Legal

Data Processing Agreement

This agreement outlines how Blue processes customer data in compliance with data protection regulations.

This Data Processing Agreement ("DPA") is entered into as of the Effective Date by and between: (1) Bloo Inc, a business entity operating at https://www.blue.cc ("Processor", "Blue"); and (2) The customer using Blue's services ("Controller"). Each a "Party" and collectively the "Parties."

1. Definitions and Interpretation

1.1 Definitions: "Agreement" means this Data Processing Agreement and all Schedules; "Company Personal Data" means any Personal Data Processed by a Contracted Processor on behalf of the Controller; "Contracted Processor" means a Subprocessor; "Data Protection Laws" means GDPR and, to the extent applicable, other relevant data protection laws; "GDPR" means the EU General Data Protection Regulation 2016/679; "Services" means the software, analytics, and storage services provided by Blue to the Controller.

2. Roles and Responsibilities

2.1. Controller and Processor: The Customer is the Data Controller, and Blue is the Data Processor.

2.2. No Joint Controller Arrangements: The Parties agree that no joint controller relationship exists.

2.3. Processor Obligations: Blue shall process personal data only on documented instructions from the Controller and ensure that employees handling personal data are bound by confidentiality obligations.

3. Processing Details

3.1. Categories of Personal Data: The processing involves standard personal data, including but not limited to user identifiers, contact details, and metadata. No special categories of data under Article 9 GDPR are processed.

3.2. Processing Activities: Blue processes data for the purposes of storage, analytics, and rendering software services on behalf of the Controller.

4. Subprocessing

4.1. Authorized Subprocessors: Blue engages the following subprocessors: Amazon (Infrastructure); Apple (iOS & App Store Data); AppSignal (System Monitoring); Cloudflare (DNS, Web Analytics); Customer.io (Email Services); Facebook (Advert Attribution Tracking); GitLab (Infrastructure); Google (Fabric Crash Reporting, Location Services, Google Play Store, Analytics); Microsoft (Website Analytics); OpenAI (AI Services); Render (Infrastructure); Stripe (Payment & Subscription Data); Paddle (Subscription Analytics); Telegram (Notification to Team Blue).

4.2. Subprocessor Authorization Mechanism: Updates to subprocessors will be posted to Blue's online Terms of Service.

4.3. Restrictions on Subprocessors: Blue shall ensure that subprocessors comply with obligations equivalent to those set out in this DPA.

5. Security Measures

5.1. Security Controls: Blue shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including: Encryption of personal data; Measures to ensure data confidentiality, integrity, and availability; Procedures for regularly testing and assessing security effectiveness.

5.2. Data Subject Rights Assistance: Blue shall assist the Controller in responding to data subject requests, including access, rectification, erasure, and objection requests.

5.3. Breach Notification: Blue shall notify the Controller of any data breach within 14 days of becoming aware of it, providing sufficient information for the Controller to comply with regulatory obligations.

5.4. Cross-Border Data Transfers: The Parties acknowledge that data may be transferred outside the European Economic Area (EEA) to the United States and Singapore. Such transfers shall be governed by the Standard Contractual Clauses (SCCs) as approved by the European Commission or any other transfer mechanism permitted under GDPR. Blue shall implement additional safeguards if SCCs become insufficient.

6. Deletion or Return of Data

6.1. Data Retention: Personal data will be retained only as long as necessary for the purposes of processing.

6.2. End of Agreement: Upon termination of services, Blue shall delete or return all personal data unless legal requirements mandate storage.

7. Special Provisions

7.1. Country-Specific Requirements: No additional country-specific requirements apply as standard.

7.2. Liability Cap: Liability is limited to the total amount paid by the Controller to Blue under the terms of service.

8. Execution and General Terms

8.1. Standalone Agreement: This DPA is a standalone agreement and is not an addendum to any existing contract.

8.2. Governing Law: This DPA is governed by the GDPR and applicable data protection laws, with general legal interpretation subject to the laws of Delaware.

8.3. Effective Date: This DPA is effective upon the Controller's use of Blue's services.