Data Processing Agreement
Contents
1. Parties & scope 2. Categories of data & data subjects 3. Processor obligations 4. Technical & organisational measures 5. Sub-processors (current list) 6. International transfers 7. Breach notification 8. Data subject rights assistance 9. Audit & inspection 10. Term & deletion on termination 11. Liability 12. ContactThis Data Processing Agreement ("DPA") supplements the Terms of Service between you (the "Customer", acting as data controller) and your disposable camera (the "Processor"). It sets out the terms on which we process personal data on your behalf, in compliance with Regulation (EU) 2016/679 ("GDPR") and the Irish Data Protection Act 2018.
This DPA applies automatically when you use our service to process personal data of guests at an event. If your organisation requires a counter-signed copy, contact hello@yourdisposable.com and we'll send one.
1. Parties & scope
The Customer is the data controller for all personal data processed in the service for their event.
The Processor is your disposable camera, trading from Ireland, processing personal data only on the Customer's documented instructions (which, for the avoidance of doubt, includes the Customer's use of the service).
2. Categories of data & data subjects
| Category | Type | Data subjects |
|---|---|---|
| Identification | Email address, optional name | Host (Customer's account holder) and opted-in guests |
| Authentication | Session tokens (Supabase) | Host |
| User-generated content | Photographs taken by guests at the event | Guests of the event and any subjects of those photographs |
| Technical metadata | IP address (logs, retained 30 days), browser user-agent, timestamps | All users of the service |
| Payment metadata | Stripe customer ID, payment amount, tier (no card data) | Customer (host) only |
We do not process special category data (Article 9 GDPR) as part of the contracted service. Photographs may incidentally contain identifiable individuals — the Customer is responsible for the lawful basis for such processing (see the Privacy Policy section on Children and Minors).
3. Processor obligations
We will:
- Process personal data only on the documented instructions of the Customer, including for transfers to a third country, except where required by Union or Irish law (in which case we will inform the Customer of that legal requirement before processing, unless prohibited from doing so).
- Ensure persons authorised to process the personal data have committed themselves to confidentiality.
- Implement appropriate technical and organisational measures (see section 4) to ensure a level of security appropriate to the risk.
- Assist the Customer in fulfilling its obligations to data subjects (see section 8).
- Make available all information necessary to demonstrate compliance with Article 28 GDPR, and allow for and contribute to audits (see section 9).
4. Technical & organisational measures
Specific measures in place at all times:
- Encryption in transit: TLS 1.2+ on all endpoints, HSTS enabled on the public domain.
- Encryption at rest: AES-256 on the database and storage layer (Supabase / AWS infrastructure).
- Access control: Database access restricted to the service-role key, held only in server-side Edge Function environment variables. Row-Level Security (RLS) policies enforced on every table containing personal data — anonymous clients cannot read or modify other users' data.
- Authentication: Magic-link only (no passwords), 1-time use, 15-minute expiry.
- Network segregation: All infrastructure runs in EU regions (Ireland, eu-west-1). No data routed via US infrastructure.
- Backup: Daily encrypted backups, retained 7 days, restored within RPO of 24 hours.
- Logging: Access logs retained 30 days. Sensitive operations (deletes, RLS changes) audit-logged.
- Vulnerability management: Dependency updates applied within 30 days of CVE publication; critical CVEs within 7.
5. Sub-processors (current list)
The Customer authorises engagement of the sub-processors below. We will inform the Customer of any intended changes to this list, giving the Customer the opportunity to object.
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase Inc. | Hosted Postgres, authentication, file storage, Edge Functions | Ireland (eu-west-1, AWS) |
| Stripe Payments Europe Ltd | Payment processing | Ireland (EU primary) |
| Resend.com (Drift Software Inc.) | Transactional email delivery (reveal notifications, receipts) | US, with EU sub-processor routing |
| Netlify Inc. | Static asset hosting (marketing site only — no personal data) | US (CDN); does not process personal data on our behalf |
| Cloudflare Inc. | DNS resolution (via Netlify); does not see personal data payloads | Global CDN edge |
The full sub-processor list, including contact details and the lawful transfer mechanism for each (SCCs, adequacy decision, or other), is available on request to hello@yourdisposable.com.
6. International transfers
Our preferred posture is EU-only processing. Where a sub-processor (e.g. Resend) routes data outside the EEA, we rely on the European Commission's Standard Contractual Clauses (2021) as the lawful transfer mechanism. We do not transfer personal data to countries lacking an adequacy decision without SCCs in place.
7. Breach notification
In the event of a personal data breach affecting Customer data, we will:
- Notify the Customer without undue delay after becoming aware, and in any event within 48 hours.
- Provide details of the nature of the breach, categories and approximate numbers of data subjects and records affected, likely consequences, and measures taken or proposed.
- Assist the Customer (acting as controller) in meeting its own Article 33 notification obligations to the Irish Data Protection Commission within 72 hours.
8. Data subject rights assistance
We assist the Customer in responding to data subject requests under Articles 12–22 GDPR by:
- Providing tooling to export all data associated with a Customer film (Article 20 portability).
- Providing tooling to permanently delete a film and all associated data (Article 17 erasure), with cascading delete of photos in storage within 30 days including from backups.
- Operating a public takedown form at yourdisposable.com/takedown for individuals appearing in photos to request removal directly — we will action these without requiring controller authorisation.
- Responding to requests routed via the Customer within 30 calendar days.
9. Audit & inspection
We make available all information necessary to demonstrate compliance with Article 28 GDPR. For Customer audits, our preferred approach is a remote desk audit on reasonable notice (≥30 days), with the Customer covering our reasonable costs of preparation. We will respond to vendor security questionnaires within 15 working days.
10. Term & deletion on termination
This DPA applies for the duration of the service. On termination:
- The Customer may export all data via the in-app download tools for 30 days after termination.
- After 30 days we permanently delete all personal data, including from backups within a further 7 days.
- Audit logs and minimal billing records may be retained for the period required by Irish accounting law (currently 6 years).
11. Liability
Liability under this DPA is governed by the limitation of liability clause in the Terms of Service. Nothing in the DPA limits liability where prohibited by GDPR.
12. Contact
For DPA queries, sub-processor change notifications, or any other data-processing matter, contact:
your disposable camera
Data Protection Contact
hello@yourdisposable.com
For supervisory authority enquiries, our lead authority is the Irish Data Protection Commission (DPC), 21 Fitzwilliam Square, Dublin 2.
This document is a standard form DPA suitable for most use cases. We welcome bespoke clauses for enterprise customers — email us.