Data Processing Agreement.

You determine why and how client personal data in published galleries is processed — for example access rules, download permissions, and notification settings. Holdstill provides hosting, transcoding, delivery, optional AI-assisted sequencing when you enable it, operational logging, and support access under least privilege. Where Holdstill processes personal data for its own account administration, analytics, or security as described in the Privacy Policy, Holdstill acts as an independent controller for those limited purposes. This DPA only covers processing we perform on your documented instructions as processor for gallery delivery workflows.

Processing continues for the term of your subscription and up to thirty days thereafter to allow export and orderly deletion, unless a longer period is required by law or an agreed migration statement of work. Subject matter includes digital assets you upload, metadata you attach, access credentials you configure for visitors, and communications metadata necessary to deliver invitations or alerts you trigger. If you suspend a gallery, processing necessary to enforce your suspension settings continues until you delete or republish.

Operations include storage and retrieval, generation of resized renditions, encrypted transfer to clients, enforcement of passwords or signed links where you enable them, recording events you choose to log such as downloads, optional AI inference producing draft orderings or highlights that you must approve before publication impact, and migration assistance when you request it. Purposes are strictly limited to providing the service you purchased and complying with law. We will not repurpose client personal data for unrelated advertising or resale.

Data subjects may include your studio users, gallery visitors, and recipients of transactional emails you initiate through the product. Categories may include identifiers (email addresses, names you collect), online identifiers (IP addresses in short-lived logs if you enable certain telemetry), content (photographs), and usage data you configure to collect. We do not require health data or other special categories to operate core features; if you upload such imagery, you warrant appropriate lawful bases as controller.

Primary instructions are the configuration of the product: gallery visibility, passwords, expirations, branding, and download rules. Additional instructions may be conveyed through support tickets when you ask us to perform specific technical actions on your account data. If we believe an instruction infringes GDPR or other EU law, we will inform you promptly unless prohibited from doing so on important grounds of public interest. We document common instruction patterns in our help centre to speed reviews.

Personnel authorised to process personal data are bound by confidentiality obligations or professional rules. Access is granted on a need-to-know basis and reviewed periodically. Remote access to production systems requires strong authentication and device posture controls proportionate to risk.

We implement encryption in transit and at rest where appropriate, role-based access control, separation of environments, logging and monitoring, vulnerability management, and incident response playbooks. We test controls on a schedule proportionate to risk and retain summaries suitable for vendor security questionnaires. Detailed architecture diagrams are available under NDA for enterprise customers preparing DPIAs.

We maintain a written list of sub-processors with their functions and locations. We will notify you of material additions or replacements with reasonable advance notice so you may object on documented data-protection grounds. If we cannot accommodate a reasonable objection related to a new sub-processor essential to continued service, you may terminate the affected portion of the service in line with the Terms. Current categories typically include EU cloud infrastructure, transactional email delivery, and optional AI inference providers bound by equivalent obligations.

When individuals contact us directly about data for which you are controller, we will forward the request to you unless we are legally required to act ourselves. We will provide reasonable technical assistance for access, rectification, erasure, restriction, and portability requests that pass through our systems, including export formats where available. Response timelines may depend on your timely instructions.

On request, we will provide information necessary for you to carry out a data protection impact assessment regarding our processing, acknowledging that the ultimate responsibility for the assessment remains with you as controller. We will cooperate with good-faith questionnaires from your counsel or enterprise security teams within reasonable limits.

We will notify you without undue delay after becoming aware of a personal data breach affecting personal data we process on your behalf, describing the nature of the breach, likely consequences, and measures taken or proposed. We will coordinate with you regarding communications to supervisory authorities and data subjects where Article 33 or 34 GDPR may apply to your processing relationship.

By default, personal data processed under this DPA remains in the EU. If processing in a third country becomes necessary, we will ensure appropriate safeguards such as Standard Contractual Clauses with supplementary technical measures, and we will document transfer impact assessments where required. We will not circumvent residency commitments through undisclosed routing.

On termination of services, at your choice we will delete or return personal data we process on your behalf within thirty days except where EU or member state law requires retention of certain records. Certificates of deletion are available on request where technically feasible. Backup systems are purged on documented schedules aligned with deletion events.

Once per calendar year, we will provide a written summary of security controls and recent tests upon reasonable request. On-site audits for regulated studios may be available under a confidentiality agreement for Signature-tier customers, subject to scheduling and scope caps. Generic third-party audit reports may be shared when available under redistribution terms.

Where competent supervisory authorities request information within the scope of processing under this DPA, we will cooperate in good faith subject to lawful process and any applicable confidentiality duties to you. We will not voluntarily broaden scope beyond what law requires, and we will notify you of non-exempt requests directed at your client data where legally permitted so you can participate in responses.

If this DPA is incorporated by reference into an order form or enterprise agreement, the order form controls for commercial terms while this DPA controls for GDPR Article 28 processing specifics unless explicitly overridden in writing. We may update this DPA to reflect changes in law or product architecture; material reductions in protection will be notified in advance. Continued use after notice constitutes acceptance except where you terminate within the cure window described in the Terms.