Data Processing Agreement

This Data Processing Agreement and its Annexes (“DPA”) reflects the agreement between the parties regarding the processing of Personal Data by us on your behalf, under the Names & Faces Client Terms of Service (the “Agreement”).

This DPA is supplemental to the Agreement and takes precedence over it in case of any conflict. It follows the term of the Agreement. Terms not defined in this DPA have the meanings in the Agreement.

Structure of this DPA

  • Definitions

  • Client Responsibilities

  • Names & Faces Obligations

  • Data Subject Requests

  • Sub-Processors

  • Data Transfers

  • Additional Provisions for European Data

  • Additional Provisions for California Personal Information

  • General Provisions

  • Parties to this DPA

  • Annexes 1–3

1. Definitions

  • California Personal Information: Personal Data protected under the CCPA

  • CCPA: California Consumer Privacy Act of 2018

  • Controller / Processor: As defined under applicable Data Protection Laws

  • Data Protection Laws: Global privacy legislation incl. GDPR, POPIA, CCPA, etc.

  • Data Subject: The individual the data is about

  • Europe / European Data: EU, EEA, UK, Switzerland — and data covered by their laws

  • Instructions: Controller-issued, documented instructions for processing

  • Personal Data / Personal Data Breach / Processing: As defined under GDPR

  • Standard Contractual Clauses (SCCs): EU Commission’s 2021 SCCs

  • Sub-Processor: A third-party processor assisting Names & Faces

  • UK Addendum: ICO Addendum to SCCs

2. Client Responsibilities

a. Compliance with Laws

You are responsible for compliance with all applicable Data Protection Laws. This includes the lawfulness of data collection and transfer, transparency obligations, and accuracy of Client Data.

b. Controller Instructions

Your use of the Subscription Service and this DPA together constitute your complete instructions for processing.

c. Security

You must assess if our security standards meet your legal obligations and ensure secure usage of our services.

3. Names & Faces’ Obligations

a. Compliance with Instructions

We will process Personal Data only in accordance with this DPA and your lawful instructions.

b. Conflict of Laws

If local laws prevent compliance with your instructions, we’ll notify you (unless prohibited by law).

c. Security

We maintain appropriate security measures as described in Annex 2. These may change, but not in a way that reduces protection.

d. Confidentiality

Our personnel are bound by confidentiality obligations.

e. Personal Data Breaches

We will notify you without undue delay and assist with regulatory or data subject notifications if required.

f. Deletion or Return of Personal Data

We will delete or return Personal Data upon service termination, except where legally required to retain it.

4. Data Subject Requests

You are responsible for fulfilling Data Subject Requests via the Subscription Service. If you need help, we’ll assist at your request and may charge reasonable costs. If we receive such requests directly, we’ll refer them to you.

5. Sub-Processors

We may engage Sub-Processors for infrastructure, product features, and support. Sub-Processors are bound by protections equivalent to this DPA.
A full list is available at: namesandfaces.com/subprocessors

6. Data Transfers

You consent to Personal Data transfers worldwide, including to the U.S. (Names & Faces, Inc.) and other jurisdictions. All transfers will comply with applicable laws.

7. Additional Provisions for European Data

a. Scope

Applies only where data is subject to European Data Protection Laws.

b. Roles

You = Controller. Names & Faces = Processor.

c. Instruction Compliance

If we believe your instructions violate European law, we’ll notify you.

d. New Sub-Processors

You may object within 30 days of being notified. If no resolution is possible, you may suspend or terminate affected services.

e. Sub-Processor Agreements

We’ll share Sub-Processor terms to the extent allowed and reasonable.

f. Data Protection Impact Assessments

We’ll assist where you lack access to needed data for DPAs or regulatory consultations.

g. Transfer Mechanisms

We use the SCCs for EEA, UK, and Swiss data transfers. See full terms in the DPA body. Privacy Shield principles apply where relevant.

h. Demonstration of Compliance

We will make all relevant compliance information available to you and permit audits.

8. Additional Provisions for California Personal Information

a. Scope

Applies only to California Personal Information under the CCPA.

b. Roles

You = Business. Names & Faces = Service Provider.

c. Responsibilities

We will process data strictly for the Subscription Service and as permitted under the CCPA.

9. General Provisions

a. Amendments

We may update this DPA, with notice, in accordance with our general terms.

b. Severability

Invalid terms won’t affect the rest of the DPA.

c. Limitation of Liability

Liabilities are governed by the Agreement and apply to all Affiliates.

d. Governing Law

Governing law is as per the Agreement’s jurisdiction clause, unless otherwise required.

10. Parties to this DPA

a. Permitted Affiliates

This DPA applies to all Permitted Affiliates unless otherwise stated.

b. Authorization

You represent you have authority to bind your Affiliates to this DPA.

c. Remedies

Only the primary contracting Client may enforce the DPA.

d. Consolidated Audits

Where possible, you agree to group audit requests across Affiliates.

Annex 1 – Details of Processing

A. Parties

  • Data Exporter: You, the Client

  • Data Importer: Names & Faces, Inc., 2261 Market Street #4585, San Francisco, CA 94114, USA

B. Description of Transfer

  • Subjects: Your users (e.g. employees, contractors, clients)

  • Data: Contact info and any data you submit

  • Frequency: Continuous

  • Purpose: To deliver the Subscription Service

  • Retention: Duration of the Agreement

  • Supervisory Authority: As per GDPR

Annex 2 – Security Measures

A. Access Control

  • Hosted on secure outsourced infrastructure

  • SOC 2 and ISO 27001 compliant

  • Strict authentication and authorization protocols

  • API access via key or OAuth

B. Transmission Control

  • HTTPS enforced

  • Data encrypted at rest

C. Input Control

  • Centralised logging and anomaly detection

  • Incident response processes in place

D. Availability

  • ≥99% uptime

  • Backups and replication

  • Disaster recovery plans

Annex 3 – Sub-Processors

For the latest Sub-Processor list and purposes, visit:
namesandfaces.com/subprocessors

© 2025 Paul Galatis