Data Processing Agreement

1. The Parties

This Data Processing Agreement ("DPA") is entered into between:

2. Definitions

Terms used in this DPA have the meanings given in GDPR (EU) 2016/679. Additionally:

• "Personal Data" means any information relating to an identified or identifiable natural person, including event photos and biometric face vectors.
• "Biometric Data" means special category personal data consisting of facial feature vectors derived from photographs, as defined under GDPR Article 9.
• "Processing Services" means the facial recognition matching service provided by FindMePic as described in Annex I.
• "Sub-Processor" means any third party engaged by FindMePic to process Personal Data on your behalf.
• "SCCs" means the European Commission's Standard Contractual Clauses for the transfer of personal data to third countries.

3. Subject Matter & Nature of Processing

FindMePic processes Personal Data solely to provide the facial recognition photo delivery service as described in Annex I. The nature of the processing includes:

• Ingesting event photos and generating facial feature vectors (Face Vectors).
• Temporarily processing attendee selfies to perform identity-matching searches.
• Storing Face Vectors in AWS Rekognition Collections for the duration configured by the Organizer.
• Delivering matched photo results to attendees.
• Processing liveness selfies for deletion requests.

4. Controller's Obligations

As Data Controller, you are solely responsible for:

• Ensuring a valid legal basis exists (including explicit consent under GDPR Art. 9(2)(a)) before uploading biometric data.
• Providing clear notice to all event attendees that facial recognition technology is in use, including physical signage and digital pre-event notices.
• Obtaining verified parental or guardian consent for any minors (under 16) whose data you upload.
• Configuring appropriate data retention settings within the platform.
• Responding to data subject requests that reach you directly as Controller, and forwarding to FindMePic any requests that require Processor action.
• Ensuring your use of the Service complies with all laws applicable in your jurisdiction.

5. Processor's Obligations (FindMePic)

FindMePic warrants that it will:

• Act only on documented instructions: Process Personal Data only as instructed by you (the Controller) and as described in this DPA. If we are required by EU or Member State law to process data beyond your instructions, we will inform you unless prohibited by law.
• Ensure confidentiality: Ensure that all personnel authorised to process Personal Data are bound by confidentiality obligations.
• Implement appropriate security: Maintain the technical and organisational security measures described in Annex II.
• Manage Sub-Processors: Only engage Sub-Processors as listed in Annex III, subject to the conditions in Section 6.
• Assist with data subject rights: Provide reasonable technical assistance to help you fulfil your obligations regarding data subject rights requests (access, erasure, portability, etc.).
• Assist with security obligations: Taking into account the nature of processing and information available, assist you in meeting your GDPR obligations under Articles 32–36 (security, breach notification, DPIAs).
• Delete or return data: Upon termination or your request, delete or return all Personal Data and delete existing copies, unless EU law requires retention.
• Enable audits: Make available all information necessary to demonstrate compliance with GDPR Article 28, and allow for and contribute to audits and inspections by you or your mandated auditor. See Section 9.
• Never train AI models: Never use your data, photos, or Face Vectors to train, retrain, fine-tune, or improve any AI or machine learning model.

6. Sub-Processors

You grant FindMePic a general authorisation to engage the Sub-Processors listed in Annex III. FindMePic will inform you of any intended addition or replacement of Sub-Processors with at least 14 days' advance notice by email. If you object to a new Sub-Processor on reasonable data protection grounds, you may notify us within 14 days and we will work in good faith to find an alternative. If no alternative is feasible, either party may terminate the relevant services with 30 days' notice.

FindMePic imposes equivalent data protection obligations on all Sub-Processors via written contracts. FindMePic remains fully liable to you for the performance of Sub-Processors' obligations under this DPA.

7. International Data Transfers

Personal Data for European events is stored in AWS eu-west-1 (Dublin, Ireland), within the EEA. However, our Sub-Processors (including AWS, Stripe, and Resend) are US-headquartered entities. Transfers of Personal Data to these Sub-Processors are governed by Standard Contractual Clauses (SCCs) approved by the European Commission under Decision 2021/914, specifically Module 2 (Controller-to-Processor) and Module 3 (Processor-to-Processor) as applicable.

A copy of the applicable SCCs is available upon written request to support@findmepic.com.

8. Data Security

FindMePic implements the technical and organisational measures set out in Annex II. These include, at minimum:

• AES-256 encryption of all data at rest.
• TLS 1.3 encryption of all data in transit.
• Bcrypt hashing (min. 10 rounds) for passwords and API keys.
• Attendee selfies processed exclusively in RAM and never written to disk.
• Access controls limiting personnel access to Personal Data on a strict need-to-know basis.
• Regular security reviews and vulnerability assessments.

9. Data Breach Notification

In the event of a Personal Data breach, FindMePic will notify you without undue delay and no later than 24 hours after becoming aware of it, providing sufficient information to allow you to fulfil your own 72-hour notification obligation to the supervisory authority under GDPR Article 33.

The notification will include, to the extent available at the time:

• A description of the nature of the breach, including the categories and approximate number of data subjects and records affected.
• The name and contact details of our Data Protection contact.
• A description of the likely consequences of the breach.
• The measures taken or proposed to address the breach and mitigate its effects.

10. Audit Rights

You have the right to audit FindMePic's compliance with this DPA. In practice, this works as follows:

• Information requests: You may request written confirmation of compliance measures at any time by contacting support@findmepic.com. We will respond within 30 days.
• Third-party audits: Upon reasonable advance notice (minimum 30 days) and no more than once per calendar year, you may appoint a qualified, independent third-party auditor to audit our relevant systems, subject to execution of a non-disclosure agreement. Audit costs are borne by you unless the audit reveals a material non-compliance by FindMePic.
• Certifications: Where available, we will provide relevant third-party security certifications (e.g. ISO 27001, SOC 2) in lieu of an on-site audit.

11. Term & Termination

This DPA is effective from the date you accept the Terms of Service and remains in force for the duration of your use of the Service. Upon termination of your account, FindMePic will, at your election, delete or return all Personal Data within 30 days, and provide written confirmation of deletion upon request.

12. Governing Law

This DPA is governed by the laws of the Netherlands, consistent with GDPR requirements, without prejudice to the mandatory data protection provisions applicable to the processing.