Data Processing Agreement (DPA)

Last updated: February 2026

1. Purpose

This DPA supplements our Terms of Service and governs the processing of personal data that you (the Controller) entrust to RR (the Processor) in connection with the photo editing services.

2. Scope of Processing

We process image files and associated metadata (file names, order instructions) solely for the purpose of fulfilling your editing orders. No personal data contained in images is used for any other purpose.

3. Sub-Processors

We use Supabase (database & auth), Cloudflare R2 (object storage), and Vercel (hosting) as sub-processors. An up-to-date list is maintained at our security page. We will notify you before adding new sub-processors.

4. Data Retention

Draft uploads for abandoned orders are retained up to 72 hours and then deleted. Delivered originals are retained for 30–90 days, and edited outputs for 90–180 days. Metadata (order records) is retained for 12 months for audit purposes. Enterprise contracts may specify custom retention.

5. Security Measures

• Encryption at rest (AES-256) and in transit (TLS 1.3)
• Tenant-level access isolation via row-level security
• Signed delivery URLs with time-limited tokens
• Regular access audits and logging

6. Data Subject Requests

If we receive a request from a data subject regarding your data, we will redirect the request to you and assist as reasonably necessary.

7. Breach Notification

In the event of a data breach affecting your data, we will notify you within 72 hours of becoming aware of the breach, including details of the incident and remediation steps.

8. Audit Rights

You may audit our compliance with this DPA once per year with 30 days' written notice. We will provide reasonable access to relevant documentation and systems.