Data Processing Agreement
This Data Processing Agreement ("DPA") forms part of the Terms of Service between TAILORED. Systems GmbH ("Processor") and the customer entity ("Controller") and reflects the requirements of Art. 28 GDPR.
1 · Subject-matter and duration
The Processor processes product images, associated metadata, and account data solely to provide the virtual try-on service. Processing continues for the duration of the customer's active subscription and ceases on termination or expiry of the agreement.
2 · Nature and purpose of processing
Storage of uploaded product images, generation of synthetic try-on images, delivery of generated outputs to the Controller, and provision of workspace-management features. No processing is performed for any purpose other than service delivery to the Controller.
3 · Types of personal data and categories of data subjects
The data processed may include product images which could incidentally contain personal data (e.g. stylist photographs), as well as account information of the Controller's authorised users (name, e-mail address). All model images used in generation are AI-generated and contain no data relating to identifiable natural persons.
4 · Processor obligations
The Processor shall: (a) process personal data only on documented instructions from the Controller; (b) ensure that authorised personnel are bound by confidentiality; (c) implement appropriate technical and organisational security measures (Art. 32 GDPR); (d) assist the Controller in fulfilling obligations regarding data-subject requests, breach notification, and data protection impact assessments; (e) at the end of the service, delete or return all personal data and delete existing copies unless EU law requires storage.
5 · Sub-processing
The Controller grants general authorisation for the sub-processors listed at /subprocessors. The Processor will notify the Controller at least 30 days before adding or replacing a sub-processor. If the Controller objects, it may terminate the agreement within that notice period.
6 · International transfers
No transfers of personal data outside the EU/EEA take place. All processing, storage, and generation infrastructure operates exclusively within EU member states.
7 · Technical and organisational measures
Encryption of data in transit (TLS 1.2+) and at rest (AES-256), least-privilege access controls, audit logging, strict tenant isolation, regular review and testing of TOMs, and documented incident-response procedures.
8 · Audit rights
The Controller may audit compliance with this DPA by written request with 30 days' notice. Audits are conducted at the Controller's cost and are limited to once per calendar year unless a breach is suspected.
Last updated 12 May 2026 · TAILORED. Systems GmbH, München