Data Processing Agreement
Last updated: 9 July 2026
Template.This Data Processing Agreement (“DPA”) reflects how ProofProtectprocesses End-User personal data on Customers’ behalf. To execute it, email support@guardedcontent.com.au with your studio name and we will countersign. It should be reviewed by your own counsel; it does not constitute legal advice.
1. Parties and scope
This DPA forms part of the agreement between the Customer (the photographer or studio holding a ProofProtect account — the controller) and GuardedContent Pty Ltd trading as ProofProtect (the processor) under our Terms of Service. It applies where we process End-User personal data — a Customer’s clients, gallery viewers, and buyers — on the Customer’s behalf, and where the GDPR, UK GDPR, or comparable law requires a written processing agreement (GDPR Article 28).
2. Details of processing
- Subject matter and duration— hosting, protection, and delivery of client galleries for as long as the Customer’s account and galleries exist, plus the retention periods in our Privacy Policy.
- Nature and purpose — storage and DRM-protected delivery of photographs; client account, selection, and purchase management; gallery visit and content-protection telemetry made available to the Customer.
- Categories of data subjects— the Customer’s clients and gallery visitors (End Users).
- Categories of personal data — names, email addresses, photographs depicting individuals, gallery activity (views, selections, purchases), device and usage data (IP address, browser/device type, viewing duration, content-protection events), and order/shipping details for print purchases.
3. Processor obligations
GuardedContent Pty Ltd will:
- process End-User personal data only on the Customer’s documented instructions (given through the Services’ features and settings), unless required otherwise by law — in which case we will inform the Customer unless prohibited;
- ensure persons authorised to process the data are bound by confidentiality;
- implement appropriate technical and organisational measures (GDPR Article 32), including encryption in transit, DRM and watermarking, access controls, audit logging, and the retention/erasure automation described in the Privacy Policy;
- assist the Customer, taking into account the nature of processing, in responding to data-subject requests (access, erasure, portability, restriction) — including via the in-product data export and account-deletion tooling;
- notify the Customer without undue delay after becoming aware of a personal data breach affecting End-User data, and provide the information reasonably required for the Customer’s own notification obligations;
- delete or return End-User personal data at the end of the services (gallery retention timers, account deletion, or written request), save where law requires continued storage;
- make available information reasonably necessary to demonstrate compliance with Article 28, and allow for and contribute to audits conducted by the Customer or its mandated auditor, subject to reasonable notice and confidentiality.
4. Sub-processors
The Customer provides general authorisation for the sub-processors listed at /legal/subprocessors. We will update that page before engaging a new sub-processor and offer an email notification list; the Customer may object on reasonable data-protection grounds, in which case the parties will work in good faith on a resolution (up to termination of the affected Services). We remain liable for our sub-processors’ performance.
5. International transfers
Where processing involves transfers of EU/UK personal data to countries without an adequacy decision, the parties rely on the European Commission’s Standard Contractual Clauses (Module 2 or 3 as applicable, and the UK Addendum), which are incorporated by reference into this DPA, or on the safeguards our sub-processors provide under their own DPAs.
6. Liability and governing law
Liability under this DPA is subject to the limitations in the Terms of Service. This DPA is governed by the laws of New South Wales, Australia, except where the Standard Contractual Clauses require otherwise.
7. Execution
To execute this DPA, email support@guardedcontent.com.au from your account email with your legal entity name and address. The DPA takes effect when we confirm and countersign.