Data Processing Agreement

The standard DPA between ShotsDesk and studios that process client data through the platform.

Last updated · 14 May 2026

When you use ShotsDesk to handle data about your clients, you act as the data controller and ShotsDesk acts as the data processor. This DPA sets out the terms of that relationship and is incorporated into our Terms of Service. It is automatically in force when you use the service — no signature is required.

# Data Processing Agreement (DPA)

Between **ShotsDesk** ("Processor") and the customer ("Controller", the photography studio).
Effective on first use of the ShotsDesk service.

## 1. Subject matter
The Processor processes personal data on behalf of the Controller solely to provide
the ShotsDesk service (galleries, bookings, invoicing, lead capture, file storage,
email delivery).

## 2. Duration
This DPA applies for as long as the Controller uses the service and any retention
period thereafter required by law.

## 3. Nature and purpose
- Hosting studio data (clients, leads, projects, bookings, invoices, photographs).
- Sending transactional and notification emails.
- Generating downloadable assets (invoices, gallery zips).
- Authentication and access control.

## 4. Categories of data subjects
- The Controller's clients (private individuals).
- The Controller's leads (prospective clients).
- The Controller's team members.

## 5. Categories of personal data
Name, email, phone, postal address, photographs and metadata, payment status,
correspondence, custom fields supplied by the Controller.

## 6. Obligations of the Processor
1. Process only on documented instructions of the Controller (the in-app actions and
   these terms constitute such instructions).
2. Ensure persons authorized to process the data are bound by confidentiality.
3. Implement appropriate technical and organisational measures (encryption in
   transit and at rest, row-level security, access logging, least privilege).
4. Engage sub-processors only with prior general authorization (listed in the
   [Privacy Policy](/privacy)) and impose equivalent obligations on them.
5. Assist the Controller in responding to data-subject requests using the in-app
   export and deletion features.
6. Notify the Controller of a personal data breach without undue delay (and in any
   case within 72 hours) after becoming aware of it.
7. On termination, delete all personal data within 30 days unless retention is
   required by law (e.g. invoices).
8. Make available all information necessary to demonstrate compliance and allow for
   audits, on request and subject to reasonable confidentiality.

## 7. Sub-processors
- Lovable Cloud / Supabase (EU hosting)
- Stripe (payments)
- Resend / Lovable Emails (email delivery)
- Cloudflare (edge runtime, CDN)

The Processor will inform the Controller of changes to sub-processors with at least
30 days' notice. The Controller may object on reasonable grounds.

## 8. International transfers
Where data leaves the EEA, transfers are governed by EU Standard Contractual
Clauses (SCCs).

## 9. Liability
Liability under this DPA is subject to the limitations in the
[Terms of Service](/terms).

## 10. Governing law
This DPA is governed by the laws of the Netherlands.

---

Signed electronically by acceptance of the ShotsDesk Terms of Service.