Data Processing Agreement
Last updated: 11 February 2026
1. Introduction
This Data Processing Agreement ("DPA") forms part of and supplements the Terms of Service ("Agreement") between MageXo s.r.o. ("MageXo", "Processor", "we", "us") and the entity or person accepting this DPA ("Customer", "Controller", "you"). This DPA applies when MageXo processes Personal Data on behalf of the Customer in connection with the PhotoneAI service available at photoneai.com (the "Service").
This DPA reflects the parties' commitment to comply with Regulation (EU) 2016/679 of the European Parliament and of the Council (the "GDPR"), and any applicable national data protection legislation, including but not limited to the Czech Act No. 110/2019 Coll. on the Processing of Personal Data.
MageXo s.r.o.
Prosecká 855/68, 190 00 Praha 9, Czech Republic
IČ (Registration No.): 24771406
Contact: info@photoneai.com, +420 739 698 038
2. Definitions
For the purposes of this DPA, the following terms have the meanings set out below. Where not defined here, terms have the meaning given to them in the GDPR (Article 4) or the Agreement.
- "Controller" means the natural or legal person which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data. Under this DPA, the Customer is the Controller.
- "Processor" means the natural or legal person which processes Personal Data on behalf of the Controller. Under this DPA, MageXo is the Processor.
- "Data Subject" means an identified or identifiable natural person whose Personal Data is processed.
- "Personal Data" means any information relating to an identified or identifiable natural person.
- "Processing" means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.
- "Sub-processor" means any third-party processor engaged by MageXo to process Personal Data on behalf of the Controller.
- "Supervisory Authority" means an independent public authority established by an EU Member State pursuant to Article 51 of the GDPR.
- "Service Data" means all data that the Controller or its authorized users submit to or generate through the Service, including but not limited to: product images, product URLs, product descriptions, website screenshots, brand analysis data, generated images, style configurations, scene data, and analysis results.
- "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.
3. Scope of Processing
MageXo processes Service Data solely to provide the PhotoneAI service as described in the Agreement. The scope of Processing includes:
- Receiving and storing product images and URLs submitted by the Controller or its authorized users
- AI-based image generation using product data and style configurations to produce lifestyle product photographs
- Brand and shop analysis including web scraping of e-commerce sites designated by the Controller to extract brand attributes, product information, and visual elements
- Style creation and management including analysis of reference images and URLs to derive photography parameters
- Image storage and delivery of generated images via secure cloud storage with time-limited availability
- Email notifications to authorized users regarding job completion, account activity, and service updates
- Credit and billing processing including tracking generation usage and facilitating payments through third-party payment processors
MageXo will not process Service Data for any purpose other than providing the Service, unless required by applicable law, in which case MageXo will inform the Controller of that legal requirement before Processing (unless prohibited by law from doing so).
4. Roles & Responsibilities
4.1 Controller Obligations
The Controller:
- Determines the purposes and means of Processing, including deciding which products to photograph, which URLs to analyze, which styles to create, and which users to authorize
- Is responsible for ensuring that it has a lawful basis for Processing Personal Data and for providing any required notices to Data Subjects
- Is responsible for the accuracy, quality, and legality of the Personal Data and the means by which it acquired the Personal Data
- Shall comply with its obligations under applicable data protection law, including the GDPR
4.2 Processor Obligations
MageXo as the Processor:
- Processes Personal Data only on the Controller's documented instructions, including with regard to transfers of Personal Data to a third country or international organization, unless required to do so by EU or Member State law to which MageXo is subject
- Ensures that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality
- Takes all measures required pursuant to GDPR Article 32 (security of Processing)
- Respects the conditions for engaging Sub-processors as set out in Section 9
- Assists the Controller by appropriate technical and organizational measures, insofar as possible, for the fulfilment of the Controller's obligation to respond to Data Subject requests
- Assists the Controller in ensuring compliance with the obligations pursuant to GDPR Articles 32 to 36
- At the choice of the Controller, deletes or returns all Personal Data after the end of the provision of services, and deletes existing copies unless EU or Member State law requires storage
- Makes available to the Controller all information necessary to demonstrate compliance with GDPR Article 28 and allows for and contributes to audits and inspections
4.3 Instruction Compliance
If MageXo believes that an instruction from the Controller infringes the GDPR or other applicable data protection provisions, MageXo will promptly inform the Controller. MageXo is entitled to suspend the relevant Processing until the Controller confirms or modifies the instruction.
5. Data Categories & Data Subjects
5.1 Categories of Personal Data
| Category | Description |
|---|---|
| Product images | Photographs of products uploaded by authorized users |
| Product URLs | Links to product pages on e-commerce websites |
| Product descriptions & attributes | Textual information about products, including names, features, and metadata |
| Website screenshots | Visual captures of web pages during brand/shop analysis |
| Brand analysis data | Extracted brand attributes, color palettes, visual styles, and positioning data |
| Generated images | AI-produced lifestyle product photographs |
| Email addresses | Email addresses of authorized users for authentication and notifications |
| Usage logs | Service usage records including generation timestamps, credit consumption, and feature usage |
5.2 Categories of Data Subjects
| Category | Description |
|---|---|
| Controller's employees and authorized agents | Individuals who access and use the Service on behalf of the Controller |
| Individuals depicted in product imagery | Persons who may appear in product photographs submitted by the Controller (if any) |
6. Processing Instructions
- MageXo processes Service Data only as necessary to provide the Service and in accordance with the Controller's documented instructions.
- The Controller's instructions are documented in and limited to the Agreement (Terms of Service), this DPA, and the standard functionality of the Service as described in the documentation at photoneai.com.
- Any additional or modified instructions require the prior mutual written agreement of both parties. MageXo reserves the right to charge additional fees if such instructions require significant changes to the Service or its infrastructure.
- The Controller acknowledges that certain Processing operations are inherent to the Service (e.g., transmitting product images to AI sub-processors for generation) and constitute documented instructions under this DPA.
7. Confidentiality
- MageXo ensures that all persons authorized to process Personal Data on its behalf are bound by appropriate confidentiality obligations, whether contractual or statutory.
- Access to Service Data is restricted to MageXo personnel who require such access for the performance of their duties in connection with the Service.
- MageXo maintains access controls and authentication mechanisms to enforce the principle of least privilege.
- The confidentiality obligations set out in this section survive the termination of this DPA.
8. Security Measures (Article 32)
MageXo implements and maintains appropriate technical and organizational measures to ensure a level of security appropriate to the risk of Processing, including:
- Encryption in transit — All data transmitted between the Controller, the Service, and Sub-processors is encrypted using TLS 1.2 or higher
- Encryption at rest — Service Data stored in databases and object storage is encrypted at rest via cloud provider encryption mechanisms
- Row-Level Security — PostgreSQL Row-Level Security (RLS) policies enforce per-tenant data isolation at the database level, preventing cross-tenant data access
- Password hashing — User credentials are hashed using bcrypt or Argon2 with appropriate work factors
- Content Security Policy — CSP headers restrict the execution of scripts and loading of resources to trusted origins
- SSRF protection — Server-Side Request Forgery protections block requests to private IP ranges for all user-submitted URLs
- Rate limiting — All API endpoints are subject to rate limiting to prevent abuse and denial-of-service attacks
- Role-based access controls — Administrative and user roles with distinct privilege levels
- HSTS enforcement — HTTP Strict Transport Security with a max-age of 63,072,000 seconds (2 years), including subdomains
- Security headers — X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy headers configured to restrict attack surface
- Regular security assessment — Periodic review of security controls, dependencies, and configurations
The full details of technical and organizational measures are set out in Annex II to this DPA. MageXo will not materially reduce the overall level of security of the Service during the term of this DPA.
9. Sub-Processors
9.1 General Authorization
The Controller grants MageXo general written authorization to engage Sub-processors to carry out specific Processing activities on behalf of the Controller, subject to the conditions set out in this section.
9.2 Current Sub-Processors
A current list of Sub-processors is maintained and publicly available at /sub-processors. The Controller acknowledges and approves the Sub-processors listed at the date of entering into this DPA.
9.3 Notification of Changes
MageXo will notify the Controller of any intended addition or replacement of Sub-processors at least 30 days before the new Sub-processor begins Processing Personal Data. Notification will be provided via the email address associated with the Controller's account.
9.4 Objection Right
The Controller may object to a new Sub-processor by providing written notice to MageXo within 14 days of receiving notification. The objection must state reasonable grounds relating to data protection. The parties will discuss the objection in good faith with a view to achieving a commercially reasonable resolution. If no resolution can be reached within 30 days of the objection, the Controller may terminate the portion of the Service that requires the use of the objected-to Sub-processor, without penalty.
9.5 Sub-Processor Obligations
MageXo imposes data protection obligations on all Sub-processors that are no less protective than those set out in this DPA. MageXo remains fully liable to the Controller for the performance of its Sub-processors' obligations.
10. International Data Transfers
10.1 MageXo Location
MageXo is established in the European Union (Czech Republic). Processing within the EU/EEA does not require additional transfer safeguards.
10.2 Transfers to Third Countries
Where Sub-processors are located outside the EU/EEA (including in the United States), MageXo ensures that appropriate transfer mechanisms are in place:
- EU-US Data Privacy Framework — For Sub-processors that are certified under the EU-US Data Privacy Framework, the certification serves as an adequate transfer mechanism pursuant to the European Commission's adequacy decision of 10 July 2023
- Standard Contractual Clauses (SCCs) — Where the Data Privacy Framework does not apply, transfers are governed by the Standard Contractual Clauses approved by the European Commission (Implementing Decision (EU) 2021/914), supplemented by additional safeguards where required by transfer impact assessments
- UK International Data Transfer Agreement / UK Addendum — For transfers subject to UK GDPR, the UK International Data Transfer Agreement or the UK Addendum to the EU SCCs (as applicable) is applied
10.3 Transparency
The Controller may request copies of the relevant transfer mechanisms, including executed SCCs (with commercial terms redacted where necessary to protect confidentiality), by contacting info@photoneai.com.
11. Data Subject Rights
11.1 Assistance with Requests
MageXo will assist the Controller, by appropriate technical and organizational measures and insofar as possible, in fulfilling the Controller's obligation to respond to requests from Data Subjects exercising their rights under Chapter III of the GDPR, including rights of:
- Access (Article 15)
- Rectification (Article 16)
- Erasure ("right to be forgotten") (Article 17)
- Restriction of Processing (Article 18)
- Data portability (Article 20)
- Objection (Article 21)
11.2 Direct Requests
If MageXo receives a request directly from a Data Subject in relation to the Controller's Personal Data, MageXo will promptly notify the Controller and will not respond to the request directly unless authorized by the Controller or required by applicable law.
11.3 Costs
Assistance with standard Data Subject requests is included in the Service. MageXo reserves the right to charge reasonable costs for assistance with requests that are excessive, repetitive, or manifestly unfounded, or that require significant manual effort beyond the standard functionality of the Service.
12. Data Breach Notification
12.1 Notification Timeline
MageXo will notify the Controller without undue delay, and in any event within 72 hours, after becoming aware of a Data Breach affecting the Controller's Personal Data.
12.2 Notification Content
The notification will include, to the extent available:
- A description of the nature of the Data Breach, including the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned
- The name and contact details of MageXo's point of contact for further information
- A description of the likely consequences of the Data Breach
- A description of the measures taken or proposed to be taken to address the Data Breach, including measures to mitigate its possible adverse effects
12.3 Cooperation
MageXo will cooperate with the Controller in investigating and remediating the Data Breach, and will assist the Controller in meeting its obligations under GDPR Articles 33 and 34, including notification to the Supervisory Authority and communication to affected Data Subjects where required.
12.4 Documentation
MageXo will document all Data Breaches, including the facts relating to the breach, its effects, and the remedial action taken, and will make such documentation available to the Controller upon request.
13. Data Protection Impact Assessment
- MageXo will provide reasonable assistance to the Controller in conducting Data Protection Impact Assessments ("DPIAs") where the Controller's use of the Service is likely to result in a high risk to the rights and freedoms of natural persons, as required under GDPR Article 35.
- MageXo will assist the Controller with prior consultation with the competent Supervisory Authority under GDPR Article 36, where the outcome of a DPIA indicates that the Processing would result in a high risk in the absence of measures taken by the Controller to mitigate the risk.
- Such assistance will take into account the nature of the Processing and the information available to MageXo, and may include providing documentation of security measures, Processing activities, and Sub-processor arrangements.
14. Audit Rights
14.1 Right to Audit
The Controller (or an independent third-party auditor appointed by the Controller) may audit MageXo's compliance with this DPA.
14.2 Notice and Frequency
- Audits require at least 30 days' prior written notice to MageXo.
- Audits are limited to once per calendar year, unless a Supervisory Authority requires a more frequent audit, or following a confirmed Data Breach affecting the Controller's Personal Data.
14.3 Cooperation
MageXo will provide reasonable cooperation and access to relevant records, systems, and personnel during normal business hours. The Controller's auditor must comply with MageXo's reasonable security and confidentiality requirements.
14.4 Costs
The Controller bears all costs associated with audits it initiates, unless the audit reveals material non-compliance with this DPA, in which case MageXo will bear the reasonable costs of the audit.
14.5 Alternative Assurance
MageXo may, at its discretion, satisfy audit requirements by providing the Controller with:
- Relevant third-party certifications or audit reports (e.g., SOC 2 Type II, ISO 27001)
- Results of penetration tests conducted by independent security firms
- Detailed written responses to the Controller's audit questionnaire
Such alternative assurance measures are accepted by the Controller as a reasonable substitute for on-site audits, provided they adequately demonstrate compliance.
15. Data Return & Deletion
15.1 Data Export
Upon termination or expiration of the Service agreement, the Controller may export its Service Data through the Service's standard export functionality for a period of 30 days following the effective date of termination.
15.2 Deletion
After the 30-day retrieval period, MageXo will delete all Service Data in its possession and in the possession of its Sub-processors, except where retention is required by applicable law.
15.3 Automatic Deletion
The following automatic deletion mechanisms apply during and after the term of service:
- Generated images are automatically deleted 30 days after creation
- Guest session data expires after 30 days of inactivity
15.4 Legal Retention
The following data is retained beyond the Service term where required by law:
- Credit transaction records are retained for 7 years in accordance with Czech accounting legislation (Act No. 563/1991 Coll. on Accounting)
- Tax-related billing records are retained as required by Czech tax law
15.5 Confirmation
MageXo will provide written confirmation of deletion upon the Controller's written request, certifying that all Service Data (except legally required retention) has been securely destroyed.
16. Duration & Termination
16.1 Effective Date
This DPA is effective from the date the Controller accepts the Agreement (Terms of Service) and this DPA.
16.2 Duration
This DPA remains in effect for the duration of the Service agreement between the parties.
16.3 Termination
This DPA terminates automatically upon termination or expiration of the Service agreement, subject to the survival provisions below.
16.4 Survival
The following provisions survive termination of this DPA:
- Section 7 (Confidentiality)
- Section 12 (Data Breach Notification) — to the extent any breach is discovered after termination
- Section 15 (Data Return & Deletion) — until all data has been deleted or returned
- Section 17 (Liability)
- Section 18 (Governing Law)
17. Liability
17.1 Limitations
Liability under this DPA is subject to the limitations and exclusions set out in the Agreement (Terms of Service), except where such limitations are prohibited by applicable data protection law.
17.2 GDPR Liability
Each party is liable for damages caused by Processing that infringes the GDPR or this DPA, in accordance with GDPR Article 82:
- The Controller is liable for damages caused by Processing that does not comply with the GDPR or the Controller's obligations under this DPA
- MageXo is liable for damages caused by Processing where it has not complied with obligations of the GDPR specifically directed to Processors, or where it has acted outside or contrary to the Controller's lawful instructions
17.3 Indemnification
Each party agrees to indemnify the other party for any costs, claims, damages, or expenses (including reasonable legal fees) arising from the indemnifying party's breach of this DPA or violation of applicable data protection law.
18. Governing Law
18.1 Applicable Law
This DPA is governed by and construed in accordance with the laws of the Czech Republic, without regard to its conflict-of-law provisions, and subject to the mandatory provisions of the GDPR.
18.2 Jurisdiction
Any disputes arising out of or in connection with this DPA that cannot be resolved amicably shall be submitted to the exclusive jurisdiction of the competent courts of Prague, Czech Republic.
18.3 Regulatory Precedence
Nothing in this DPA limits the rights of a Supervisory Authority or Data Subject under applicable data protection law.
Annex I — Details of Processing
| Element | Description |
|---|---|
| Subject matter | AI-powered product image generation and brand analysis via the PhotoneAI service |
| Duration | Duration of the Service agreement between Controller and MageXo |
| Nature of processing | Collection, storage, AI analysis, image generation, transmission, and deletion of Service Data |
| Purpose | Generating lifestyle product photographs, conducting brand and shop analysis, providing style recommendations, and delivering generated content to the Controller |
| Categories of data | Product images, product URLs, product descriptions, brand data, website screenshots, generated images, email addresses of authorized users, usage and billing logs |
| Categories of data subjects | Controller's employees and authorized users; individuals depicted in product imagery (if any) |
| Processor | MageXo s.r.o., Prosecká 855/68, 190 00 Praha 9, Czech Republic, IČ: 24771406 |
Annex II — Technical and Organizational Security Measures
The following measures are implemented by MageXo to protect Personal Data processed in connection with the Service, pursuant to GDPR Article 32.
1. Access Control
- Role-based access control (RBAC) with distinct admin and user roles, enforcing the principle of least privilege
- Row-Level Security (RLS) in PostgreSQL ensuring strict per-tenant data isolation at the database level, preventing any cross-tenant data access
- Service role keys restricted to server-side operations only; client-side operations use anonymous keys with RLS enforcement
- Session-based authentication via Supabase Auth with secure token management
- Middleware-enforced route protection verifying authentication and authorization on every request
2. Encryption
- TLS 1.2+ for all data in transit between clients, servers, and Sub-processors
- HTTP Strict Transport Security (HSTS) enabled with max-age of 63,072,000 seconds (2 years), including subdomains
- Data at rest encryption via cloud provider mechanisms (Supabase/AWS AES-256)
- Password hashing using bcrypt or Argon2 with industry-recommended work factors
- Secure cookie attributes (HttpOnly, Secure, SameSite) for session management
3. Network Security
- Content Security Policy (CSP) headers restricting script execution and resource loading to explicitly trusted origins
- SSRF protection blocking requests to private and reserved IP address ranges (RFC 1918, RFC 6598) for all user-submitted URLs
- X-Frame-Options: DENY preventing clickjacking attacks
- X-Content-Type-Options: nosniff preventing MIME-type sniffing
- Referrer-Policy: strict-origin-when-cross-origin limiting referrer information leakage
- Permissions-Policy disabling access to camera, microphone, and geolocation APIs
4. Input Validation
- URL validation and sanitization before any Processing, including scheme verification and domain validation
- File type validation restricted to JPEG, PNG, and WebP formats with a maximum file size of 10 MB
- HTML escaping in all email content to prevent injection attacks
- Rate limiting on all API endpoints to prevent abuse, brute-force attacks, and denial-of-service
- Bot detection via hCaptcha integration on authentication endpoints
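Sections 3 and 4 of this Annex describe the screening applied to user-submitted URLs before the Service fetches them: scheme verification, domain validation, and refusal of destinations in private and reserved ranges (RFC 1918, RFC 6598). The Python block below is an added illustration of how such a guard is commonly built and is not MageXo's code; the resolver interface, the additional blocked ranges beyond the two RFCs named above, and the sample hostnames and addresses are assumptions made for the example.

```python
"""SSRF guard for user-submitted URLs (illustrative, not the Service's code).

Checks, in order: scheme allow-list, no embedded credentials, then every
address the host resolves to is tested against private/reserved ranges.
The resolver is injectable so the logic can be exercised offline.
"""
import ipaddress
import socket
from typing import Callable, List, Tuple
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# RFC 1918 and RFC 6598 as named in the DPA, plus other non-routable blocks a
# server-side fetcher should never be steered into (loopback, link-local
# including cloud metadata at 169.254.169.254, IPv6 ULA, multicast, ...).
# Assumed list; extend to taste.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",      # RFC 1918
    "100.64.0.0/10",                                      # RFC 6598 shared address space
    "0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",         # "this" net, loopback, link-local
    "192.0.0.0/24", "192.0.2.0/24", "198.18.0.0/15",      # IETF protocol, TEST-NET-1, benchmarking
    "198.51.100.0/24", "203.0.113.0/24",                  # TEST-NET-2, TEST-NET-3
    "224.0.0.0/4", "240.0.0.0/4",                         # multicast, reserved
    "::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8", "64:ff9b::/96",
)]

Resolver = Callable[[str], List[str]]


def system_resolver(host: str) -> List[str]:
    """Resolve via the OS resolver and return every A/AAAA record, not just the first."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def is_blocked_address(ip_str: str) -> bool:
    """True if the address must not be contacted on behalf of a user."""
    ip = ipaddress.ip_address(ip_str)
    # Unwrap IPv4-mapped IPv6 (::ffff:10.0.0.1) so the IPv4 ranges apply to it.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    if (ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_multicast
            or ip.is_reserved or ip.is_unspecified):
        return True
    return any(ip in net for net in BLOCKED_NETWORKS)


def validate_outbound_url(url: str, resolver: Resolver = system_resolver) -> Tuple[str, str]:
    """Return (host, vetted_ip) for an acceptable URL; raise ValueError otherwise."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    host = parts.hostname
    if not host:
        raise ValueError("URL has no host")
    if parts.username or parts.password:
        raise ValueError("credentials embedded in URL are not allowed")
    # A literal IP is checked directly. Anything else (including shorthand
    # forms such as "127.1" that ipaddress rejects) goes through the resolver,
    # and every returned record is checked: one public plus one private
    # record is a classic rebinding set-up and is rejected outright.
    try:
        candidates = [str(ipaddress.ip_address(host))]
    except ValueError:
        candidates = resolver(host)
    if not candidates:
        raise ValueError(f"host does not resolve: {host}")
    for addr in candidates:
        if is_blocked_address(addr):
            raise ValueError(f"{host} resolves to blocked address {addr}")
    # The caller should connect to this vetted IP (sending Host: host) rather
    # than re-resolving, and must re-run this function on every redirect.
    return host, candidates[0]


def is_safe_url(url: str, resolver: Resolver = system_resolver) -> bool:
    """Boolean convenience wrapper around validate_outbound_url."""
    try:
        validate_outbound_url(url, resolver)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed resolver: the hostnames and addresses below are not real lookups.
    fake_dns = {
        "shop.example": ["8.8.8.8"],
        "rebind.example": ["8.8.8.8", "169.254.169.254"],
    }
    for u in ("https://shop.example/p/1", "https://rebind.example/",
              "http://10.0.0.5/", "http://100.64.1.1/", "ftp://shop.example/"):
        print(u, "->", "ok" if is_safe_url(u, fake_dns.get) else "blocked")
```

Two points the range list alone does not cover: the check must run against the addresses actually connected to (resolve once, connect to the vetted IP, never let the HTTP client re-resolve), and it must be repeated for every redirect target, since a 302 to `http://127.0.0.1/` from an otherwise public host is the most common bypass of a pre-fetch check.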
5. Monitoring & Logging
- Structured JSON logging via structlog for consistent, parseable audit trails
- AI API call logging with cost tracking and usage monitoring
- Data minimization in logs — no PII beyond operational necessity (job IDs, truncated summaries); full product data and personal information are excluded from log entries
- Error monitoring and alerting for rapid detection and response to anomalies
6. Data Minimization
- Automatic image deletion — generated images are permanently deleted after 30 days
- Guest session expiry — guest session data is purged after 30 days of inactivity
- Image compression — product images are compressed before AI Processing (maximum dimension: 2048 pixels) to reduce data surface
- Prompt minimization — AI prompts contain summarized product attributes rather than full user-submitted data
- Purpose limitation — Service Data is processed only for the stated purposes and not retained beyond operational necessity
7. Incident Response
- 72-hour breach notification commitment aligned with GDPR Article 33
- Error monitoring and alerting with automated notification for critical failures
- Stuck job recovery — automated detection and reset of stalled Processing jobs after 300 seconds, preventing data from remaining in an indeterminate state
- Documented incident response procedures including escalation paths and communication templates
8. Sub-Processor Management
- Contractual data protection obligations imposed on all Sub-processors, no less protective than those in this DPA
- Regular compliance review of Sub-processor security practices and certifications
- Public Sub-processor registry maintained at /sub-processors with Processing details, data categories, and transfer mechanisms
- 30-day advance notification to Controllers before engaging new Sub-processors