PhotoTouch

Sub-Processor Disclosure

TriPrism, Inc. / PhotoTouch, Inc.

In the course of providing the PhotoTouch platform, TriPrism, Inc. engages certain third-party service providers ("sub-processors") that may process, store, or transmit data on behalf of our customers. This page lists all current sub-processors organized by category.

We maintain this list as part of our commitment to transparency and compliance with our SOC 2-aligned control framework, GDPR Article 28, CCPA/CPRA, and applicable data protection regulations.

Last updated: February 28, 2026  •  Customers are generally notified of material changes in advance (target: 30 days where practicable).

Platform Sub-Processors

These providers are integral to platform operations and process data for all accounts.

Liquid Web, LLC [Infrastructure]
  Purpose: Cloud infrastructure hosting, managed databases, S3-compatible object storage
  Data processed: All platform data including application databases, customer photo files, and media assets
  Location: United States (Lansing, MI & Phoenix, AZ data centers)
  Compliance: SOC 2 Type II, SOC 3

Twilio, Inc. (including SendGrid) [Communications]
  Purpose: Transactional email delivery (SendGrid SMTP), platform SMS for security verification codes and two-factor authentication
  Data processed: Email content, recipient email addresses, phone numbers, delivery status events (bounces, opens, clicks)
  Location: United States
  Compliance: SOC 2 Type II, ISO 27001, GDPR DPA available

Stripe, Inc. [Payments]
  Purpose: Platform billing — processing photographer subscription payments to TriPrism
  Data processed: Photographer payment card data, billing amounts, transaction records
  Location: United States
  Compliance: PCI DSS Level 1, SOC 2 Type II, ISO 27001

Photographer-Enabled Services

These providers are engaged only when a photographer enables the corresponding feature. The photographer controls activation and may provide their own credentials.

AI Service Providers [Artificial Intelligence] [Opt-In]

When photographers enable AI-powered features (email template generation, customer service assistance), data is processed by one of the following providers at the photographer's discretion. Photographers may use platform-provided access or connect their own API credentials.

Provider | Location | Compliance
Anthropic, PBC (Claude) | United States | SOC 2 Type II, GDPR DPA available
OpenAI, LLC (ChatGPT / GPT) | United States | SOC 2 Type II, GDPR DPA available
Google LLC (Gemini) | United States | SOC 2 Type II, ISO 27001, GDPR DPA available

AI features process email template content and anonymized customer service context only. No customer photos, payment data, or personally identifiable information is sent to AI providers.

Customer Payment Gateways [Payments] [Opt-In]

Photographers select their preferred payment gateway for processing customer orders on their storefront. Each photographer enables one or more of the following:

Provider | Data processed | Compliance
PayPal, Inc. | Customer payment card data, billing agreements, order amounts | PCI DSS Level 1
Worldpay (FIS) | Customer payment card data, transaction records | PCI DSS Level 1
National Australia Bank (NAB) | Customer payment card data, transaction records | PCI DSS Level 1, APRA regulated

Customer SMS Providers [Communications] [Opt-In]

When photographers enable customer-facing text messaging (gallery notifications, marketing campaigns), messages are delivered via:

Provider | Coverage | Compliance
Twilio, Inc. | Global (primary: United States, Canada) | SOC 2 Type II, ISO 27001
CellCast Pty Ltd | Australia & New Zealand | Australian Privacy Act compliant

TaxJar (a Stripe company) [Tax & Compliance] [Opt-In]
  Purpose: Real-time sales tax calculation at checkout
  Data processed: Customer shipping address (zip code, state), order totals, product categories
  Location: United States
  Compliance: SOC 2 Type II (via Stripe)

Photographer-Configured Integrations

The PhotoTouch platform provides an API Integration Builder that allows photographers to create their own connections to third-party services (CRM systems, data warehouses, venue management platforms, analytics tools, etc.).

These integrations are configured, authorized, and controlled entirely by the photographer. TriPrism acts as the data conduit but does not select, manage, or maintain contractual relationships with these third-party services.

Photographers are responsible for establishing their own data processing agreements with any third-party services they connect via the API Integration Builder. All photographer-configured integrations include destination validation, data encryption in transit, per-record audit logging, and configurable annual compliance reviews.

Data Handling Practices

Security Controls
  • All data encrypted in transit (TLS 1.2+)
  • Credentials encrypted at rest
  • Role-based access control with granular permissions
  • Comprehensive audit logging on all data mutations
  • Two-factor authentication available for all users
  • Automated brute-force and rate-limiting protection

Privacy Controls
  • GDPR Right to Erasure tools available to photographers
  • GDPR Right of Access (data export) tools available
  • Per-photographer data isolation (multi-tenant)
  • Customer email suppression lists (auto-managed)
  • Configurable data retention policies
  • No customer photos shared with AI providers

Change Notification

TriPrism targets 30 days' advance notice where practicable before engaging a new platform sub-processor or making material changes to existing sub-processor relationships. Notifications are sent via email to all active account administrators.

Questions about our sub-processors or data handling?
Contact our compliance team at security@triprism.com or your dedicated account representative.

© 2026 TriPrism, Inc. All rights reserved.
