Selfish Software Ltd. - Data Processing Agreement (DPA)

Last updated: July 18, 2025

This DPA is between Selfish Software Ltd. ("Processor") and the Event Host ("Controller") and is incorporated into the Selfish Terms of Service ("Principal Agreement").

1. SUBJECT-MATTER, NATURE, AND PURPOSE OF PROCESSING

  • Subject-Matter: Processor's provision of the Services to the Controller.
  • Nature and Purpose: To process images containing Personal Data uploaded by the Controller. This processing includes using facial recognition technology to create and store a secure index of biometric identifiers from said images and comparing them against Guest-provided selfies to provide personalized photo galleries, all as instructed by the Controller through their use of the Services.
  • Duration: For the term of the Principal Agreement, with data retention as specified therein.
  • Categories of Data Subjects: Individuals depicted in the User Content uploaded by the Controller.
  • Types of Personal Data: Images, and stored biometric identifiers derived from those images.

    • 2. PROCESSOR'S OBLIGATIONS

    Processor agrees to:

    a. Process Personal Data only on the documented instructions of the Controller.

    b. Ensure that persons authorized to process the Personal Data have committed themselves to confidentiality.

    c. Implement the technical and organizational security measures detailed in our Privacy Policy.

    d. Obtain the Controller's prior general written authorization for engaging sub-processors. The current authorized sub-processor is Amazon Web Services. Controller will be notified of any changes.

    e. Assist the Controller, by appropriate technical and organizational measures, in fulfilling the Controller's obligation to respond to requests for exercising Data Subject rights.

    f. Assist the Controller in ensuring compliance with security and data breach notification obligations under GDPR.

    g. At the choice of the Controller, delete or return all Personal Data after the end of the provision of services, and delete existing copies in line with the retention policy in the Principal Agreement.

    h. Make available to the Controller all information necessary to demonstrate compliance with Article 28 of the GDPR and allow for and contribute to audits conducted by the Controller or another auditor mandated by the Controller.

    3. CONTROLLER'S OBLIGATIONS

    Controller represents and warrants that:

    a. It has complied, and will continue to comply, with all applicable laws, including Data Protection Laws, in respect of its processing of Personal Data and any processing instructions it issues to the Processor.

    b. It has a valid legal basis (e.g., consent) for all processing activities related to the User Content it uploads to the Service. This explicitly includes having the lawful right to instruct the Processor to create, store, and utilize a biometric index from the User Content for the purpose of providing the Services. The Controller is solely responsible for obtaining all necessary consents and providing all required notices.

    This DPA is effective as of the date the Controller first uses the Service.

    Go back to the homepage