Data Processing Agreement

Last Updated: January 28, 2026

This Data Processing Agreement ("DPA") forms part of the Peasier Terms of Service ("Agreement") between Rehoboth Labs LLC (doing business as "Peasier", "we", "us", or "our") and the User ("you", "your", or "Photographer").

The purpose of this DPA is to reflect the parties' agreement with regard to the processing of Personal Data in accordance with the requirements of Data Protection Legislation, including the EU General Data Protection Regulation (GDPR) and the Nigeria Data Protection Regulation (NDPR).

1. Definitions

1.1 Data Protection Legislation: All applicable legislation relating to data protection and privacy, including the EU General Data Protection Regulation (GDPR), Nigeria Data Protection Regulation (NDPR), and any regulations which amend or replace them.

1.2 Data Controller: The natural or legal person which, alone or jointly with others, determines the purposes and means of the processing of Personal Data. In this Agreement, you (the Photographer) are the Data Controller.

1.3 Data Processor: The natural or legal person which processes Personal Data on behalf of the Data Controller. In this Agreement, Peasier is the Data Processor.

1.4 Data Subject: An identified or identifiable natural person. This includes your clients and any individuals whose images or personal information are processed through the Peasier platform.

1.5 Personal Data: Information relating to an identified or identifiable individual. This includes but is not limited to:

  • Names, email addresses, phone numbers
  • Payment and billing information
  • IP addresses and device identifiers
  • Biometric data (facial recognition data from images)
  • Photographs and videos containing identifiable individuals
  • Client preferences and interaction data

1.6 Special Categories of Personal Data: Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data (facial recognition), health data, or data concerning a person's sex life or sexual orientation.

1.7 Sub-processor: Any third-party service provider engaged by Peasier to process Personal Data on behalf of the Photographer.

1.8 Processing: Any operation performed on Personal Data, including collection, recording, organization, storage, alteration, retrieval, consultation, use, disclosure, erasure, or destruction.

1.9 Security Incident: Any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.

IMPORTANT: YOUR ROLE AS DATA CONTROLLER

As the Photographer, YOU are the Data Controller and determine the purposes and means of processing Personal Data. Peasier is solely a Data Processor acting on your instructions. YOU are responsible for:

  • Obtaining all necessary consents from your clients
  • Ensuring you have a lawful basis for processing Personal Data
  • Obtaining explicit consent before using facial recognition features
  • Complying with all applicable data protection laws
  • Responding to data subject requests from your clients

2. Roles and Scope of Processing

2.1 Processor-Controller Relationship: The parties agree that you (the Photographer) are the Data Controller and that Peasier is the Data Processor in relation to all Personal Data processed through the Peasier platform.

2.2 Your Obligations: You shall comply at all times with Data Protection Legislation in respect of all Personal Data you provide to Peasier. You represent and warrant that:

  • You have obtained all necessary consents, approvals, and authorizations required by Data Protection Legislation
  • You have a lawful basis for processing Personal Data
  • You have obtained explicit consent before enabling facial recognition features
  • You have informed Data Subjects about the processing of their Personal Data

2.3 Peasier's Processing: Peasier will process Personal Data only for the purpose of providing the Services in accordance with the Agreement and your instructions (including instructions provided through your account settings and feature configurations).

2.4 Processing Details: The details of Personal Data processing are set out in Annex I to this DPA, including:

  • Subject matter: Provision of photography gallery services
  • Duration: As long as your Peasier account is active
  • Nature and purpose: Storage, organization, and delivery of photographs; facial recognition; AI auto-tagging; client management
  • Types of Personal Data: Contact information, images, biometric data, payment data, usage data
  • Categories of Data Subjects: Your clients and their guests

2.5 Legal Requirements: If Peasier is required by law to process Personal Data for any purpose other than providing the Services, Peasier will notify you of this requirement before processing, unless prohibited by law.

3. Biometric Data Processing

3.1 Facial Recognition Features: Peasier offers facial recognition capabilities as part of the Services. These features process biometric data, which is considered a Special Category of Personal Data under GDPR and NDPR.

3.2 Your Responsibility: As the Data Controller, YOU are solely responsible for:

  • Obtaining explicit consent from Data Subjects before enabling cloud-based facial recognition
  • Ensuring you have a lawful basis for processing biometric data under applicable laws
  • Informing Data Subjects about how their biometric data will be processed
  • Providing Data Subjects with the ability to withdraw consent
  • Complying with biometric data regulations in your jurisdiction

3.3 Peasier's Role: Peasier provides the technical tools for facial recognition but does not determine the purposes or means of biometric data processing. You control whether to:

  • Enable or disable facial recognition features
  • Use offline (browser-based) or cloud (server-based) facial recognition
  • Set facial recognition preferences at workspace or gallery level

3.4 Facial Data Processing: When cloud-based facial recognition is enabled:

  • Facial feature extraction (preprocessing) is performed on Peasier's servers in the EU region
  • Face feature data (mathematical representations) is stored securely
  • Original images are never sent to external AI providers for facial analysis
  • All facial data is immediately and permanently deleted when the associated media is deleted

3.5 Offline Facial Recognition: When offline (browser-based) facial recognition is used, all processing occurs in the user's browser. No facial data is sent to Peasier's servers or stored anywhere.

LIMITATION OF LIABILITY - BIOMETRIC DATA

Peasier is solely a Data Processor and shall NOT be liable for:

  • Your failure to obtain required consents for facial recognition
  • Your failure to comply with biometric data protection laws
  • Claims arising from your unlawful use of facial recognition features
  • Accuracy or inaccuracy of facial recognition results

You agree to indemnify and hold Peasier harmless from any claims, damages, or liabilities arising from your use of facial recognition features.

4. Security Measures

4.1 Peasier will implement and maintain appropriate technical and organizational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data. These measures shall be appropriate to the harm which might result from any unauthorized or unlawful processing, accidental loss, destruction, damage or theft of Personal Data and appropriate to the nature of the Personal Data which is to be protected. Details of these measures are set out in Annex II.

4.2 Peasier will ensure that all Peasier personnel required to access Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this DPA.

4.3 Peasier will notify you promptly upon becoming aware of and confirming any accidental, unauthorized, or unlawful processing of, disclosure of, or access to Personal Data. Peasier will also take action to investigate the incident and reasonably prevent or mitigate its effects.

5. Sub-processors

5.1 You authorize Peasier to engage sub-processors to process Personal Data as listed in Annex III. Peasier has entered into data processing agreements with each sub-processor that include data protection obligations.

5.2 Sub-processors will be permitted to process Personal Data only to deliver the services Peasier has requested, and they shall be prohibited from using Personal Data for any other purpose.

5.3 Peasier remains responsible to you for the performance of sub-processor obligations under this DPA.

5.4 The current list of sub-processors is available in Annex III or upon request by emailing privacy@peasier.com.

6. Data Subject Rights

6.1 Peasier will assist you in responding to requests from Data Subjects to exercise their rights under Data Protection Legislation.

6.2 As the Data Controller, you remain solely responsible for responding to Data Subject requests. If Peasier receives a request directly, we will promptly notify you and forward the request for your handling.

6.3 If assistance requests require significant time or resources beyond standard obligations, Peasier may charge reasonable fees.

7. Data Retention and Deletion

7.1 Retention During Agreement: During the term of the Agreement, Peasier will retain Personal Data as necessary to provide the Services and as instructed by you through your account settings.

7.2 Deleted Media: When you delete media from your account:

  • Watermarked versions are deleted immediately and permanently
  • All associated facial recognition data is deleted immediately and permanently
  • Original files are retained for 45 days to allow recovery (available only on paid plans)
  • After the 45-day recovery window, original files are permanently deleted

7.3 Account Termination: Upon termination of the Agreement:

  • You may request that Peasier delete all Personal Data or return it to you
  • Peasier will comply with your deletion or return request within 30 days
  • Peasier may retain Personal Data to the extent required by applicable law

7.4 Backup Systems: Personal Data stored in Peasier's backup systems will be deleted in accordance with Peasier's regular backup retention schedules.

7.5 Audit Logs: Audit logs containing Personal Data (such as IP addresses and access logs) may be retained for security and legal compliance purposes in accordance with Peasier's retention policies.

8. Audit Rights

8.1 Upon request, Peasier will provide reasonable assistance for audits to verify compliance with this DPA. You must provide Peasier with at least 30 days' advance written notice. Prior to any audit, parties will agree on the scope, timing, and duration. Audits may be conducted no more than once per calendar year unless required by a supervisory authority.

8.2 Any auditor must be subject to confidentiality obligations. Peasier may object to an auditor who is a competitor or lacks relevant qualifications. You are responsible for all costs associated with the audit.

8.3 Nothing in this DPA requires Peasier to disclose or allow access to: data of other customers, internal accounting or financial information, trade secrets, or any information that could compromise security or privacy obligations.

9. International Data Transfers

9.1 Personal Data is processed and stored on servers located in the European Union region.

9.2 If Personal Data is transferred outside the European Economic Area, Peasier will ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) or other approved transfer mechanisms.

9.3 Some sub-processors may be located outside the EEA. Where this occurs, Peasier ensures appropriate safeguards are in place as required by Data Protection Legislation.

10. Liability and Indemnification

10.1 Processor Status: Peasier is solely a Data Processor and does not determine the purposes or essential means of processing Personal Data. All processing is performed on your instructions.

10.2 Your Indemnification: You agree to indemnify, defend, and hold Peasier harmless from any claims, damages, liabilities, costs, and expenses (including reasonable attorneys' fees) arising from or related to:

  • Your failure to obtain required consents from Data Subjects
  • Your failure to comply with Data Protection Legislation
  • Your unlawful use of facial recognition or other biometric features
  • Your violation of Data Subject rights
  • Your processing instructions that violate applicable laws
  • Claims brought by your clients or Data Subjects regarding your data processing practices

10.3 Peasier's Limitations: Peasier shall NOT be liable for:

  • Data processing conducted in accordance with your lawful instructions
  • Your failure to fulfill Data Controller obligations
  • Unauthorized access to Personal Data beyond Peasier's reasonable control
  • Accuracy or reliability of facial recognition or AI results
  • Third-party claims arising from your data processing practices

10.4 Liability Cap: To the maximum extent permitted by applicable law, Peasier's total liability under this DPA shall be subject to the limitation of liability provisions in the main Terms of Service Agreement.

10.5 Mandatory Law: Nothing in this DPA shall exclude or limit either party's liability for:

  • Death or personal injury caused by negligence
  • Fraud or fraudulent misrepresentation
  • Any other liability that cannot be excluded or limited under the law governing this DPA

11. Term and Termination

11.1 This DPA shall be effective as of the Effective Date (as defined in the Agreement) and shall remain in force until the Agreement terminates or as long as Peasier processes Personal Data on your behalf.

11.2 Peasier shall be entitled to terminate this DPA or cease the processing of Personal Data in the event that processing of Personal Data under your instructions or this DPA infringes applicable legal requirements and Peasier notified you of such infringement and you did not cure such infringement within ten (10) days from receiving the applicable notice from Peasier. Alternatively, Peasier may, in its sole discretion, suspend the processing of Personal Data until such infringement is cured without terminating this DPA.

11.3 Following the termination of this DPA, Peasier shall, at your choice, delete all Personal Data processed on your behalf and certify to you that it has done so, or return all Personal Data to you and delete existing copies, unless applicable law requires that Peasier continue to store Personal Data. Until the Personal Data is deleted or returned, the parties shall continue to ensure compliance with this DPA. Your choice shall be provided in writing to Peasier following the effect of termination.

11.4 In the event of a conflict between the terms and conditions of this DPA and the Agreement, this DPA shall prevail. For the avoidance of doubt, in the event Standard Contractual Clauses have been executed between the parties, the terms of the Standard Contractual Clauses shall prevail over those of this DPA. Except as set forth herein, all of the terms and conditions of the Agreement shall remain in full force and effect.

12. General Provisions

12.1 Peasier may amend this DPA from time to time to reflect changes in Data Protection Legislation, guidance from supervisory authorities, or changes to Peasier's data processing practices. Material amendments will be notified to you via email or through the Peasier platform.

12.2 This DPA shall be governed by the same laws as the main Agreement and is designed to comply with the EU General Data Protection Regulation (GDPR) and NDPR.

12.3 If any provision of this DPA is held to be invalid or unenforceable, the remaining provisions shall remain in full force and effect.

12.4 This DPA, together with the main Agreement and its annexes, constitutes the entire agreement between the parties concerning Personal Data processing.

Annexes

Annex I: Details of Personal Data Processing

Categories of Data Subjects:

  • Photographers (users of the Peasier platform)
  • Clients (gallery recipients and purchasers)
  • Non-users appearing in photographs or videos

Categories of Personal Data:

Contact information; photographs or videos; biometric data (facial recognition information extracted for face grouping features, when enabled); payment information; and usage data.

Special Categories of Personal Data:

Biometric data (when facial recognition is enabled); nude photographs (if any); photographs of children (if any); and photographs that may reveal racial or ethnic origin, religious beliefs, or other sensitive information.

Nature and Purpose of Processing:

To provide the Services as described in the Agreement.

Retention Period:

Personal Data is maintained for as long as necessary to provide the Services, unless applicable law requires continued storage.

Processing Frequency:

Continuous.

Annex II: Technical and Organizational Security Measures

1. Data Encryption:

  • Encryption in transit using industry-standard protocols
  • Encryption at rest for stored data where appropriate
  • Secure key management and access controls

2. Access Controls:

  • Role-based access control for internal systems
  • Multi-factor authentication for administrative access
  • Principle of least privilege for staff access
  • Regular access reviews and deprovisioning procedures

3. Infrastructure Security:

  • Hosting on reputable cloud and infrastructure providers
  • Network segmentation, firewalls, and DDoS protection
  • Regular patching and vulnerability management
  • Redundant storage and backup systems appropriate to service needs

4. Audit and Monitoring:

  • Logging of access and security events
  • Monitoring and alerting for suspicious activity
  • Periodic security reviews and risk assessments

5. Personnel Security:

  • Confidentiality agreements for all personnel with access to Personal Data
  • Regular security awareness and privacy training
  • Background checks for personnel handling sensitive data (where legally permitted and appropriate)

6. Incident Response:

  • Documented incident response procedures
  • Security incident escalation and notification procedures
  • Post-incident reviews and remediation

7. Physical Security:

  • Physical security controls at data center providers
  • Physical access controls and visitor logging
  • Secure media handling and disposal procedures

8. Business Continuity:

  • Business continuity and disaster recovery planning
  • Backup and restore procedures
  • Availability monitoring and resilience measures

Annex III: List of Sub-processors

The following sub-processors are currently authorized to process Personal Data on behalf of Peasier:

| Sub-processor | Service | Location | Purpose |
| --- | --- | --- | --- |
| Cloud infrastructure providers (e.g., AWS, Supabase, Netcup) | Hosting and infrastructure | EU / Global (as configured) | Data storage, hosting, and infrastructure |
| Zoho Corporation (Zepto) | Email Delivery | India / Global | Transactional email delivery to clients |
| Paystack | Payment Processing | Nigeria / Africa | Payment processing and billing (current) |
| Stripe, Inc. | Payment Processing | USA / Global | Payment processing and billing (planned) |
| Flutterwave | Payment Processing | Nigeria / Africa | Payment processing and billing (planned) |
| Various AI Providers* | AI Services | USA / Global | Auto-tagging of image content (scene, objects, activities) |

* AI providers include but are not limited to OpenAI, Anthropic, and Google AI. These providers are used ONLY for auto-tagging features. Facial recognition preprocessing is performed exclusively on Peasier's own servers in the EU region and is NOT outsourced to external AI providers.

This list may be updated from time to time. For the most current list, contact privacy@peasier.com.

Contact Us

If you have questions about this Data Processing Agreement, please contact us:

Privacy Matters: privacy@peasier.com

General Support: support@peasier.com