BlinkMetrics Data Processing Agreement

This Data Processing Agreement (“DPA”) forms part of the Terms of Service and Privacy Policy (together, the “Agreement”) entered into by and between BlinkMetrics, LLC (“Processor”) and its customer (“Controller”), collectively referred to as the “Parties.”

1. Purpose and Scope

This DPA reflects the Parties’ agreement with regard to the processing of Personal Data in accordance with applicable data protection laws, including but not limited to the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other relevant privacy laws. This DPA applies to all processing of Personal Data performed by the Processor on behalf of the Controller as outlined in the Agreement.

2. Definitions

  • “CCPA” means the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act.
  • “Controller” means the entity that determines the purposes and means of the processing of Personal Data.
  • “Processor” means the entity that processes Personal Data on behalf of the Controller.
  • “Personal Data” means any information relating to an identified or identifiable individual as defined by applicable data protection laws.
  • “Processing” means any operation performed on Personal Data, including but not limited to collection, storage, use, disclosure, and deletion.
  • “Subprocessor” means a third party that processes Personal Data on behalf of the Processor.
  • “Standard Contractual Clauses” (“SCCs”) means the clauses adopted by the European Commission for the transfer of Personal Data to third countries.

3. Roles and Responsibilities

3.1 Controller Responsibilities

  • Ensure that all Personal Data provided to the Processor is collected and disclosed in compliance with applicable laws.
  • Provide clear instructions to the Processor regarding the processing of Personal Data.

3.2 Processor Responsibilities

  • Process Personal Data only on documented instructions from the Controller.
  • Maintain confidentiality and implement appropriate technical and organizational measures to ensure the security of Personal Data.
  • Assist the Controller in fulfilling obligations under applicable data protection laws, including responding to Data Subject rights requests.

4. Security Measures

The Processor shall implement and maintain appropriate technical and organizational measures to protect Personal Data as outlined in its Security Policy. These measures include, but are not limited to, encryption, access controls, and regular security assessments.

5. Subprocessors

The Processor uses third-party Subprocessors to provide its services. As of the effective date of this DPA, the Processor uses the following Subprocessors:

  • Google Cloud Platform (GCP)
  • PlanetScale

The Processor ensures that each Subprocessor complies with data protection obligations equivalent to those outlined in this DPA, including implementing appropriate technical and organizational measures to safeguard Personal Data.

6. Data Subject Rights

The Processor shall assist the Controller in responding to Data Subject requests under applicable laws, including but not limited to rights of access, rectification, erasure, and data portability. Such assistance will be provided upon the Controller’s documented request and in accordance with the terms of the Agreement.

7. Breach Notification

Each Party shall notify the other without undue delay upon becoming aware of a Personal Data Breach. Notifications shall include the nature of the breach, the categories and approximate number of affected individuals, the likely consequences, and the measures taken or proposed to mitigate the breach.

8. Liability

Each Party shall be responsible for any damages caused by its own breach of this DPA or applicable data protection laws. The Processor shall indemnify the Controller for any claims arising directly from its failure to comply with this DPA, while the Controller remains responsible for ensuring the lawfulness of data collection and processing.

9. Cross-Border Transfers

The Processor shall ensure compliance with international data transfer requirements by implementing SCCs where applicable. The full text of the SCCs is integrated as follows:

Standard Contractual Clauses (SCCs)

Clause 1: Purpose and Scope

These Clauses set out appropriate safeguards for the transfer of Personal Data from the Controller (data exporter) to the Processor (data importer), in compliance with Regulation (EU) 2016/679.

Clause 2: Third-Party Beneficiaries

Data subjects may invoke and enforce these Clauses against the Parties as third-party beneficiaries.

Clause 3: Obligations of the Data Exporter

The data exporter warrants that:

  1. The transfer of Personal Data is lawful under applicable data protection laws.
  2. It has used reasonable efforts to ensure that the data importer can comply with the obligations under these Clauses.

Clause 4: Obligations of the Data Importer

The data importer shall:

  1. Process Personal Data only in accordance with these Clauses.
  2. Ensure appropriate technical and organizational measures to safeguard the data.
  3. Promptly notify the data exporter in case of non-compliance.

Clause 5: Liability

Each Party shall be liable for any material or non-material damages arising from its breach of these Clauses. Joint liability applies in cases where multiple Parties contribute to a breach.

Clause 6: Governing Law and Jurisdiction

These Clauses shall be governed by the laws of the Member State where the data exporter is established. Disputes shall be resolved in the competent courts of that Member State.

10. Termination and Data Return/Deletion

Upon termination of the Agreement, the Processor shall, at the Controller’s request, either delete or return all Personal Data within 30 days. Backup data shall be securely isolated and protected until it is deleted in accordance with the Processor’s retention policies.

11. Governing Law

This DPA shall be governed by the laws of the State of Delaware, USA. Disputes arising out of or in connection with this DPA shall be resolved in the courts of Delaware. For international data transfers governed by the SCCs, the governing law and jurisdiction provisions of Clause 6 of the SCCs shall apply.

12. Miscellaneous

This DPA constitutes the entire agreement between the Parties concerning the processing of Personal Data. It supersedes all prior agreements or understandings related to the subject matter. Any amendments must be made in writing and signed by authorized representatives of both Parties.

Appendices

Appendix 1: Data Processing Details

Nature of Processing: Provision of services as outlined in the Agreement.

Categories of Data Subjects: Employees, representatives, or users of the Controller.

Types of Personal Data: Names, email addresses, and other data as determined by the Controller.

Duration of Processing: For the term of the Agreement.

Appendix 2: Subprocessors

Authorized Subprocessors: 

  • Google Cloud Platform (GCP)
    Services Provided: Cloud hosting and infrastructure
    Location: United States
  • PlanetScale
    Services Provided: Managed database services
    Location: United States

This DPA is effective as of January 1, 2025.

Last updated: March 21, 2025
