Data Processing Agreement

“Biometric Data” means any data generated from the automated processing of an individual’s physical characteristics for the purpose of uniquely identifying that individual, including but not limited to: facial geometry, facial feature vectors (embeddings), face templates, and any mathematical representations derived from facial images. This includes data classified as “biometric identifiers” or “biometric information” under Applicable Biometric Laws.

“Applicable Biometric Laws” means all laws, regulations, and requirements relating to the collection, use, storage, retention, disclosure, and destruction of Biometric Data, including but not limited to:

• Illinois Biometric Information Privacy Act, 740 ILCS 14 (BIPA)
• Texas Capture or Use of Biometric Identifier Act, Tex. Bus. & Com. Code Ann. § 503.001 (CUBI)
• Washington Biometric Identifier statute, RCW 19.375
• California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq. (CCPA/CPRA)
• EU General Data Protection Regulation 2016/679 (GDPR)
• UK General Data Protection Regulation (UK GDPR)
• Colorado Privacy Act (CPA), Connecticut Data Privacy Act (CTDPA), Virginia Consumer Data Protection Act (VCDPA), and any other U.S. state privacy law regulating biometric data

“Controller” means the Client, which determines the purposes and means of processing Personal Data and Biometric Data.

“Data Subject” means any identified or identifiable natural person whose Personal Data or Biometric Data is processed under this DPA, including but not limited to athletes, team members, coaches, staff, event attendees, and any other individuals appearing in photographs uploaded to the GalleryID platform.

“Face Embedding” means a numerical vector generated from a facial image using machine learning models, which represents facial geometry as a mathematical representation for the purpose of facial comparison and matching.

“Facial Recognition Processing” means the automated processing of photographic images to detect faces, generate Face Embeddings, perform facial comparison against indexed reference images (headshots), and return match results for human review.

“Personal Data” means any information relating to an identified or identifiable natural person, as defined under applicable data protection laws.

“Processing” means any operation performed on Personal Data or Biometric Data, including collection, recording, storage, retrieval, use, comparison, matching, transmission, and deletion.

“Processor” means GalleryID, which processes Personal Data and Biometric Data solely on behalf of and under the instructions of the Controller.

“Sub-processor” means any third party engaged by GalleryID to process Personal Data or Biometric Data on behalf of the Controller.

2.1 Processing Activities. GalleryID provides AI-powered sports photography identification services. In connection with these services, GalleryID performs the following processing activities on behalf of the Controller:

• Face Detection: Automated detection of faces within uploaded photographs using industry-standard neural network models.
• Embedding Generation: Generation of Face Embeddings from detected faces using facial recognition models.
• Face Matching: Comparison of generated Face Embeddings against Controller-uploaded reference headshots using vector similarity search.
• Jersey Number Recognition: Optical character recognition (OCR) of jersey numbers in photographs.
• Match Result Storage: Storage of face match results for Controller review and action.
• XMP Metadata Writing: Writing approved person names into photograph metadata upon download.

2.2 Processor Role. GalleryID acts solely as a Processor of Personal Data and Biometric Data. GalleryID processes such data only on behalf of and in accordance with the documented instructions of the Controller. GalleryID does not determine the purposes or means of processing. GalleryID shall not process Personal Data or Biometric Data for any purpose other than providing the services described in the Service Agreement and this DPA.

2.3 No Training on Client Data. GalleryID does not and will not use Client’s Personal Data, Biometric Data, photographs, Face Embeddings, or any other Client content to train, improve, develop, or enhance GalleryID’s machine learning models, algorithms, or any other technology. The machine learning models used by GalleryID are pre-trained models that are not modified or retrained using Client data. Client data is processed solely for the purpose of delivering the contracted services to the Controller.

3.1 Notice Requirements. Before uploading any photographs or headshots to the GalleryID platform for Facial Recognition Processing, the Client shall:

• Provide legally adequate written notices to all Data Subjects whose photographs or headshots will be processed, informing them that:
  • Their facial geometry will be captured and converted into Face Embeddings
  • SmartLink Basics, LLC d/b/a GalleryID serves as the service provider performing such processing
  • The specific purpose of such processing (identification in sports photographs)
  • The retention schedule for Biometric Data (as described in Section 5)
  • Their rights regarding such data (as described in Section 7)
• Obtain informed, written consent from each Data Subject (or, for minors, from a parent or legal guardian) prior to the collection and processing of their Biometric Data, where required by Applicable Biometric Laws.
• Obtain explicit consent under GDPR Article 9(2)(a) where the Data Subject is located in the European Economic Area, United Kingdom, or Switzerland, or where EU/UK GDPR otherwise applies.
• Maintain records of all notices provided and consents obtained, and make such records available to GalleryID upon reasonable request.

3.2 Compliance Responsibility. The Client is solely responsible for determining whether Applicable Biometric Laws apply to its use of the GalleryID platform, and for ensuring full compliance with all such laws. GalleryID does not provide legal advice regarding the Client’s compliance obligations. Clients who fail to meet the requirements of this Section 3 may not use the Facial Recognition Processing features of the GalleryID platform.

3.3 Minors. Where Data Subjects include minors (individuals under the age of 18, or such other age as defined by applicable law), the Client shall obtain verifiable parental or guardian consent before uploading headshots or photographs of such minors for Facial Recognition Processing. The Client shall maintain records of such consent and provide them to GalleryID upon request.

4.1 Technical Measures. GalleryID implements and maintains appropriate technical and organizational measures to protect Personal Data and Biometric Data, including:

• Encryption in transit: All data transmitted between the Client and GalleryID infrastructure is encrypted using industry-standard transport layer encryption (TLS 1.2 or higher).
• Encryption at rest: All stored data, including Face Embeddings, is encrypted at rest using industry-standard encryption algorithms.
• Access controls: Multi-tenant architecture with database-level tenant isolation ensuring no Client can access another Client’s data.
• Authentication: Token-based authentication with tenant identity derived from verified credentials.
• Infrastructure isolation: Processing infrastructure is hosted on dedicated servers with restricted access.
• Embedding storage: Face Embeddings are stored as numerical vectors referenced by internal identifiers only, and do not contain personally identifiable information without cross-reference to Client-controlled data.

4.2 Organizational Measures.

• All personnel with access to Biometric Data are bound by written confidentiality obligations.
• Access to production systems is limited to authorized personnel on a need-to-know basis.
• Security practices are reviewed and updated at least annually.

5.1 Retention Policy. GalleryID retains Personal Data and Biometric Data only for as long as necessary to provide the contracted services to the Controller:

• Headshot Face Embeddings: Retained for the duration of the headshot’s existence in the Client’s account. Automatically deleted when the Client deletes the corresponding headshot from the platform.
• Photo Face Detections: Face detection data and match results are retained for the duration of the associated photograph’s existence in the Client’s account.
• Match Results: Retained until the Client deletes the associated photograph or gallery, or until account termination.

5.2 Deletion Upon Headshot Removal. When a Client deletes a headshot from the GalleryID platform, GalleryID shall delete the associated Face Embedding and all related Biometric Data within 30 days. This includes deletion from:

• The GalleryID PostgreSQL database (pgvector embedding and people records)
• Any backup systems within 90 days of the deletion request
• Any third-party infrastructure where such data may be stored (see Section 5.3)

5.3 Deletion from Third-Party Infrastructure. Where GalleryID utilizes third-party infrastructure (including but not limited to cloud storage providers) that stores any data associated with Biometric Data processing, GalleryID shall ensure such data is deleted in accordance with Section 5.2, even where such third-party systems store only non-identifying reference identifiers (UUIDs) associated with such Biometric Data.

5.4 Account Termination. Upon termination of the Service Agreement or the Client’s account, GalleryID shall:

• Delete or return all Personal Data and Biometric Data within 90 days of termination, at the Client’s election.
• Provide written certification of deletion upon Client request.
• Retain no copies of Biometric Data except where required by applicable law, in which case GalleryID shall notify the Client of such requirement and limit processing to storage and legal compliance only.

6.1 Authorized Sub-processors. The Client provides general authorization for GalleryID to engage Sub-processors for the processing of Personal Data and Biometric Data. A current list of Sub-processors is available upon written request to privacy@galleryid.ai.

6.2 Sub-processor Requirements. Before engaging any Sub-processor that will process Personal Data or Biometric Data, GalleryID shall:

• Enter into a written agreement with the Sub-processor imposing data protection obligations no less protective than those set out in this DPA.
• Ensure the Sub-processor provides sufficient guarantees to implement appropriate technical and organizational measures.
• Remain fully liable for the acts and omissions of its Sub-processors with respect to the processing of Personal Data and Biometric Data.

6.3 Notice of Changes. GalleryID shall provide the Client with at least 30 days’ prior written notice before engaging a new Sub-processor or replacing an existing Sub-processor. The Client may object to a new Sub-processor by providing written notice within 30 days of receipt of such notice. If the parties cannot resolve the objection within 30 days, the Client may terminate the affected services without penalty.

7.1 Client Responsibility. The Client, as Controller, is responsible for responding to Data Subject requests exercising rights under applicable data protection laws, including rights of access, rectification, erasure, restriction, portability, and objection.

7.2 GalleryID Assistance. GalleryID shall, taking into account the nature of the processing:

• Assist the Client by appropriate technical and organizational measures for the fulfillment of the Client’s obligation to respond to Data Subject requests.
• Promptly forward to the Client any Data Subject requests received directly by GalleryID, without responding to the Data Subject directly unless instructed by the Client.
• Provide the Client with tools to delete headshots, Face Embeddings, and associated Biometric Data through the GalleryID platform interface.

7.3 Direct Notification to GalleryID. If a Data Subject contacts GalleryID directly with a request to delete their Biometric Data, and the Data Subject can be verified, GalleryID shall: (a) notify the relevant Client within 24 hours, and (b) if the Client does not respond or provide contrary instructions within 48 hours, GalleryID shall proceed to delete the identified Biometric Data to comply with applicable law.

8.1 Notification Timeline. GalleryID shall notify the Client without undue delay, and in any event within 48 hours, after becoming aware of any Security Incident involving unauthorized access to, or unauthorized or unlawful processing, loss, destruction, or damage to, Personal Data or Biometric Data processed under this DPA.

8.2 Notification Content. The notification shall include, to the extent reasonably available:

• The nature of the Security Incident, including the categories and approximate number of Data Subjects and data records affected.
• The name and contact details of GalleryID’s designated point of contact.
• A description of the likely consequences of the Security Incident.
• A description of the measures taken or proposed to address the Security Incident, including measures to mitigate its possible adverse effects.

8.3 Cooperation. GalleryID shall cooperate with the Client and take reasonable steps to assist in the investigation, mitigation, and remediation of any Security Incident. GalleryID shall not notify any Data Subject directly about a Security Incident without the Client’s prior written consent, except where required by applicable law.

9.1 Data Location. Client data is processed and stored on servers located in the United States. The Client’s use of GalleryID services constitutes consent to the transfer of data to the United States.

9.2 Transfer Mechanisms. For transfers of Personal Data or Biometric Data from the European Economic Area, United Kingdom, or Switzerland to the United States, the parties agree to be bound by the EU Standard Contractual Clauses (Module Two: Controller-to-Processor), as approved by the European Commission Decision 2021/914, which are incorporated by reference into this DPA. The UK International Data Transfer Addendum shall apply for UK-originated transfers.

9.3 Supplementary Measures. GalleryID implements supplementary technical measures to protect transferred data, including encryption in transit and at rest, access controls, and audit logging, in accordance with the recommendations of the European Data Protection Board.

10.1 Audit Rights. Upon reasonable written request (not more than once per calendar year unless required by a data protection authority or following a Security Incident), the Client may audit GalleryID’s compliance with this DPA. GalleryID shall make available all information reasonably necessary to demonstrate compliance and shall allow for and contribute to audits conducted by the Client or a qualified third-party auditor.

10.2 Data Protection Impact Assessments. GalleryID shall provide reasonable assistance to the Client in conducting Data Protection Impact Assessments (DPIAs) and prior consultations with supervisory authorities, to the extent required under applicable data protection laws, taking into account the nature of the processing and the information available to GalleryID.

11.1 Liability Cap. THE AGGREGATE LIABILITY OF GALLERYID UNDER OR IN CONNECTION WITH THIS DPA SHALL NOT EXCEED THE TOTAL FEES PAID BY THE CLIENT TO GALLERYID DURING THE TWELVE (12) MONTHS IMMEDIATELY PRECEDING THE EVENT GIVING RISE TO THE CLAIM.

11.2 Exclusion of Damages. IN NO EVENT SHALL GALLERYID BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES, INCLUDING BUT NOT LIMITED TO LOSS OF PROFITS, REVENUE, DATA, GOODWILL, OR BUSINESS OPPORTUNITY, ARISING OUT OF OR RELATED TO THIS DPA, REGARDLESS OF THE THEORY OF LIABILITY.

11.3 Exceptions. The limitations in Sections 11.1 and 11.2 shall not apply to: (a) either party’s indemnification obligations under Section 12; (b) liability arising from gross negligence or willful misconduct; or (c) liability that cannot be limited under applicable law.

12.1 Client Indemnification of GalleryID. The Client shall defend, indemnify, and hold harmless GalleryID, its affiliates, officers, directors, employees, and agents from and against any and all claims, damages, losses, liabilities, penalties, fines, costs, and expenses (including reasonable attorneys’ fees) arising out of or relating to:

• The Client’s failure to provide legally adequate notices to Data Subjects as required by Section 3.
• The Client’s failure to obtain required consents from Data Subjects as required by Section 3.
• The Client’s failure to comply with Applicable Biometric Laws.
• The Client’s breach of this DPA or the Service Agreement.
• Any Data Subject claim arising from the Client’s use of the GalleryID platform, except to the extent such claim arises directly from GalleryID’s breach of this DPA.

12.2 GalleryID Indemnification of Client. GalleryID shall defend, indemnify, and hold harmless the Client from and against any claims, damages, losses, liabilities, and reasonable costs arising directly from GalleryID’s breach of its obligations under this DPA, including but not limited to: (a) unauthorized processing of Personal Data or Biometric Data beyond the Client’s documented instructions; (b) failure to implement the security measures described in Section 4; or (c) failure to delete data as required by Section 5.

This DPA shall remain in effect for the duration of the Service Agreement. Upon termination of the Service Agreement, the provisions of this DPA relating to data deletion (Section 5), confidentiality, indemnification (Section 12), and limitation of liability (Section 11) shall survive.

14.1 Governing Law. This DPA shall be governed by and construed in accordance with the laws of the State of Oregon, without regard to its conflict of laws principles. For Data Subjects located in the European Economic Area, the provisions of the GDPR shall apply as mandatory law regardless of the governing law chosen.

14.2 Amendments. GalleryID may update this DPA from time to time to reflect changes in applicable law, regulatory guidance, or GalleryID’s processing activities. GalleryID shall provide the Client with at least 30 days’ notice of material changes. Continued use of the GalleryID platform after the effective date of such changes constitutes acceptance of the updated DPA.

14.3 Entire Agreement. This DPA, together with the Service Agreement and any applicable Standard Contractual Clauses, constitutes the entire agreement between the parties with respect to the processing of Personal Data and Biometric Data, and supersedes all prior or contemporaneous agreements on the subject matter.

14.4 Severability. If any provision of this DPA is held to be invalid or unenforceable, the remaining provisions shall continue in full force and effect.

14.5 No Waiver. The failure of either party to enforce any provision of this DPA shall not constitute a waiver of such provision or the right to enforce it at a later time.