Data Processing Agreement (DPA)

Last updated: 14 October 2025

---

This Data Processing Agreement (“Agreement”) is made between FolioDen Ltd. (“FolioDen”, “we”, “us”) and the Photographer ("you"). It forms part of our Terms of Service, defining the terms under which we process personal data on your behalf.

1. Definitions

• Data Protection Laws: All applicable privacy and data protection laws, including the UK GDPR, EU GDPR, and equivalents.
• Controller: The party which determines the purposes and means of processing personal data.
• Processor: The party which processes personal data on behalf of the Controller.
• Personal Data: Any information relating to an identified or identifiable natural person.
• Sub-Processor: A third party appointed by the Processor to carry out processing activities.
• Security Incident: Any breach or event involving accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access of Personal Data.

2. Roles and Scope

Under this Agreement, you act as the Controller of Photographer Data, and FolioDen acts as the Processor. We will process your Photographer Data only to provide the services under the Terms of Service and in accordance with your instructions.

3. Instructions and Limitation

We will only process your data on documented instructions from you, unless required by law. We will not use your data for other purposes. You may revoke or change your instructions in writing, subject to applicable laws.

4. Sub-Processing

You authorise FolioDen to engage Sub-Processors (e.g. cloud providers, print labs) provided we impose data protection obligations on them comparable to this Agreement. You may object to a new Sub-Processor by notifying us within 30 days; if unresolved, we may suspend services or terminate.

5. Technical & Organisational Measures

Taking into account the nature of processing and risks, FolioDen will maintain appropriate security measures — e.g. encryption, access control, regular testing — to protect your data from unauthorised or unlawful processing.

6. Your Rights & Requests

If a Data Subject (your client or individual) submits a request (access, rectification, erasure, etc.), we will notify you promptly and assist you in fulfilling the request as required by law.

7. Security Incidents

In the event of a Security Incident affecting your data, we shall notify you without undue delay, investigate, mitigate damage, and cooperate with you and any regulators as required.

8. Audit & Records

We will maintain records of our processing activities and permit audits by you or your auditor (once per year) upon reasonable notice, subject to confidentiality and minimal disruption.

9. International Transfers

If any transfers of data occur outside the UK/EEA to a country lacking adequacy status, such transfers will be governed by standard contractual clauses or other lawful safeguards in line with Data Protection Laws.

10. Term, Termination & Deletion

This DPA remains in effect while we process your data. Upon termination, we will either delete or return your data (as you choose), unless legal obligations require retention.

11. Liability & Conflicts

In case of conflict between this DPA and the Terms of Service, this DPA prevails regarding data processing matters. Our liability is subject to the limits in the Terms of Service.

12. General Provisions

• Each party acts independently; nothing creates a partnership.
• If any provision is invalid, the remainder still applies.
• This Agreement is governed by the laws of England & Wales.

For any questions, contact us at: dpo@folioden.com