Data Processing Agreement (DPA)
1. Parties and Roles
Controller: The Merchant who has entered into the Master B2B SaaS Agreement with Anproba GmbH.
Processor: Anproba GmbH, Bremen, Germany.
This DPA forms part of and supplements the Master B2B SaaS Terms of Service between the parties. In the event of conflict between this DPA and the Master Terms, this DPA takes precedence with respect to data protection matters.
2. Subject Matter and Duration
The subject matter of the processing is: generating Digital Twin Payloads (DTPv3) for the purpose of virtual garment try-on on the Merchant's platform. The duration of processing is the term of the Master B2B SaaS Agreement.
3. Nature and Purpose of Processing
Anproba processes personal data on behalf of the Merchant for the sole purpose of providing the Virtual Try-On service. Processing activities include: (a) receiving and processing consumer body images via Module B; (b) generating and encrypting DTPv3 payloads; (c) storing encrypted payloads in AWS S3; (d) providing DTPv3 decryption to the consumer's own device via Module C; (e) generating sizing recommendations via SIEv1.
4. Type of Personal Data and Categories of Data Subjects
Type of personal data: Biometric data (body images, derived 3D body mesh — GDPR Article 9 special category), device identifiers, session data, consent timestamps.
Categories of data subjects: End consumers of the Merchant's e-commerce platform who have opted in to the Virtual Try-On feature.
5. Processor Obligations (Art. 28(3) GDPR)
Anproba, as Processor, shall:
- Process personal data only on documented instructions from the Controller (the Merchant), unless required to do so by Union or Member State law.
- Ensure that all personnel authorised to process personal data are bound by confidentiality obligations.
- Implement appropriate technical and organisational security measures (TOMs) as described in Annex 2.
- Not engage sub-processors without prior specific or general written consent of the Controller. Current sub-processors are listed in Annex 3.
- Taking into account the nature of the processing, assist the Controller in fulfilling obligations to respond to data subject requests under Arts. 15–22 GDPR.
- Assist the Controller in ensuring compliance with Arts. 32–36 GDPR, including security obligations, breach notification, and DPIAs.
- Upon termination, delete or return all personal data, at the Controller's choice, and delete existing copies unless EU or Member State law requires storage.
- Make available to the Controller all information necessary to demonstrate compliance with Art. 28 GDPR and allow for and contribute to audits.
6. Technical and Organisational Measures (Annex 2)
Anproba implements the following TOMs:
- Encryption at rest: AES-256-GCM with per-user AWS KMS Customer Managed Keys (CMKs). The key never leaves KMS.
- Encryption in transit: TLS 1.3 minimum for all data in motion.
- Access control: Role-based access control (RBAC); MFA required for admin access; principle of least privilege enforced.
- Network isolation: Module B biometric enclave runs in a dedicated VPC subnet with no outbound internet access except to an explicit allowlist.
- Logging and monitoring: AWS CloudTrail, CloudWatch, and application audit logs retained for 7 years in append-only (WORM) storage.
- Vulnerability management: Snyk and Trivy scans on every CI build; annual penetration testing by an independent third party.
- Incident response: Documented incident response procedure; breach notification to Controller within 72 hours of awareness.
- Data minimisation: Master photographs deleted 30 days after DTPv3 generation.
- No AI training: Contractual prohibition on using consumer data for model training.
7. Sub-Processors (Annex 3)
- Amazon Web Services EMEA SARL — Infrastructure, S3 storage, KMS, CloudFront CDN — Processing location: EU (Frankfurt, eu-central-1) + EU (Ireland, eu-west-1)
- Stripe Payments Europe, Ltd. — Payment processing — Processing location: EU
- Clerk, Inc. — Authentication and identity management — SCCs in place
Anproba will notify the Controller of any intended changes to sub-processors at least 30 days in advance. The Controller may object within this period.
8. International Transfers
All personal data is processed within the European Economic Area. No personal data is transferred to third countries without adequate safeguards. Where sub-processors are based outside the EEA, Standard Contractual Clauses (EU SCCs, 2021 version) are in place.
9. Governing Law
This DPA is governed by German law. Disputes are subject to the exclusive jurisdiction of the courts of Bremen, Germany.
10. Contact
Data protection enquiries: privacy@anproba.de