Data Processing Agreement

Standard Contractual Clauses between Controllers and Processors

Effective January 1, 2026

Overview

This Data Processing Agreement ("DPA") forms part of and is incorporated into the Lumasoft LLC Terms of Service / End User License Agreement (the "Agreement") between Lumasoft LLC ("Processor") and the customer ("Controller"). This DPA is effective as of the date the Controller first accesses or uses Lumasoft services.

This DPA sets out the terms under which personal data is processed by the Processor on behalf of the Controller pursuant to Article 28(3) and (4) of Regulation (EU) 2016/679 ("GDPR"), using the standard contractual clauses between controllers and processors adopted by the European Commission under Commission Implementing Decision (EU) 2021/915 of 4 June 2021 (the "Clauses").

The main body of the Clauses (Sections I–III) is incorporated by reference and is not reproduced here. The parties confirm they have read and agree to all provisions contained therein. The complete Annexes (I–IV) and supplementary terms are set out below.

By using Lumasoft services (dslrBooth, LumaBooth, LumaShare, fotoShare Cloud, or any related product) (the "Services"), the Controller accepts this DPA without the need for a separate signature. No separate signature is required from either party.
Order of precedence. If there is any conflict between (i) the Clauses, (ii) this DPA (including its Annexes), and (iii) the Agreement, the order of precedence is: (i) Clauses, then (ii) DPA, then (iii) Agreement. Nothing in this DPA limits or conflicts with any mandatory rights or obligations under the Clauses or applicable data protection law.

The Clauses are available from the European Commission and may be reviewed on request. Where required, the Clauses will be provided in a copy consistent with Commission Implementing Decision (EU) 2021/915.

Clause Selections & Supplementary Terms

Clause 1 — Purpose and scope

Option 1 selected — Article 28(3) and (4) of Regulation (EU) 2016/679 (GDPR). Option 2 (Regulation (EU) 2018/1725) is not applicable and is deselected.

Clause 5 — Docking clause

Not adopted.

Supplementary term — Processing instructions and scope
  1. Documented instructions. The Controller instructs the Processor to process Personal Data only as necessary to provide the Services and as further documented by: (a) the Agreement; (b) the Controller’s configuration and use of the Services (including privacy/retention settings); and (c) any additional written instructions agreed by the parties (including support tickets or emails).
  2. Out-of-scope instructions. The Processor is not required to comply with instructions that fall outside the scope of the Services, require custom development, or impose disproportionate technical or organizational burden, unless the parties agree separately in writing (including fees and timelines, if applicable).
  3. Unlawful instructions. If the Processor believes the Controller’s instruction infringes applicable law, the Processor will inform the Controller (unless prohibited by law). The Processor may suspend performance of the relevant instruction and/or processing to the extent necessary to avoid non-compliance, until the Controller modifies the instruction or confirms a lawful basis.
  4. No legal advice / legal basis. The Controller is solely responsible for establishing a lawful basis for processing and for determining whether consent, notices/signage, and any DPIA obligations apply. The Processor does not provide legal advice and does not monitor the Controller’s compliance with its own obligations.
  5. No limitation of Clauses. Nothing in this section limits the Processor’s mandatory obligations under the Clauses or applicable data protection law, including the Processor’s assistance and information obligations where required.
Clause 7.7(a) — Sub-processors

Option 2 selected — General Written Authorisation.

  1. Notice method. The Processor shall inform the Controller of any intended changes to the sub-processor list (addition or replacement) by (a) email to the contact address in the Controller’s account and/or (b) updating the published list at the URL referenced in Annex IV.
  2. Advance notice. Where practicable, notice will be provided at least 10 days in advance. If the Controller does not object in writing within 10 days of receiving notice, the change shall be deemed accepted.
  3. Urgent changes. The Processor may engage or replace a sub-processor immediately where necessary to (a) protect security, (b) address an incident, or (c) maintain service availability, with notice provided as soon as reasonably practicable thereafter.
  4. Objection and remedy. Objections must be based on reasonable data protection grounds and stated in writing. If the parties cannot resolve the objection within a reasonable period, the Controller may terminate the affected service(s) (or, if not separable, the Agreement) by written notice, without penalty for prepaid unused fees for the terminated period.
Clause 7.6(c)–(d) — Audits

The following supplementary terms apply to audits and inspections under these Clauses:

  1. Audits shall be limited to a maximum of once per calendar year.
  2. The Controller shall provide at least 30 days' prior written notice of any audit request, specifying the scope and purpose of the audit.
  3. Audits shall be conducted during normal business hours and shall not unreasonably disrupt the Processor's operations.
  4. All costs and expenses of any audit, including the Processor's reasonable internal costs for cooperation and preparation, shall be borne exclusively by the Controller.
  5. The Controller shall use an independent third-party auditor bound by written confidentiality obligations acceptable to the Processor. The Processor may object in writing to an auditor if the auditor is, in the Processor's reasonable opinion, not suitably qualified, not independent, or is a competitor of the Processor.
  6. The Processor may satisfy audit requests by providing: (a) current third-party audit reports, certifications, or compliance attestations; (b) detailed written responses to the Controller's written questions regarding data processing and security practices; or (c) summary reports of internal security reviews. Such documentation shall be accepted by the Controller in lieu of on-site audits, provided it is reasonably sufficient to demonstrate compliance.
  7. No intrusive testing. No penetration testing, source code review, vulnerability scanning, automated traffic generation, or similar intrusive testing of the Processor’s systems is permitted without the Processor’s prior written consent.
  8. All information disclosed during any audit (including reports and findings) is confidential information of the Processor and shall not be disclosed to any third party without the Processor's prior written consent, except as required by applicable law or a competent supervisory authority.
  9. The scope of any audit shall be limited to the processing activities and personal data covered by these Clauses and shall not extend to the Processor's proprietary systems, source code, trade secrets, or other confidential business information unrelated to the Controller's personal data.
Supplementary term — Liability
  1. To the maximum extent permitted by applicable law, and without prejudice to any liability that cannot be limited under the Clauses or mandatory data protection law, the Processor's total aggregate liability arising out of or in connection with these Clauses and this DPA, whether in contract, tort, or otherwise, shall not exceed the total fees actually paid by the Controller to the Processor in the 12-month period immediately preceding the event giving rise to the claim.
  2. The Processor shall not be liable for any indirect, incidental, special, consequential, or punitive damages, including but not limited to loss of profits, revenue, data (other than personal data), business opportunities, or goodwill, even if advised of the possibility of such damages.
  3. The Processor shall not be liable for any losses, damages, or claims arising from: (a) the Controller's failure to comply with its obligations under the GDPR, the Clauses, or this DPA; (b) the Controller's instructions to the Processor that the Processor has complied with in good faith; (c) any data processing performed on the Controller's own devices or systems outside the Processor's cloud infrastructure; or (d) actions or omissions of the Controller's guests, event attendees, venue staff, contractors, or other data subjects.
  4. The Controller shall indemnify and hold harmless the Processor from and against any claims, damages, losses, costs, and expenses (including reasonable legal fees) arising from or related to: (a) the Controller's breach of these Clauses, this DPA, or applicable data protection law; (b) the Controller's failure to obtain necessary consents or legal bases for processing; (c) the Controller's instructions that infringe applicable data protection law; or (d) any claim by a data subject or supervisory authority to the extent caused by the Controller's acts or omissions.
Supplementary term — Data subject requests
  1. The Processor shall promptly notify the Controller of any data subject request received relating to Personal Data processed under this DPA. The Processor shall not respond to any such request directly unless expressly authorized by the Controller or required by applicable law.
  2. The Controller shall be solely responsible for responding to data subject requests. The Processor shall provide reasonable assistance at the Controller's cost if such assistance requires effort beyond the Processor's standard self-service tools.
Supplementary term — International transfers (EEA/UK/Switzerland)
  1. EEA transfers. Where Personal Data originating from the EEA is transferred outside the EEA, the Processor will ensure that such transfer is subject to appropriate safeguards under Chapter V GDPR (e.g., an adequacy decision where applicable, or the EU standard contractual clauses for international transfers adopted under Commission Implementing Decision (EU) 2021/914 of 4 June 2021, together with supplementary measures as appropriate).
  2. UK transfers (Addendum). Where the UK GDPR applies and UK-originating Personal Data is transferred outside the UK in a manner that is a “restricted transfer”, the parties agree that the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner (the “UK Addendum”) is incorporated by reference and forms part of this DPA for that restricted transfer.
    Deemed Addendum selections (to the extent required):
    • Parties. Exporter/Importer details are as set out in Annex I (Controller as exporter; Processor as importer), as updated in the Controller’s account records.
    • Effective date. The effective date is the effective date of this DPA (date of first access/use of the Services by the Controller).
    • Appendix information. The Appendix/Annex information is as set out in Annex II–IV of this DPA.
    • Governing law/jurisdiction. For UK restricted transfers only, the governing law and jurisdiction for the UK Addendum (and any UK-specific mandatory provisions) will be the law and courts required by the UK Addendum to make the transfer lawful, and otherwise this DPA remains governed as stated below.
  3. Swiss transfers. Where Swiss law applies and Swiss-originating Personal Data is transferred outside Switzerland in a manner requiring safeguards, the parties agree that the Clauses are deemed amended as necessary to comply with applicable Swiss data protection law, including: (i) references to the GDPR are interpreted to include the Swiss Federal Act on Data Protection (as applicable); and (ii) where required, the Swiss Federal Data Protection and Information Commissioner (FDPIC) is recognized as the competent authority for Swiss transfers.
  4. Priority. To the extent the UK Addendum or Swiss mandatory amendments apply, they apply only to the relevant transfer and only to the minimum extent required by applicable law. Otherwise, the Clauses and this DPA remain unchanged.
Supplementary term — Government / law-enforcement requests
  1. Notice. If the Processor receives a legally binding request from a public authority (including law enforcement) for Personal Data processed under this DPA, the Processor will, to the extent permitted by applicable law, notify the Controller without undue delay. If the Processor is legally prohibited from notifying the Controller, the Processor will use reasonable efforts to seek permission to do so where appropriate.
  2. Minimization. The Processor will, to the extent permitted by law, disclose only the minimum amount of Personal Data required to comply with the request and will limit disclosure to the extent reasonably necessary.
  3. Challenge. Where permitted by law and reasonably appropriate, the Processor may challenge requests it reasonably believes are unlawful or overbroad. The Processor has no obligation to challenge any request, and will not be required to do so if it determines (acting reasonably) that a challenge would be unlikely to succeed, would create a material risk of violating law, or would create a material legal or operational risk for the Processor.
  4. Cost recovery. The Controller shall reimburse the Processor for reasonable costs incurred in responding to such requests (including legal review) to the extent permitted by law and to the extent such response requires effort beyond standard operational handling.
Supplementary term — Personal data breaches (definition and awareness)
  1. Personal Data Breach. “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data processed under this DPA.
  2. Becoming aware. The Processor is deemed “aware” of a Personal Data Breach when it has confirmed that a breach has occurred that affects Personal Data processed on behalf of the Controller under this DPA. Alerts, anomalies, and security events that are not yet confirmed as a Personal Data Breach do not constitute awareness.
  3. Notification mechanics. The Processor will notify the Controller without undue delay and, where feasible, within 72 hours after becoming aware, and may provide information in phases as it becomes available.
Supplementary term — Governing law and jurisdiction

Except as set forth below, the Agreement and this DPA are governed by the laws of the State of New Jersey, USA, without regard to conflict of laws provisions, and disputes shall be submitted to the exclusive jurisdiction of the courts of the State of New Jersey, USA.

Clauses. The Clauses are governed by, and disputes arising from the Clauses shall be resolved in, the manner required by the Clauses and any mandatory provisions of applicable data protection law.

Supplementary term — Notices

All notices under these Clauses and this DPA shall be in writing and sent by email to the contact addresses specified in Annex I (or as updated in the Controller’s account). Notices shall be deemed received on the business day following the date of transmission, provided no automated undeliverable/bounce notice is received.

Supplementary term — Limitation period
  1. To the maximum extent permitted by applicable law, any claim arising out of or in connection with this DPA or the Clauses must be brought within one (1) year after the date on which the claimant first became aware (or ought reasonably to have become aware) of the facts giving rise to the claim, regardless of when the cause of action accrued.
  2. This limitation period applies to all claims whether in contract, tort, statute, or otherwise, except to the extent a shorter or mandatory longer period is imposed by applicable law that cannot be contractually reduced.
  3. Mandatory rights carve-out. Nothing in this section limits or reduces any rights or claims that cannot be limited by the Clauses, mandatory data protection law, or (where applicable) any third-party beneficiary rights of data subjects under the Clauses.
Supplementary term — Force majeure

Neither party shall be liable for any delay or failure to perform its obligations under this DPA (other than payment obligations) to the extent that such delay or failure is caused by circumstances beyond the party’s reasonable control, including but not limited to: natural disasters, acts of government, pandemics, war, terrorism, riots, civil unrest, embargoes, power or telecommunications failures, internet or network outages, cyberattacks (including DDoS attacks), or failures of third-party cloud infrastructure providers. The affected party shall notify the other party without undue delay and use reasonable efforts to mitigate the effects of the event.

Supplementary term — No warranty on security measures

The technical and organisational measures described in Annex III are provided on an "as-is" basis and represent the Processor’s current security posture as of the effective date. While the Processor commits to maintaining reasonable and appropriate measures, the Processor does not warrant or guarantee that these measures will prevent every security incident, data breach, or unauthorized access. No security system is infallible. The Processor’s obligation is to implement and maintain measures that are appropriate to the nature, scope, and risks of the processing, taking into account the state of the art, the costs of implementation, and the nature of the personal data processed.

Supplementary term — Termination (sub-processor objection remedy)
  1. Agreement controls. Termination rights, procedures, and refunds are governed by the Agreement. Nothing in this DPA grants a general right to terminate for convenience or expands refund obligations beyond what the Agreement provides.
  2. Limited remedy. This section applies only where the Clauses (including Clause 7.7(a)) require the Processor to provide a termination remedy in connection with a sub-processor change objection that cannot be resolved within a reasonable period.
  3. Notice. Where the limited remedy applies, the Controller may terminate the affected service(s) (or, if not separable, the Agreement) by providing 30 days’ prior written notice to the Processor.
  4. Refunds. Any refund of prepaid fees (if any) will be handled in accordance with the Agreement, and in any event will not include amounts for periods already elapsed.
  5. No additional damages. The Processor shall not be liable for any additional damages, compensation, or costs arising from the Controller’s decision to terminate under this limited remedy, except to the extent such limitation is prohibited by the Clauses or mandatory law.
Supplementary term — Controller’s breach notification obligation
  1. The Controller shall notify the Processor without undue delay if the Controller becomes aware of any breach of this DPA, the Clauses, or applicable data protection law that may affect the processing of Personal Data by the Processor, including but not limited to: (a) unauthorized access to or compromise of the Controller’s account credentials; (b) a security incident on the Controller’s local devices or network that may have exposed Personal Data; or (c) any supervisory authority investigation, complaint, or enforcement action relating to the processing under this DPA.
  2. The Controller shall cooperate with the Processor in good faith to mitigate the effects of any such incident and to comply with any applicable reporting obligations.

Annex I — List of Parties

Controller
Name: The entity or individual that has accepted the Lumasoft Terms of Service.
Address: As provided in the Controller's Lumasoft account.
Contact: As provided in the Controller's Lumasoft account.
Effective date: Date of first access to or use of Lumasoft services.
Processor
Name: Lumasoft LLC (d/b/a dslrBooth / LumaBooth / fotoShare)
Address: 293 State Route 18 #123, East Brunswick, NJ 08816, USA
Contact: Legal Department
Data Protection contact: support.lumasoft.co

Where applicable, Lumasoft’s participation in the EU-U.S. Data Privacy Framework (DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF may be verified on the U.S. Department of Commerce Data Privacy Framework website at dataprivacyframework.gov.

Annex II — Description of the Processing

Categories of data subjects
  • Visitors and guests at events organized or hosted by the Controller
  • Event attendees who interact with photo booth, video booth, 360 booth, or other capture experiences operated using Lumasoft software
  • Individuals who access event galleries or microsites hosted on fotoShare Cloud, or who download or share media from events
  • The Controller's employees or contractors who operate the software and access the fotoShare Cloud dashboard
Categories of personal data processed
A. Media content captured at the Controller's events
  • Photographs (single-pose, multi-pose, photo strips in various print formats)
  • Videos (standard video, slow-motion, 360-degree video, boomerangs)
  • GIFs and animated content
  • AI-generated portrait transformations (where enabled by the Controller)
  • Images and videos with digitally replaced backgrounds (green screen / AI background removal)
  • Images and videos with beauty/glam filters applied (skin smoothing, black & white effects)
  • Print layouts combining captured media with templates, overlays, branding, text, and guest-provided content
B. Guest-provided data during booth interaction
  • Names and signatures (where the Controller configures the booth to collect these for print personalization)
  • Survey responses (where the Controller configures custom surveys)
  • Disclaimer acceptance records
C. Sharing and contact data
  • Email addresses (provided voluntarily by guests for sharing photos/videos via email)
  • Mobile phone numbers (provided voluntarily by guests for sharing via SMS or WhatsApp)
  • Social media identifiers (where guests choose to share to Instagram or other platforms)
D. Technical and analytics data
  • IP addresses of individuals accessing event galleries and microsites on fotoShare Cloud (fotoshare.co)
  • Device information and browser type (collected when accessing event galleries)
  • Unique session identifiers linking captured media to specific booth sessions
  • Event page analytics (page views, unique visitors, social referrers)
  • Sharing activity logs (record of which media was shared, via which channel, and when)
  • Customer support interaction data processed via Intercom (e.g., chat messages, support queries, email address)
E. Payment data (where the Controller enables cashless payment features)
  • Transaction records for pay-per-print or pay-per-download sessions (amount, status, timestamp)

Payment card data is processed exclusively by Stripe (PCI DSS Level 1 certified) and is never stored on or accessible to Lumasoft systems. Only transaction metadata is retained by Lumasoft.

Sensitive data processed (if applicable)

There is no intention to process sensitive data within the meaning of Article 9 of the GDPR. However, photographs and videos inherently capture visible physical characteristics of data subjects, which may incidentally reveal data relating to racial or ethnic origin, health conditions, or religious beliefs (e.g., visible religious attire).

Where the Controller enables AI portrait transformation features, the processing may involve transient analysis of facial features for the purpose of generating stylized images. This processing is performed solely to produce the creative output requested by the guest.

Applied restrictions and safeguards:
  • Media is captured and processed solely for the event experience as configured by the Controller
  • No automated profiling, categorization, or identification of individuals based on sensitive characteristics is performed
  • AI portrait features process data transiently for image generation only; no biometric templates, facial recognition databases, or facial embeddings are created or stored by Lumasoft for identification purposes
  • Retention of all media is limited as specified below and subject to deletion upon the Controller's request
  • Access to media is restricted to the specific event and configurable by the Controller via privacy settings (password protection, guest-only access)
  • The Controller is solely responsible for determining whether the processing of media content at its events requires a Data Protection Impact Assessment (DPIA) and for obtaining any necessary consents or legal bases from data subjects
Controller responsibilities (including local devices). The Controller is solely responsible for: (i) providing legally compliant notice/signage to attendees (including where minors may be present), (ii) obtaining and maintaining a valid legal basis (including consent where required) for capturing images/videos and collecting contact details, (iii) configuring gallery privacy and retention settings appropriately, and (iv) securing and controlling all local devices, networks, printers, and storage media used to capture, store, print, display, or transfer data outside the Processor’s cloud environment (including the booth computer/iPad, sharing station devices, routers/hotspots, USB drives, local folders, and any third-party integrations enabled by the Controller). The Processor is not responsible for the security of such local devices/systems or for any processing performed solely on them.
Nature of the processing

Lumasoft provides the Controller with software solutions for operating photo booth, video booth, 360 booth, GIF booth, mirror booth, and glam booth experiences at events. The software is provided as dslrBooth (for Windows PC), LumaBooth (for iPad, iPhone, and Mac), and associated companion applications. The processing includes:

  • Capture: Photographing, recording video, creating GIFs, boomerangs, slow-motion clips, and 360-degree videos of event guests using camera hardware controlled by Lumasoft software
  • Processing and editing: Applying filters, effects, overlays, templates, green screen / AI background removal, glam/beauty filters, and AI portrait transformations to captured media
  • Print generation: Assembling captured images into print layouts (2x6 strips, 4x6, 5x7, and other formats) with branding, text, guest signatures, and survey responses, and sending to connected printers
  • Cloud hosting: Uploading and storing captured and processed media on fotoShare Cloud (fotoshare.co) for guest access, download, and sharing via branded event microsites
  • Sharing and delivery: Distributing captured media to guests via email (AWS SES), SMS (Telnyx / Plivo), WhatsApp, QR codes, AirDrop, and social media integrations
  • LumaShare sharing station: Operating a separate sharing and print station application (on iPad, iPhone, Mac, or Android) that connects to the booth and allows guests to browse, select, share, and print their media
  • Event gallery management: Hosting branded event microsites on fotoShare Cloud with customizable design, privacy settings, embedded galleries, custom subdomains, and analytics
  • Slideshow display: Real-time display of captured media on connected screens via AirPlay, HDMI, or Mopria-compatible devices
  • Cashless payment processing: Facilitating QR code-based payment transactions for pay-per-print or pay-per-download sessions (payment card processing handled exclusively by Stripe)
  • Event synchronization: Syncing event settings, templates, backgrounds, overlays, and captured media across multiple devices belonging to the Controller
  • Disclaimer and survey collection: Presenting and recording guest acceptance of disclaimers and responses to custom surveys as configured by the Controller
  • Analytics and reporting: Providing the Controller with event analytics including page views, unique visitors, sharing statistics, social referrers, and payment transaction reports
  • Hashtag printing (HashPrinter): Where used by the Controller, monitoring a designated Instagram hashtag and printing hashtagged photos in a custom layout
  • Customer support: Providing customer support services via Intercom chat, email, and help center, which may involve processing of the Controller's contact and inquiry data
Purpose(s) for which the personal data is processed on behalf of the Controller

Providing and operating the software solutions and cloud services described above to enable the Controller to offer photo booth and related interactive media capture experiences at the Controller's events and venues, and to enable the Controller's guests to access, download, share, and print their captured media.

Duration of the processing

Processing shall take place for as long as the Controller maintains an active subscription or license for Lumasoft software and services. Upon termination or expiry, Lumasoft shall delete Controller Personal Data from active systems within 90 days, unless a longer period is required by applicable law, in accordance with Clause 10(d) of the Clauses. The Controller may request deletion of specific event data at any time during the contract term via the fotoShare Cloud interface or by contacting Lumasoft support.

Deletion from backups occurs on backup rotation/retention schedules. The Processor may retain limited data where required by law or for the establishment, exercise, or defense of legal claims, and may retain limited security/operational logs for abuse prevention, security, and service integrity purposes for reasonable periods.

Annex III — Technical and Organisational Measures

The following describes the technical and organisational measures implemented by Lumasoft LLC as of the date of this agreement to help ensure the security of the personal data processed under these Clauses. Lumasoft is committed to continuously improving its security posture and may update these measures as appropriate. Lumasoft does not currently hold ISO 27001 certification or SOC 2 attestation. The appropriateness of these measures should be assessed in light of the nature, scope, and purpose of the processing, which is limited to event photo/video capture, hosting, sharing, and related services as described in Annex II.

1. Encryption and pseudonymisation

  • Data transmitted between client applications (dslrBooth, LumaBooth, LumaShare) and Lumasoft cloud services is encrypted in transit using TLS 1.2 or higher
  • Web traffic to fotoshare.co and related services is served over HTTPS and protected via Cloudflare
  • Data stored on cloud infrastructure (AWS, Google Cloud, Backblaze B2) is encrypted at rest using provider-managed encryption features
  • Payment data is tokenized and processed exclusively by Stripe; Lumasoft does not receive, store, or have access to raw payment card data
  • Event media is organized by unique event and session identifiers rather than by personally identifiable information
  • CDN-delivered content (Cloudflare, Bunny.net) is served over HTTPS

2. Confidentiality, integrity, availability, and resilience

  • Cloud infrastructure is hosted on Amazon Web Services (AWS), Google Cloud Platform, and Backblaze B2, which provide redundancy and availability features per provider design
  • Backblaze B2 is designed for high durability per provider documentation
  • Cloudflare provides DDoS protection, web application firewall (WAF), and CDN services for public-facing endpoints
  • Bunny.net provides additional CDN capacity for media delivery performance and availability
  • Application monitoring, error tracking, and alerting is performed via Datadog
  • Software updates and security patches are applied on a risk-based schedule
  • Network access to production systems is restricted to authorized personnel

3. Backup and recovery

  • Automated backups of cloud-hosted data are performed on a scheduled basis
  • Backups are stored separately from primary infrastructure
  • Cloud provider backup and recovery mechanisms are utilized where applicable
  • Backup restoration procedures are maintained and tested periodically in accordance with internal procedures

4. Testing and evaluation of security measures

  • Continuous application monitoring via Datadog with automated alerting for anomalies and errors
  • Review of access permissions and credentials on a periodic basis
  • Periodic review of security configurations across cloud infrastructure
  • Security issues are triaged and addressed in accordance with internal processes

5. User identification and authorisation

  • User authentication via username and password for Lumasoft accounts (fotoshare.co, dslrBooth, LumaBooth)
  • Two-factor authentication is available for administrative and internal accounts
  • Unique credentials per user; shared accounts are not permitted for administrative access
  • Access to production systems and cloud infrastructure is limited to authorized personnel on a need-to-know basis
  • Access is revoked promptly when team members no longer require it
  • Event-level privacy controls allow Controllers to set password protection and other privacy settings

6. Protection of data during transmission

  • Data transmission between client applications and Lumasoft servers uses TLS 1.2 or higher
  • Web traffic is served over HTTPS, protected by Cloudflare
  • Email delivery uses secure connections via AWS SES
  • SMS delivery is transmitted via secure API connections to telephony providers (Telnyx, Plivo)

7. Protection of data during storage

  • Cloud-stored data is encrypted at rest using provider encryption mechanisms
  • Database access requires authentication and is not intended to be publicly accessible
  • Media files on CDN are accessible via event URLs configured with the Controller's privacy settings
  • Local data stored on the Controller's own devices remains under the Controller's control and is the Controller's responsibility

8. Physical security

  • Lumasoft does not operate its own data centers. Infrastructure is hosted on AWS, Google Cloud Platform, and Backblaze B2, which maintain physical security controls per their documentation
  • Administrative access to cloud infrastructure is performed remotely via encrypted connections

9. Event logging

  • Application-level logging of sharing activity (email, SMS, WhatsApp) with timestamps
  • Cloud provider access logging enabled on production infrastructure where applicable
  • Datadog captures application performance data and error logs
  • fotoShare Cloud provides per-event analytics accessible to the Controller

10. System configuration

  • Cloudflare WAF and security rules applied to public-facing services
  • Server configurations follow cloud provider security best practices
  • Software dependencies are updated on a risk-based schedule

11. IT security governance

  • Internal policies guide secure development and operations practices
  • Team members with access to personal data are bound by confidentiality obligations
  • Confidentiality obligations are included in contractor and employment agreements

12. Certifications and assurance

  • Where applicable, transfers to U.S.-based providers may rely on the EU-U.S. Data Privacy Framework (DPF) if the provider is listed, or otherwise on appropriate safeguards (e.g., SCCs)
  • Payment processing is handled by Stripe, which is PCI DSS Level 1 certified
  • Cloud infrastructure providers maintain relevant certifications per their published compliance documentation

Lumasoft itself does not currently hold ISO 27001 or SOC 2 certifications.

13. Data minimisation

  • Only data necessary for the booth experience and sharing features as configured by the Controller is collected
  • Guest contact information is collected only when voluntarily provided by the guest for sharing
  • Survey data and signatures are collected only when the Controller enables those features
  • Controllers can configure event privacy settings
  • AI portrait processing is designed to be transient for image generation; Lumasoft does not maintain biometric databases for identification purposes

14. Data quality

  • Guest-provided contact information may be validated at point of entry where enabled
  • Media files are verified for integrity during upload where applicable

15. Data retention

  • Event data is retained for the duration of the Controller's active subscription or license, subject to Controller configuration and deletion
  • Controllers can delete events and media via the fotoShare Cloud interface
  • Upon termination, Controller data is deleted from active systems within 90 days, subject to backup retention cycles and legal hold requirements
  • Transient processing data is not intended to be retained after the session

16. Accountability

17. Data portability and erasure

  • Controllers can download event media from fotoShare Cloud (subject to account access and configuration)
  • Captured media may also be stored locally on the Controller's own device(s), depending on setup
  • Controllers can delete events, media, and sharing data through the fotoShare Cloud interface
  • Lumasoft will execute deletion requests within a reasonable timeframe, subject to backup retention cycles and legal hold requirements

18. Measures to assist the Controller

  • Lumasoft provides event-level analytics and sharing reports to support the Controller's compliance obligations
  • Lumasoft will cooperate with the Controller in responding to data subject requests by providing or deleting relevant data within a reasonable timeframe, at the Controller's cost for effort beyond standard self-service tools
  • In the event of a Personal Data Breach affecting Controller Personal Data, Lumasoft will notify the Controller without undue delay and, where feasible, within 72 hours after becoming aware. Information may be provided in phases as it becomes available.

Annex IV — List of Sub-processors

As Option 2 (General Written Authorisation) has been selected under Clause 7.7(a), the Controller grants general authorisation for the engagement of the sub-processors listed below. Changes to this list will be communicated to the Controller in accordance with Clause 7.7(a) above.

Sub-processors engaged as of January 1, 2026:
Sub-processor Location Description of Processing Data Categories Transfer Safeguard
Amazon Web Services, Inc. (AWS) USA Cloud infrastructure, data storage, compute, email delivery (AWS SES) All categories DPF (if listed) / SCCs
Google Cloud (Google LLC) USA Cloud infrastructure, Firebase database, application hosting All categories DPF (if listed) / SCCs
Backblaze, Inc. (B2 Cloud Storage) USA Cloud object storage for media files and backups Media files, backups DPF (if listed) / SCCs
Cloudflare, Inc. USA / global CDN, DDoS protection, WAF, DNS, SSL/TLS Technical data, media files DPF (if listed) / SCCs
BunnyWay d.o.o. (Bunny.net) Slovenia (EU) CDN for media file delivery Media files EEA-based
Stripe, Inc. USA Payment processing for cashless pay-per-print / pay-per-download Payment transaction data DPF (if listed) / SCCs
Telnyx LLC USA SMS delivery for media sharing Phone numbers, message content DPF (if listed) / SCCs
Plivo, Inc. USA SMS delivery for media sharing (alternative provider) Phone numbers, message content DPF (if listed) / SCCs
Datadog, Inc. USA Application monitoring, logging, alerting Technical / operational data DPF (if listed) / SCCs
Intercom, Inc. USA Customer support chat, help desk, support communications Contact data, support queries DPF (if listed) / SCCs

Where Personal Data is transferred outside the EEA/UK/Switzerland, the Processor will ensure appropriate safeguards under Chapter V GDPR (and corresponding UK/Swiss requirements), such as reliance on an adequacy decision (including EU-U.S. DPF where applicable and where the recipient is listed) and/or Standard Contractual Clauses with supplementary measures as appropriate. Sub-processor status and locations may change; the current list is maintained at the URL below.

The current list of sub-processors is maintained at: dslrbooth.com/data-processing-agreement

Last updated: February 23, 2026 · Lumasoft LLC · East Brunswick, NJ, USA