Zenfolio Data Processing Agreement
Welcome to Zenfolio!
Terms of Service Zenfolio | Terms of Service PhotoBooker | Privacy Policy | Copyright Policy | Cookie Policy | Open Source Fonts | Data Processing Addendum | Data Privacy Framework | API Terms
Last Updated: February 19, 2026
This Data Processing Addendum (“DPA”) sets forth the terms and conditions in which Zenfolio, Inc. (“Zenfolio,” “we,” “us,” “our”) will process personal data on the behalf of photographers (“you” or “Photographer”) who purchase or otherwise use our Photographer Services.
ANY AND ALL DISPUTES, COMPLAINTS, OR CLAIMS ARISING FROM THIS DPA SHALL, TO THE MAXIMUM EXTENT PERMITTED BY LAW, BE SUBJECT TO THE DISPUTE RESOLUTION AND LIMITATIONS OF LIABILITY PROVISIONS, CRITERIA, AND REQUIREMENTS SET FORTH IN THE ZENFOLIO TERMS OF SERVICE.
1. Definitions
1.1. Applicable Data Protection Law means all laws, statutes, and regulations applicable to the Processing of Photographer Personal Data under the Terms of Service, including (when applicable) the EU General Data Protection Regulation (“GDPR”), the UK Data Protection Act of 2018 and UK GDPR, the Swiss Federal Act on Data Protection (“FADP”), and comprehensive US state privacy laws applicable to Photographer Services (including California, Virginia, Colorado, Connecticut, Utah, and other substantially similar state privacy statutes as they come into force), together with implementing regulations.
1.2. California Consumer Privacy Act (“CCPA”) means the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights and Enforcement Act of 2020 and any other applicable amendments (codified at § Cal. Civ. Code 1798.100 et seq.), and includes any and all implementing regulations.
1.3. Data Subject means an identified or identifiable individual whose Personal Data is being Processed by Zenfolio.
1.4. European Union (EU) Standard Contractual Clauses means standard contractual clauses adopted by the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021 for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.
1.5. General Data Protection Regulation (“GDPR”) means the Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC and all applicable European Union (EU) Member State legislation implementing the same.
1.6. Personal Data means any information or data that, alone or in combination with other information or data, can be used to reasonably identify a particular individual, household, or device, and is subject to, or otherwise afforded protection under, an Applicable Data Protection Law.
1.7. Photographer Personal Data means the Personal Data that Zenfolio Processes on behalf of Photographer.
1.8. Photographer Services shall have the meaning ascribed in the Zenfolio the Terms of Service.
1.9. Photographer Site Content shall have the meaning ascribed in the Zenfolio the Terms of Service.
1.10. Subprocessor means any third-party organization engaged by Zenfolio to Process Photographer Personal Data on its behalf.
1.11. United Kingdom (UK) Addendum/IDTA means the International Data Transfer Addendum to the European Commission Standard Contractual Clauses issued by the UK Information Commissioner under the s.119A(1) of the Data Protection Act 2018, as amended or replaced from time to time. IDTA means the standalone UK International Data Transfer Agreement issued by the UK Information Commissioner, as amended or replaced from time to time.
The terms “controller,” “data controller,” “processor,” “data processor,” “processing,” “process,” “data breach,” and “personal data breach” shall have the meanings given in the Applicable Data Protection Law and may be capitalized in this DPA to show that they are defined terms. Any other term that is capitalized but not otherwise defined herein shall be ascribed the meaning in the Zenfolio Terms of Service.
2. Scope. You acknowledge that the Photographer Services are designed and provided for the primary purpose of enabling you to exhibit, organize, print, sell, exchange, and share digital images, videos and related products, and not for the primary purpose of storage, management or Processing of Personal Data.
3. Processing. You expressly acknowledge that: (i) you are the Controller of Personal Data included in the Photographer Site Content; (ii) you hereby appoint Zenfolio as a Processor to Process the Personal Data included in the Photographer Site Content; and (iii) Zenfolio shall Process Personal Data as a Processor as necessary to perform its obligations under this DPA and strictly in accordance with your instructions as documented in this DPA, except where otherwise required by any applicable law. Photographer shall be responsible for complying with all requirements that apply to it under Applicable Data Protection Law. Photographer acknowledges and agrees that it will be solely responsible for the accuracy, quality, and legality of Photographer Personal Data, and for complying with all necessary transparency and lawfulness requirements under Applicable Data Protection Law for the collection and use of the Photographer Personal Data, including obtaining any necessary consents and authorizations from Data Subjects. For the avoidance of doubt, Photographer hereby represents to Zenfolio that Photographer has the legal authority and appropriate business purpose to provide Zenfolio with any and all Photographer Personal Data in conjunction with the Photographer Services, and when legally required, has obtained the consent from all applicable Data Subjects concerning the Processing described herein. Each party shall inform the other party, without undue delay (and in any event within seventy-two (72) hours) if it is not able to comply with its responsibilities set forth in this DPA. Photographer is solely responsible for reviewing the Photographer Services, including any available security documentation and features, to determine whether they satisfy Photographer’s requirements, business needs, and legal obligations.
3.1. Processor Obligations. As required by the Applicable Data Protection Law, Zenfolio shall: (a) process Photographer Personal Data only on documented instructions from Photographer, including with respect to transfers, unless required to do so by law; (b) ensure persons authorized to process Photographer Personal Data are subject to an appropriate duty of confidentiality; (c) implement appropriate technical and organizational measures meeting the requirements of Section 5 and Exhibit II; (d) assist Photographer with reasonable technical and organizational measures for Data Subject requests or inquiries from any governmental, regulatory or supervisory authorities, in each case solely in relation to processing Photographer Personal Data and taking into account information available to Zenfiolio; (e) provide reasonable assistance with data protection impact assessments; (f) at Photographer’s choice, delete or return all Photographer Personal Data at termination of the Services and delete existing copies unless retention is required by law or Zenfolio’s retention policy; (g) make available information necessary to demonstrate compliance and allow and contribute to audits in accordance with Section 8; and (h) flow down equivalent obligations to Subprocessors as required by this DPA.
3.2. Combining and Use Restrictions. Zenfolio shall not combine any Photographer Personal Data with information it receives from another source provided that Zenfolio may combined Photographer Personal Data as authorized by Applicable Data Protection Law. Zenfolio shall not process Photographer Personal Data for cross-contextual behavioral advertising, targeted advertising, or profiling in furtherance of decisions producing legal and similarly significant effects on individuals, except as expressly permitted by Applicable Data Protection Law and solely for the business purposes of providing the Photographer Services. For the avoidance of doubt, this DPA does not apply to any data related to Photographer’s use of the Services unless it is Photographer Personal Data (e.g., this does not apply to Service analytics, activity logs, use patterns, etc.).
3.3. Instructions Conflict. If Zenfolio considers that an instruction from Photographer violates Appliable Data Protection Law, Zenfolio shall promptly inform Photographer.
4. CCPA Disclaimer. For purposes of the CCPA, Photographer shall be considered a “Business” and Zenfolio shall be considered a “Service Provider.” With regard to any Personal Information provided by Photographer to Zenfolio pursuant to this DPA, Zenfolio hereby acknowledges and agrees that it shall not (i) “Sell” or “Share” the Personal Information, (ii) retain, use, or disclose the Personal Information for any purpose other than for the specific purpose of performing the Photographer Services, or (iii) retain, use, or disclose Personal Information outside of the direct business relationship with Photographer. Without limiting the foregoing, each party acknowledges and agrees that the provision of Personal Information from Photographer to Zenfolio does not constitute, and is not the intent of either party for such provision of Personal Information to constitute, a “Sale” of Personal Information, and if valuable consideration, monetary or otherwise, is being provided by Photographer pursuant to the DPA, such valuable consideration, monetary or otherwise, is so being provided for the Photographer Services being rendered and not for the provision of Personal information. For purposes of this Section only, the terms “Business,” “Service Provider,” “Personal Information,” “Sale,” “Sell” and “Share” shall have the same meaning as set forth in the CCPA (Cal. Civ. Code § 1798.140). The limitations set forth in this Section shall not be interpreted to prevent Zenfolio from complying with an applicable law, statute, regulation, or a binding order of a governmental or regulatory body.
4.1. Additional US State Requirements. Where Photographer Personal Data is subject to other US state privacy laws, Zenfolio will act as a processor and shall: (a) process Photographer Personal Data only on documented instructions (including this DPA); (b) assist with security and breach notifications consistent with Section 9; require Subprocessors via written contract to meet the requirements in this Section; (d) upon reasonable required, provide information necessary to demonstrate compliance; (e) enable and support deletion and return at termination; and (f) prohibit processing for targeted advertising, sales, or profiling in furtherance of decisions producing legal or similarly significant effects, except as permitted by Applicable Data Protection Law and this DPA.
5. Confidentiality and Security. Zenfolio shall maintain the confidentiality of all Photographer Personal Data and ensure that individuals who are authorized to Process Photographer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. Zenfolio shall implement and maintain appropriate technical and organizational measures for its own systems to comply with data privacy in order to ensure a level of data protection appropriate to the risk resulting from the Processing of Photographer Personal Data under this DPA, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing, as well as the severity and likelihood of realization of risks for the rights and freedoms of Data Subjects. Upon termination or expiration of your Zenfolio account, Zenfolio shall delete Photographer Personal Data from Zenfolio’s custody and control within sixty (60) business days, subject to any legal retention obligations, and it is your responsibility to retrieve any data it requires prior to deletion and as permitted by Applicable Data Protection Law.
6. Requests; Assistance. Zenfolio shall, to the extent legally permitted, promptly notify Photographer if Zenfolio receives a request from (i) a government or regulatory authority regarding the Processing of Photographer Personal Data (a “Government Access Request”) or (ii) a Data Subject seeking to exercise a data protection right or privilege (a “Data Subject Request”), and Zenfolio shall, to the extent practicable, seek to direct the requestor to Photographer. Taking into account the nature of the Processing, Zenfolio shall assist Photographer by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Photographer’s obligation to respond to a Government Access Request or a Data Subject Request. In addition, to the extent Photographer, in its use of the Photographer Services, does not have the ability to address the Government Access Request or the Data Subject Request, Zenfolio shall, upon Photographer’s request, furnish commercially reasonable efforts to assist Photographer in responding to such requests, to the extent Zenfolio is legally required to do so. Photographer shall be responsible for any costs arising from Zenfolio’s provision of such assistance described herein. For the avoidance of doubt, Photographer shall be fully responsible and liable for timely and appropriately responding to a Government Access Request or a Data Subject Request.
7. Impact Assessments; Consultation. Upon Photographer’s request, Zenfolio shall (at Photographer’s sole cost and expense) provide Photographer with commercially reasonable cooperation and assistance (i) needed to fulfil Photographer’s obligation under Applicable Data Protection Law to undertake a data protection impact assessment related to Photographer’s use of the Photographer Services, to the extent Photographer does not otherwise have access to the relevant information, and to the extent such information is available to Zenfolio, and (ii) with respect to a consultation with a governmental or regulatory authority.
8. Audit. At your sole cost and expense, and subject to your compliance with this DPA, you may (no more than once per year) audit Zenfolio’s compliance with its data protection obligations, provided you furnish Zenfolio at least thirty (30) days advance written notice of the same, with such notice to include a detailed proposed audit plan. The proposed audit plan must describe the proposed scope, duration, and start date of the audit. Zenfolio will review the proposed audit plan and provide you with any concerns or questions and work cooperatively with you to agree on a final audit plan. Zenfolio will contribute to such audits by providing the information and assistance reasonably necessary to conduct the audit, including any relevant records of Processing activities applicable to your use of the Photographer Services where such records are not otherwise available to you through the Photographer Services. The audit must be conducted during regular business hours, may not unreasonably interfere with Zenfolio business activities, and be conducted subject to the agreed final audit plan and Zenfolio’s internal policies. You will provide Zenfolio any audit reports generated as part of any audit unless Applicable Data Protection Law prohibits it. You may use the audit reports only for the purpose of meeting your regulatory audit requirements. The audit reports are confidential information of the parties under this DPA. Where assistance requested of Zenfolio in conjunction with such audit requires the use of resources different from or in addition to those required of Zenfolio under this DPA, you shall pay for such additional resources at Zenfolio’s then-current rates.
9. Security Event. Upon confirming a Personal Data Breach, Zenfolio shall: (i) taking into account the nature of Processing of Photographer Personal Data and the information available to Zenfolio, notify Photographer of the Personal Data Breach within seventy-two hours (72), or in accordance with the time frame set forth in Applicable Data Protection Law, (ii) provide timely information to Photographer relating to the Personal Data Breach as it becomes known or as is reasonably requested by Photographer, and (iii) promptly take reasonable steps to contain, investigate, and mitigate any Personal Data Breach. Photographer acknowledges that Zenfolio will not assess the contents of Photographer Personal Data in order to identify information subject to any specific Data Breach notification legal requirements, and Photographer is solely responsible to comply with Data Breach notification laws applicable to Photographer and to fulfill any third-party notification obligations related to any Personal Data Breach. Unless otherwise required by an Applicable Data Protection Law, the parties agree: (i) Zenfolio shall not provide notice of a Personal Data Breach to any third party or otherwise make any public statement on the same, and (ii) to coordinate in good faith on developing the content of any related public statements or any required notices for the affected Data Subjects and/or notices to the relevant supervisory authorities. Zenfolio’s notice obligations set forth herein shall not be interpreted or construed, in any manner or in any form, as an admission of guilt, negligence, or wrongdoing.
10. Subprocessors. To the extent necessary for Zenfolio fulfill its contractual obligations under this DPA, you hereby authorize Zenfolio to engage and continue to use the Subprocessors identified at Exhibit III (the “Subprocessor List”). Zenfolio will notify applicable Photographers of any changes to such list by updating the Subprocessor List and will give them the opportunity to object to the engagement of the new Subprocessor on reasonable grounds relating to the protection of Personal Data within thirty (30) days after updating the Subprocessor List. If the Photographer does notify Zenfolio of such an objection, the parties will discuss Photographer’s concerns in good faith with a view to achieving a commercially reasonable resolution. If no such resolution can be reached, Zenfolio will, at its sole discretion, either not appoint the new Subprocessors, or permit the Photographer to suspend or terminate the affected Services in accordance with the termination provisions of this DPA. Zenfolio shall impose obligations on Subprocessors that are no less protective than those set out in this DPA and shall remain fully liable to Photographer for each Subprocessor’s performance of such obligations.
11. International Data Transfers
11.1. Data Transfers (EU Standard Contractual Clauses). To the extent Photographer Personal Data originates in the European Economic Area (EEA), the parties shall comply with the EU Standard Contractual Clauses with regard to the transfer and Processing of such Photographer Personal Data. If the EU Standard Contractual Clauses are applicable between the parties pursuant to this Section 11.1 of this DPA, their provisions will be deemed incorporated by reference into this DPA. To the extent required by the applicable data protection regulations, the parties shall enter into and execute the EU Standard Contractual Clauses as a separate document. If the parties apply and incorporate the EU Standard Contractual Clauses pursuant to this Section 11.1 of this DPA, then the following shall apply:
11.1.1 The EU Standard Contractual Clauses shall be governed by the Module Two (Transfer Controller to Processor) clauses in all applicable instances, and the Photographer and/or Photographer’s EU affiliates shall be the data exporter and Zenfolio shall be the data importer.
11.1.2. Each party acknowledges and agrees that Clause 7 (Optional – Docking Clause) of the EU Standard Contractual Clauses shall be deemed incorporated therein and applicable to the parties and third parties.
11.1.3. For purposes of Clause 9(a) (Use of sub-processors) of the EU Standard Contractual Clauses, the parties agree that Option 2 (General Written Authorization) shall apply to the parties, and shall be enforced in accordance with Section 10 and Exhibit III of this DPA.
11.1.4. For purposes of Clause 11 (Redress) of the EU Standard Contractual Clauses, the parties agree that the optional wording shall not be incorporated therein and therefore shall not be applicable to the parties.
11.1.5. For purposes of Clause 17 (Governing law) of the EU Standard Contractual Clauses, the parties agree that the EU Standard Contractual Clauses shall be governed by the law of Ireland and select Clause 17, “Option 1” to this effect.
11.1.6. For purposes of Clause 18 (Choice of forum and jurisdiction) of the EU Standard Contractual Clauses, the parties agree that any dispute arising from the EU Standard Contractual Clauses shall be resolved by the Courts of Ireland.
11.1.7. Annex I of the EU Standard Contractual Clauses shall be deemed completed with the information set forth in Exhibit I to this DPA.
11.1.8. Annex II of the EU Standard Contractual Clauses shall be deemed completed with the information set forth in Exhibit II to this DPA.
11.1.9. Annex III of the EU Standard Contractual Clauses shall be deemed completed with the information set forth in Exhibit III to this DPA and replacement Subprocessors shall be agreed upon in accordance with Section 10 of this DPA. Zenfolio shall not transfer Photographer Personal Data received under the EU Standard Contractual Clauses (nor permit such Photographer Personal Data to be transferred) to a Subprocessor outside the EEA, unless the Subprocessor (i) is established in a country which the European Commission has granted an adequacy status, or (ii) has obtained Photographer’s prior written consent with respect to such transfer and implements and maintains such measures as necessary to ensure the transfer is in compliance with Applicable Data Protection Law, and such measures may include (without limitation) the Subprocessor’s obtaining Binding Corporate Rules authorization in accordance with Data Protection Law, or the execution by a Subprocessor and Zenfolio of the EU Standard Contractual Clauses, Module 3 (Processor to Processor).
11.1.10. Transfer Risk Assessments. Where required, Zenfolio shall document and make available a transfer risk assessment aligned to Clause 14 of the EU Standard Contractual Clauses upon reasonable request, subject to confidentiality.
11.2. UK Transfers. To the extent Photographer Personal Data originates in the UK, the parties undertake to apply the UK Addendum to the EU Standard Contractual Clauses or, where appropriate, the IDTA to the transfer and Processing of such Photographer Personal Data and hereby incorporate the applicable UK transfer mechanism by reference into this DPA. In case the parties can no longer rely on selected UK transfer mechanism as an appropriate data transfer mechanism, the parties will conclude an alternative data transfer mechanism to replace the then-applicable mechanism, at the choice of Photographer, without undue delay. If the parties apply and incorporate the UK Addendum or IDTA pursuant to this Section 11.2 of this DPA, then the following shall apply:
11.2.1. Under the applicable UK mechanism, the parties agree that governing law shall be that of England and Wales.
11.2.2. For purposes of the “Additional commercial clauses” of the UK Standard Contractual Clauses, the optional “Indemnification” clause is deemed incorporated therein and shall apply to the parties.
11.2.3. Annexes 1 and 2 of the UK applicable UK mechanism shall be deemed completed with the information set forth in, as applicable, Section 11.1 of this DPA and Exhibits I through III of this DPA.
11.2.4. Zenfolio shall not transfer any Photographer Personal Data received under the UK Addendum or IDTA (nor permit such Photographer Personal Data to be transferred) to a Subprocessor outside the UK, unless the Subprocessor (i) is established in a country which the UK authorities have granted an adequacy status, or (ii) has obtained Photographer’s prior written consent with respect to such transfer and it implements and maintains such measures as necessary to ensure the transfer is in compliance with Applicable Data Protection Law, and such measures may include (without limitation) the Subprocessor’s obtaining Binding Corporate Rules authorization in accordance with Data Protection Law, or the execution by a Subprocessor and Zenfolio of the Standard Contractual Clauses adopted or approved by the UK Secretary of State or the UK Information Commissioner (and approved by the UK Parliament).
11.3. Switzerland Transfers. To the extent Photographer Personal Data originates in Switzerland, the parties undertake to apply the provisions of the EU Standard Contractual Clauses, as set forth in Section 11.1 of this DPA, to the transfer and Processing of such Photographer Personal Data. If the EU Standard Contractual Clauses are applicable between the parties pursuant to this Section 11.3, their provisions will be deemed incorporated by reference into this DPA. If the parties apply and incorporate the EU Standard Contractual Clauses (as set forth in Section 11.1 of this DPA) pursuant to this Section 11.3, then the following shall apply, where required by the Swiss Federal Act on Data Protection (FADP):
11.3.1. References to the GDPR in the EU Standard Contractual Clauses are to be understood as references to the FADP insofar as the data transfers are subject exclusively to the FADP and not the GDPR.
11.3.2. The term “member state” in the EU Standard Contractual Clauses shall not be interpreted in such a manner as to exclude Data Subjects in Switzerland from enforcing their rights in Switzerland in accordance with Clause 18(c) of the EU Standard Contractual Clauses, provided Switzerland is their habitual residence.
11.3.3. For purposes of Annex I(C) of the EU Standard Contractual Clauses, (i) where the data transfer is subject exclusively to the Swiss FADP (and not the GDPR), the supervisory authority is the Swiss Federal Data Protection and Information Commissioner; and (ii) where the transfer is subject to both the FADP and the GDPR, the supervisory authority is the Swiss Federal Data Protection and Information Commissioner insofar as the transfer is governed by the Swiss FADP, and the supervisory authority set forth in Exhibit I of this DPA insofar as the transfer is governed by the GDPR.
11.4. Other Transfers. To the extent Photographer Personal Data originates outside of the EEA, Switzerland, or the UK, and the parties seek to transfer and Process such Photographer Personal Data across national borders, the parties shall also undertake to apply, as appropriate, the provisions of the EU Standard Contractual Clauses or UK Addendum/IDTA to such transfer and Processing, provided that the EU Standard Contractual Clauses or UK Addendum/IDTA are legally required and sufficient to meet the requirements of the Applicable Data Protection Law for the transfer and Processing of Personal Data across national borders.
11.4.1. Data Privacy Framework. Where Zenfolio maintains a valid certification under the EU-US, UK Extension to the EU-US, or Swiss-US Data Privacy Framework and the transfer falls within the scope of such certification, the parties may rely on the applicable Framework as a transfer mechanism, without prejudice to either party’s ability to rely on the EU Standard Contractual Clauses and/or the UK Addendum/IDTA.
11.5. Surveillance Disclaimers. Zenfolio represents that it will maintain policies and procedures reasonably designed to assess and, where applicable, document government access requests and to challenge unlawful or disproportionate requests, to the extent permitted by law. Nothing in this DPA requires information that would compromise security or violate law enforcement restrictions.
Exhibit I (Data Processing Activities)
A. List of parties:
| Name (Data Exporter) | The Photographer |
| Address | As set forth in the Photographer’s account |
| Contact person’s name, position and contact details | As set forth in the Photographer’s account |
| Activities relevant to the data transferred under these Clauses | Set forth below (Section B. Description of Transfer) |
| Signature and date | By executing the Terms of Service of which this DPA forms an integral part |
| Role (Controller / Processor) | Photographer is the Data Controller |
| Name (Data Importer) | Zenfolio, Inc. |
| Address | 303 Twin Dolphin Dr, 6th Flr, Redwood City, CA 94065 |
| Contact person’s name, position and contact details | [email protected] |
| Activities relevant to the data transferred under these Clauses | Set forth below (Section B. Description of Transfer) |
| Signature and date | By executing the Terms of Service of which this DPA forms an integral part |
| Role (Controller / Processor) | Zenfolio is a Data Processor |
B. Description of the Processing and Transfer: Unless otherwise set forth in a statement of work, order form, or similar documentation, the description of the Personal Data transferred is as follows:
| Photogragher Services | Access to and use of the Zenfolio Platform and related services in accordance with the Terms of Service. |
| Categories of data subjects whose Personal Data is being transferred: | Photographer solely determines the categories of Data Subjects whose Personal Data is subject to Zenfolio Processing, which includes the following categories of Data Subjects: Photographer’s employees, contractors, and end-users of the Photographer Services, including individuals captured on Photographer’s images and photographs. |
| Categories of Personal Data transferred: | Any Personal Information provided to Zenfolio via the Photographer Services, whether by (or at the direction of) Photographer or its Data Subjects. Personal Information may also be provided to Zenfolio by the providers of third-party products in order to facilitate integrations between the Photographer Services and the third-party products (e.g., Google may provide name, email address and other account information of Users if Google Photo and Google Calendar integrations are enabled). Personal Information could include, without limitation: Name; Contact information (phone number, address, email address, etc.); Information related to Data Subjects obtaining Photographer’s photography services (address, recipient, shipping and fulfillment details, device information, etc.);Payment information used to facilitate purchases from Photographer’s gallery; General Services account information (account access credentials, IP address (for login audits), payment and billing information, etc.); and Third-party product account information. |
| Sensitive Data Transferred? If yes, applicable restrictions and safeguards that will be taken: | None, unless Photographer or Photographer’s Data Subjects elect in their sole discretion to provide Sensitive Data to Zenfolio via the Services. Such sensitive data may include biometric data (if such feature is utilized in the Photographer’s sole discretion) and individuals depicted in Photographer’s images and photographs. See Annex II for safeguards that will be taken. |
| Frequency of the Transfer: | Continuous |
| Nature of the Processing: | Zenfolio will process Personal Information for purposes of: (i) providing the Photographer Services in accordance with the Terms of Service and this DPA (namely, providing Photographer with an online platform that enables Photographer and Photographer’s Data Subjects (customers, site visitors and other users) to browse, exhibit, organize, store, sell, exchange, and share photographs); (ii) providing related technical support for the Photographer Services; (iii) enabling and supporting integrations between the Services and third-party products; (iv) allow and facilitate Photographer’s Data Subjects’ use of the Services, including, without limitation, making purchases; and (v) to improve our Photographer Services. |
| Purpose of the Transfer and Processing: | Personal data is being transferred and processed to enable Zenfolio to provide the Services to Photographer in accordance with Terms of Service and this DPA. |
| The period for which the personal data will be retained: | For the duration of the Terms of Services and for the termination and transition period thereafter, as set forth in the Terms of Services. |
| For transfers to subprocessors, the subject matter, nature and duration of the processing: | The subject matter, nature, and duration of the Processing of Personal Information by Subprocessors shall be as set forth in Section 10 and Exhibit III of this DPA. |
| Competent Supervisory authority | As specified in Section 11. |
* * * * * * * * *
Exhibit II (Security Controls)
Zenfolio shall implement and maintain appropriate technical and organizational measures to ensure a level of data protection appropriate to the risk resulting from the Processing of Photographer Personal Data under this DPA, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing, as well as the severity and likelihood of realization of risks for the rights and freedoms of Data Subjects, which shall include the following:
- Encryption of Personal Data.
- Measures for ensuring ongoing confidentiality, integrity, availability and resilience of Processing systems and services.
- Measures for ensuring the ability to restore the availability and access to Photographer Personal Data in a timely manner in the event of a physical or technical incident.
- Procedures for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the Processing.
- Measures for the protection of data during storage.
- Measures for ensuring physical security of locations at which Photographer Personal Data is retained.
- Measures for ensuring system configuration, including default configuration.
- Measures for internal IT and IT security governance and management.
- Measures for certification/assurance of processes and products.
- Measures for ensuring limited data retention.
- Measures for ensuring accountability.
- Measures for allowing data portability and ensuring erasure.
Obligations with respect to Subprocessors are set forth in the DPA.
* * * * * * * * *
Exhibit III (Subprocessor List)Zenfolio’s Subprocessor List is available at https://zenfolio.com/third-party-providers/.
