Skip to content
Visit Captura Community

Captura Data Processing Addendum

This Data Processing Addendum ("DPA") is incorporated into and forms part of the Internet Master Services Agreement (the "Agreement") between Captura, LLC ("Captura") and the entity or individual agreeing to the Agreement ("Photographer"). This DPA applies to the extent that Captura Processes Personal Data on behalf of Photographer in connection with the Services. Capitalized terms not defined herein have the meanings set forth in the Agreement. In the event of a conflict between this DPA and the Agreement, this DPA shall govern with respect to matters relating to data protection and privacy.

By accepting the Agreement, Photographer also accepts this DPA on behalf of itself and, to the extent required under applicable Data Protection Laws, on behalf of its customers and end users.

  1. Definitions. In this DPA, the following terms have the meaning given to them below. All capitalized terms used but not defined herein shall have the meaning given to such terms in the Agreement.
    1. Data Protection Laws” means all data protection and privacy laws and regulations applicable to Captura with respect to its Processing of Personal Data on behalf of Photographer under the Agreement, including but not limited to applicable U.S. federal and state data protection and privacy laws.
    2. “Data Subject” means any individual whose Personal Data is Processed by Captura on behalf of Photographer under the Agreement, and includes “data subject” and “consumer” as such terms are defined in applicable Data Protection Laws.
    3. “Personal Data” means any information or data, in any form, that (i) identifies, relates to, or can be used to identify, a person, household or device; or (ii) is considered "personal data", "personal information," "personally identifiable information," or “consumer health data” under applicable Data Protection Laws.
    4. “Process” means to perform any operation or set of operations on Personal Data, and includes “process” as that term is defined in the Data Protection Laws, and "processes", “processing” and "processed" will be interpreted accordingly.
    5. “Security Incident” means a breach of security leading to (i) any accidental, unauthorized, or unlawful destruction, loss, alteration, unauthorized disclosure of, access to, or other Processing of any Personal Data, or (ii) any unauthorized access to any systems used to store or access Personal Data.
    6. “Services” means the services provided by Captura to Photographer under the Agreement.
  2. Roles of the Parties. With respect to Personal Data of Photographer's customers Processed by Captura on behalf of Photographer in connection with the Services: (a) Photographer is the "business" or "controller" (as those terms are defined under applicable Data Protection Laws), responsible for determining the purposes and means of Processing Personal Data; and (b) Captura is a "service provider" or "processor" (as those terms are defined under applicable Data Protection Laws), Processing Personal Data on behalf of and pursuant to the instructions of Photographer. Notwithstanding the foregoing, the parties acknowledge that Captura may Process certain Personal Data as an independent controller only to the limited extent necessary to: (i) maintain, secure, and improve the Services; (ii) prevent fraud and abuse; (iii) comply with legal obligations; and (iv) generate Aggregated and De‑Identified Data.

All other Processing of Personal Data provided by or on behalf of Photographer shall be performed by Captura solely as a processor or service provider acting on Photographer’s documented instructions.

  1. Processing Instructions. Captura shall Process Personal Data of Photographer's customers only: (a) as necessary to provide the Services; (b) in accordance with Photographer's documented instructions; (c) as permitted in the Agreement; (d) as required by applicable law; or (e) as otherwise agreed in writing by the parties. Captura shall promptly inform Photographer if, in Captura's opinion, an instruction from Photographer infringes applicable Data Protection Laws.
  2. Photographer Responsibilities. Photographer represents and warrants that: (a) it has provided all necessary notices and obtained all necessary consents, permissions, and rights required under applicable Data Protection Laws to permit Captura to Process Personal Data as contemplated by the Agreement and this DPA, including those set forth in the Agreement; (b) all Personal Data provided to Captura is accurate, complete, and lawfully collected; (c) Photographer’s Processing instructions comply with applicable Data Protection Laws; and (d) Photographer has implemented appropriate security measures for any Personal Data in its possession or control. Captura shall not be liable for any claims, damages, or losses arising from Photographer’s breach of these representations and warranties.
  3. Consumer Rights Requests. Photographer shall be responsible for responding to consumer requests to exercise rights under applicable Data Protection Laws (including rights to access, correct, or delete Personal Data). Upon receipt of a consumer request, Captura shall promptly notify Photographer if the request is directed to Captura amnd reasonably cooperate with Photographer in responding to such requests. Photographer shall reimburse Captura for its reasonable costs and expenses incurred in connection with: (a) responding to Data Subject requests; (b) assisting Photographer with data protection impact assessments or prior consultations with supervisory authorities; (c) providing information or assistance beyond what is expressly required under this DPA; and (d) any changes to the Services requested by Photographer to comply with Data Protection Laws.
  4. Data Security. Captura shall implement and maintain reasonable administrative, technical, and physical safeguards designed to protect Personal Data against unauthorized access, acquisition, destruction, use, modification, or disclosure. Such safeguards shall be appropriate to the nature and sensitivity of the Personal Data Processed.
  5. Data Breach Notification. In the event of a Security Incident, Captura shall: (a) notify Photographer without undue delay, and in no event later than seventy-two (72) hours after confirming such incident; and (b) provide Photographer with sufficient information to enable Photographer to fulfill any notification obligations under applicable law.
  6. Subprocessors. Photographer hereby authorizes Captura to engage third-party subprocessors to Process Personal Data in connection with the Services, provided that Captura: (a) maintains a list of subprocessors and makes such list available to Photographer upon request; (b) imposes data protection obligations on each subprocessor that are materially no less protective than those set forth in this DPA; and (c) remains liable to Photographer for the acts and omissions of its subprocessors.
  7. Data Retention and Deletion. Captura shall retain Personal Data only for as long as necessary to provide the Services or as otherwise required by applicable law. Upon termination or expiration of the Agreement, Captura shall retain Personal Data for a period of one hundred and eighty (180) days to allow Photographer to request export of such data, after which Captura shall delete or return such Personal Data in accordance with Photographer’s written instructions, unless retention is required by law or necessary to resolve pending disputes.
  8. Audit Rights. Captura shall make available to Photographer information reasonably necessary to demonstrate compliance with this DPA. If required by applicable law and Captura has not provided information sufficient to allow Photographer to comply with its obligations under applicable law, Photographer may, at its expense, conduct or commission an audit of Captura’s compliance with this DPA, subject to: (a) reasonable confidentiality obligations; (b) at least thirty (30) days’ advance written notice; (c) conduct during normal business hours in a manner that minimizes disruption to Captura’s operations; and (d) Photographer’s payment of Captura’s reasonable costs and expenses associated with such audit. Captura may satisfy audit requests by providing relevant third-party certifications, audit reports, or other documentation demonstrating compliance.
  9. Restrictions on Use. Captura shall not: (a) sell or share Personal Data of Photographer's customers (as those terms are defined under applicable Data Protection Laws); (b) retain, use, or disclose such Personal Data for any purpose other than providing the Services, except as otherwise permitted by applicable law; or (c) combine Personal Data received from Photographer with Personal Data received from other sources, except as necessary to provide the Services.
  10. Biometric Data. To the extent that Biometric Identifiers or Biometric Information (as defined under applicable biometric privacy laws, including the Illinois Biometric Information Privacy Act) constitute Personal Data processed under the Agreement:
    1. Photographer‑Directed Processing. Where such biometric data is collected, used, or stored at the direction of Photographer through the Services, Photographer acts as the controller and Captura acts as a processor. Photographer is responsible for providing all required notices and obtaining all legally required consents prior to enabling such features.
    2. Captura‑Directed Processing. Where Captura directly offers or operates features that independently collect biometric data from individuals, Captura shall comply with its independent obligations under applicable biometric privacy laws, including notice, consent, retention, and deletion requirements.
    3. Use and Retention. Biometric data shall be used solely for the purposes for which it was collected and shall be permanently deleted when such purpose has been satisfied, or earlier upon valid deletion request, in accordance with applicable law.
  11. Term. This DPA shall remain in effect for the duration of the Agreement and shall automatically terminate upon termination or expiration of the Agreement, provided that Captura's obligations with respect to Personal Data in its possession shall continue until such information is deleted or returned in accordance with Section 9.