Between Controller and Processor
Pursuant to Art. 28 GDPR
Controller
The Customer (as identified in the primary Subscription Contract)
Processor
Reverchon Consulting GmbH, Am Gasteig 6, 82335 Berg, Germany
1.1 Preamble: This DPA is part of the Main Service Agreement (Terms & Conditions) regarding the use of the "TryYourWig" software.
1.2 Subject Matter: The Processor shall process personal data on behalf of the Controller. The processing involves the automated generation of wig simulation images using Artificial Intelligence.
1.3 Duration: The term of this DPA corresponds to the term of the Main Service Agreement. It ends automatically upon termination of the subscription and deletion of all data.
2.1 Nature of Processing: Collection, transfer to AI sub-processors, transient storage for computation, image synthesis, and deletion.
2.2 Purpose: Enabling the virtual visualization of wig products on end-user photographs.
2.3 Type of Data:
2.4 Categories of Data Subjects: Customers / End-users of the Controller.
3.1 The Controller is solely responsible for the admissibility of the processing under data protection laws (including obtaining necessary consent from end-users).
3.2 The Controller has the right to issue instructions concerning the data processing. The standard instructions are defined by the functionality of the SaaS platform (uploading and generating images).
The Processor warrants that:
4.1 Confidentiality: All persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
4.2 Security: The Processor takes all necessary technical and organizational measures (TOMs) pursuant to Art. 32 GDPR to ensure a level of security appropriate to the risk. This includes encrypted data transmission (SSL/TLS).
4.3 Data Deletion: The Processor guarantees a "Zero Retention" policy for biometric input data. Source images and generated results are deleted from the Processor's active servers immediately after the user session is closed or the generation process is completed.
5.1 The Controller authorizes the Processor to engage the following Sub-processors to carry out specific processing activities:
| Sub-processor | Location | Function |
|---|---|---|
| Google LLC (Gemini API) | USA / Global | AI Image Generation & Processing |
| Vercel Inc. / AWS | USA / Global | Cloud Hosting & Server Infrastructure |
| Stripe Inc. | USA / Global | Payment Processing |
5.2 International Transfers: If a Sub-processor is located outside the EU/EEA (e.g., USA), the Processor ensures compliance through the EU-U.S. Data Privacy Framework or Standard Contractual Clauses (SCCs).
6.1 If a Data Subject (End-user) asserts claims for deletion, correction, or information against the Controller, the Processor shall support the Controller within the scope of its technical possibilities.
6.2 Since the Processor deletes data immediately (Zero Retention), requests for deletion are automatically fulfilled by the system design.
7.1 Amendments to this DPA must be in writing (text form is sufficient).
7.2 Should individual provisions be invalid, the validity of the remainder of the agreement remains unaffected.
7.3 This Agreement is governed by the laws of the Federal Republic of Germany.
Last Updated: January 2025