This Data Processing Agreement (“DPA”) forms part of the Terms of Service and Privacy Policy (together, the “Agreement”) entered into by and between BlinkMetrics, LLC (“Processor”) and its customer (“Controller”), collectively referred to as the “Parties.”
1. Purpose and Scope
This DPA reflects the Parties’ agreement with regard to the processing of Personal Data in accordance with applicable data protection laws, including but not limited to the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other relevant privacy laws. This DPA applies to all processing of Personal Data performed by the Processor on behalf of the Controller as outlined in the Agreement.
2. Definitions
- “CCPA” means the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act.
- “Controller” means the entity that determines the purposes and means of the processing of Personal Data.
- “Processor” means the entity that processes Personal Data on behalf of the Controller.
- “Personal Data” means any information relating to an identified or identifiable individual as defined by applicable data protection laws.
- “Processing” means any operation performed on Personal Data, including but not limited to collection, storage, use, disclosure, and deletion.
- “Subprocessor” means a third party that processes Personal Data on behalf of the Processor.
- “Standard Contractual Clauses” (“SCCs”) means the clauses adopted by the European Commission for the transfer of Personal Data to third countries.
3. Roles and Responsibilities
3.1 Controller Responsibilities
- Ensure that all Personal Data provided to the Processor is collected and disclosed in compliance with applicable laws.
- Provide clear instructions to the Processor regarding the processing of Personal Data.
3.2 Processor Responsibilities
- Process Personal Data only on documented instructions from the Controller.
- Maintain confidentiality and implement appropriate technical and organizational measures to ensure the security of Personal Data.
- Assist the Controller in fulfilling obligations under applicable data protection laws, including responding to Data Subject rights requests.
4. Security Measures
The Processor shall implement and maintain appropriate technical and organizational measures to protect Personal Data as outlined in its Security Policy. These measures include, but are not limited to, encryption, access controls, and regular security assessments.
5. Subprocessors
The Processor uses Google Cloud Platform as its sole Subprocessor. The Processor ensures that this Subprocessor complies with equivalent data protection obligations as outlined in this DPA.
6. Data Subject Rights
The Processor shall assist the Controller in responding to Data Subject requests under applicable laws, including but not limited to rights of access, rectification, erasure, and data portability. Such assistance will be provided upon the Controller’s documented request and in accordance with the terms of the Agreement.
7. Breach Notification
Each Party shall notify the other without undue delay upon becoming aware of a Personal Data Breach. Notifications shall include the nature of the breach, the categories and approximate number of affected individuals, the likely consequences, and the measures taken or proposed to mitigate the breach.
8. Liability
Each Party shall be responsible for any damages caused by its own breach of this DPA or applicable data protection laws. The Processor shall indemnify the Controller for any claims arising directly from its failure to comply with this DPA, while the Controller remains responsible for ensuring the lawfulness of data collection and processing.
9. Cross-Border Transfers
The Processor shall ensure compliance with international data transfer requirements by implementing SCCs where applicable. The full text of the SCCs is integrated as follows:
Standard Contractual Clauses (SCCs)
Clause 1: Purpose and Scope
These Clauses set out appropriate safeguards for the transfer of Personal Data from the Controller (data exporter) to the Processor (data importer), in compliance with Regulation (EU) 2016/679.
Clause 2: Third-Party Beneficiaries
Data subjects may invoke and enforce these Clauses against the Parties as third-party beneficiaries.
Clause 3: Obligations of the Data Exporter
The data exporter warrants that:
- The transfer of Personal Data is lawful under applicable data protection laws.
- It has used reasonable efforts to ensure that the data importer can comply with the obligations under these Clauses.
Clause 4: Obligations of the Data Importer
The data importer shall:
- Process Personal Data only in accordance with these Clauses.
- Ensure appropriate technical and organizational measures to safeguard the data.
- Promptly notify the data exporter in case of non-compliance.
Clause 5: Liability
Each Party shall be liable for any material or non-material damages arising from its breach of these Clauses. Joint liability applies in cases where multiple Parties contribute to a breach.
Clause 6: Governing Law and Jurisdiction
These Clauses shall be governed by the laws of the Member State where the data exporter is established. Disputes shall be resolved in the competent courts of that Member State.
10. Termination and Data Return/Deletion
Upon termination of the Agreement, the Processor shall, at the Controller’s request, either delete or return all Personal Data within 30 days. Backup data shall be securely isolated and protected until it is deleted in accordance with the Processor’s retention policies.
11. Governing Law
This DPA shall be governed by the laws of the State of California, USA. Disputes arising out of or in connection with this DPA shall be resolved in the courts of California. For international data transfers governed by the SCCs, the governing law and jurisdiction provisions of Clause 6 of the SCCs shall apply.
12. Miscellaneous
This DPA constitutes the entire agreement between the Parties concerning the processing of Personal Data. It supersedes all prior agreements or understandings related to the subject matter. Any amendments must be made in writing and signed by authorized representatives of both Parties.
Appendices
Appendix 1: Data Processing Details
Nature of Processing: Provision of services as outlined in the Agreement.
Categories of Data Subjects: Employees, representatives, or users of the Controller.
Types of Personal Data: Names, email addresses, and other data as determined by the Controller.
Duration of Processing: For the term of the Agreement.
Appendix 2: Subprocessors
Authorized Subprocessor: Google Cloud Platform (GCP).
This DPA is effective as of January 1, 2025
