This Data Processing Addendum ("DPA") forms part of and is subject to the terms and conditions of the Master Subscription Agreement or Terms of Service (the "Agreement") between Bleanx Inc. ("Bleanx," "we," "us," or "our") and the customer identified in the Agreement ("Customer," "you," or "your").
This DPA applies to the extent that Bleanx processes Personal Data on behalf of Customer in the course of providing the Services under the Agreement. This DPA is designed to ensure compliance with applicable Data Protection Laws, including the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the UK General Data Protection Regulation ("UK GDPR"), the Swiss Federal Act on Data Protection ("Swiss FADP"), the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA"), and other applicable data protection laws.
By signing the Agreement or using the Services, Customer enters into this DPA on behalf of itself and, to the extent required under applicable Data Protection Laws, in the name and on behalf of its Authorized Affiliates.
1.1 "Affiliate" means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. "Control" means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
1.2 "Authorized Affiliate" means any of Customer's Affiliates that are permitted to use the Services pursuant to the Agreement but have not signed their own Agreement with Bleanx.
1.3 "Controller" means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
1.4 "Customer Data" means all data stored by or on behalf of Customer or at Customer's direction in the Services, including any Personal Data contained therein.
1.5 "Customer Personal Data" means any Personal Data that Bleanx Processes on behalf of Customer as a Processor in the course of providing the Services.
1.6 "Data Protection Laws" means all applicable laws and regulations relating to the Processing of Personal Data, including: (i) the GDPR; (ii) the UK GDPR and the UK Data Protection Act 2018; (iii) the Swiss FADP; (iv) the CCPA; and (v) any other applicable data protection or privacy laws.
1.7 "Data Subject" means the identified or identifiable natural person to whom Personal Data relates.
1.8 "EEA" means the European Economic Area.
1.9 "Personal Data" means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
1.10 "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data transmitted, stored, or otherwise Processed.
1.11 "Processing" (including "Process" and "Processed") means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
1.12 "Processor" means a natural or legal person, public authority, agency, or other body which Processes Personal Data on behalf of the Controller.
1.13 "Standard Contractual Clauses" or "SCCs" means (i) the standard contractual clauses for the transfer of personal data to third countries pursuant to Commission Implementing Decision (EU) 2021/914 of 4 June 2021 ("EU SCCs"); and (ii) the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner ("UK Addendum").
1.14 "Subprocessor" means any Processor engaged by Bleanx to Process Customer Personal Data on behalf of Customer.
1.15 "Supervisory Authority" means an independent public authority which is established pursuant to applicable Data Protection Laws.
2.1 Scope. This DPA applies to the Processing of Customer Personal Data by Bleanx in connection with the provision of the Services under the Agreement.
2.2 Roles of the Parties. The parties acknowledge and agree that:
(a) Customer is the Controller of Customer Personal Data;
(b) Bleanx is the Processor of Customer Personal Data, Processing such data on behalf of Customer;
(c) Bleanx may also act as a Controller with respect to certain data, such as Account Information, as described in the Privacy Policy.
2.3 Customer's Processing of Personal Data. Customer shall, in its use of the Services, Process Personal Data in accordance with the requirements of Data Protection Laws. Customer shall ensure that any instructions given to Bleanx comply with Data Protection Laws. Customer is solely responsible for: (i) the accuracy, quality, and legality of Customer Personal Data; (ii) the means by which Customer acquired Customer Personal Data; and (iii) ensuring that it has all necessary rights and consents to provide Customer Personal Data to Bleanx for Processing in accordance with this DPA and the Agreement.
3.1 Customer Instructions. Bleanx shall Process Customer Personal Data only on documented instructions from Customer, including with regard to transfers of Personal Data to a third country or an international organization, unless required to do so by applicable law to which Bleanx is subject; in such a case, Bleanx shall inform Customer of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest.
3.2 Documented Instructions. The Agreement (including this DPA) constitutes Customer's complete and final documented instructions to Bleanx for the Processing of Customer Personal Data. Any additional or alternate instructions must be agreed upon separately in writing.
3.3 Details of Processing. The subject matter, duration, nature, and purpose of the Processing, as well as the types of Personal Data and categories of Data Subjects, are described in Schedule 1 (Details of Processing) attached hereto.
3.4 AI-Powered Features. Customer acknowledges that the Services include AI-Powered Features that may Process Customer Personal Data to generate Output. When Customer uses AI-Powered Features:
(a) Bleanx Processes Customer Personal Data as necessary to provide the AI-Powered Features;
(b) Customer Personal Data may be transmitted to Bleanx's AI Subprocessors for Processing;
(c) Bleanx and its AI Subprocessors do not use Customer Personal Data to train AI models shared with other customers without Customer's explicit consent;
(d) AI Subprocessors maintain data retention policies as described in Schedule 3.
4.1 Confidentiality Obligations. Bleanx shall ensure that persons authorized to Process Customer Personal Data:
(a) Have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality; and
(b) Process Customer Personal Data only on instructions from Customer, unless required by applicable law.
4.2 Personnel. Bleanx shall take reasonable steps to ensure the reliability of any personnel who have access to Customer Personal Data, ensuring that such personnel have received appropriate training on their data protection responsibilities.
5.1 Security Measures. Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Bleanx shall implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including as appropriate:
(a) The pseudonymization and encryption of Personal Data;
(b) The ability to ensure the ongoing confidentiality, integrity, availability, and resilience of Processing systems and services;
(c) The ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident;
(d) A process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the Processing.
5.2 Specific Security Measures. Bleanx's technical and organizational security measures are described in Schedule 2 (Technical and Organizational Measures) attached hereto.
6.1 Authorized Subprocessors. Customer provides general authorization for Bleanx to engage Subprocessors to Process Customer Personal Data. The current list of Subprocessors is available at https://www.bleanx.com/subprocessors and is incorporated into this DPA by reference.
6.2 Subprocessor Obligations. Bleanx shall:
(a) Enter into a written agreement with each Subprocessor imposing data protection obligations no less protective than those set out in this DPA;
(b) Remain fully liable to Customer for the performance of each Subprocessor's obligations; and
(c) Ensure that each Subprocessor provides sufficient guarantees to implement appropriate technical and organizational measures.
6.3 Changes to Subprocessors. Bleanx shall provide Customer with at least ten (10) days' prior notice of any intended changes concerning the addition or replacement of Subprocessors, thereby giving Customer the opportunity to object to such changes. Customer may subscribe to receive Subprocessor change notifications by emailing privacy@bleanx.com with the subject line "Subscribe to Subprocessor Notifications."
6.4 Objection to Subprocessors. If Customer has a reasonable, documented objection to a new Subprocessor based on data protection concerns, Customer shall notify Bleanx in writing within ten (10) days of receiving notice. The parties shall work together in good faith to find a mutually acceptable resolution. If no resolution can be reached, Customer may terminate the affected Services without penalty by providing written notice to Bleanx.
7.1 Assistance with Data Subject Requests. Taking into account the nature of the Processing, Bleanx shall assist Customer by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of Customer's obligation to respond to requests from Data Subjects exercising their rights under Data Protection Laws.
7.2 Data Subject Requests. If Bleanx receives a request from a Data Subject in relation to Customer Personal Data, Bleanx shall:
(a) Promptly notify Customer of the request;
(b) Not respond to the request except on documented instructions from Customer or as required by applicable law; and
(c) Provide Customer with commercially reasonable cooperation and assistance in relation to handling of the request.
7.3 Costs. Customer shall reimburse Bleanx for any costs arising from Bleanx's assistance under this Section 7, except where such assistance is required due to Bleanx's breach of this DPA.
8.1 Notification. Bleanx shall notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data. Such notification shall include, to the extent known:
(a) A description of the nature of the Personal Data Breach, including where possible the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned;
(b) The name and contact details of Bleanx's data protection officer or other contact from whom more information can be obtained;
(c) A description of the likely consequences of the Personal Data Breach; and
(d) A description of the measures taken or proposed to be taken by Bleanx to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.
8.2 Assistance. Bleanx shall provide reasonable assistance to Customer in ensuring compliance with Customer's obligations under Data Protection Laws with respect to security and Personal Data Breach notifications, taking into account the nature of Processing and the information available to Bleanx.
8.3 No Acknowledgment of Fault. Bleanx's notification of or response to a Personal Data Breach under this Section 8 shall not be construed as an acknowledgment by Bleanx of any fault or liability with respect to the Personal Data Breach.
9.1 Assistance. Taking into account the nature of the Processing and the information available to Bleanx, Bleanx shall provide reasonable assistance to Customer in ensuring compliance with Customer's obligations under Data Protection Laws in respect of data protection impact assessments and prior consultation with Supervisory Authorities.
10.1 Upon Termination. Upon termination or expiration of the Agreement, Bleanx shall, at Customer's election:
(a) Return all Customer Personal Data to Customer in a commonly used, machine-readable format; or
(b) Delete all Customer Personal Data.
10.2 Retention Period. Unless Customer requests return of Customer Personal Data within thirty (30) days of termination, Bleanx shall delete Customer Personal Data within a reasonable timeframe, except to the extent that Bleanx is required by applicable law to retain some or all of the Customer Personal Data.
10.3 Certification. Upon Customer's written request, Bleanx shall provide written certification of deletion of Customer Personal Data.
11.1 Information and Audit. Bleanx shall make available to Customer all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and this DPA, and shall allow for and contribute to audits, including inspections, conducted by Customer or another auditor mandated by Customer.
11.2 Audit Procedures. Audits shall be conducted:
(a) Upon reasonable advance notice of at least thirty (30) days, unless a shorter period is required due to a Personal Data Breach or regulatory investigation;
(b) During normal business hours;
(c) In a manner that does not unreasonably disrupt Bleanx's business operations;
(d) Subject to reasonable confidentiality obligations.
11.3 Third-Party Certifications. Customer agrees that Bleanx may satisfy audit requests by providing:
(a) Relevant third-party certifications and audit reports (such as SOC 2 Type II reports);
(b) Written responses to reasonable information requests; or
(c) Other documentation demonstrating compliance with this DPA.
11.4 Costs. Customer shall bear the costs of any audit, except where an audit reveals a material breach of this DPA by Bleanx.
12.1 Data Transfers. Customer acknowledges that Bleanx may transfer and Process Customer Personal Data in countries outside of the EEA, the United Kingdom, and Switzerland, including the United States.
12.2 Transfer Mechanisms. To the extent that the Processing of Customer Personal Data involves a transfer of Personal Data from the EEA, the United Kingdom, or Switzerland to a country that has not been deemed to provide an adequate level of data protection, such transfers shall be made in accordance with one or more of the following mechanisms:
(a) EU-U.S. Data Privacy Framework: To the extent Bleanx is certified under the EU-U.S. Data Privacy Framework, the UK Extension thereto, and/or the Swiss-U.S. Data Privacy Framework;
(b) Standard Contractual Clauses: The EU SCCs and/or the UK Addendum, as applicable, which are incorporated into this DPA by reference and are set forth in Schedule 4;
(c) Other Mechanisms: Any other valid transfer mechanism under applicable Data Protection Laws.
12.3 Standard Contractual Clauses. Where Customer Personal Data is transferred from the EEA or UK to countries not recognized as providing an adequate level of protection:
(a) For transfers from the EEA, the EU SCCs (Module Two: Controller to Processor) shall apply;
(b) For transfers from the UK, the UK Addendum shall supplement the EU SCCs;
(c) For transfers from Switzerland, the EU SCCs shall apply with the modifications required by Swiss data protection law.
12.4 Supplementary Measures. Bleanx implements the technical and organizational measures described in Schedule 2 as supplementary measures to protect Customer Personal Data transferred internationally.
13.1 CCPA Compliance. To the extent the CCPA applies to Customer's use of the Services:
(a) Bleanx is a "Service Provider" as defined in the CCPA;
(b) Bleanx shall not sell or share Customer Personal Data;
(c) Bleanx shall not retain, use, or disclose Customer Personal Data for any purpose other than for the specific purpose of performing the Services or as otherwise permitted by the CCPA;
(d) Bleanx shall not retain, use, or disclose Customer Personal Data outside of the direct business relationship between Bleanx and Customer;
(e) Bleanx certifies that it understands the restrictions in this Section 13 and will comply with them.
13.2 Assistance. Bleanx shall assist Customer in responding to verifiable consumer requests under the CCPA, including requests to know, delete, or correct Personal Data.
14.1 Governing Law. This DPA shall be governed by and construed in accordance with the governing law provisions of the Agreement, unless otherwise required by applicable Data Protection Laws.
14.2 Order of Precedence. In the event of any conflict between this DPA and the Agreement, this DPA shall prevail with respect to the Processing of Customer Personal Data. In the event of any conflict between this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.
14.3 Severability. If any provision of this DPA is found to be invalid or unenforceable, the remaining provisions shall remain in full force and effect.
14.4 Entire Agreement. This DPA, including its Schedules, constitutes the entire agreement between the parties with respect to the subject matter hereof and supersedes all prior agreements, understandings, and representations.
14.5 Amendments. Bleanx may update this DPA from time to time to reflect changes in Data Protection Laws or Bleanx's data processing practices. Material changes will be notified to Customer in accordance with the Agreement.
14.6 No Third-Party Beneficiaries. This DPA is for the benefit of the parties and their permitted successors and assigns and is not intended to confer any rights or remedies on any third party, except as expressly provided in the Standard Contractual Clauses.
Data Exporter (Controller):
Data Importer (Processor):
Subject Matter: Provision of AI-powered business planning SaaS platform and related services
Duration: For the term of the Agreement plus any retention period required by law or as specified in the Agreement
Nature of Processing: Collection, storage, organization, structuring, retrieval, consultation, use, disclosure by transmission, alignment, combination, restriction, erasure, and destruction of Customer Personal Data in connection with providing the Services
Purpose of Processing: To provide the Services as described in the Agreement, including: hosting and storing Business Plans; enabling collaboration features; providing AI-Powered Features for content generation and analysis; providing customer support; and ensuring security and integrity of the Services
Categories of Data Subjects: Customer's employees, contractors, consultants, business partners, clients, customers, prospective customers, and other individuals whose Personal Data is included in Customer Data
Types of Personal Data: Contact information (name, email, phone, address); professional information (job title, company, industry); account credentials; Business Plan content that may contain Personal Data; usage data; and any other Personal Data Customer chooses to include in Customer Data
Sensitive Data: The Services are not designed to process special categories of Personal Data. Customer is responsible for ensuring that any sensitive data included in Customer Data is processed in accordance with applicable Data Protection Laws.
Bleanx implements the following technical and organizational security measures:
The current list of Subprocessors is available at: https://www.bleanx.com/subprocessors
Subprocessor: [AI Provider 1]; Location: [Location]; Purpose: AI model inference for content generation; Data Retention: [Retention period]
Subprocessor: [AI Provider 2]; Location: [Location]; Purpose: AI embeddings and search; Data Retention: [Retention period]
Subprocessor: Amazon Web Services (AWS); Location: United States; Purpose: Cloud hosting infrastructure
Subprocessor: [Payment Processor - Stripe]; Location: United States; Purpose: Payment processing
Subprocessor: [Email Provider]; Location: [Location]; Purpose: Transactional email
Subprocessor: [Analytics Provider]; Location: [Location]; Purpose: Service analytics
Note: This list is provided as an example. The current, complete list of Subprocessors is maintained at the URL above.
The EU SCCs (Commission Implementing Decision (EU) 2021/914 of 4 June 2021) are hereby incorporated by reference. The parties agree to the following:
Module Two (Controller to Processor) applies where Customer is a Controller and Bleanx is a Processor.
Clause 7 (Docking Clause): The optional docking clause shall not apply.
Clause 9 (Use of Sub-processors): Option 2 (General written authorization) applies. Bleanx shall inform Customer of any intended changes concerning the addition or replacement of Subprocessors at least 10 days in advance.
Clause 11 (Redress): The optional language shall not apply.
Clause 13 (Supervision): The supervisory authority of the EEA Member State in which the Data Exporter is established shall act as competent supervisory authority. Where the Data Exporter is not established in an EEA Member State, the Irish Data Protection Commission shall act as competent supervisory authority.
Clause 17 (Governing Law): Option 1 applies. The SCCs shall be governed by the law of Ireland.
Clause 18 (Choice of Forum and Jurisdiction): Disputes shall be resolved by the courts of Ireland.
Annexes: The information required for Annexes I, II, and III of the EU SCCs is contained in Schedules 1, 2, and 3 of this DPA, respectively.
For transfers of Personal Data from the United Kingdom, the UK Addendum to the EU SCCs is hereby incorporated by reference.
Table 1: The parties' details are as set forth in Schedule 1.
Table 2: The selected modules and clauses of the EU SCCs apply as described in Section A above.
Table 3: The Appendix Information is as set forth in Schedules 1, 2, and 3.
Table 4: Either party may end this DPA as set out in Section 19 of the UK Addendum.
For transfers of Personal Data from Switzerland, the EU SCCs apply with the following modifications:
For questions about this DPA or to exercise data protection rights, please contact:
Bleanx Inc.
Attn: Privacy Team
[Address Line 1]
Wilmington, DE [ZIP]
United States
Email: privacy@bleanx.com