and jurisdiction): the courts of Vienna, Austria.
Contact
Questions about this DPA: privacy@picspace.io
Picspace (operated by Matthias Grieder, sole trader), Kirchengasse 36/10, 1070 Vienna, Austria.