Data Processing Agreement

This agreement outlines how Blue processes customer data in compliance with data protection regulations.


Last updated: April 12, 2026

This Data Processing Agreement (“DPA”) is entered into by and between: (1) Bloo, Inc., a Delaware corporation operating at https://www.blue.cc (“Processor” or “Blue”); and (2) The customer using Blue’s services (“Controller” or “Customer”). Each a “Party” and collectively the “Parties.”

This DPA is incorporated into and forms part of the Terms of Service (“Terms”) between Blue and Customer. By using the Service, Customer accepts this DPA. A countersigned copy of this DPA is available upon request to [email protected].


1. Definitions and Interpretation

In this DPA, the following terms have the meanings set out below. Capitalized terms not defined herein have the meanings given to them in the Terms.

  • “Company Personal Data” means any Personal Data processed by Blue on behalf of the Controller in connection with the Service.
  • “Data Protection Laws” means the GDPR, the UK GDPR, the California Consumer Privacy Act (CCPA/CPRA), and any other applicable data protection and privacy legislation.
  • “GDPR” means the EU General Data Protection Regulation 2016/679.
  • “UK GDPR” means the Data Protection Act 2018 and the UK General Data Protection Regulation, as defined by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019.
  • “Personal Data” has the meaning given to it in the GDPR.
  • “Processing” has the meaning given to it in the GDPR, and “Process” and “Processed” shall be construed accordingly.
  • “Security Incident” means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Company Personal Data.
  • “Service” means the Blue platform and related services as defined in the Terms.
  • “Standard Contractual Clauses” or “SCCs” means the standard contractual clauses approved by the European Commission for the transfer of Personal Data to countries outside the EEA.
  • “Subprocessor” means any third party engaged by Blue to Process Company Personal Data on behalf of the Controller.

2. Roles and Responsibilities

2.1 Controller and Processor. The Customer is the Data Controller. Blue is the Data Processor. Blue Processes Company Personal Data solely on behalf of and in accordance with the documented instructions of the Controller.

2.2 No Joint Controller Arrangements. The Parties agree that no joint controller relationship exists under this DPA.

2.3 Processor Obligations. Blue shall:

  • (a) Process Company Personal Data only on documented instructions from the Controller, unless required to do so by applicable law (in which case Blue shall inform the Controller of such legal requirement before Processing, unless prohibited from doing so by law);
  • (b) inform the Controller if, in Blue’s opinion, an instruction from the Controller infringes applicable Data Protection Laws;
  • (c) ensure that persons authorized to Process Company Personal Data are bound by appropriate confidentiality obligations;
  • (d) implement and maintain appropriate technical and organizational security measures as set forth in Section 5;
  • (e) comply with the conditions for engaging Subprocessors as set forth in Section 4;
  • (f) assist the Controller in responding to data subject requests as set forth in Section 6;
  • (g) assist the Controller in ensuring compliance with its obligations under Articles 32 to 36 of the GDPR, taking into account the nature of Processing and the information available to Blue;
  • (h) at the Controller’s election, delete or return all Company Personal Data upon termination of the Service as set forth in Section 7; and
  • (i) make available to the Controller all information necessary to demonstrate compliance with this DPA.

2.4 Controller Obligations. The Controller shall:

  • (a) comply with all applicable Data Protection Laws in its use of the Service and its instructions to Blue;
  • (b) ensure that it has obtained all necessary rights, consents, and authorizations for the Processing of Company Personal Data by Blue; and
  • (c) be responsible for the accuracy, quality, and legality of Company Personal Data provided to Blue.

3. Processing Details

3.1 Subject Matter and Duration. Blue Processes Company Personal Data for the duration of the Agreement in order to provide the Service to the Controller.

3.2 Nature and Purpose of Processing. Blue Processes Company Personal Data for the purposes of:

  • (a) providing, maintaining, and supporting the Service;
  • (b) content scanning and compliance review for Terms of Service and Acceptable Use Policy enforcement, abuse detection, and platform safety, using AI service providers and human review;
  • (c) analytics and product improvement (using aggregated and de-identified data only);
  • (d) billing and account administration; and
  • (e) any other purpose described in the Privacy Policy or as otherwise instructed by the Controller.

3.3 Categories of Data Subjects. Users and any individuals whose Personal Data is included in Customer Data uploaded to the Service.

3.4 Categories of Personal Data. The Processing involves:

  • (a) account and contact information (names, email addresses, job titles, phone numbers);
  • (b) billing and payment information;
  • (c) content and files uploaded to the Service by Users;
  • (d) usage data and log data generated through use of the Service;
  • (e) device and browser information; and
  • (f) any other Personal Data submitted by Users through the Service.

3.5 Special Categories of Data. The Controller shall not submit special categories of Personal Data (as defined in Article 9 of the GDPR) to the Service unless the Controller has entered into a separate agreement with Blue for such Processing (such as a Business Associate Agreement for HIPAA-regulated data).

4. Subprocessors

4.1 Authorized Subprocessors. The Controller provides general written authorization for Blue to engage Subprocessors. The current list of authorized Subprocessors is maintained at /legal/sub-processors, which is the canonical and authoritative source for this information.

4.2 Subprocessor Changes. Blue shall notify the Controller of any intended changes to Subprocessors by updating the list at /legal/sub-processors and notifying the Controller via email or through the Service with at least 30 days’ prior notice. The Controller may object to the appointment of a new Subprocessor within 14 days of receiving such notice. If the Controller reasonably objects and Blue cannot accommodate the objection, either Party may terminate the Agreement with respect to the affected Service.

4.3 Subprocessor Obligations. Blue shall:

  • (a) enter into a written agreement with each Subprocessor imposing data protection obligations no less protective than those set forth in this DPA; and
  • (b) remain liable to the Controller for the acts and omissions of its Subprocessors to the same extent as if Blue had performed the Processing itself.

5. Security Measures

5.1 Technical and Organizational Measures. Blue shall implement and maintain appropriate technical and organizational measures to protect Company Personal Data against Security Incidents, including:

  • (a) encryption of Personal Data at rest and in transit;
  • (b) measures to ensure the ongoing confidentiality, integrity, availability, and resilience of Processing systems;
  • (c) role-based access controls and authentication requirements;
  • (d) regular testing and assessment of the effectiveness of security measures;
  • (e) employee training on data protection and security; and
  • (f) incident response and disaster recovery procedures.

5.2 Data Residency. All Company Personal Data, including files, databases, and backups, is stored and Processed within the European Union (Germany). AI content scanning is performed using EU-based endpoints. No Company Personal Data is stored outside the EU.

6. Data Subject Rights and Assistance

6.1 Data Subject Requests. Blue shall promptly notify the Controller if it receives a request from a data subject to exercise their rights under Data Protection Laws. Blue shall not respond to such request directly unless authorized to do so by the Controller.

6.2 Assistance. Blue shall assist the Controller, by appropriate technical and organizational measures, in fulfilling the Controller’s obligations to respond to data subject requests, including requests for access, rectification, erasure, restriction, portability, and objection.

6.3 Data Protection Impact Assessments. Blue shall provide reasonable assistance to the Controller with data protection impact assessments and prior consultations with supervisory authorities, to the extent required under Data Protection Laws and taking into account the nature of Processing and the information available to Blue.

7. Data Retention and Deletion

7.1 Retention. Blue shall retain Company Personal Data only for as long as necessary to provide the Service and fulfill the purposes described in this DPA, the Terms, and the Privacy Policy.

7.2 Post-Termination. Upon termination of the Agreement, Blue shall:

  • (a) make Company Personal Data available for export by the Controller for a period of 30 days following termination;
  • (b) after such 30-day period, delete all Company Personal Data from active systems within 90 days; and
  • (c) delete Company Personal Data from backups within 90 days of deletion from active systems, unless retention is required by applicable law.

7.3 Legal Holds. Notwithstanding the foregoing, Blue may retain Company Personal Data as required by applicable law, regulation, or legal process, provided that Blue shall limit such retention to the data and duration required and shall notify the Controller to the extent permitted by law.

8. Security Incidents

8.1 Notification. Blue shall notify the Controller of any Security Incident without undue delay and in any event within 72 hours of becoming aware of such incident.

8.2 Content of Notification. Such notification shall include, to the extent reasonably available:

  • (a) the nature of the Security Incident, including the categories and approximate number of data subjects and records concerned;
  • (b) the likely consequences of the Security Incident;
  • (c) the measures taken or proposed to address the Security Incident; and
  • (d) the contact point for further information.

8.3 Cooperation. Blue shall cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the Security Incident.

9. International Data Transfers

9.1 EU Data Residency. All Company Personal Data is stored and Processed within the European Union.

9.2 Limited Transfers. To the extent any Company Personal Data is transferred outside the European Economic Area, Blue shall ensure that such transfer is subject to appropriate safeguards, including:

  • (a) Standard Contractual Clauses as approved by the European Commission (Commission Implementing Decision (EU) 2021/914); or
  • (b) any other valid transfer mechanism under applicable Data Protection Laws.

9.3 UK Transfers. For transfers of Personal Data from the United Kingdom, Blue shall rely on the International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs, as applicable.

9.4 Additional Safeguards. Blue shall implement supplementary measures where necessary to ensure that the level of protection of Personal Data is not undermined by the transfer, taking into account the laws and practices of the destination country.

10. Audits

10.1 Audit Rights. Blue shall make available to the Controller, on request, all information necessary to demonstrate compliance with this DPA. The Controller may conduct, or appoint a qualified third-party auditor to conduct, an audit of Blue’s compliance with this DPA, subject to reasonable advance notice (not less than 30 days) and conducted during normal business hours.

10.2 Satisfaction by Third-Party Audit Report. Blue may satisfy its obligations under this Section 10 by providing the Controller with a recent independent third-party audit report (such as SOC 2 Type II or ISO 27001) covering the relevant scope. Where such a report is available and responsive to the Controller’s request, the Controller shall accept it in lieu of an on-site or bespoke audit.

10.3 Scope and Frequency. Audits shall be limited to once per year unless required by a supervisory authority or in connection with a Security Incident.

10.4 Costs and Reimbursement. The Controller shall bear all costs of any audit, including its own auditor fees, travel, and expenses. In addition, the Controller shall reimburse Blue for all reasonable time and expenses incurred by Blue in connection with any audit, including Blue personnel time at Blue’s then-current professional services rates. As of the Effective Date, Blue’s professional services rate is USD $300 per hour, with a minimum engagement of four (4) hours. Blue may update this rate from time to time and will provide the current rate on request.

10.5 Confidentiality. Any information obtained by the Controller through an audit shall be treated as Blue’s Confidential Information under the Terms.

11. Liability

11.1 Liability Cap. Each Party’s liability under this DPA is subject to the limitations of liability set forth in the Terms.

11.2 Allocation. Each Party shall be liable for damages caused by its breach of this DPA or applicable Data Protection Laws in accordance with the allocation of responsibility set forth in such laws.

12. General Terms

12.1 Governing Law. This DPA is governed by the laws of the State of Delaware, without regard to conflict of law provisions. To the extent required by Data Protection Laws, the provisions of such laws shall prevail. This choice of law applies to contractual disputes between the Parties and does not affect regulatory obligations or data subject rights under applicable Data Protection Laws.

12.2 Precedence. In the event of any conflict between this DPA and the Terms, this DPA shall prevail with respect to the Processing of Company Personal Data.

12.3 Severability. If any provision of this DPA is held to be invalid or unenforceable, the remaining provisions shall continue in full force and effect.

12.4 Amendments. Blue may update this DPA from time to time to reflect changes in legal requirements or Processing practices. Changes to this DPA are governed by Section 19 of the Terms of Service. Material changes to data Processing obligations will be communicated with at least 30 days’ notice.

12.5 Effective Date. This DPA is effective upon the Controller’s use of the Service.

12.6 Countersigned Copy. A countersigned copy of this DPA is available upon request to [email protected].