DATA PROCESSING AGREEMENT

This Data Processing Agreement (“DPA”) is hereby entered by and between Pic-Time Ltd. (collectively “ Company”) and the Photographer. Each a "party" and collectively, the "parties", and is an integral part of the Terms of Service executed between the parties (“Terms”). Capitalized terms used herein and not defined herein shall have the respective meanings given to them in the Terms. This DPA sets forth the parties’ responsibilities and obligations regarding the Processing of Personal Data during the course of the engagement between the parties and under the Terms.

1. DEFINITIONS
1. “Adequate Country ” is a country that received an adequacy decision from the European Commission (e.g., Israel ).
2. “CCPA” means the California Consumer Privacy Act of 2018, Cal. Civ. Code §§ 1798.100 et. Seq.
3. "Controller," "Processor," "Data Subject," "Personal Data," "Processing" (and "Process"), “Personal Data Breach” and " Special Categories of Personal Data" shall all have the meanings given to them in EU Data Protection Law. The terms “Business,” “BusinessPurpose,” “Consumer,” “California Consumer,” “Service Provider,” " Sale" and “Sell” shall have the same meanings ascribed to them in the CCPA. “Data Subject” shall also mean and refer to a “Consumer,” as such term is defined in the CCPA. “Personal Data” shall also mean and refer to “ Personal Information,” as such term is defined in the CCPA.
4. “Data Protection Law" means any and all applicable privacy and data protection laws and regulations (including, where applicable, the Israeli Law, the EU Data Protection Law, the UK GDPR and the CCPA as may be amended or superseded from time to time.
5. "EU Data Protection Law" means the (i) EU General Data Protection Regulation (Regulation 2016/679) (“ GDPR”); (ii) Regulation 2018/1725; (iii) the EU e-Privacy Directive (Directive 2002/58/EC), as amended ( e-Privacy Law); (iv) any national data protection laws made under, pursuant to, replacing or succeeding (i) - (iii); and (iv) any legislation replacing or updating any of the foregoing.
6. “Israeli Law” means the Israeli Privacy Protection Regulations (Data Security) 5777-2017, the Israeli Privacy Protection Law, 5741-1981, the regulations promulgated pursuant thereto, including the Israeli Privacy Protection Regulations (Data Security), 5777-2017 and other related privacy regulations.
7. “Photographer Data” means any and all Personal Data uploaded by the Photographer to the Service, including any photographs of the Customers, all as detailed in Annex I.
8. “Security Incident" means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data of the other party. For the avoidance of doubt, any Personal Data Breach of the other party’s Personal Data will comprise a Security Incident.
9. "Standard Contractual Clauses" mean the standard contractual clauses for the transfer of Personal Data to third countries pursuant to the GDPR and adopted by the European Commission Decision 2021/914 of 4 June 2021 which is attached herein by linked reference:

https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32021D0914&from=EN .

1. ”UK GDPR” means the Data Protection Act 2018 and the GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 and as amended by Schedule 1 to the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (SI 2019/419
2. “UK SCC” means where the UK GDPR applies, the standard data protection clauses adopted pursuant to or permitted under Article 46 of the UK GDPR for transferring Personal Data outside of the EEA or UK.

2. RELATIONSHIP OF THE PARTIES
1. The parties acknowledge that in relation to all Photographer Data, as between the parties, Photographer is the Controller of Photographer Data, and that the Company is the Processor on behalf of the Photographer. For the purpose of the CCPA (and to the extent applicable), Photographer is the Business and the Company is the Service Provider.
2. The Company is also a Controller of certain Personal Data related to the Photographer, such as (without limitation) Photographer’s registration data, the contact details of Photographer’s personnel or the Photographer’s contact information (in the event the Photographer contacts the Company via email, its website or when the Photographer signs up to receive the Company’s email marketing materials) (“Company Data”). The Company Data is subject to the Company’s Privacy Policy available at: https://www.pic-time.com/?locale=en#PrivacyPolicy and this DPA does not apply to the processing of such Company Data. This DPA will solely apply to the Processing by the Company of the Photographer Data during the provision of the Service.
3. The purpose, subject matter and duration of the Processing carried out by the Company on behalf of the Photographer, the nature and purpose of the Processing, the type of Personal Data and categories of Data Subjects are described in ANNEX I attached hereto.

3. REPRESENTATIONS AND WARRANTIES
1. The Photographer represents and warrants that: (i) its Processing instructions shall comply with applicable Data Protection Law; (ii) it will comply with Data Protection Law, specifically with regards to the lawful basis principal for Processing Personal Data and all applicable CCPA provisions; and (iii) due to the nature of the Service, the Company does not monitor or control the data uploaded to the Platform and thus, the type of Personal Data or Categories of the Data Subjects processed by it is subject to the Photographer’s sole discretion.
2. The Company represents and warrants that it: (i) shall process Personal Data, as set forth under Article 28(3) of the GDPR, on behalf of the Photographer, solely for the purpose of providing the Service, and for the pursuit of a Business Purpose as set forth under the CCPA, all in accordance with Company’s written instructions including the Terms and this DPA; (ii) in the event the Company is required under applicable laws, including Data Protection Law or any union or member state regulation, to Process Personal Data other than as instructed by Photographer, the Company shall inform the Photographer of such requirement prior to Processing such Personal Data, unless prohibited under applicable law; and; (iii) provide reasonable cooperation and assistance to Photographer in ensuring compliance with its obligation to carry out data protection impact assessments with respect to the processing of Personal Data and to consult with the supervisory authority (as applicable).
3. If the EU Data Protection Law, UK GDPR or the CCPA do not apply to the Photographer, then Photographer must abide by any other Data Protection Law and data security laws and regulations that are applicable to it, and at a minimum Photographer shall: (i) obtain and maintain any and all authorizations, permissions and consents, as may be necessary under applicable laws and regulations, in order to allow the Processor to lawfully collect, handle, retain, process and use the processed data within the scope of the Service; and (ii) substantiate the legal basis and legitimize, pursuant to applicable law, any and all Personal Data or personally identifiable information transferred through the Service.

4. PROCESSING OF PERSONAL DATA AND COMPLIANCE WITH DATA PROTECTION LAW

The Photographer hereby accepts and agrees that the Company does not have a direct relationship with the Data Subject (i.e., the Customers). The Photographer therefore undertakes to obtain a proper affirmative act of consent from Data Subjects in the event required in accordance with applicable Data Protection Law and display relevant notices and adhere to any and all applicable privacy requirements in order to allow the Company to Process Personal Data as set out herein and for the transferring of Personal Data to the Company or otherwise, where applicable.

5. RIGHTS OF DATA SUBJECTS AND THE PARTIES' COOPERATION OBLIGATIONS

It is agreed that where the Company receives a request from a Data Subject or an applicable authority in respect to the Photographer Data Processed by Company, where relevant, the Company will direct the Data Subject or the applicable authority to the Photographer in order to allow the Photographer to respond directly to the Data Subject’s or the applicable authority’s request, unless otherwise required under applicable laws. Both parties shall provide each other with commercially reasonable cooperation and assistance in relation to the handling of a Data Subject’s or applicable authority’s request, to the extent permitted under Data Protection Law and applicable law.

6. COMPANY PERSONNEL

Company shall take reasonable steps to ensure: (i) the reliability of its staff and any other person acting under its supervision who may come into contact with, or otherwise have access to and Process Personal Data; (ii) that persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality; and (iii) that such personnel are aware of their responsibilities under this DPA and any applicable Data Protection Laws.

7. DO NOT SELL PERSONAL INFORMATION

It is hereby agreed that any sharing of Personal Information between the parties is made solely in order to fulfill a Business Purpose and the Company does not receive or process any Personal Information as consideration for the Service. Thus, such Processing of Personal Information shall not be considered a Sale under the CCPA.

8. SUB-PROCESSOR
1. The Photographer acknowledges that the Company may transfer Personal Data to and otherwise interact with third party data processors (“Sub-Processor”). The Photographer hereby, authorizes the Company to engage and appoint such Sub-Processors to Process Personal Data, as well as permits each Sub-Processor to appoint a Sub-Processor on its behalf. The Company may continue to use those Sub-Processors already engaged by the Company, as listed in ANNEX III, and the Company may engage an additional or replace an existing Sub-Processor to process Personal Data, subject to the provision of a 30-day prior notice to the Photographer. In case the Photographer has not objected to the adding or replacing of a Sub-Processor, such Sub-Processor shall be considered as approved by the Photographer. In the event the Photographer objects, its sole remedy is to terminate the Terms.
2. The Company shall, where it engages any Sub-Processor, impose, through a legally binding contract between the Company and the Sub-Processor, data protection obligations no less onerous than those set out in this DPA on the Sub-Processor. The Company shall ensure that such contract will require the Sub-Processor to provide sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of Data Protection Law.
3. The Company shall remain fully responsible to the Photographer for the performance of the Sub-Processor’s obligations in accordance with the Terms. The Company shall notify the Photographer of any failure by the Sub-Processor to fulfil its contractual obligations.

9. TECHNICAL AND ORGANIZATIONAL MEASURES
1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, and without prejudice to any other security standards agreed upon by the parties, the Company shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk and in accordance with best industry practices to protect data from a Security Incident. The parties acknowledge that security requirements are constantly changing and that effective security requires the frequent evaluation and regular improvement of outdated security measures.
2. The security measures are further explained in ANNEX II.

10. SECURITY INCIDENT
1. The Company will notify the Photographer upon becoming aware of any confirmed Security Incident involving the Photographer Data in the Company’s possession or control, as determined by the Company in its sole discretion. The Company will, in connection with any Security Incident affecting the Photographer Data: (i) take such steps as are necessary to contain, remediate, minimize any effects of and investigate any Security Incident and to identify its cause; (ii) co-operate with the Photographer and provide the Photographer with such assistance and information as it may reasonably require in connection with the containment, investigation, remediation or mitigation of the Security Incident; (iii) notify the Photographer in writing of any request, inspection, audit or investigation by a supervisory authority or other authority; (iv) keep the Photographer informed of all material developments in connection with the Security Incident and execute a response plan to address the Security Incident; and (v) co-operate with the Photographer and assist Photographer with the Photographer's obligation to notify affected individuals in the case of a Security Incident.
2. Company’s notification regarding or response to a Security Incident under this Section 10 shall not be construed as an acknowledgment by the Company of any fault or liability with respect to the Security Incident.

11. AUDIT RIGHTS
1. Company shall respond promptly and adequately with respect to any inquiries from the Photographer regarding the Processing of Personal Data in accordance with this DPA. Company shall make available to the Photographer all information necessary to demonstrate compliance with the obligations under the EU Data Protection Law.
2. The Company shall make available, solely upon prior written notice and no more than once per year (except for in the case of a Security Incident), information necessary to reasonably demonstrate compliance with this DPA to a reputable auditor nominated by the Photographer, and shall allow for audits, including inspections, by such reputable auditor solely in relation to the Processing of the Photographer Data (“Audit”) in accordance with the terms and conditions hereunder. The Audit shall be subject to the terms of this DPA and standard confidentiality obligations (including towards third parties). The Company may object to an auditor appointed by the Photographer in the event the Company reasonably believes that the auditor is not suitably qualified or independent, is a competitor of the Company or otherwise unsuitable (“Objection Notice”). The Photographer will appoint a different auditor (who will also need to be approved by the Company) or conduct the Audit itself upon its receipt of an Objection Notice from the Company. Photographer shall bear all expenses related to the Audit and shall (and ensure that each of its auditors shall) over the course of such Audit, avoid causing any damage, injury or disruption to the Company’s premises, equipment, personnel and business. Any and all conclusions of such Audit shall be confidential and reported back to the Company immediately. Such Audit shall be applicable solely with respect to EU Data Subject and EU Data Protection Laws.

12. DATA TRANSFER
1. The Company is a global company that may access, transfer and Process the Photographer Data in countries outside the EU Member States, the three EEA member countries (Norway, Liechtenstein and Iceland) (collectively, “EEA”), Switzerland and the United Kingdom (“UK”). Therefore, Photographer Data that includes Personal Data of EEA, Switzerland or UK Data Subject (“Transferred Photographer Data”) is subject to this Section 12.
2. The parties acknowledge that transfer of the Transferred Photographer Data to an Adequate Country is permitted (“ Permitted Transfers”) and that any transfer of the Transferred Photographer Data which is not exempt under Article 49 of the GDPR or is not a Permitted Transfer, are hereby restricted (“Restricted Transfer”). The following shall apply solely to Restricted Transfers:
1. In order to maintain the integrity, security and confidentiality of the Transferred Photographer Data, a Restricted Transfer shall be subject, in addition to the terms of this DPA, to the terms and obligations of the Module II of the Standard Contractual Clauses in which event Company shall be deemed as the Data Importer and the Photographer shall be deemed as the Data Exporter.
2. The purpose and description of the transfer shall be detailed in ANNEX I.
3. The UK SCC shall incorporate ANNEX I, II and III herein.
3. The Photographer further agrees that where Company engages a Sub-Processor, and those processing activities include a Restricted Transfer, the Company and the Sub-Processor shall be bound by the Standard Contractual Clauses in which event Company shall be deemed as the Data Exporter and the Sub-Processor shall be deemed as the Data Importer. For the purposes of such engagement, Company and the Sub-Processor will enter into Module III of the Standard Contractual Clauses .
4. Subject to Clause 13 of the Standard Contractual Clauses , the Company agrees to submit itself to the jurisdiction of and cooperate with the competent supervisory authority in any procedures aimed at ensuring compliance with these Standard Contractual Clauses . Notwithstanding the above the UK SCCs shall be governed by the laws of England and Wales.
5. Measures and assurances regarding U.S. government surveillance (“Additional Safeguards”) are further detailed in ANNEX II.
13. CONFLICT

In the event of a conflict between the terms and conditions of this DPA and the Terms, this DPA shall prevail. For the avoidance of doubt, in the event Standard Contractual Clauses have been executed between the parties, the terms of the Standard Contractual Clauses shall prevail over those of this DPA. Except as set forth herein, all of the terms and conditions of the Terms shall remain in full force and effect.

14. TERM & TERMINATION
1. This DPA shall be effective upon Photographer’s registration for the Service and shall remain in force until the termination of the Terms. The Photographer shall be entitled to suspend the Processing of Photographer Data in the event the Company is in breach of Data Protection Laws, this DPA or a binding decision of a competent court or the competent supervisory authority.
2. The Company shall be entitled to terminate this DPA or terminate the Processing of the Photographer Data in the event the Processing of Personal Data under the Photographer’s instructions or this DPA infringe applicable legal requirements.
3. Following the termination of this DPA, Company shall, at the choice of the Photographer, delete all of the Photographer Data processed on behalf of the Photographer and certify to the Photographer that it has done so, or, return all the Photographer Data to the Photographer and delete existing copies unless applicable law or regulatory requirements requires that the Company continue to store the Photographer Data. Until the Photographer Data is deleted or returned, Company shall continue to ensure compliance with this DPA.

AnneX I

DETAILS OF PROCESSING AND TRANSFERRING OF PHOTOGRAPHER PERSONAL DATA

This Annex I include certain details of the Processing and transferring of Personal Data as required by Article 28(3) GDPR and the transferring Personal Data subject to the Standard Contractual Clauses.

Categories of data subjects whose personal data is processed or transferred:

• Customers
• Photographers

Categories of personal data processed and transferred:

• Customer photographs and contact information.
• Photographer contact information if applicable.

Sensitive data processed or transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measure:

• Nude Customer photographs, if any.
• Child Customer photographs, if any.

The frequency of the transfer (e.g., whether the data is transferred on a one-off or continuous basis).

Continuous and one-off depending on the transfer.

Nature of Purpose(s) for the processing and transferring on behalf of the controller:

Storage and providing the Service as set forth in the Terms.

Duration of the processing:

For the duration of the Service in accordance with the Terms and the period from the end of the termination of the Terms until the deletion of all of the Photographer Data.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

The sub-processors are mainly storage providers, all of the above is applicable to the sub-processors.

ANNEX II

TECHNICAL AND ORGANISATIONAL MEASURES

(I) General Background:

This Technical and Organizational Measures Annex sets out the measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services, the measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident, the measures taken for user identification and authorization as well as the measures taken for the protection of data during storage and during transmission.

(II) Specification

System Access Control

Access to the Company’s database is highly restricted in order to ensure that only the relevant personnel who have received prior approval can access the database. The Company has also implemented appropriate safeguards related to remote access and wireless computing capabilities. Employees are assigned private passwords that allow strict access or use to Personal Data, all in accordance with such employee’s position, and solely to the extent such access or use is required. There is constant monitoring of access to the Personal Data and the passwords used to gain access. The Company uses automated tools to identify non-human login attempts and rate-limiting login attempts to minimize the risk of a brute force attack.

Physical Access Control

The Company ensures the protection of the data servers which store the Personal Data for the Company from unwanted physical access.

The data processed by the Company is stored on Microsoft Azure's servers which are located in the EU, the US and Australia and MongoDB’s servers. Please see Azure’s security measures here and MongoDB’s security measures here. When the Personal Data is transferred to the applicable servers it is always done in a secure and encrypted manner, encryption by default, at rest and in transit. The Company also secures physical access to its offices by ensuring that only authorized individuals such as employees and authorized external parties (maintenance staff, visitors, etc.) can access the Company’s offices by using security locks and an alarm system, amongst other measures as well.

Data Access Control

User authentication measures have been put in place in order to ensure that access to Personal Data is restricted solely to those employees who have been given permission to access it and to ensure that the Personal Data is not accessed, modified, copied, used, transferred or deleted without specific authorization for such actions to be done. Any access to Personal Data, as well as any action performed involving the use of Personal Data requires a password and user name, which is routinely changed, as well as blocked when applicable. Each employee is able to perform actions solely in accordance with the permissions granted to him by the Company. Each access is logged and monitored, and any unauthorized access is automatically reported. Furthermore, the Company conducts ongoing reviews of the employees who have been given authorization to access Personal Data, in order to assess whether such access is still required. The Company revokes access to Personal Data immediately upon termination of employment. Authorized individuals can only access Personal Data that are located in their individual profiles.

Organizational and Operational Security

The Company puts a lot of effort and invests a lot of its resources into ensuring that the Company’s security policies and practices are being complied with, including by continuously providing employees with training with respect to such security policies and practices. The Company strives to raise awareness regarding the risks involved in the processing of Personal Data. In addition, the Company has implemented applicable safeguards for its hardware and software, including by installing firewalls and anti-virus software on applicable Company hardware and software, in order to protect against malicious software.

Transfer Control

The Company will conduct transfer impact assessments (“TIA ”) if required by applicable law with respect to all transfers of Personal Data and is able to share the TIA upon a Photographer’s or Customer’s request. The purpose of a transfer control is to ensure that Personal Data cannot be read, copied, modified or removed by unauthorized parties during the electronic transmission of such Personal Data or during its transportation or storage in the applicable data center. Furthermore, any and all transfers of the Personal Data (either between the Visitors, the Photographers, the Customers, the Company’s service providers and the Company’s servers) is secured and encrypted. Default encryption is implemented in transit and at rest.

Availability Control

The Company maintains backup policies and associated measures. Such backup policies include permanent monitoring of operational parameters as relevant to the backup operations. Furthermore, the Company’s servers include an automated backup procedure. The Company also conducts regular controls of the condition and labelling of data storage devices for data security. The Company ensures that regular checks are carried out to determine whether it is possible to undo the backup, as required and applicable.

Data Retention

Personal Data is retained for as long as needed for us to provide our Service or as required under applicable laws.

Job Control, Third-Party Contractors And Service Provider

All of the Company’s employees are required to execute an employment agreement which includes confidentiality provisions as well as applicable provisions binding them to comply with applicable data security practices. In the event of a breach of an employee’s obligation or non-compliance with the Company’s policies, the Company implements certain repercussions in order to ensure compliance with the Company’s policies. In addition, prior to the Company’s engagement with third party contractors, the Company undertakes diligence reviews of such third-party contractors. The Company agrees with third party contractors on effective rights of control with respect to any Personal Data processed on behalf of the Company. The Company ensures that it enters into data protection agreements with all of its clients and service providers.

Data Subject Request

The Company has an online mechanism to enable individuals to submit a data subject request (“DSR”), furthermore, the Company has implemented internal policies to handle DSRs, subject to applicable data protection laws and contractual obligations.

Contractual Obligations

The Company has ensured all documents, including without limitations, agreements (including online agreements) and privacy policies are compliant with applicable Data Protection Regulation, including, by implementing Data Processing Agreements and where needed Standard Contractual Clauses (either pursuant to the GDPR and adopted by the European Commission Decision 2021/914 of 4 June 2021 which is attached herein by linked reference: https://eur-lex.europa.eu/legal content/EN/TXT/PDF/?uri=CELEX:32021D0914&from=EN or pursuant to the standard data protection clauses adopted pursuant to or permitted under Article 46 of the UK GDPR for transferring Personal Data outside of the EEA or UK).

Additional Safeguards

Measures and assurances regarding U.S. government surveillance (“ Additional Safeguards”) have been implemented due to the EU Court of Justice Case C-311/18, Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems decision (“ Schrems II”), these measures include the following:

• encryption both in transit and at rest;
• As of the date included in the “Last Updated” header above, the Company has not received any national security orders of the type described in Paragraphs 150-202 of the Schrems II decision.
• No court has found the Company to be the type of entity eligible to receive process issued under FISA Section 702: (i) an “electronic communication service provider” within the meaning of 50 U.S.C § 1881(b)(4) or (ii) a member of any of the categories of entities described within that definition.
• The Company will not comply with any request under FISA for bulk surveillance, i.e., a surveillance demand whereby a targeted account identifier is not identified via a specific “targeted selector” (an identifier that is unique to the targeted endpoint of communications subject to the surveillance).
• The Company will use all available legal mechanisms to challenge any demands for data access through any national security process that it receives, as well as any non-disclosure provisions attached thereto.
• The Company will notify Photographer (if required and as applicable) if it can no longer comply with the Standard Contractual Clauses or these Additional Safeguards, without being required to identify the specific provision with which it can no longer comply.

Annex III

List of Sub-Processors