Data Processing Agreement

Last updated: 2026-05-07 · Version 1.0

This Data Processing Agreement (“DPA”) supplements and forms part of the BoothZen Terms of Service. It governs the processing of personal data by BoothZen on behalf of the Operator and reflects the parties' agreement with regard to the processing of personal data in accordance with the requirements of Article 28 of the UK GDPR / EU GDPR.

1. Definitions

For the purposes of this DPA, the following terms have the following meanings. Capitalised terms not defined here have the meaning given in the Terms of Service.

  • “Operator” — the photo booth business that has entered into the Terms of Service with BoothZen and that determines the purposes and means of the processing of Personal Data. The Operator acts as the Data Controller.
  • “BoothZen” (or “we”, “us”) — the SaaS provider that processes Personal Data on the Operator's behalf. BoothZen acts as the Data Processor.
  • “Data Subject” — the natural person whose Personal Data is processed. Typically this is the Operator's end-customer who books or enquires about a photo booth via the Service.
  • “Personal Data” — any information relating to an identified or identifiable Data Subject that is processed by BoothZen on the Operator's behalf via the Service.
  • “Sub-Processor” — any third party engaged by BoothZen to process Personal Data on its behalf in connection with the Service.
  • “Applicable Data Protection Law” — the UK GDPR, the EU GDPR (Regulation (EU) 2016/679), the UK Data Protection Act 2018, and any other applicable data protection or privacy law.
  • “Personal Data Breach” — a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.
  • “Standard Contractual Clauses” or “SCCs” — the European Commission's Standard Contractual Clauses approved by Implementing Decision (EU) 2021/914, or the UK's International Data Transfer Agreement / IDTA Addendum, as applicable.

2. Subject Matter, Duration, Nature & Purpose

Subject matter: the processing of Personal Data by BoothZen on behalf of the Operator in order to provide the Service.

Duration: for the term of the Operator's subscription to the Service, plus any post-termination period required to return or delete Personal Data in accordance with this DPA.

Nature of processing: hosting, storage, transmission, retrieval, organisation, structuring, consultation, use, restriction and erasure of Personal Data via a multi-tenant SaaS booking-management platform, including transactional notifications, payment processing, calendar coordination, and customer-portal functionality.

Purpose of processing: to enable the Operator to manage bookings, customers, payments, contracts, communications and related photo-booth operations using the Service.

3. Categories of Data Subjects & Data

Categories of Data Subjects:

  • The Operator's end-customers (booking enquirers, confirmed bookers, portal users).
  • The Operator's contacts (venues, planners, suppliers).
  • The Operator's staff and team members invited to the Service.

Types of Personal Data processed:

  • Identification data: name, email address, phone number.
  • Contact & address data: billing address, event/venue address, postcode.
  • Booking data: event date, event type, package, extras, notes, special requirements, signed agreements.
  • Communications data: email and SMS message content sent or received via the Service.
  • Payment data: payment method tokens, transaction references, invoice line items (no full card data is stored by BoothZen).
  • Technical data: IP address, user-agent, login timestamps, audit-log entries.

BoothZen does not require Operators to upload special-category personal data (Article 9 GDPR). Operators must not use the Service to collect special-category data without an appropriate lawful basis.

4. Obligations of the Processor

BoothZen, in its capacity as Processor, undertakes to:

  • Process Personal Data only on documented instructions from the Operator, including with regard to international transfers, except where required by law (in which case BoothZen shall inform the Operator unless the law prohibits such notice).
  • Confidentiality: ensure that personnel authorised to process Personal Data are bound by appropriate confidentiality obligations.
  • Security measures: implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as further described in Annex 2.
  • Sub-processor commitments: only engage Sub-Processors in accordance with section 5 below, and impose data protection obligations on Sub-Processors that are no less protective than those in this DPA.
  • Assistance with data-subject requests: taking into account the nature of the processing, assist the Operator by appropriate technical and organisational measures, insofar as possible, in fulfilling its obligations to respond to requests for exercising Data Subject rights (access, rectification, erasure, restriction, portability, objection).
  • Assistance with security & impact assessments: assist the Operator in ensuring compliance with Articles 32 to 36 GDPR (security, breach notification, data protection impact assessments, prior consultation).
  • Personal Data Breach notification: notify the Operator without undue delay and in any event within 72 hours after becoming aware of a Personal Data Breach affecting the Operator's data, providing the information required by Article 33(3) GDPR to the extent available.
  • Deletion or return at end of processing: at the choice of the Operator, delete or return all Personal Data after the end of the provision of services relating to processing, and delete existing copies unless storage is required by law.
  • Audit rights: make available to the Operator all information necessary to demonstrate compliance with this DPA, and allow for and contribute to audits, including inspections, conducted by the Operator or another auditor mandated by the Operator. Audits shall be conducted no more than once per year (except in the event of a Personal Data Breach), with reasonable advance notice, during business hours, and subject to confidentiality obligations.

5. Sub-Processors

The Operator gives general written authorisation for BoothZen to engage Sub-Processors to assist in the provision of the Service. The current list of authorised Sub-Processors is set out in Annex 3 and is also published at /sub-processors.

BoothZen will provide the Operator with at least 30 days' prior notice of any intended addition or replacement of a Sub-Processor (the “Notice Period”), via email to the Operator's registered email address and via a banner on the operator dashboard. The Operator may object to such an addition or replacement on reasonable data-protection grounds during the Notice Period. If the parties cannot agree on a resolution within a further 30 days, the Operator may terminate the affected portion of the Service without penalty.

BoothZen shall remain fully liable to the Operator for the performance of any Sub-Processor's obligations.

6. International Transfers

Where Personal Data is transferred from the United Kingdom or the European Economic Area to a country that is not subject to an adequacy decision, the parties shall rely on appropriate safeguards under Applicable Data Protection Law. By default, the parties agree to incorporate the Standard Contractual Clauses (Module 2: Controller-to-Processor) as approved by Commission Implementing Decision (EU) 2021/914, and the UK International Data Transfer Addendum issued by the UK Information Commissioner, into this DPA by reference, with BoothZen as “data importer” and the Operator as “data exporter”.

Where a Sub-Processor is located outside the UK / EEA, BoothZen shall ensure that an appropriate transfer mechanism (such as SCCs, the UK IDTA, or an applicable adequacy decision) is in place between BoothZen and that Sub-Processor.

7. Technical & Organisational Measures

BoothZen implements and maintains the technical and organisational measures set out in Annex 2, including:

  • Encryption at rest for sensitive customer data (phone, address, geographic data) using AES-256-CBC via Laravel's encrypted casts.
  • TLS 1.2 or higher required for all data in transit, with HTTPS enforced platform-wide.
  • Access controls based on least privilege, with role-based authorisation, multi-tenant scoping, and SSH-key-only access to production infrastructure.
  • Audit logs capturing security-relevant events, with access restricted to authorised personnel.
  • Backup encryption — backups are encrypted before they leave the primary infrastructure.
  • Incident response procedure defining detection, triage, containment, notification and post-incident review.

BoothZen reviews these measures regularly and may update them, provided that the level of protection is not materially decreased.

8. Data Breach Notification

BoothZen will notify the Operator without undue delay, and in any event within 72 hours of becoming aware, of any Personal Data Breach affecting the Operator's Personal Data. The notification shall include, to the extent reasonably available:

  • The nature of the breach, including (where possible) the categories and approximate number of Data Subjects and Personal Data records concerned.
  • The likely consequences of the breach.
  • The measures taken or proposed to address the breach and to mitigate its possible adverse effects.
  • The name and contact details of the BoothZen point of contact for further information.

BoothZen will cooperate reasonably with the Operator's investigation and remediation of any Personal Data Breach, including providing further information as it becomes available.

9. Liability & Indemnity

Each party's liability arising out of or related to this DPA, whether in contract, tort or under any other theory of liability, is subject to the “Limitation of Liability” section of the Terms of Service, which is incorporated here by reference. For the avoidance of doubt, in no event shall either party's liability arising out of or related to this DPA exceed the limits and exclusions set out in the Terms of Service.

Each party shall indemnify the other against any administrative fines or compensation paid to a Data Subject to the extent attributable to the indemnifying party's breach of this DPA or Applicable Data Protection Law, subject to the liability cap in the Terms of Service.

10. Term & Termination

This DPA takes effect on the date the Operator accepts the Terms of Service and remains in force for the duration of the Operator's use of the Service. On termination of the Service, BoothZen will, at the choice of the Operator and in accordance with the Terms of Service, return or delete all Personal Data within the post-termination data-retention windows described in the Privacy Policy.

Sections relating to confidentiality, liability, audit and any other provision that by its nature should survive termination shall survive termination of this DPA.

11. Governing Law

This DPA is governed by and construed in accordance with the laws of England and Wales, and the courts of England and Wales shall have exclusive jurisdiction over any disputes arising from or relating to this DPA, save where Applicable Data Protection Law mandates a different forum.

12. Annex 1: Description of Processing

Categories of Data Subjects: Operator's end-customers, Operator's contacts (venues, planners, suppliers), and Operator's staff invited to the Service.

Categories of Personal Data: identification data (name, email, phone), address data, booking data, communications data, payment tokens, technical data (IP, user-agent, audit logs).

Sensitive data: none required by the Service. Operators must not upload special-category data without an appropriate lawful basis.

Frequency: continuous, for the duration of the Service.

Nature of processing: hosted SaaS storage, transmission, retrieval, organisation, automated notifications, payment facilitation.

Purpose: to provide the BoothZen Service to the Operator.

Retention: Personal Data is retained while the Operator's account is active; deleted within 30 days of account closure, with encrypted backups purged within 90 days, except where retention is required by law (e.g. financial records).

13. Annex 2: Technical & Organisational Measures

  • Encryption at rest: AES-256-CBC for sensitive fields (phone, address, geographic data) via Laravel's encrypted casts; integration credentials encrypted at the application layer.
  • Encryption in transit: TLS 1.2+ enforced platform-wide for the operator dashboard, customer-facing booking forms, webhooks and the API.
  • Access control: per-tenant data isolation enforced by an automatic global query scope; role-based authorisation; multi-factor authentication available; SSH-key authentication only for production servers; principle of least privilege for staff access.
  • Network & perimeter: Cloudflare DDoS protection and Web Application Firewall in front of the Service; OpenLiteSpeed origin behind the CDN.
  • Logging & monitoring: security-relevant audit logs retained for an appropriate period; monitoring of error and failure conditions.
  • Backups: regular database and file backups; backups encrypted before leaving primary infrastructure.
  • Incident response: documented procedure for detection, triage, containment, communication, remediation and post-incident review of Personal Data Breaches.
  • Vendor management: Sub-Processors are reviewed before engagement and bound by contractual data-protection obligations no less protective than those in this DPA.
  • Personnel: staff with access to Personal Data are subject to confidentiality obligations and receive guidance on data protection.
  • Disposal: deletion of Personal Data upon account closure within 30 days, with encrypted backups purged within 90 days.

14. Annex 3: List of Sub-Processors

The following Sub-Processors are authorised by the Operator under section 5. The most current version of this list, together with a subscribe-to-changes form, is published at /sub-processors.

Vendor | Purpose | Data | Region
--- | --- | --- | ---
Stripe | Payment processing (subscription billing + booking deposits) | Cardholder data (tokenized), customer email | US/EU
Mollie | Alternative payment processing | Cardholder data (tokenized), customer email | EU
PayPal | Alternative payment processing | Customer email | US/EU
Twilio | Outbound SMS (transactional) + inbound SMS handling | Customer phone, message content | US
SendGrid (Twilio) | Transactional email delivery | Customer email, message content | US
Anthropic | AI Assistant (Charlie) + Website Scanner | Operator question text, anonymized booking metadata | US
Google Maps | Geocoding fallback for venue addresses | Venue address strings | US
OpenStreetMap (Nominatim) | Geocoding primary | Venue address strings | EU
Cloudflare | CDN + DDoS protection | Request metadata, IP, headers | Global
Backblaze B2 | (planned) Off-host backups | Encrypted DB + file backups | US
GitHub | Source-code repository (codebase only; operator data not stored here) | Source code only | US
QuickBooks Online | (operator-opt-in) Accounting sync | Booking metadata, invoice data | US
Xero | (operator-opt-in) Accounting sync | Booking metadata, invoice data | NZ/EU
Webklex IMAP (npm package) | Inbound email polling | Email content, headers | n/a (library)

Sub-processor list last updated: 2026-05-07.

Questions about this DPA?

Contact us at [email protected].

See also: Privacy Policy, Terms of Service, Sub-Processors.