Data Processing Agreement (DPA)
Last update: August 26, 2025
This Fillpics Data Processing Agreement and its Annexes ("DPA") establishes the parties' agreement regarding the Processing of Personal Data by us on behalf of you, the User, in connection with the Fillpics Services provided under the Fillpics Terms of Service ("Agreement").
This DPA is supplemental to and forms an integral part of the Agreement. It becomes effective upon its incorporation into the Agreement. In the event of any conflict or inconsistency, this DPA will take precedence over the Agreement to the extent of such conflict. The term of this DPA will run concurrently with the term of the Agreement. Terms not otherwise defined herein shall have the meaning set forth in the Agreement.
1. Definitions and Interpretation
1.1 Unless otherwise defined herein, capitalized terms and expressions used in this DPA shall have the following meaning:
- "DPA" means this Data Processing Agreement and all its Schedules.
- "User Personal Data" means any Personal Data processed by a Contracted Processor on behalf of the User pursuant to or in connection with the Principal Agreement.
- "Contracted Processor" means a Subprocessor.
- "Data Protection Laws" means EU Data Protection Laws and, to the extent applicable, the data protection or privacy laws of any other country, including Spain's Organic Law 3/2018 on the Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD).
- "EEA" means the European Economic Area.
- "EU Data Protection Laws" means EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR.
- "GDPR" means EU General Data Protection Regulation 2016/679.
- "Data Transfer" means: (a) a transfer of User Personal Data from the User to a Contracted Processor; or (b) an onward transfer of User Personal Data from a Contracted Processor to a Subcontracted Processor, or between two establishments of a Contracted Processor, in each case, where such transfer would be prohibited by Data Protection Laws (or by the terms of data transfer agreements put in place to address the data transfer restrictions of Data Protection Laws).
- "Services" means the online tools and features for managing, editing, and sharing photos and digital content, made available to you on a software-as-a-service basis through Fillpics.com.
- "Subprocessor" means any person appointed by or on behalf of Processor to process Personal Data on behalf of the User in connection with the DPA.
- "Standard Contractual Clauses" means the standard contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.
1.2 The terms "Commission", "Controller", "Data Subject", "Member State", "Personal Data", "Personal Data Breach", "Processing" and "Supervisory Authority" shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.
2. Processing of User Personal Data
2.1 Processor shall:
- 2.1.1 comply with all applicable Data Protection Laws in the Processing of User Personal Data; and
- 2.1.2 not Process User Personal Data other than on the relevant User's documented instructions.
2.2 The User instructs Processor to process User Personal Data.
3. Processor Personnel
3.1 Processor shall take reasonable steps to ensure the reliability of any employee, agent or contractor of any Contracted Processor who may have access to the User Personal Data, ensuring that access is strictly limited to those individuals who need to access the relevant Personal Data, as strictly necessary for the purposes of the Principal Agreement, and to comply with Applicable Laws. All such individuals must be subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
4. Security
4.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Processor shall in relation to the User Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR.
4.2 In assessing the appropriate level of security, Processor shall take account in particular of the risks that are presented by Processing, particularly from a Personal Data Breach.
5. Subprocessing
5.1 You agree that we may engage Sub-Processors to Process Personal Data on your behalf. We have currently appointed, as Sub-Processors, the third parties listed in Annex 3 to this DPA.
5.2 Where we engage Sub-Processors, we will impose data protection terms on the Sub-Processors that provide at least the same level of protection for Personal Data as those in this DPA (including, where appropriate, the Standard Contractual Clauses), to the extent applicable to the nature of the services provided by such Sub-Processors.
6. Liability
6.1 Each party to this DPA commits to indemnify the other party for damages or expenses resulting from its own culpable infringement of this DPA, including any culpable infringement committed by its legal representative, subcontractors, employees or any other agents. Furthermore, each party commits to indemnify the other party against any claim exerted by third parties due to, or in connection with, any culpable infringement by the respectively other party.
6.2 Art. 82 GDPR remains unaffected.
7. Data Subject Rights
7.1 Taking into account the nature of the Processing, Processor shall assist the User by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the User's obligations, as reasonably understood by User, to respond to requests to exercise Data Subject rights under the Data Protection Laws.
7.2 Processor shall:
- 7.2.1 promptly notify User if it receives a request from a Data Subject under any Data Protection Law in respect of User Personal Data; and
- 7.2.2 ensure that it does not respond to that request except on the documented instructions of User or as required by Applicable Laws to which the Processor is subject, in which case Processor shall to the extent permitted by Applicable Laws inform User of that legal requirement before the Contracted Processor responds to the request.
8. Personal Data Breach
8.1 Processor shall notify Controller without undue delay upon Processor becoming aware of a Personal Data Breach affecting User Personal Data, providing Controller with sufficient information to allow the Controller to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws.
8.2 Processor shall co-operate with the Controller and take reasonable commercial steps as are directed by User to assist in the investigation, mitigation and remediation of each such Personal Data Breach.
8.3 Data Protection Impact Assessment and Prior Consultation: Processor shall provide reasonable assistance to the Controller with any data protection impact assessments, and prior consultations with Supervisory Authorities or other competent data privacy authorities, which Controller reasonably considers to be required by article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in each case solely in relation to Processing of User Personal Data by, and taking into account the nature of the Processing and information available to, the Contracted Processors.
9. Deletion or Return of User Personal Data
9.1 Subject to this section 9, Processor shall, in any event within 30 business days of the date of cessation of any Services involving the Processing of User Personal Data (the "Cessation Date"), delete and procure the deletion of all copies of those User Personal Data.
10. Data Transfer
10.1 You acknowledge and agree that we may access and Process Personal Data on a global basis as necessary to provide the Service in accordance with the DPA, and that Personal Data may be transferred to and Processed by Fillpics in jurisdictions where Sub-Processors have operations. Wherever Personal Data is transferred outside its country of origin, each party will ensure such transfers are made in compliance with the requirements of Data Protection Laws.
11. General Terms
11.1 Confidentiality. Each Party must keep this DPA and information it receives about the other Party and its business in connection with this DPA ("Confidential Information") confidential and must not use or disclose that Confidential Information without the prior written consent of the other Party except to the extent that: disclosure is required by law; or the relevant information is already in the public domain.
11.2 Notices. All notices and communications given under this DPA must be in writing and will be delivered personally, sent by post or sent by email to the address or email address set out in the heading of this DPA or at such other address as notified from time to time by the Parties changing address.
12. Governing Law and Jurisdiction
12.1 This Agreement is governed by EU Data Protection Laws and, specifically, Spanish law, including Organic Law 3/2018. The competent forum to resolve problems is the courts of Spain.
Annex 1 - Details of Processing
A. List of Parties
- Data exporter:
- Name: The User, as defined in the Fillpics Terms of Service.
- Address: The User's address.
- Contact person's name, position and contact details: The User's contact details, as set out in User's registration.
- Activities relevant to the data transferred under these Clauses: Processing of Personal Data in connection with User's use of Fillpics.com under the Fillpics Terms of Service.
- Role (controller/processor): Controller
- Data importer:
- Name: Fillpics S.L.
- Address: Calle de Madrid, 123, 28001 Madrid, Spain.
- Contact person's name, position and contact details: [Insert Contact Details for Data Protection Officer or Legal Representative of Fillpics S.L.]
- Activities relevant to the data transferred under these Clauses: Processing of Personal Data in connection with User's use of Fillpics.com under the Fillpics Terms of Service.
- Role (controller/processor): Processor
B. Description of Transfer
- Categories of Data Subjects whose Personal Data is Transferred: Individuals who use the Fillpics.com service, including the User's contacts and other individuals visible in the uploaded content.
- Categories of Personal Data Transferred: You submit Personal Data to the Services, which include the following categories of Personal Data:
- Name
- Email
- Uploaded Content (images, videos, metadata such as location, time, and date of creation, and facial recognition data if enabled by the user)
- Other information you choose to provide when using our services, such as messages, preferences, or form inputs.
- Sensitive Data transferred and applied restrictions or safeguards: The parties do not transfer sensitive data as defined by the GDPR.
- Frequency of the transfer: Continuous.
- Nature of the Processing: Personal Data will be processed in accordance with the Agreement (including this DPA) and may be subject to the following Processing activities:
- Storage, hosting, and backup to provide and maintain the Services.
- Processing for photo editing, organization, and sharing features.
- Analysis to improve and personalize the user experience.
- Purpose of the transfer and further processing: We will Process Personal Data as necessary to provide the Services pursuant to the Agreement, including providing photo management, editing, and sharing tools.
- Period for which Personal Data will be retained: Subject to the 'Deletion or Return of User Personal Data' section of this DPA, we will Process Personal Data for the duration of the Agreement, unless otherwise agreed in writing.
C. Competent Supervisory Authority
For the purposes of the Standard Contractual Clauses, the supervisory authority that shall act as competent supervisory authority is the Agencia Española de Protección de Datos (AEPD).
Annex 2 - Security Measures
- Confidentiality: No unauthorised access to Data Processing Facilities; Electronic Access Control; No unauthorised use of the Data Processing and Data Storage Systems; Internal Access Control (permissions for user rights of access to and amendment of data); No unauthorised Reading, Copying, Changes or Deletions of Data within the system; Isolation Control; The isolated Processing of Data, which is collected for differing purposes; Encryption; and, The processing of personal data in such a method/way, that the data cannot be associated with a specific Data Subject without the assistance of additional Information, provided that this additional information is stored separately, and is subject to appropriate technical and organisational measures.
- Integrity: Data Transfer Control; No unauthorized Reading, Copying, Changes or Deletions of Data with electronic transfer or transport; Data Entry Control; and Intrusion Detection.
- Availability and Resilience: Availability Control; Prevention of accidental or wilful destruction or loss, e.g.: Backup Strategy (online/offline; on-site/off-site), Uninterruptible Power Supply (UPS), virus protection, firewall, reporting procedures and contingency planning; and Rapid Recovery.
- Procedures for regular testing, assessment and evaluation: Data Protection Management; Incident Response Management; Data Protection by Design and Default.
Annex 3 - List of Sub-Processors
- Firebase (Google Cloud Platform) – Used for backend services including hosting, real-time database, authentication, and storage of user content. (US)
- Simple Analytics – Used to understand anonymous user behavior on our marketing website. (EU - NL)
- Mixpanel – Used for analytics to monitor feature usage, user flows, and to optimize onboarding and engagement. (US)
- Mailgun – Used for sending transactional emails such as welcome emails, account verification, and event updates. (US)
- Intercom – Used for customer support, in-app chat, and our knowledge base. (US)
- Cloudflare – Used for content delivery (CDN), load balancing, and protecting Fillpics from malicious traffic and DDoS attacks. (EU - SE)
- Paddle – Used for managing subscriptions, payment processing, invoicing, and acting as our merchant of record. (EU - UK)
- Google Ads – Used for running and tracking our own marketing and advertising campaigns. Not for retargeting users without consent. (US)
- Rewardful – Used for managing affiliate tracking, referrals, and calculating commission payments to our partners. (CA)
Annex 4 - Standard Contractual Clauses
SECTION I
Module Two: Transfer Controller to Processor (C2P)
Clause 1 - Purpose and scope
- The purpose of these standard contractual clauses is to ensure compliance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) for the transfer of personal data to a third country.
- The Parties: (a) the natural or legal person(s), public authority/ies, agency/ies or other body/ies (hereinafter “entity/ies”) transferring the personal data, as listed in Annex I.A. (hereinafter each “data exporter”), and (b) the entity/ies in a third country receiving the personal data from the data exporter, directly or indirectly via another entity also Party to these Clauses, as listed in Annex I.A. (hereinafter each “data importer”) have agreed to these standard contractual clauses (hereinafter: “Clauses”).
- These Clauses apply with respect to the transfer of personal data as specified in Annex I.B.
- The Appendix to these Clauses containing the Annexes referred to therein forms an integral part of these Clauses.
Clause 2 - Effect and invariability of the Clauses
- These Clauses set out appropriate safeguards, including enforceable data subject rights and effective legal remedies, pursuant to Article 46(1) and Article 46(2)(c) of Regulation (EU) 2016/679 and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679, provided they are not modified, except to select the appropriate Module(s) or to add or update information in the Appendix. This does not prevent the Parties from including the standard contractual clauses laid down in these Clauses in a wider contract and/or to add other clauses or additional safeguards, provided that they do not contradict, directly or indirectly, these Clauses or prejudice the fundamental rights or freedoms of data subjects.
- These Clauses are without prejudice to obligations to which the data exporter is subject by virtue of Regulation (EU) 2016/679.
Clause 3 - Third-party beneficiaries
- Data subjects may invoke and enforce these Clauses, as third-party beneficiaries, against the data exporter and/or data importer, with the following exceptions: (a) Clause 1, Clause 2, Clause 3, Clause 6, Clause 7; (b) Clause 8 - Clause 8.1(b), 8.9(a), (c), (d) and (e); (c) Clause 9 - Clause 9(a), (c), (d) and (e); (d) Clause 12 - Clause 12(a), (d) and (f); (e) Clause 13; (f) Clause 15.1(c), (d) and (e); (g) Clause 16(e); (h) Clause 18 - Clause 18(a) and (b).
- Paragraph (a) is without prejudice to rights of data subjects under Regulation (EU) 2016/679.
Clause 4 - Interpretation
(a) In case this Agreement and its Annexes contain conflicting provisions, the clauses of this Annex (SCCs) shall prevail.
(b) Words not specifically defined herein shall carry the same meaning as in the General Data Protection Regulation (GDPR) or applicable data protection law.
Clause 5 - Hierarchy
If there is a contradiction between these Standard Contractual Clauses and any other agreements between the Parties, including the DPA, these Clauses shall take priority.
Clause 6 - Description of the Transfers
Details regarding the categories of data subjects, types of personal data, purpose of processing, and duration of processing are set out in Annex I of this Agreement.
Clause 7 - Docking Clause
- Additional controllers or processors may accede to these Clauses at any time, either as data exporters or data importers, by completing the Annexes and signing Annex I.A.
- Once Annex I.A is signed by all existing Parties, the new signatory shall become a Party to these Clauses with the same rights and responsibilities.
- The new Party does not affect the validity of the pre-existing agreement between the original Parties.
Clause 8 - Data Protection Safeguards
The data importer agrees to:
- Purpose Limitation: Process the personal data only for the purposes set out in Annex I and strictly in accordance with documented instructions from the data exporter.
- Transparency: Provide the data subjects with a copy of these Clauses or a description of their key elements upon request.
- Accuracy: Inform the data exporter without undue delay if the importer becomes aware that personal data is inaccurate or outdated.
- Data Minimization: Process only the data necessary for fulfilling the intended purpose.
- Storage Limitation: Not retain personal data longer than necessary.
- Security of Processing: Implement appropriate technical and organizational measures (as detailed in Annex II) to protect the data.
- Special Category Data: Only process sensitive personal data with explicit safeguards.
- Onward Transfers: Ensure any onward transfer complies with GDPR rules and is covered by equivalent safeguards.
- Documentation & Compliance: Maintain documentation demonstrating compliance with these Clauses and make it available to supervisory authorities upon request.
Clause 9 - Use of Sub-processors
- (a) The data importer shall not appoint a sub-processor without prior written authorization from the data exporter.
- (b) If general authorization has been granted, the importer shall provide the exporter advance notice of intended changes, allowing the exporter to object.
- (c) The importer shall ensure sub-processors are bound by the same obligations as those in these Clauses.
- (d) In case of sub-processor default, the importer shall remain fully liable to the exporter.
Clause 10 - Data Subject Rights
- (a) The importer shall promptly notify the exporter if it receives a request from a data subject.
- (b) The importer shall assist the exporter in fulfilling requests related to access, rectification, erasure, restriction, portability, and objection.
- (c) If legally permitted, the importer may respond directly to the data subject, but shall always inform the exporter without delay.
Clause 11 - Redress
- (a) Data subjects may enforce these Clauses as third-party beneficiaries against both exporter and importer.
- (b) The importer shall inform data subjects of a contact point for complaints.
- (c) In case of dispute, data subjects may lodge complaints with supervisory authorities or pursue remedies in competent courts.
Clause 12 - Liability
- (a) Each Party is responsible for damages it causes by breaching these Clauses.
- (b) The importer is liable for the actions of its sub-processors.
- (c) Data subjects are entitled to compensation for material or non-material damage suffered due to a breach of these Clauses.
Clause 13 - Supervision
(a) The supervisory authority overseeing the exporter shall act as the competent authority for this transfer.
(b) The importer agrees to submit to the jurisdiction of this authority and comply with its decisions.
Clause 14 - Local Laws and Practices
(a) The importer confirms that it has no reason to believe that the laws and practices in its country prevent it from fulfilling these Clauses.
(b) The importer shall notify the exporter if changes in local laws are likely to have a material adverse effect on data protection.
Clause 15 - Obligations in Case of Access by Public Authorities
- (a) The importer shall notify the exporter promptly if it receives a legally binding request from a public authority to disclose personal data.
- (b) The importer shall challenge requests it considers unlawful or disproportionate.
- (c) The importer shall document and share relevant communications with the exporter, unless prohibited by law.
Clause 16 - Non-compliance and Termination
- (a) If the importer is unable to comply with these Clauses, it shall immediately notify the exporter.
- (b) The exporter may suspend the transfer of data or terminate the contract if compliance cannot be ensured.
- (c) Upon termination, the importer shall either return or securely delete all personal data.
Clause 17 - Governing Law
These Clauses shall be governed by the laws of the EU Member State where the data exporter is established.
Clause 18 - Choice of Forum and Jurisdiction
Any dispute arising from these Clauses shall be resolved before the courts of the EU Member State where the data exporter is established. Data subjects may also bring claims in their country of residence.