Records of Processing Activities

This document is the consolidated Record of Processing Activities (“RoPA”) maintained by TriPrism, Inc. doing business as PhotoTouch, Inc. (“TriPrism”) under Article 30 of the EU General Data Protection Regulation (GDPR) and equivalent provisions of the UK GDPR.

TriPrism acts in two distinct capacities: as a controller of photographer-account data (Art. 30(1)) and as a processor of customer-side data on behalf of each photographer (Art. 30(2)). The two records are presented separately below.

Document Metadata

Controller Record — GDPR Art. 30(1)

TriPrism is the controller of personal data relating to photographer accounts and platform operations.

Processing Activities (Controller Record)

Version	1.0
Effective Date	June 1, 2026
Next Review Due	June 1, 2027 (annual cadence)
Document Owner	Director of Engineering (security@triprism.com)
DPO Appointment	Not appointed. No DPO appointed — Art. 37(1) thresholds not met (we do not engage in large-scale processing of special categories of data, and our core activities do not require regular and systematic monitoring of data subjects on a large scale). Named contact for data protection matters: security@triprism.com.
Supervisory Authority	TriPrism is established in the United States and does not have a lead EU supervisory authority. EU/EEA data subjects may contact their local supervisory authority. Requests from supervisory authorities should be directed to security@triprism.com.

Controller Name	TriPrism, Inc. dba PhotoTouch, Inc.
Address	San Diego, California, United States
Contact	security@triprism.com
EU Representative	Not appointed.

PA-01 Photographer Account Management

Creation, authentication, configuration, and administration of photographer accounts and sub-user accounts on the PhotoTouch platform.

Data Subjects	Photographer account owners Photographer sub-users (managers, location staff, customer service, finance, regional/area roles)
Personal Data Categories	Account contact details (name, email, phone, mailing address) Authentication credentials (one-way hashed passwords, 2FA secrets) Role and permission assignments Sub-user activity logs
Lawful Basis	Art. 6(1)(b) performance of contract (Terms of Use); Art. 6(1)(f) legitimate interests (account security and access control)
Purposes	Provide platform access to authorised photographer personnel Enforce role-based and geographic access controls Maintain account configuration and billing context
Recipients	Liquid Web (infrastructure hosting — United States) SendGrid (account email delivery) See /legal/subprocessors for the full Tier 1 platform list
International Transfers	United States: Hosted in the United States. EU/UK/Swiss transfers covered by Standard Contractual Clauses and the EU–U.S. Data Privacy Framework where applicable, per /legal/dpa §8.
Retention	Active for the life of the account. Upon account closure: 90 days for reactivation, then permanent deletion from production systems. Audit log references retained for 7 years per /legal/privacy §4.
Security Measures	TLS 1.2+ in transit AES-256 at rest Role-based access control (RBAC) with three-tier (R/W/X) permissions 2FA available; mandatory for TriPrism administrators See /legal/security §2 (Application Security) and §3 (Operational Security)

PA-02 Platform Billing

Generation, delivery, and reconciliation of subscription invoices and platform usage charges to photographer accounts.

Data Subjects	Photographer account owners Photographer billing contacts
Personal Data Categories	Billing contact details Invoice line items and totals Payment instrument tokens (no full card numbers stored on the platform) Payment history and ledger entries
Lawful Basis	Art. 6(1)(b) performance of contract; Art. 6(1)(c) legal obligation (tax and accounting record-keeping)
Purposes	Bill photographers for subscription and usage Maintain accounting records Reconcile payments to invoices
Recipients	Stripe (card storage and charge — payment processor, United States) PayPal (alternative payment processor, United States) Intuit / QuickBooks Online (accounting system of record for invoice and payment posting — United States) See /legal/subprocessors for the platform recipient list
International Transfers	United States: All recipients are United States entities. Card data is handled by PCI Level 1 certified processors; the platform stores only payment tokens. Accounting transfers to Intuit are covered by their data processing terms.
Retention	Invoice and payment records retained for 7 years to support tax and accounting obligations, consistent with /legal/privacy §4 (Audit Logs) and applicable tax law.
Security Measures	No card numbers stored on the platform — payment data delegated to PCI Level 1 certified processors Webhook signature verification on inbound payment notifications (Stripe, PayPal IPN with dedup ledger) Transaction and idempotency controls on billing writes See /legal/security §2 and §5

PA-03 Platform Security & Audit

Collection and retention of audit logs, access records, security telemetry, and incident artifacts to detect, investigate, and respond to security events.

Data Subjects	Photographer account owners Photographer sub-users TriPrism administrators Visitors who interact with authenticated platform endpoints
Personal Data Categories	Audit log records (who, what, when, where, outcome, risk classification) IP addresses and user-agent strings Authentication events (login, logout, failed attempts, MFA challenges) Administrative action history Security incident records
Lawful Basis	Art. 6(1)(f) legitimate interests (platform security, fraud prevention, accountability); Art. 6(1)(c) legal obligation where audit retention is required by contract or regulation
Purposes	Detect and investigate unauthorised access Support SOC 2-aligned access reviews and audit-log reviews Provide per-tenant activity visibility to photographer administrators Maintain a tamper-evident record of administrative activity
Recipients	Internal TriPrism security and operations personnel under least-privilege controls External auditors under NDA during attestation engagements Law enforcement only where compelled by valid legal process
International Transfers	United States: Logs are stored within the United States hosting region. No third-party log forwarding to non-US recipients in the default configuration.
Retention	Audit logs retained for a minimum of 7 years per /legal/privacy §4 and /legal/security §3. Security incident records retained for the life of the affected account plus 7 years.
Security Measures	Append-only audit log surface (admin and per-tenant) Risk-based classification with automated alerts for elevated/critical events See /legal/security §3 (Operational Security) and §4 (Incident Response)

PA-04 Platform Communications to Photographers

Account-level transactional and operational emails sent to photographers — service alerts, invoice notifications, password resets, security advisories, release notes, and system messages.

Data Subjects	Photographer account owners Photographer billing and notification contacts
Personal Data Categories	Account email addresses Communication preferences and suppression state Message delivery event history (sent, delivered, bounced, complaint)
Lawful Basis	Art. 6(1)(b) performance of contract (service operation); Art. 6(1)(f) legitimate interests (operational notice)
Purposes	Deliver transactional service notices Alert account owners to security or billing events Communicate platform release notes and operational status
Recipients	SendGrid (email delivery — United States) Twilio (SMS for security alerts, where opted in — United States) See /legal/subprocessors Tier 1
International Transfers	United States: SendGrid and Twilio are United States providers. EU/UK/Swiss data covered by their published transfer safeguards.
Retention	Delivery event records retained for 7 years to support audit-log review and deliverability investigations. Suppression list entries retained for the life of the account.
Security Measures	SPF / DKIM / DMARC configured on outbound domains Webhook signature verification on inbound delivery events Suppression list enforcement (bounce, complaint, opt-out) See /legal/security §5

PA-05 SOC 2 Compliance Operations

Operation of the compliance review programme — periodic access reviews, audit-log reviews, credential rotation reviews, platform integration audits, incident response drills, and policy review cadences.

Data Subjects	Photographer sub-users (subject to access review) TriPrism administrators Reviewers assigned to compliance tasks
Personal Data Categories	Access review evidence (who has what permission) Credential rotation logs Vulnerability scan results and remediation tracking Compliance review records (who reviewed, when, outcome) Incident response exercise artifacts
Lawful Basis	Art. 6(1)(f) legitimate interests (compliance and accountability); Art. 6(1)(c) legal obligation where reviews are required by regulation or contract
Purposes	Maintain SOC 2-aligned controls Demonstrate periodic review to auditors and regulators Drive remediation of identified findings
Recipients	Internal TriPrism compliance and engineering personnel External auditors under NDA during attestation engagements
International Transfers	United States: All compliance records are stored in the United States hosting region.
Retention	Compliance review records retained for 7 years to support SOC 2 reporting and audit history.
Security Measures	Compliance reviews tracked in the platform with SLA-based overdue alerts Access-review evidence drawn directly from the live ACL system See /legal/security §3 (Operational Security)

Processor Record — GDPR Art. 30(2)

TriPrism processes customer-side personal data on behalf of each photographer, who is the controller for that data. Detailed processor terms are in our Data Processing Agreement (admin.findyourpictures.com/legal/dpa).

Processing Activities (Processor Record)

Processor Name	TriPrism, Inc. dba PhotoTouch, Inc.
Address	San Diego, California, United States
Contact	security@triprism.com
Controllers Served	Each photographer account using the platform is an independent controller of the personal data it processes through PhotoTouch. The current list of controllers is maintained internally and is identifiable to supervisory authorities on request under Art. 30(2)(a).

PA-P1 Customer Gallery Hosting & Delivery

Hosting customer photographs and delivering them to authorised end-users via code-based gallery access, signed URLs, and download mechanisms configured by the photographer.

Data Subjects	Customers of photographers Parents and guardians Students and athletes Event attendees
Personal Data Categories	Photographs and image metadata Photo access codes and gallery credentials Email addresses (where used for gallery access) IP addresses and access timestamps (for security and audit)
Lawful Basis	Determined by the controller (photographer). Typically Art. 6(1)(b) performance of contract between the photographer and the customer, or Art. 6(1)(a) consent for marketing-driven delivery.
Purposes	Deliver galleries to customers as instructed by the photographer Enforce gallery access controls (codes, email allowlists) Audit gallery access for security
Recipients	Liquid Web (S3-compatible object storage — United States) Rackspace Cloud Files (secondary/legacy storage — United States) See /legal/subprocessors Tier 1
International Transfers	United States: EU/UK/Swiss transfers covered by SCCs and DPF where applicable, per /legal/dpa §8.
Retention	Controlled by the photographer via platform retention settings. Default: indefinite while the photographer account is active; 90 days after account closure. See /legal/privacy §4.
Security Measures	TLS 1.2+ in transit AES-256 at rest Signed URL access with configurable expiry Optional email allowlist enforcement on gallery codes See /legal/security §1–§2

PA-P2 Order Processing & Fulfilment

Acceptance of customer orders for prints, digital downloads, and related products on behalf of photographers; capture of payment via the photographer-configured processor; coordination of fulfilment.

Data Subjects	Customers placing orders Recipients of shipped products (where different)
Personal Data Categories	Order contact and shipping details (name, email, phone, address) Order line items Payment tokens (no full card numbers stored) Order status and fulfilment history
Lawful Basis	Determined by the controller. Typically Art. 6(1)(b) performance of contract between the photographer and the customer.
Purposes	Process customer orders on behalf of the photographer Capture payment via the controller-selected processor Coordinate fulfilment (digital delivery or print routing)
Recipients	Stripe, PayPal, WorldPay, NAB (Tier 2 opt-in payment processors per /legal/subprocessors) TaxJar (sales-tax calculation, where enabled) Photographer-configured print labs and fulfilment partners (controller-configured integrations are not TriPrism sub-processors — see /legal/dpa §5)
International Transfers	United States: United States hosting region. SCCs / DPF where applicable for EU/UK/Swiss data. Photographer-configured (varies): Controller-configured integrations operate under the controller's own transfer safeguards. TriPrism is not a sub-processor for these flows.
Retention	Order records retained while the photographer account is active. Tax-relevant records retained for 7 years where required by applicable law.
Security Measures	No card numbers stored on the platform Webhook signature verification on all payment provider callbacks CSRF protection and parameterised queries on order-write paths See /legal/security §2

PA-P3 Customer-Facing Email & SMS Dispatch

Queueing and delivery of customer-facing email and SMS messages on behalf of the photographer — gallery invitations, order confirmations, reminders, and marketing campaigns (where the controller has obtained consent).

Data Subjects	Customers of photographers Parents and guardians Event attendees who provided contact details
Personal Data Categories	Email addresses and phone numbers Message content and templates Delivery event history (sent, delivered, bounced, opened, clicked, complained) Suppression state (bounce, complaint, opt-out, STOP)
Lawful Basis	Determined by the controller. Transactional dispatch typically Art. 6(1)(b); marketing dispatch typically Art. 6(1)(a) consent, with the controller responsible for obtaining and recording consent.
Purposes	Deliver controller-authored messages to customers Maintain suppression and bounce-list integrity Provide deliverability analytics to the controller
Recipients	SendGrid (email delivery — United States) Twilio (SMS delivery — United States) CellCast (alternative SMS provider — Tier 2 opt-in)
International Transfers	United States: Provider transfer safeguards apply; SCCs / DPF where applicable.
Retention	Message metadata retained for 7 years to support deliverability investigations and audit. Message body content retained per the controller's retention configuration.
Security Measures	SPF / DKIM / DMARC on outbound domains Automatic suppression list management (bounce, complaint, opt-out, STOP) CAN-SPAM auto-footer and one-click unsubscribe See /legal/security §5

PA-P4 Event Registration Data Capture

Collection and storage of subject registration data (student rosters, athlete lists, attendee details) provided to the photographer at events, used to organise galleries and route deliveries.

Data Subjects	Students Athletes Event attendees Parents and guardians of minor data subjects
Personal Data Categories	Names School / team / group affiliations Email addresses Phone numbers Photo identifiers and assignment data Where collected by the controller: grade level, classroom, or roster metadata
Lawful Basis	Determined by the controller. Typically Art. 6(1)(b) performance of contract or Art. 6(1)(f) legitimate interests of the photographer; consent from parents/guardians where required for minors.
Purposes	Organise photographs by subject for gallery delivery Route order delivery to the correct recipient Support photographer reporting and customer service
Recipients	Liquid Web (storage) No third-party recipients in the default configuration. Photographer-configured integrations may receive subsets of this data under controller direction.
International Transfers	United States: Hosted in the United States.
Retention	Controlled by the photographer. The platform provides automatic PII redaction options (incognito mode) and configurable retention windows. See /legal/privacy §4.
Security Measures	RBAC scopes registration data to authorised photographer users Optional incognito mode auto-purges PII after a configurable window See /legal/security §2 and §3

PA-P5 Model Release Consent Capture & Storage

Capture, storage, and revocation of digital model-release consents signed by customers (or parents/guardians for minors) authorising the photographer's use of images.

Data Subjects	Customers who sign a model release Parents and guardians who sign on behalf of minors Subjects identified in the release
Personal Data Categories	Names and email addresses Signature timestamps and IP addresses Photo codes and image identifiers covered by the release Release scope and campaign identifiers Revocation timestamps where the customer has revoked
Lawful Basis	Art. 6(1)(a) consent (model release is a consent record).
Purposes	Maintain a tamper-evident record of consent for the photographer Apply the release to matching images Honour revocation when the customer withdraws consent
Recipients	Internal storage only — model release records are not shared with sub-processors beyond hosting.
International Transfers	United States: Hosted in the United States.
Retention	Retained for the life of the photographer account plus the period required to demonstrate consent under applicable law. Revoked releases retain the revocation record indefinitely.
Security Measures	Append-only consent records Revocation links provided to customers See /legal/security §3

PA-P6 Marketing Automation

Optional, controller-enabled marketing features — campaign queues, segmentation, A/B testing, personalised offers, lifecycle triggers — operated on behalf of the photographer.

Data Subjects	Customers who have provided contact details and consented to marketing Customers whose consent has been recorded by the controller
Personal Data Categories	Marketing consent state Campaign engagement history (sends, opens, clicks) Segment membership and lifecycle stage A/B variant exposure history Personalised offer presentation and click history
Lawful Basis	Art. 6(1)(a) consent. The controller is responsible for obtaining and documenting consent before triggering marketing dispatch; the platform enforces consent state on send.
Purposes	Send marketing communications on behalf of the controller Optimise campaign performance through A/B testing and segmentation Support lifecycle automation (post-event, abandoned cart, etc.)
Recipients	SendGrid (email) Twilio (SMS — opt-in) See /legal/subprocessors Tier 1
International Transfers	United States: Provider transfer safeguards apply; SCCs / DPF where applicable.
Retention	Engagement and consent records retained for the life of the photographer account. Suppression entries retained indefinitely to honour opt-out.
Security Measures	Hard-suppression enforcement at dispatch time CAN-SPAM auto-footer and one-click unsubscribe Per-tenant consent ledger See /legal/security §5

PA-P7 AI Feature Processing

Optional, controller-enabled AI features — image quality checks, automated tagging, send-time optimisation, customer-service assistance — that submit selected data to third-party AI providers under the controller's opt-in.

Data Subjects	Customers whose photographs are processed by AI features Customers whose tickets are routed through AI customer-service assistance
Personal Data Categories	Image content (where AI image processing is enabled) Ticket text and metadata (where AI customer service is enabled) Campaign performance data (where send-time AI is enabled)
Lawful Basis	Art. 6(1)(f) legitimate interests where the controller has determined AI processing is necessary to provide the service, or Art. 6(1)(a) consent where the controller has obtained it. AI features are opt-in per controller.
Purposes	Improve image quality and tagging accuracy Triage and assist on customer-service tickets Optimise marketing send timing
Recipients	Anthropic (Claude API — United States; Tier 2 opt-in) OpenAI (Tier 2 opt-in — United States) Google (Gemini API — Tier 2 opt-in — United States)
International Transfers	United States: AI providers operate under their published transfer safeguards (DPF / SCCs). Each provider's terms prohibit training on submitted data in the API tier used by the platform.
Retention	AI providers do not retain submitted data beyond their stated processing windows under the API terms in effect. Platform-side AI invocation logs are retained for 7 years per /legal/privacy §4.
Security Measures	Per-controller opt-in required before AI dispatch Provider API tiers selected to exclude training reuse See /legal/security §2 and §3, and /legal/subprocessors Tier 2

Article 30 requests / supervisory authority inquiries	security@triprism.com
Company	TriPrism, Inc. dba PhotoTouch, Inc.
Address	San Diego, California, United States

Document Metadata

Controller Record — GDPR Art. 30(1)

Processing Activities (Controller Record)

Processor Record — GDPR Art. 30(2)

Processing Activities (Processor Record)

Contact