Data Processing Agreement

This Data Processing Agreement outlines how HeadshotPro processes personal data on behalf of its customers.


Last Updated: February 27, 2026

This Data Processing Agreement ("DPA") is between Headshot Pro Photography Pte. Ltd., 7 TEMASEK BOULEVARD, #12-07, SUNTEC TOWER ONE, SINGAPORE 038987 ("HeadshotPro," "Processor," "we," "us," or "our") and the customer who has entered into a Master Service Agreement, Order Form, or Terms of Service with HeadshotPro ("Customer," "Controller," or "you").

This DPA forms part of and is incorporated by reference into the agreement between the Parties governing Customer's use of the Service (the "MSA"). It applies to the extent that HeadshotPro processes Personal Data on behalf of Customer in the course of providing the Service.

Acceptance. By executing an MSA or Order Form that references this DPA, or by using the Service after this DPA has been published, Customer agrees to be bound by the terms of this DPA. Customers who wish to enter into a separately executed copy of this DPA may contact legal@headshotpro.com.


1. Definitions

Capitalised terms not defined herein have the meanings given in the MSA. In this DPA:

"Applicable Data Protection Law" means all laws and regulations relating to the processing of Personal Data that apply to the processing described in this DPA, including (where applicable) Regulation (EU) 2016/679 (the "GDPR"), the UK GDPR, the Swiss Federal Act on Data Protection, and any national implementing legislation.

"Controller" means the entity that determines the purposes and means of the processing of Personal Data.

"Data Subject" means an identified or identifiable natural person to whom Personal Data relates.

"Personal Data" means any information relating to a Data Subject that is processed by HeadshotPro on behalf of Customer in connection with the Service.

"Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.

"Processing" (and its cognates "Process," "Processed") means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure or destruction.

"Processor" means the entity that processes Personal Data on behalf of the Controller.

"Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to processors established in third countries, as set out in the Annex to Commission Implementing Decision (EU) 2021/914 of 4 June 2021, Module Two (Controller to Processor).

"Sub-processor" means any third party engaged by HeadshotPro to process Personal Data on behalf of Customer.

"Supervisory Authority" means an independent public authority established by an EU/EEA Member State pursuant to the GDPR.

"Technical and Organisational Measures" or "TOMs" means the technical and organisational security measures described in Annex II.


2. Scope, Roles and Processing Details

2.1. Roles. Customer is the Controller and HeadshotPro is the Processor with respect to the Personal Data processed under this DPA.

2.2. Scope. This DPA applies to the processing of Personal Data by HeadshotPro on behalf of Customer as described in Annex I and as necessary to provide the Service under the MSA.

2.3. Duration. This DPA shall remain in effect for the duration of the MSA and shall automatically terminate upon termination or expiry of the MSA, subject to Section 11 (Data Deletion/Return).

2.4. Processing Details. The subject matter, nature, purpose, duration, categories of Data Subjects, and types of Personal Data processed are set out in Annex I.


3. Processor Obligations

HeadshotPro shall:

3.1. Documented Instructions. Process Personal Data only on documented instructions from Customer (including as set out in the MSA and this DPA), unless required to do so by applicable law to which HeadshotPro is subject. In such a case, HeadshotPro shall inform Customer of that legal requirement before processing, unless that law prohibits such notification on important grounds of public interest.

3.2. Purpose Limitation. Process Personal Data solely for the purpose of providing the Service as described in the MSA and this DPA, and not for any other purpose including HeadshotPro's own purposes.

3.3. Prohibition on Marketing, Advertising and Profiling. HeadshotPro shall not use Personal Data for marketing, advertising, profiling, or any form of behavioural analysis, unless Customer has specifically requested and provided prior written consent for such processing. Any such consent may be withdrawn by Customer at any time, upon which HeadshotPro shall immediately cease the relevant processing.

3.4. Confidentiality. Ensure that persons authorised to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

3.5. Security. Implement and maintain the Technical and Organisational Measures described in Annex II to ensure a level of security appropriate to the risk, including as appropriate:

  • (a) the pseudonymisation and encryption of Personal Data;
  • (b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
  • (c) the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident;
  • (d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

3.6. Sub-processors. Comply with the conditions set out in Section 5 before engaging any Sub-processor.

3.7. Data Subject Rights. Taking into account the nature of the processing, assist Customer by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of Customer's obligations to respond to requests for exercising Data Subjects' rights under Applicable Data Protection Law (including rights of access, rectification, erasure, restriction, portability and objection).

3.8. Assistance with Compliance. Assist Customer in ensuring compliance with its obligations under Articles 32 to 36 of the GDPR (security of processing, notification of breaches, data protection impact assessments, and prior consultation), taking into account the nature of processing and the information available to HeadshotPro.

3.9. Deletion or Return. Upon termination or expiry of the MSA, at Customer's election, delete or return all Personal Data to Customer in accordance with Section 11, unless applicable law requires storage of the Personal Data.

3.10. Audit. Make available to Customer all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, in accordance with Section 10.

3.11. Notification of Conflicting Instructions. Immediately inform Customer if, in HeadshotPro's opinion, an instruction from Customer infringes Applicable Data Protection Law.

3.12. Records of Processing Activities. Maintain records of processing activities carried out on behalf of Customer in accordance with Article 30(2) of the GDPR, including the categories of processing performed, any transfers to third countries, and a general description of the Technical and Organisational Measures. Such records are maintained as part of HeadshotPro's SOC 2 Type II programme and shall be made available to the competent Supervisory Authority upon request.


4. Customer Obligations

4.1. Customer shall comply with its obligations as Controller under Applicable Data Protection Law, including ensuring that it has a lawful basis for the processing of Personal Data and that it provides appropriate notice to Data Subjects.

4.2. Customer shall ensure that its instructions to HeadshotPro comply with Applicable Data Protection Law.

4.3. Customer is responsible for the accuracy, quality and lawful provision of Personal Data submitted to the Service and for ensuring it has the right to transfer such data to HeadshotPro for processing.


5. Sub-processors

5.1. General Authorisation. Customer provides a general written authorisation to HeadshotPro to engage Sub-processors to process Personal Data on Customer's behalf. The current list of Sub-processors is available at https://www.headshotpro.com/legal/sub-processors.

5.2. Notification of Changes. HeadshotPro shall notify Customer of any intended additions or replacements of Sub-processors at least thirty (30) days before engaging the new or replacement Sub-processor by sending an email to the address associated with Customer's account. The Sub-processor list at https://www.headshotpro.com/legal/sub-processors will also be updated accordingly.

5.3. Right to Object. If Customer reasonably objects in writing within thirty (30) days after receiving the notification described in Section 5.2 on documented privacy or security grounds, the Parties will confer in good faith to resolve the objection. If the objection is not resolved within thirty (30) days, Customer may terminate the affected Service upon written notice and receive a pro-rata refund of prepaid, unused fees for the terminated portion, as set forth in the MSA.

5.4. Sub-processor Agreements. HeadshotPro shall enter into a written agreement with each Sub-processor imposing data protection obligations no less protective than those set out in this DPA. HeadshotPro shall remain fully liable to Customer for the performance of each Sub-processor's obligations.

5.5. Emergency Changes. HeadshotPro may engage a new Sub-processor without prior notice only where strictly necessary to address an active security incident or to comply with a binding legal obligation. In such cases, HeadshotPro shall notify Customer within five (5) business days and Customer shall retain the right to object in accordance with Section 5.3.


6. International Data Transfers

6.1. Transfer Mechanism. To the extent that the processing of Personal Data involves a transfer of Personal Data from the European Economic Area ("EEA"), the United Kingdom or Switzerland to a country that has not been recognised as providing an adequate level of data protection, the Parties agree that such transfer shall be subject to the Standard Contractual Clauses as set out in Section 6.2.

6.2. Incorporation of SCCs. The Parties hereby incorporate by reference the Standard Contractual Clauses (Module Two: Controller to Processor) set out in the Annex to Commission Implementing Decision (EU) 2021/914 of 4 June 2021 (the official text is available at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj). The SCCs shall apply as follows:

  • (a) In Clause 7, the optional docking clause is included;
  • (b) In Clause 9(a), Option 2 (General written authorisation) applies; the time period for prior notice of Sub-processor changes shall be as set out in Section 5.2 of this DPA;
  • (c) In Clause 11, the optional language is not included;
  • (d) In Clause 13, the competent supervisory authority shall be the Data Protection Commission of Ireland (or such other supervisory authority as is competent under the GDPR with respect to Customer);
  • (e) In Clause 17, Option 1 applies and the SCCs shall be governed by the laws of Ireland;
  • (f) In Clause 18(b), disputes shall be resolved before the courts of Ireland;
  • (g) Annexes I, II and III of the SCCs shall be deemed completed with the information set out in the corresponding Annexes of this DPA.

6.3. UK Transfers. For transfers of Personal Data subject to the UK GDPR, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (Version B1.0, as issued by the UK Information Commissioner under Section 119A(1) of the Data Protection Act 2018) ("UK Addendum") shall apply, completed as follows:

  • (a) Table 1 shall be completed with the relevant information in Annex I of this DPA;
  • (b) Table 2 shall reference the EU SCCs as set out in Section 6.2, Module Two (Controller to Processor);
  • (c) Table 3 shall be completed with the information in Annexes I, II and III of this DPA;
  • (d) In Table 4, neither Party may end the UK Addendum in accordance with Section 19 of the Mandatory Clauses; the Importer's country is Singapore; the competent supervisory authority is the UK Information Commissioner's Office (ICO).

In the event of a conflict between the UK Addendum and the SCCs, the UK Addendum shall prevail.

6.4. Swiss Transfers. For transfers subject to the Swiss Federal Act on Data Protection ("FADP"), the SCCs shall apply with the following modifications:

  • (a) references to "Regulation (EU) 2016/679" and the "GDPR" shall be read as references to the FADP;
  • (b) references to "EU," "Union" and "Member State" shall not be interpreted to exclude Data Subjects in Switzerland from exercising their rights;
  • (c) the competent supervisory authority under Clause 13 shall be the Swiss Federal Data Protection and Information Commissioner ("FDPIC");
  • (d) the SCCs shall be governed by the laws of Switzerland; and
  • (e) disputes shall be resolved before the courts of Switzerland.

6.5. Transfer Impact Assessment. HeadshotPro shall, upon Customer's reasonable request, provide information regarding the laws and practices in the country of destination relevant to the transfer, to assist Customer in conducting a transfer impact assessment.

6.6. Government and Law Enforcement Access Requests. HeadshotPro shall:

  • (a) promptly notify Customer if it receives a request from any government authority or law enforcement agency for access to or disclosure of Customer's Personal Data, unless such notification is prohibited by applicable law;
  • (b) where notification is legally prohibited, use reasonable efforts to obtain a waiver of the prohibition and, to the extent permissible, provide Customer with as much information as possible about the request;
  • (c) review the legality of each such request and challenge any request that it reasonably considers to be unlawful, overly broad, or otherwise disproportionate, including by seeking interim measures to suspend the effects of the request pending judicial review;
  • (d) disclose only the minimum amount of Personal Data necessary to comply with any request that is determined to be legally binding;
  • (e) not provide government authorities or law enforcement agencies with direct, bulk, or indiscriminate access to Personal Data; and
  • (f) document all government and law enforcement requests received and make a summary of such requests available to Customer on an annual basis, to the extent permitted by law.

7. Data Subject Rights

7.1. HeadshotPro shall promptly notify Customer if it receives a request from a Data Subject to exercise their rights under Applicable Data Protection Law, and shall not respond to such request without Customer's prior written instructions unless required by applicable law.

7.2. HeadshotPro shall provide reasonable assistance to Customer in responding to Data Subject requests, taking into account the nature of the processing. Such assistance may include providing relevant data extracts, facilitating erasure or rectification requests, and supporting access requests.

7.3. To the extent that Customer is unable to independently address a Data Subject request through the Service, HeadshotPro shall, upon Customer's written request, provide reasonable cooperation. Customer shall reimburse HeadshotPro for reasonable costs incurred in providing such assistance beyond what is available through the Service's standard functionality.


8. Personal Data Breach Notification

8.1. Notification. HeadshotPro shall notify Customer without undue delay and in any event within forty-eight (48) hours after becoming aware of a Personal Data Breach affecting Customer's Personal Data, so as to enable Customer to fulfil its own notification obligations under Article 33 of the GDPR.

8.2. Content of Notification. Such notification shall include, to the extent then known:

  • (a) a description of the nature of the Personal Data Breach, including the categories and approximate number of Data Subjects and Personal Data records concerned;
  • (b) the name and contact details of HeadshotPro's point of contact from whom more information can be obtained;
  • (c) a description of the likely consequences of the Personal Data Breach;
  • (d) a description of the measures taken or proposed to be taken to address the Personal Data Breach, including measures to mitigate its possible adverse effects.

8.3. Cooperation. HeadshotPro shall provide reasonable cooperation and updates as information becomes available, and shall take reasonable steps to contain and remediate the Personal Data Breach.

8.4. Record-Keeping. HeadshotPro shall maintain a record of all Personal Data Breaches, including the facts relating to each breach, its effects and the remedial action taken.


9. Data Protection Impact Assessments

9.1. HeadshotPro shall provide reasonable assistance to Customer in conducting data protection impact assessments and prior consultations with Supervisory Authorities, where required under Applicable Data Protection Law, taking into account the nature of the processing and the information available to HeadshotPro.


10. Audit Rights

10.1. Right to Audit. Customer may, no more than once per twelve (12) month period (unless a Personal Data Breach has occurred or a Supervisory Authority requires an additional audit), audit HeadshotPro's compliance with this DPA.

10.2. Audit Process. Customer shall provide at least thirty (30) days' prior written notice of any audit. Audits shall be conducted during normal business hours and shall not unreasonably interfere with HeadshotPro's operations. Customer shall comply with HeadshotPro's reasonable security and confidentiality requirements.

10.3. Third-Party Reports. HeadshotPro may satisfy audit requests by providing Customer with copies of relevant third-party audit reports or certifications (including SOC 2 Type II reports). If such reports do not reasonably address Customer's audit concerns, Customer may conduct a further audit as described above.

10.4. Cost Allocation. Customer shall bear its own costs associated with any audit. If an audit reveals a material breach of this DPA by HeadshotPro, HeadshotPro shall bear its own costs of remediation.

10.5. Confidentiality. Audit findings and any reports or certifications provided by HeadshotPro shall be treated as HeadshotPro's Confidential Information under the MSA.


11. Term, Termination, and Data Deletion/Return

11.1. Term. This DPA shall commence on the effective date of the MSA and shall remain in force for as long as HeadshotPro processes Personal Data on behalf of Customer.

11.2. Effect of Termination. Upon termination or expiry of the MSA:

  • (a) HeadshotPro shall, at Customer's written election within thirty (30) days of termination, either return all Personal Data to Customer in a commonly used, machine-readable format or securely delete all Personal Data;
  • (b) If Customer does not make an election within thirty (30) days, HeadshotPro shall securely delete all Personal Data;
  • (c) Input photos are automatically deleted thirty (30) days after gallery generation by default, as set forth in the MSA;
  • (d) HeadshotPro shall confirm deletion in writing upon Customer's request.

11.3. Retention Exceptions. HeadshotPro may retain Personal Data to the extent required by applicable law, provided that HeadshotPro shall maintain the confidentiality of such data and shall process it only for the purpose required by law.


12. Liability

12.1. Each Party's liability under this DPA shall be subject to the limitations and exclusions of liability set out in the MSA.

12.2. For the avoidance of doubt, the aggregate liability of each Party under and in connection with this DPA (including the SCCs) shall be subject to the aggregate liability cap set out in the MSA.

12.3. Nothing in this DPA limits either Party's liability for claims by Data Subjects or Supervisory Authorities to the extent such limitation would be prohibited by Applicable Data Protection Law.


13. General Provisions

13.1. Governing Law. This DPA shall be governed by the laws of the Republic of Singapore, consistent with the MSA. The SCCs shall be governed as specified in Section 6.2(e).

13.2. Order of Precedence. In the event of a conflict between this DPA and the MSA, this DPA shall prevail with respect to data protection matters. In the event of a conflict between this DPA and the SCCs, the SCCs shall prevail.

13.3. Severability. If any provision of this DPA is found to be invalid or unenforceable, the remaining provisions shall remain in full force and effect.

13.4. Amendments.

  • (a) Non-material changes. HeadshotPro may update this DPA to reflect changes that do not materially reduce Customer's rights or HeadshotPro's obligations, such as: updates to reflect changes in applicable law or regulatory guidance, updates to Sub-processor details, corrections of typographical errors, or updates to contact information. Such changes will be communicated by email to Customer at least thirty (30) days before taking effect. If Customer reasonably considers that a change is material, Customer may object in writing within the thirty (30) day notice period, in which case the Parties shall confer in good faith to resolve the objection.
  • (b) Material changes. Changes that materially reduce Customer's data protection rights or HeadshotPro's obligations require Customer's affirmative consent. HeadshotPro shall notify Customer by email of any proposed material change at least sixty (60) days before the intended effective date. If Customer does not consent, Customer may terminate the affected Service upon written notice within that sixty (60) day period and receive a pro-rata refund of prepaid, unused fees.
  • (c) Individually executed DPAs. For individually executed DPAs, all amendments require written agreement of both Parties.

13.5. Entire Agreement. This DPA, together with the MSA and the SCCs, constitutes the entire agreement between the Parties with respect to data processing matters and supersedes all prior agreements on the subject.

13.6. Individually Executed DPAs. Where Customer and HeadshotPro have entered into a separately executed copy of this DPA, the executed version shall take precedence over this published version in the event of any conflict.

13.7. EU Representative. HeadshotPro is established outside the European Union and processes Personal Data of Data Subjects who are in the EU. In accordance with Article 27 of the GDPR, HeadshotPro has appointed the following entity as its representative in the European Union:

  • Name: iuro Rechtsanwälte GmbH t/a Prighter
  • Address: Schellinggasse 3, 1010 Vienna, Austria
  • Contact: support@prighter.com

The EU Representative may be contacted by Data Subjects and Supervisory Authorities on all issues related to the processing of Personal Data under the GDPR.


ANNEX I: DETAILS OF PROCESSING

A. List of Parties

Data Exporter (Controller):

  • Name: The Customer as identified in the applicable MSA or Order Form
  • Address: As set out in the applicable MSA or Order Form
  • Contact person: As set out in the applicable MSA or Order Form
  • Activities relevant to the data transferred: Use of HeadshotPro's AI headshot generation service for generating professional headshots of Data Exporter's personnel
  • Role: Controller

Data Importer (Processor):

  • Name: Headshot Pro Photography Pte. Ltd.
  • Address: 7 TEMASEK BOULEVARD, #12-07, SUNTEC TOWER ONE, SINGAPORE 038987
  • Contact person: Danny Postma, CEO, legal@headshotpro.com
  • Activities relevant to the data transferred: Provision of AI headshot generation services, including processing of uploaded photographs and generating AI-generated headshots
  • Role: Processor

EU Representative of the Data Importer (Article 27 GDPR):

  • Name: iuro Rechtsanwälte GmbH t/a Prighter
  • Address: Schellinggasse 3, 1010 Vienna, Austria
  • Contact: support@prighter.com

B. Description of Processing

Subject matter of processing: Processing of Personal Data as necessary to provide AI headshot generation services under the MSA.

Duration of processing: For the term of the MSA, plus the period until all Personal Data has been deleted or returned in accordance with Section 11 of this DPA.

Nature of processing: Collection, storage, organisation, use, AI-based image generation, transmission, and deletion of Personal Data. Specifically: receiving uploaded photographs from Customer, processing those photographs through AI models to generate professional headshots, storing generated outputs, and delivering results to Customer.

Purpose of processing: To provide, maintain, secure and support the AI headshot generation Service as described in the MSA.

Categories of Data Subjects:

  • Employees, contractors and agents of Customer whose photographs are uploaded
  • Other individuals designated by Customer for headshot generation

Categories of Personal Data:

  • Facial photographs (biometric-adjacent data)
  • Names and email addresses (used for account management, delivery of results, and authentication)
  • Payment-related metadata (processed by Stripe; HeadshotPro does not store full payment card data)
  • IP addresses and device identifiers (collected incidentally via web platform access)
  • AI-generated headshot images (derived from uploaded photographs)

Sensitive data (if any): HeadshotPro processes photographs solely for the purpose of generating AI headshots. Photographs are not processed for the purpose of uniquely identifying a natural person and therefore do not constitute biometric data within the meaning of Article 9(1) GDPR.

Frequency of processing: On a continuous basis during the term of the MSA, as initiated by Customer through use of the Service.

Retention period: As set out in HeadshotPro's Data Management and Retention Policy at https://www.headshotpro.com/legal/data-management-retention. Key defaults: input photographs are automatically deleted thirty (30) days after gallery generation; AI-generated headshots are retained for the duration of the MSA and exportable by Customer within thirty (30) days of termination.

C. Competent Supervisory Authority

The competent supervisory authority shall be the Data Protection Commission of Ireland, or such other supervisory authority as is competent under the GDPR with respect to the Data Exporter.


ANNEX II: TECHNICAL AND ORGANISATIONAL MEASURES

HeadshotPro's complete technical and organisational security measures are described in HeadshotPro's Security Policy at https://www.headshotpro.com/legal/security-policy. These measures are maintained and updated in accordance with HeadshotPro's SOC 2 Type II programme and internal policies.

In accordance with Article 32(1) of the GDPR, HeadshotPro implements the following measures as appropriate to the risk:

(a) Pseudonymisation and encryption of Personal Data: All data is encrypted in transit using TLS/SSL with 256-bit encryption (100% HTTPS) and at rest using AES-256 encryption. Backups are encrypted in transit and at rest.

(b) Ongoing confidentiality, integrity, availability and resilience of processing systems and services: Cloud-based infrastructure hosted by Google Cloud Storage, Render and Vercel. Multi-factor authentication enforced for production infrastructure and systems that store or process Personal Data. Role-based access control with least-privilege principles. All personnel authorised to process Personal Data are bound by confidentiality obligations and undergo annual security training.

(c) Ability to restore availability and access to Personal Data in a timely manner in the event of a physical or technical incident: Automated hourly backups with point-in-time recovery. Recovery objectives: RTO of two (2) hours, RPO of one (1) hour. Backup restoration tested at least quarterly.

(d) Process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures: Regular penetration testing by qualified third parties. Continuous vulnerability scanning. Structured incident response framework with mandatory post-incident reviews. SOC 2 Type II programme for relevant processes.


ANNEX III: LIST OF SUB-PROCESSORS

An up-to-date list of Sub-processors, including entity names, purposes, data access tiers, and entity countries, is maintained at: https://www.headshotpro.com/legal/sub-processors.

Customer may subscribe to notifications of changes to the Sub-processor list by emailing legal@headshotpro.com.

