Back

Data Processing Agreement

GDPR Article 28 Compliant

Version 1.0.0 - Effective: January 1, 2025

PartiesProcessing DetailsSecuritySub-processorsBreach NotificationData Deletion

This Data Processing Agreement ("DPA") forms part of the Terms of Service between MikaMe ("Processor") and the Company subscribing to MikaMe services ("Controller"), collectively referred to as the "Parties".

This DPA is entered into pursuant to Article 28 of the General Data Protection Regulation (EU) 2016/679 ("GDPR") and reflects the Parties' agreement with regard to the processing of Personal Data by the Processor on behalf of the Controller.

1. Definitions

"Personal Data" means any information relating to an identified or identifiable natural person ('data subject'), including Event Participants' photos, names, and contact information.

"Processing" means any operation performed on Personal Data, including collection, storage, transformation using AI, and deletion.

"Data Subject" means the identified or identifiable person to whom Personal Data relates, primarily Event Participants.

"Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.

"Special Category Data" means Personal Data revealing racial or ethnic origin, including facial images processed for AI transformation.

2. Parties and Roles

Controller: The Company using MikaMe services to process Event Participant data. The Controller determines the purposes and means of Personal Data processing.

Processor: MikaMe (Golden Brown AI Technologies), acting on behalf of the Controller to provide AI photo transformation services.

3. Subject Matter and Details of Processing

3.1 Subject Matter

The Processor will process Personal Data on behalf of the Controller for the purpose of providing AI-powered photo transformation services at corporate events.

3.2 Duration

Processing will continue for the duration of the service agreement. After each event concludes, Personal Data will be retained for 30 days to allow downloads, then automatically deleted.

3.3 Nature and Purpose of Processing

  • Collection of photos uploaded by Event Participants
  • AI transformation of photos using style presets
  • Storage of original and transformed photos
  • Display on event gallery and Live Wall
  • Enabling photo downloads by authorized users

3.4 Type of Personal Data

  • Facial images (biometric data under GDPR Article 9)
  • Name (if provided)
  • Phone number (for magic link access)
  • IP address and device information

3.5 Categories of Data Subjects

  • Event Participants (employees, guests, attendees)
  • Event Organizers (Company employees)

4. Controller's Obligations

The Controller shall:

  • Ensure a valid legal basis for processing (typically consent from Event Participants)
  • Inform Event Participants about the processing of their Personal Data
  • Obtain explicit consent for processing of biometric data (facial images)
  • Respond to Data Subject requests (access, deletion, portability)
  • Ensure instructions to the Processor are lawful
  • Notify the Processor of any changes to processing instructions

5. Processor's Obligations

The Processor shall:

  • Process Personal Data only on documented instructions from the Controller
  • Ensure persons authorized to process Personal Data are bound by confidentiality
  • Implement appropriate technical and organizational security measures
  • Not engage another processor without prior authorization from the Controller
  • Assist the Controller in responding to Data Subject requests
  • Assist the Controller in ensuring compliance with security obligations
  • Delete or return all Personal Data upon termination of services
  • Make available all information necessary to demonstrate compliance

6. Security Measures

The Processor implements the following technical and organizational measures to ensure appropriate security of Personal Data:

6.1 Technical Measures

  • Encryption of data in transit (TLS 1.3)
  • Encryption of data at rest (AES-256)
  • Firebase Authentication for access control
  • Firestore Security Rules for data isolation
  • Automatic deletion after 30-day retention period
  • Regular security updates and patches

6.2 Organizational Measures

  • Role-based access control
  • Employee confidentiality agreements
  • Security awareness training
  • Incident response procedures
  • Regular security assessments

7. Sub-processors

The Controller authorizes the Processor to engage the following Sub-processors:

Sub-processorPurposeLocation
Google Cloud PlatformInfrastructure, Storage (Firebase)USA (with EU SCCs)
Google AI (Gemini)AI Photo TransformationUSA (with EU SCCs)

The Processor will notify the Controller of any intended changes to Sub-processors, giving the Controller an opportunity to object to such changes.

8. Data Breach Notification

In the event of a Personal Data breach, the Processor shall notify the Controller without undue delay and in any event within 72 hours of becoming aware of the breach.

The notification shall include:

  • Description of the nature of the breach
  • Categories and approximate number of data subjects affected
  • Categories and approximate number of records affected
  • Name and contact details of the data protection point of contact
  • Description of likely consequences
  • Description of measures taken or proposed to address the breach

9. Audit Rights

The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR.

The Processor shall allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller, subject to:

  • Reasonable advance notice (minimum 30 days)
  • Audits during normal business hours
  • Confidentiality obligations on auditors
  • Audit costs borne by the Controller

10. Data Return and Deletion

Upon termination of the service agreement, or upon request by the Controller, the Processor shall:

  • Return all Personal Data to the Controller in a commonly used format, or
  • Delete all Personal Data and confirm deletion in writing

Automatic Deletion: Event photos and related Personal Data are automatically deleted 30 days after each event concludes.

Backup Retention: Backups containing Personal Data are deleted within 30 days of the primary data deletion.

11. International Data Transfers

The Processor may transfer Personal Data to countries outside the European Economic Area only where appropriate safeguards are in place:

  • Adequacy decision by the European Commission
  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Binding Corporate Rules

Current transfers to Google Cloud (USA) are governed by Standard Contractual Clauses.

12. Liability and Indemnification

Each party shall be liable for damages caused by processing that infringes the GDPR, in accordance with Article 82 GDPR.

The Processor shall indemnify the Controller for any damages arising from processing that is not in accordance with this DPA or the Controller's documented instructions.

13. Governing Law

This DPA shall be governed by and construed in accordance with the laws of the State of Israel.

Any disputes arising out of or in connection with this DPA shall be subject to the exclusive jurisdiction of the courts of Tel Aviv-Jaffa, Israel.

14. Contact Information

Data Protection Contact:
Email: barakkadabra@gmail.com

General Inquiries:
Email: barakkadabra@gmail.com

Terms of Service|Privacy Policy|Cookie Policy