Skip to main content
Get A Demo

Data Protection Terms — Cloud Service Evaluation Agreement

These Data Protection Terms ("Data Protection Terms") apply to Evaluators who access Image Analyzer's Service under a Cloud Service Evaluation Agreement (the "Agreement") where the Evaluator submits images, video frames, or other data to the Platform that identify or could identify a living individual and the GDPR or other applicable data protection legislation governs that processing. These Data Protection Terms are incorporated into the Agreement by reference. Capitalised terms not defined here have the meanings given in the Agreement.

Roles

Image Analyzer processes personal data submitted to the Platform as a processor on behalf of the Evaluator. The Evaluator is the controller and determines the purposes and means of processing.

Image Analyzer will process personal data only on the Evaluator's documented instructions, unless required to do so by applicable law. If Image Analyzer is required by law to process personal data other than on the Evaluator's instructions, it will notify the Evaluator before doing so (unless that law prohibits notification).

Processing Details

The Service analyses images and video frames submitted by the Evaluator using Image Analyzer's proprietary AI models. The Service returns a probability score indicating whether the submitted content matches one or more classification categories. Image Analyzer does not store the submitted content. Each image or frame is processed in memory and discarded immediately after the classification result is returned.

The categories of personal data that may be processed include images and video frames containing identifiable individuals (including facial images), images of documents, and any other content from which a living individual could be identified. Where the Service is used for identification purposes, facial images may constitute biometric data and special category data under Article 9 of the GDPR. The Evaluator is responsible for determining whether its use of the Service involves the processing of special category data and for establishing a lawful basis for that processing. Data subjects are the individuals who appear in or are identifiable from the content submitted by the Evaluator.

Processing takes place for the duration of the Evaluation Period and for the purpose of providing the Service. Because Image Analyzer does not retain the submitted content, there is no personal data to delete or return at the end of the Evaluation Period.

Security

Image Analyzer will implement and maintain appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. These measures are proportionate to the nature, scope, and purposes of the processing and the risks to data subjects.

Image Analyzer will ensure that persons authorised to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

Sub-processors

The Evaluator authorises Image Analyzer to engage sub-processors for the purposes of providing the Service. As at the date of these Data Protection Terms, the Platform is hosted on Amazon Web Services (AWS) infrastructure located in the United States.

Image Analyzer will notify the Evaluator before engaging any new sub-processor or replacing an existing one. If the Evaluator objects to a new sub-processor on reasonable data protection grounds, Image Analyzer will work with the Evaluator to find an alternative solution. If no alternative is available, either party may terminate the Agreement on written notice.

Image Analyzer will impose data protection obligations on each sub-processor that are no less protective than those set out in these Data Protection Terms.

International Transfers

The Platform is hosted on infrastructure located in the United States. Where the Evaluator is established in the United Kingdom or the European Economic Area, or the personal data is otherwise subject to the GDPR, the transfer of personal data to the United States is governed by this section.

For transfers subject to the EU GDPR, the parties agree to the Standard Contractual Clauses adopted by the European Commission (Commission Implementing Decision (EU) 2021/914), Module 2 (controller to processor). The Standard Contractual Clauses are incorporated by reference and form part of these Data Protection Terms. In the event of any conflict between the Standard Contractual Clauses and these Data Protection Terms, the Standard Contractual Clauses prevail. For the purposes of Clause 17 of the Standard Contractual Clauses, the Standard Contractual Clauses are governed by the law of Ireland. For the purposes of Clause 18, disputes are resolved before the courts of Ireland.

For transfers subject to the UK GDPR, the parties agree to the UK Addendum to the EU Standard Contractual Clauses (issued by the Information Commissioner under section 119A of the Data Protection Act 2018), which is incorporated by reference and prevails over these Data Protection Terms to the extent of any conflict.

For the purposes of the Standard Contractual Clauses, the Annexes are deemed completed as follows:

(a) Annex I.A (List of Parties): the data exporter is the Evaluator identified in the Schedule to the Agreement; the data importer is Image Analyser Limited as identified in the Schedule to the Agreement; each party's role is as described in the Roles section of these Data Protection Terms;

(b) Annex I.B (Description of Transfer): the categories of data subjects, categories of personal data, sensitive data (if any), frequency of transfer, nature and purpose of processing, and period of retention are as described in the Processing Details section of these Data Protection Terms;

(c) Annex I.C (Competent Supervisory Authority): the Irish Data Protection Commission;

(d) Annex II (Technical and Organisational Measures): as described in the Security section of these Data Protection Terms;

(e) Annex III (List of Sub-processors): as described in the Sub-processors section of these Data Protection Terms.

For the purposes of the UK Addendum, the tables in Part 1 of the UK Addendum are deemed completed as follows: Table 1 (Parties) as per Annex I.A above; Table 2 (Selected SCCs, Modules and Selected Clauses): the EU SCCs Module 2 (controller to processor) as incorporated above; Table 3 (Appendix Information): as per Annexes I to III above; Table 4 (Ending the Addendum when the Approved Addendum changes): either party may end the UK Addendum as set out in section 19 of the UK Addendum.

Where a sub-processor is certified under the EU-US Data Privacy Framework (or the UK Extension to it), that certification may serve as the transfer mechanism for personal data processed by that sub-processor, to the extent permitted by applicable law.

Breach Notification

Image Analyzer will notify the Evaluator without undue delay after becoming aware of a personal data breach affecting personal data processed under these Data Protection Terms. The notification will include the nature of the breach, the categories and approximate number of data subjects affected, the likely consequences, and the measures taken or proposed to address it.

Image Analyzer will cooperate with the Evaluator and provide reasonable assistance to help the Evaluator meet its own breach notification obligations under applicable data protection legislation.

Data Subject Rights

Image Analyzer will assist the Evaluator in responding to requests from data subjects exercising their rights under applicable data protection legislation, to the extent that the Evaluator is unable to respond to such requests independently using the functionality of the Service.

Image Analyzer will provide reasonable assistance to the Evaluator in carrying out data protection impact assessments and prior consultations with supervisory authorities, in each case to the extent that the Evaluator requires such assistance and the assessment or consultation relates to the processing carried out under these Data Protection Terms.

Audit

Image Analyzer will make available to the Evaluator the information reasonably necessary to demonstrate compliance with these Data Protection Terms. On reasonable notice (and no more than once in any twelve-month period), Image Analyzer will allow and contribute to audits or inspections conducted by the Evaluator or an independent auditor appointed by the Evaluator, provided that the auditor is bound by confidentiality obligations acceptable to Image Analyzer. Audits are conducted at the Evaluator’s cost unless the audit reveals a material breach of these Data Protection Terms by Image Analyzer.

Moving to Production

If the Evaluator moves to production deployment, the parties will enter into a data processing agreement appropriate to the nature and scale of the production processing. That agreement will supersede these Data Protection Terms.

General

These Data Protection Terms are governed by the governing law stated in the Agreement.