Data Processing Agreement
DATA PROCESSING AGREEMENT (DPA)
Date: 23 November 2025
Version: 1.3
1. Definitions and Applicability
1.1. This Data Processing Agreement (hereinafter: the "DPA") is an integral part of the Terms and Conditions between the Processor and the party using the Snapsale SaaS service (hereinafter: the "Customer" or the "Data Controller").
1.2. The Customer is the party responsible for the lawful processing of uploaded photos. The Processor is Westcube B.V., operating under the name Snapsale, located at Entrada 100, Amsterdam and registered with the Chamber of Commerce under number 75657457 (hereinafter collectively: the "Processor").
1.3. By agreeing to the Terms and Conditions, the Customer explicitly and irrevocably accepts the provisions of this DPA, thereby legally establishing the agreement between the Parties.
1.4. The terms used in this DPA have the meaning assigned to them in the General Data Protection Regulation (GDPR).
2. Nature, Purpose and Categories of Processing
| Subject | Specification |
|---|---|
| Subject of Processing | Digital editing of photos of real estate (interiors). |
| Duration of Processing | For the duration of the Customer's SaaS licence (subscription). |
| Nature of Processing | Hosting, storing, caching, technical editing (using presets, styles, and LLMs) and making edited photos available for download. |
| Purpose of Processing | Exclusively providing the functionality of the Snapsale SaaS service to the Customer. |
| Categories of Personal Data | Data relating to Real Estate, including interior photos, metadata (e.g., location data upon upload). No special categories of personal data are processed. |
| Categories of Data Subjects | The Customer, employees of the Customer, and potentially third parties whose photos are being processed (e.g., owners/residents of the photographed property). |
3. Obligations of the Processor (Westcube B.V. / Snapsale)
The Processor shall only process personal data according to the written instructions of the Customer, unless a legal provision requires otherwise.
3.1. Confidentiality
The Processor and its personnel shall keep the uploaded photos and the personal data contained therein confidential and shall not process them for purposes other than the performance of the Service.
3.2. Security
The Processor shall implement appropriate technical and organisational measures (TOMs) to protect personal data against loss, unlawful processing, and unauthorised access.
These measures include at minimum:
- Physical and logical access controls
- Pseudonymisation and encryption where appropriate
- Secure data storage within the European Economic Area (EEA)
The measures implemented include in any case:
- Encryption of data in transit (TLS 1.2+) and where possible at rest
- Multi-factor authentication for access to production systems
- Strict role-based access controls (RBAC)
- Logging and monitoring of access attempts
- Periodic security updates and vulnerability scans
- Separation between development, test, and production environments
- Backup policy with encrypted storage within the EEA
3.3. Deletion and Retention Period (Instruction)
The Processor guarantees that:
- Uploaded photos and edited results are stored for a maximum of 7 days after upload or editing.
- After this period, photos are automatically and permanently deleted.
- Backup copies are deleted as soon as the backup schedule overwrites them.
- Log files containing personal data are deleted after no more than 90 days, unless longer retention is necessary for security investigation.
3.4. Data Breaches
The Processor shall notify the Customer without delay upon discovery of a (suspected) data breach. The Customer is responsible for notifications to the Data Protection Authority and Data Subjects.
3.5. Assistance
The Processor provides — where reasonably possible and at a market-rate fee — assistance to the Customer in fulfilling their GDPR obligations.
3.6. Audit and Information Obligation
Upon request, the Processor shall provide all information to demonstrate compliance with the GDPR.
The Customer may conduct (or have conducted) an audit maximum once per year with 14 days' notice, provided this does not unreasonably disrupt business operations.
Costs are borne by the Customer, unless material shortcomings are identified.
3.7. Assistance with DPIAs
The Processor supports the Customer where reasonably possible with DPIAs and prior consultations, insofar as these relate to the Service and its processing activities.
4. Sub-processors
4.1. General Authorisation
The Customer grants general authorisation for the engagement of Sub-processors (such as hosting and LLM models).
4.2. Sub-processors
The Processor concludes written agreements with all Sub-processors with at least the same obligations as this DPA.
4.3. Training Purposes
The Processor guarantees that LLM models and other tooling do not use the photos for training or own purposes.
4.4. Notification of Intended Changes
The Customer is informed about changes to Sub-processors and may object if the change is unreasonably burdensome.
4.5. International Transfers
Personal data is only processed outside the EEA if appropriate safeguards are applied in accordance with GDPR articles 44–49 (such as SCCs).
The Processor informs the Customer in advance of any transfer outside the EEA.
5. Obligations of the Data Controller (Customer)
5.1. The Customer bears ultimate responsibility for the lawful processing of personal data.
5.2. The Customer warrants that the photos and manner of use comply with GDPR and relevant legislation.
5.3. The Customer is responsible for informing Data Subjects.
6. Final Provisions
6.1. Dutch law applies.
6.2. Acceptance of the Snapsale Terms and Conditions means acceptance of this DPA.
6.3. Precedence
In case of conflict between this DPA and the Terms and Conditions, this DPA prevails for privacy and data processing matters.
Last updated: 01-01-2025