Legal

Data Processing Agreement

Last updated: July 9, 2026

This Data Processing Agreement ("DPA") forms part of the Glassline Terms of Service between Bissekkou Karim-Julian & Weber Raphael GbR, trading as Cueing Ventures, Drachenseestr. 10, 81373 Munich, Germany ("Glassline"), and the customer accepting the Terms ("Customer"). It applies wherever Glassline processes Customer Personal Data on Customer's behalf, on all plans.

1. Definitions

Data Protection Legislation means the GDPR, UK GDPR and Data Protection Act 2018, Swiss FADP, ePrivacy rules, and successor laws where applicable. Controller, Processor, Data Subject, Processing, Personal Data Breach, and Supervisory Authority have the meanings given in the GDPR.

Customer Personal Data means personal data in galleries and customer-managed content that Glassline processes on Customer's behalf, including client contact details, gallery access data, photos of identifiable people, image metadata, comments, favorites, download/order activity, and support communications relating to customer content. Glassline's own account administration, billing, legal compliance, and security processing is described in the Privacy Policy.

2. Roles and Scope

Customer is the controller of Customer Personal Data. Glassline is the processor. If Customer processes data on behalf of another controller, Glassline acts as a subprocessor. Customer is responsible for ensuring a valid legal basis, required notices, and any required consents, including for identifiable people in photographs.

Glassline processes Customer Personal Data only on documented instructions from Customer, including product configuration, support requests, the Terms, this DPA, and applicable law. If Glassline believes an instruction infringes Data Protection Legislation, Glassline will inform Customer where legally permitted.

3. Confidentiality

Glassline ensures that persons authorized to process Customer Personal Data are bound by confidentiality or an appropriate statutory duty of confidentiality and have access only where needed to provide and secure the Service.

4. Security

Glassline implements technical and organizational measures appropriate to the risk, including the measures in Annex II. Customer remains responsible for securing its credentials, choosing appropriate gallery privacy settings, and controlling sharing configuration.

5. Personal Data Breach

Glassline will notify Customer without undue delay and, where feasible, within 48 hours after becoming aware of a Personal Data Breach affecting Customer Personal Data. The notice will include available information on the nature of the breach, affected categories and approximate numbers, likely consequences, and mitigation steps. Information may be provided in phases.

Glassline will investigate, contain, mitigate, and reasonably assist Customer with Customer's own notification obligations.

6. Subprocessors

Customer grants Glassline general authorization to use subprocessors necessary to provide the Service. The current list is in Annex III and under Subprocessors. Glassline imposes data protection obligations on subprocessors by written contract and remains responsible for their performance.

Glassline will provide at least 30 days' prior notice of intended additions or replacements of subprocessors. Customer may object on reasonable data protection grounds. If the parties cannot resolve the objection, Customer may terminate the affected Service as its sole remedy for that objection.

7. International Transfers

Glassline primarily uses EEA hosting and processing. For transfers to countries without an adequacy decision, the EU Standard Contractual Clauses apply by reference, including Module 2 for controller-to-processor transfers and Module 3 for processor-to-processor onward transfers. For UK data, the UK Addendum applies where required. For Swiss data, the SCCs are interpreted with Swiss amendments where required.

Glassline maintains transfer assessments where required and uses supplementary measures such as encryption, access controls, and government-access challenge and transparency processes where available.

8. Data Subject Requests and Assistance

Glassline will notify Customer of data-subject requests relating to Customer Personal Data where appropriate and will not respond except on Customer's instruction or as legally required. Taking into account the nature of processing, Glassline will reasonably assist Customer with data-subject requests and Customer's obligations under GDPR Articles 32 to 36.

9. Audits

Glassline will make available information reasonably necessary to demonstrate compliance with this DPA and allow for audits as required by Article 28 GDPR. Scope and timing must be agreed in advance, audits must occur during business hours with reasonable notice, and are limited to once per year unless required after a breach or by a Supervisory Authority. Customer bears its own costs and Glassline's reasonable costs.

10. Deletion and Return

After termination, at Customer's choice where technically feasible, Glassline will delete or return Customer Personal Data and delete copies within 30 days, unless Union or Member State law requires retention. Backups are retained only for security, continuity, and disaster-recovery purposes, are not used for ordinary service processing, and are overwritten or deleted on the routine backup retention cycle.

11. Liability and Miscellaneous

This DPA applies only where Customer Personal Data is subject to Data Protection Legislation. Liability is governed by the Terms. This DPA prevails over the Terms on data protection matters. The SCCs prevail where they conflict with this DPA. German law governs this DPA, subject to mandatory law.

Glassline may update this DPA for legal, technical, or service changes. Material changes will be communicated in advance.

Annex I - Details of Processing

Subject matterProvision of the Glassline photo gallery platform.
DurationTerm of the Terms plus deletion, export, backup, and legally required retention periods.
Nature and purposeHosting, storage, organization, display, sharing, delivery, backups, security, support, and gallery access.
Data subjectsCustomer account users and staff, Customer's clients, gallery visitors, and individuals depicted in photographs.
Personal dataClient contact data, access records, photos of identifiable people, image metadata, comments, favorites, download/order activity, and support communications related to customer content.
Special categoriesNot intentionally processed by Glassline; photos may incidentally reveal special category data. Customer is responsible for any required legal basis or consent.
FrequencyContinuous for the duration of the Service.

Annex II - Technical and Organizational Measures

  • Encryption in transit using TLS and photo encryption at rest.
  • Role-based least-privilege access controls.
  • Secure authentication and credential handling.
  • Network and application security controls.
  • Data minimization and pseudonymization where appropriate.
  • Backups, resilience, logging, and monitoring.
  • Vendor security due diligence.
  • Personnel confidentiality and training.
  • Documented incident response.

Annex III - Subprocessors

Transfers outside the EEA are covered by the relevant provider DPA, EU Standard Contractual Clauses, UK Addendum or Swiss amendments where applicable, and supplementary measures.

SubprocessorPurposeLocationTransfer mechanism
SupabaseAuthentication and database servicesSelected EU project regionSigned Supabase DPA and SCCs for non-EEA processing
Amazon Web ServicesPhoto and file storageEU regionAWS DPA and SCCs for non-EEA processing
Amazon CloudFrontGlobal image deliveryGlobal edge networkAWS DPA, SCCs, and supplementary measures
VercelWebsite and app hostingUnited States/globalVercel DPA and SCCs where applicable
PostHogAnalytics, feedback, error diagnostics, performance monitoringEU data centerPostHog DPA and SCCs where applicable
ResendTransactional and service emailsUnited StatesResend DPA, SCCs, and supplementary measures