BLUE.AI
Data Processing Agreement - EU

 

THIS DATA PROCESSING AGREEMENT (hereinafter the “DPA”) constitutes a part of Terms and Conditions between Blue and its Customers (the “Main Agreement” or “Terms”) which come into effect on the effective date of the Main Agreement or as soon as the Processing of the Personal Data starts (hereinafter the “Effective Date”) by and between:

Blue. Ai Holding Limited  

Address: registered office at Grigori Afxentiou, 81 Palaiometocho, 2682, Nicosia, Cyprus (Hereinafter referred to as “Blue”) 

and 

Customer (Hereinafter the “Customer”) 

each referred to as a “Party” and collectively referred to as the “Parties”. 

BACKGROUND 

A. WHEREAS, this DPA sets forth the terms and conditions relating to Processing of Personal Data by Blue. The Parties agree to comply with the terms and conditions in this DPA in connection with such Processing of Personal Data contained in Customer Data. 

B. WHEREAS, the Parties agree that Blue acts as Processor and Customer acts as Controller as those terms are defined under Data Protection Laws. In some cases where Customer acts as Processor for an end-user, Blue shall act as a sub-processor. 

C. WHEREAS, the Parties have agreed to enter into this DPA in order to address the compliance with the obligations imposed by the Data Protection Laws and other applicable Data Protection Laws in force in any country and under any jurisdiction relevant for the provision of the Service under the Main Agreement. 

NOW, THEREFORE, the Parties agree as follows: 

 

  1. DEFINITIONS

Words and phrases used in this Agreement have the following meanings: 

“Agreement” shall mean the present Data Processing Agreement (DPA) and all Annexes hereto.

“Data Protection Laws” means all laws and regulations applicable to the Processing of Personal Data under the Term including UAE Data Protection Laws, and applicable in the GCC region including without limitation the Bahrain - Law No. (30) of 2018 with Respect to Personal Data Protection Law, Qatar - Law No. (13) of 2016 on the Protection of the Privacy of Personal Data, Oman - Royal Decree No. 6 / 2022 promulgating the Personal Data Protection Law, Kingdom of Saudi Arabia - Personal Data Protection Law issued by Royal Decree M/19 of 9/2/1443H and Qatar Financial Centre - Data Protection Regulations 2021.

“DPA” shall mean this Data Processing Agreement including all its annexes as may be amended, supplemented or novated from time to time, in particular, but not limited to, Annex 1 hereto.

“UAE Data Protection Laws” means (i) Federal Decree Law no. 45 of 2021 regarding the Protection of Personal data, which ensures the confidentiality of information and protects the privacy of individuals in the UAE, provides a proper governance for data management and protection and defines the rights and duties of all parties concerned; (ii) Federal Decree Law no. 34 of 2021 on Combatting rumors and Cybercrimes, which governs the misuse and abuse of online technologies and aims to enhance the level of protection from online crimes committed through the use of information technology, networks and platforms; (iii) Dubai International Financial Centre - Data Protection Law DIFC Law No. 5 of 2020; and (iv) Abu Dhabi Global Market - Data Protection Regulations 2021, each as amended from time to time, and other applicable laws and regulations of the UAE, as well as applicable national implementations thereof (as may be amended, superseded or replaced).

“Customer Data” means any Personal Data that Blue processes on behalf of Customer as a Processor in the course of providing Services, as more particularly described in this DPA.

“Data Controller” shall mean the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data. Furthermore, Data Controller controls Personal Data, collecting consent, managing consent-revoking, enabling right to access to Data Subjects.

“Data Subject” means the identified or identifiable person to whom Personal Data relates.

“Personal Data” means any information contained in Customer Data that is protected under applicable Data Protection Laws and Regulations, such as information describing or relating to: (i) an identified or identifiable natural person or household or (ii) an identified or identifiable legal entity (where such information is protected as personal data or personally identifiable information under applicable Data Protection Laws and Regulations).

"Services" shall mean the services provided by Blue via its online Platform/Website. 

“Processing” has the meaning of “process”, “processes” and “processed” shall be interpreted accordingly.

“Processor” means the Party which Processes Personal Data on behalf of the Controller, including as applicable any “Service Provider” as that term is defined by the UAE Data Protection Laws.

“Security Incident” means any unauthorized or unlawful breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Customer Data.

“Sub-Processor” shall mean a natural or legal person, public authority, agency, or other body which has been assigned by the Processor to process Personal Data according to this DPA, as far as this DPA allows to do so.

 

2-S

  3. OBLIGATIONS OF THE CONTROLLER / CUSTOMER

3.1 Customer shall, in Customer’s use of the Services, Process Personal Data in accordance with the requirements of all applicable Data Protection Laws and Regulations. Customer represents and warrants that Customer has established a lawful basis to Process Personal Data, Customer’s use of the Blue services will not violate the rights of any Data Subject, and Customer has the right to transfer, or provide access to, the Personal Data to Blue for Processing in accordance with the terms of the Terms (including this DPA). 

3.2 The Controller shall be solely responsible for determining the permissibility and lawfulness of the Personal Data it provides to the Processor for Processing, including the preservation of the rights of the relevant Data Subjects. As such, the Controller is responsible and expressly warrants that it shall demonstrably obtain the necessary and desirable consent of the relevant Data Subject, which shall in any event include the right of the Personal Data of the relevant Data Subject to be forwarded to and Processed by the Processor. 

3.3 Customer undertakes not to include in the Distribution Lists uploaded onto the Platform any Personal Data known as “sensitive” within the meaning provided for in the UAE Data Protection Laws. 

3.4 The Controller shall ensure that its instructions, upon which the Processor shall process Personal Data, are lawful, such that the Processor’s Processing of Personal Data for the provision of the Service will not cause the Processor to violate any applicable law, regulation or rule, including any applicable Data Protection Laws.

3.5 The Controller shall indemnify and hold the Processor harmless and free from any liability or damages incurred by the Processor as a result of the breach of the Controller’s obligations under this DPA or applicable Data Protection Laws, subject in all cases to the limitation of liability provisions set forth in the Main Agreement. 

3.6 Customer shall inform Blue without undue delay if Customer is not able to comply with Customer’s obligations under this DPA or any applicable Data Protection Laws. For the avoidance of doubt, Blue is not responsible for compliance with any Data Protection Laws applicable to Customer or Customer’s industry that are not generally applicable to Blue. 

 

  4. OBLIGATIONS OF THE PROCESSOR

The parties acknowledge and agree that (i) with regard to the Processing of Customer Data, Customer is the Controller and Blue is the Processor and (ii) Blue will engage Sub-Processors pursuant to the requirements set forth in Section 5 “SUB-CONTRACTING AND SUB-PROCESSING” below. Blue may process Customer Data as a Controller in accordance with Blue’s Privacy Policy that Customer hereby acknowledges https://www.blue.ai/privacy-policy in order to manage the Customer’s account, provide billing, produce statistics, or defend its rights in court or in settlement.

Purpose of Processing: The purpose of Blue’s Processing of Customer Data as Customer’s Processor is the provision of Blue’s standard Services to the Customer and the performance of Blue’s obligations to Customer and under applicable laws.  

Controller’s Instructions: Blue shall Process, retain, use, store, or disclose Customer Data only according to written, documented instructions issued by Customer to Blue to perform a specific or general action with regard to Customer Data for the purpose of providing the services to Customer pursuant to the Terms (Customer’s “Instructions”). The parties agree that the Terms (including this DPA), together with Customer’s use of Blue’s services in accordance with the Terms, constitute Customer’s complete and final Instructions to Blue in relation to the Processing of Customer Data. Blue shall inform Customer if, in Blue’s opinion, an Instruction violates applicable Data Protection Laws or Blue is unable to follow an Instruction and, where necessary, cease all Processing until Customer issues new Instructions with which Blue is able to comply. 

4.1 Notifications: 
a. Should an applicable provision of law prevent or hinder the Processor from acting in accordance with Section 4.2 hereof, or a change in the Processing processes of the Processor be required or mandated, then prior to the conduct of any further Processing, the Processor shall notify the Controller of such legal impediment and/or process change in writing (e-mail shall suffice), unless such notification would be contrary to objective security considerations, or would violate applicable law or an order issued by a court or a competent authority. 

b. Further, the Processor shall notify the Controller also if - in the Processor’s opinion - an instruction of the Controller violates applicable law(s), unless prohibited from so doing by applicable law. 

c. For the avoidance of doubt, it is expressly held for the record that the Processor has the right to suspend the provision of its services towards the Controller until a consensus with the Controller is reached on how to proceed further. 

4.2 Confidentiality:  Without prejudice to any existing arrangements between the Parties and the provisions of the Main Agreement, the Processor shall treat Personal Data provided to it as strictly confidential. This obligation shall remain valid for the term of this DPA or for as long as the Processor is in possession of the Personal Data provided by the Customer, whichever is the later. 

4.3 Data Access: The Processor shall ensure that the access to Personal Data is limited exclusively to those employees and contractors, whose access is necessary for the provision of the Service. The Processor shall furthermore ensure that any such employees and contractors having access to Personal Data are under appropriate confidentiality and data secrecy obligations, or are otherwise bound by the requirement of confidentiality by the provisions of applicable law prior to the Processing of Personal Data.

4.4 Data Security:  For the term of this DPA, the Processor shall ensure that it maintains appropriate and sufficient technical and organizational measures to protect Personal Data from accidental loss, destruction, damage, alteration, unauthorized disclosure or access, in particular where the Processing involves the transmission of data over a network, as well as against all other unlawful forms of Processing. 

4.5 Without prejudice to any other security standards agreed upon by the Parties, the Processor shall take appropriate technical and organizational measures to ensure security of the Processing of Personal Data in compliance with the standards stipulated in Article 32 of Regulation 2016/679. These measures shall include in particular and as appropriate:  
  • pseudonymization and encryption. 
  • the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and the Service. 
  • the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident. 
  • a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the Processing. 

4.6 The Processor is committed to continuously implement and enhance technical and organizational measures adopted by it in order to safeguard the security of Personal Data as well as preserve, identify and control any unauthorized or illegal access or use of Personal Data. 

4.7 Requests of Data Subjects: 

a. The Processor shall provide assistance to the Controller in order to allow the Controller to comply with its duties in relation to the rights of Data Subjects, such as the right to information, rectification, erasure, data portability or objection within the time limits prescribed by applicable Data Protection Law. As such, at the Controller’s request, the Processor shall provide the Controller with all data reasonably necessary for such purpose. 

b. In case a request exercising the right of a Data Subject is addressed to the Processor, then the Processor shall promptly forward (e-mail shall suffice) such request to the Controller for further action. 

c. In the event that in a request addressed to the Processor, a Data Subject mistakenly considers the Processor to be the Controller, then the Processor shall promptly forward (e-mail shall suffice) such request to the Controller for further action, and the Controller shall have the obligation to correct misconception of the Data Subject and inform them accordingly. 

4.8 Requests of Governmental Bodies and Supervisory Authorities:  Unless prohibited by applicable law, the Processor shall without any undue delay notify the Controller of any request made by a governmental body or a Supervisory Authority concerning Personal Data made available by the Controller. The Processor shall support and assist the Controller in its compliance in relation to the requirements imposed by the Data Protection Laws, and shall support the Controller in data protection audits conducted by the governmental bodies or Supervisory Authorities concerning Personal Data processed under this DPA. 

4.9 Inspections and Control: 

a. The Processor agrees to provide the Controller with all the information reasonably necessary to demonstrate compliance with the obligations set out in this DPA and to allow for and contribute to inspections conducted by the Controller – or a Third Party designated by the Controller – at the Controller’s own expense. The Third Party entrusted by the Controller shall be under documented obligation to maintain confidentiality. 

b. The intent to conduct an audit shall be communicated to the Processor with at least 14 (fourteen) days’ prior written notice. The right to audit may generally be exercised only once per calendar year, during normal business hours, under the least disruption of the Processor’s business operations and subject to any reasonable requirements of the Processor as to confidentiality and/or security. The audit shall, furthermore, be performed on the basis of a mutually agreed audit plan. 

 

4.10 Personal Data Breach: The Processor shall notify the Controller in writing without any undue delay, but in any event no later than 72 (seventy-two) hours after the Processor has become aware of a Personal Data Breach. Such notification shall be sent to the e-mail address of the Controller indicated in Annex 1 hereto and shall as a minimum contain the following information: 
  • Description of the nature of the Personal Data Breach, including (where possible) the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned. 
  • Communicate the name and contact details of the Processor’s data protection officer or other point of contact from where more information can be obtained. 
  • Description of the likely consequences of the Personal Data Breach. 
  • Description of the measures taken (or proposed to be taken) by the Processor to address the Personal Data Breach, including (where appropriate) measures to mitigate its possible adverse effects. 

4.11 Unless required by applicable law, the Processor shall not disclose or publish any statement, communication, notice, press release or report regarding the Personal Data Breach, or notify any Data Subjects or Supervisory Authorities without the prior written consent (e-mail shall suffice) of the Controller.

 

  5. SUB-CONTRACTING AND SUB-PROCESSING

5.1 The Processor shall have the right to engage Sub-Processors for carrying out obligations regarding the Processing of Personal Data arising from this DPA. The sub-contracting of any Sub-Processor shall be subject to a written contract or other legal act according to applicable Data Protection Laws and imposing on a Sub-Processor substantially the same obligations as those set out in this DPA. 

5.2 The Processor shall be liable to the Controller for any failure of a Sub-Processor to fulfil such obligations and requirements. 

5.3 Prior to the commencement of any data Processing, the Processor shall ensure compliance with the obligations set out in this DPA on the part of the Sub-Processor, in particular the latter’s compliance with any agreed technical and organizational security measures. 

5.4 The Processor is expressly entitled to provide and/or forward Personal Data where such provision and/or forwarding of such Personal Data is directly related to and necessary in connection with the Service. 

5.5 In case the Processing of Personal Data by a Sub-Processor takes place outside of the UAE, the Processor shall undertake all reasonably required steps in order to ensure an adequate level of protection for such Personal Data in accordance with applicable Data Protection Laws. 

 

  6. TERMS AND TERMINATION

6.1 Blue shall Process Customer Data throughout the duration of the term of the Terms or any renewal thereof.  

6.2 Upon termination of the Services by either party, Blue shall cease processing Customer Data.  

6.3 Blue may use Customer Data for the purpose of creating statistics and improving its products and services in an anonymized or aggregated manner or to comply with legal obligations applicable to Blue in its role as a hosting provider. 

6.4 In case the Processor is in material breach of a material provision of this DPA, the Controller has the right to immediately terminate both this DPA as well as the Main Agreement on the responsibility of the breaching party, for just cause in accordance with the terms set out in the Main Agreement. 

 

  7. RETURN OF PERSONAL DATA

7.1 Upon termination of this DPA and/or the contractual relationship and the Main Agreement for any reason, or at any other time upon express documented instruction of the Controller, the Processor shall - at the request of the Controller - delete or return to the Controller all the Personal Data and delete existing copies unless applicable law requires Processor to continue storing such Personal Data, or the deletion is practically not possible due to technical limitations, in which case the Personal Data will be blocked from further use. 

7.2 Where applicable, the Processor shall contractually ensure that any Sub-Processors engaged by it comply with the obligation set out in Section 7.1 hereof accordingly. 

 

  8. GENERAL PROVISIONS
8.1 The following annex shall form an integral part of this DPA: 
  • Annex 1 (Details of Personal Data Processing) 

8.2 Should any provision of this DPA be deemed to be invalid, illegal or incapable of being enforced, the validity of the other provisions shall not be affected and remain in full force and effect. The Parties shall undertake to immediately replace the ineffective provision by a provision that most closely reflects the commercial purpose of the ineffective provision and the intention of the Parties. 

8.3 This DPA shall be governed by the law applicable to the Main Agreement. Any dispute arising from this DPA shall be resolved according to the dispute resolution clause provided for in the Main Agreement. 

 

ANNEX (1) ONE 

DETAILS OF PERSONAL DATA PROCESSING 

 

1. Purpose of Processing 

The Processor Processes the Personal Data made available to it by the Controller for the sole purpose of the implementation of the contractual relationship for the provision of the Service, in particular 

  • Storage of contact lists uploaded by Users 
  • Sending messages by email or SMS or other means of electronic communications, whether automated or not 
  • Retention and analysis of email deliverability data 
  • Collection of unsubscriptions  
  • Collection of consents (in the event that the User uses the Blue form to retrieve contact data from their own site) 

 

2. Data Subject and Personal Data Categories  

 Categories of Data Subjects: Users, and any individual: (i) whose email address and/or telephone number is included in the Customer distribution list; (ii) whose information is stored or collected via the Services, or (iii) to whom Users send emails or otherwise engage or communicate with via the Services. 

Subject matter: The subject-matter of data Processed under this DPA is Customer Data as described in the Terms and this DPA. 

(a) Customer and Users: identification and contact details (name, address, title, contact details, username, company/organization details, phone number); organization details (geographic location, website), sending information (email address, IP address, date and time).  

(b) Contact/recipient: identification and contact details as uploaded by the User (name, email address, telephone number, notes, imported file); IT information (IP addresses, open/click rate and events related), sending information (date and time). 

 

3. Duration of the Processing and Data Retention  

The Processor shall retain such Personal Data provided to it by the Controller only for as long as the relevant data set is required for the fulfillment of the contractual relationship for the provision of the Service, or to comply with legal/regulatory (in particular commercial and fiscal) or contractual (e.g., with Operators) obligations applicable to the Processor and its business, whichever is the longer.  

 

 


 

 DATA PROCESSING AGREEMENT
THIS DATA PROCESSING AGREEMENT (hereinafter the “DPA”) constitutes a part of Terms and Conditions between Blue and its Customers (the “Main Agreement” or “Terms”) which come into effect on the effective date of the Main Agreement or as soon as the Processing of the Personal Data starts (hereinafter the “Effective Date”) by and between:
Blue. Ai Holding Limited 
Address: registered office at Grigori Afxentiou, 81 Palaiometocho, 2682, Nicosia, Cyprus (Hereinafter referred to as “Blue”)
and
Customer (Hereinafter the “Customer”)
each referred to as a “Party” and collectively referred to as the “Parties”.
BACKGROUND
A.    WHEREAS, this DPA sets forth the terms and conditions relating to Processing of Personal Data by Blue. The Parties agree to comply with the terms and conditions in this DPA in connection with such Processing of Personal Data contained in Customer Data.
B.    WHEREAS, the Parties agree that Blue acts as Processor and Customer acts as Controller as those terms are defined under Data Protection Laws. In some cases where Customer acts as Processor for an end-user, Blue shall act as a sub-processor.
C.    WHEREAS, the Parties have agreed to enter into this DPA in order to address the compliance with the obligations imposed by the GDPR and other applicable Data Protection Laws.
NOW, THEREFORE, the Parties agree as follows:
1.    DEFINITIONS
Words and phrases used in this Agreement have the following meanings:
“Agreement” shall mean the present Data Processing Agreement (DPA) and all Annexes hereto.
“Data Protection Laws” means all laws and regulations applicable to the Processing of Personal Data under the Terms, including without limitation the GDPR and other EU Data Protection Laws and Regulations, each as amended from time to time. Such as Directive 2009/136/EC amending Directive 2002/22/EC on universal service and users’ rights relating to electronic communications networks and services and data protection laws and regulations in force in any country and under any jurisdiction relevant for the provision of the Service under the Main Agreement.
“DPA” shall mean this Data Processing Agreement including all its annexes as may be amended, supplemented or novated from time to time, in particular, but not limited to, Annex 1 hereto.
“EU Data Protection Law” means (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (“GDPR”); and (ii) Directive 2002/58/EC concerning the processing of Personal Data and the protection of privacy in the electronic communications sector, and other applicable laws and regulations of the European Union, the European Economic Area and their member states, as well as applicable national implementations thereof (as may be amended, superseded or replaced). 
“GDPR” shall mean Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC and Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector. 
“Customer Data” means any Personal Data that Blue processes on behalf of Customer as a Processor in the course of providing Services, as more particularly described in this DPA. 
“Data Controller” shall mean the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data. Furthermore, Data Controller controls Personal Data, collecting consent, managing consent-revoking, enabling right to access to Data Subjects.
“Data Subject” means the identified or identifiable person to whom Personal Data relates.
“Personal Data” means any information contained in Customer Data that is protected under applicable Data Protection Laws and Regulations, such as information describing or relating to: (i) an identified or identifiable natural person or household or (ii) an identified or identifiable legal entity (where such information is protected as personal data or personally identifiable information under applicable Data Protection Laws and Regulations). 
"Services" shall mean the services provided by Blue via its online Platform/Website.
“Processing” has the meaning given to it in the GDPR and “process”, “processes” and “processed” shall be interpreted accordingly. 
“Processor” means the Party which Processes Personal Data on behalf of the Controller, including as applicable any “Service Provider” as that term is defined by the CCPA and comparable U.S. privacy laws.
“Security Incident” means any unauthorized or unlawful breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Customer Data. 
“Sub-Processor” shall mean a natural or legal person, public authority, agency, or other body which has been assigned by the Processor to process Personal Data according to this DPA, as far as this DPA allows to do so.
Any term written in title case that is not expressly defined in this DPA shall have the meaning ascribed to them under either:
i.    the GDPR (such as, but not limited to, “Controller”, “Data Subject”, “Personal Data”, “Personal Data Breach”, “Processing”, “Processor”, “Supervisory Authority”, “Third Party”, etc.), or
ii.    the Main Agreement.
2.    SUBJECT
2.1    This DPA forms an integral part of the “Main Agreement” between Blue and the Customer. 
2.2    The Parties shall both comply with their respective obligations, be it as a Controller or a Processor, under applicable Data Protection Laws in connection with any processing of Personal Data in connection with the Main Agreement and shall not knowingly do anything, or permit anything to be done, which might lead to a breach by itself or by the other Party of any applicable Data Protection Laws. This DPA governs the Processing of Personal Data provided to the Processor by the Controller in connection with the provision of the Service defined in the Main Agreement.
2.3    The Processing of Personal Data by the Processor (and any Sub-Processors accordingly) under this DPA shall be performed exclusively in accordance with the provisions of this DPA as well as the Controller’s instructions, having due regard to the nature, purpose and duration of the Processing, the type of Personal Data, the categories of Data Subjects and other aspects specified in this DPA and in Annex 1 hereto.
2.4    In the event and to the extent of any conflict, ambiguity, or inconsistency between the provisions of this DPA and those of the Main Agreement, then unless expressly stated otherwise, the provisions of this DPA shall prevail over the conflict, ambiguity or inconsistency.
2.5    Any claims brought under or in connection with this DPA shall be subject to the terms of the Terms, including but not limited to the exclusions and limitations set forth in the Terms. 
2.6    This DPA shall be governed by and construed in accordance with governing law and jurisdiction provisions in the Terms, unless required otherwise by applicable Data Protection Laws.
2.7    This DPA applies where and only to the extent that Data Protection Laws are applicable to the processing of Customer Data. 
3.    OBLIGATIONS OF THE CONTROLLER / CUSTOMER
3.1    Customer shall, in Customer’s use of the Services, Process Personal Data in accordance with the requirements of all applicable Data Protection Laws and Regulations. Customer represents and warrants that Customer has established a lawful basis to Process Personal Data, Customer’s use of the Blue services will not violate the rights of any Data Subject, and Customer has the right to transfer, or provide access to, the Personal Data to Blue for Processing in accordance with the terms of the Terms (including this DPA).
3.2    The Controller shall be solely responsible for determining the permissibility and lawfulness of the Personal Data it provides to the Processor for Processing, including the preservation of the rights of the relevant Data Subjects. As such, the Controller is responsible and expressly warrants that it shall demonstrably obtain the necessary and desirable consent of the relevant Data Subject, which shall in any event include the right of the Personal Data of the relevant Data Subject to be forwarded to and Processed by the Processor.
3.3    Customer undertakes not to include in the Distribution Lists uploaded onto the Platform any Personal Data known as “sensitive” within the meaning of Article 9 of the GDPR.
3.4    The Controller shall ensure that its instructions, upon which the Processor shall process Personal Data, are lawful, such that the Processor’s Processing of Personal Data for the provision of the Service will not cause the Processor to violate any applicable law, regulation or rule, including any applicable Data Protection Laws or GDPR.
3.5    The Controller shall indemnify and hold the Processor harmless and free from any liability or damages incurred by the Processor as a result of the breach of the Controller’s obligations under this DPA or applicable Data Protection Laws, subject in all cases to the limitation of liability provisions set forth in the Main Agreement.
3.6    Customer shall inform Blue without undue delay if Customer is not able to comply with Customer’s obligations under this DPA or any applicable Data Protection Laws. For the avoidance of doubt, Blue is not responsible for compliance with any Data Protection Laws applicable to Customer or Customer’s industry that are not generally applicable to Blue.
4.    OBLIGATIONS OF THE PROCESSOR
The parties acknowledge and agree that (i) with regard to the Processing of Customer Data, Customer is the Controller and Blue is the Processor and (ii) Blue will engage Sub-Processors pursuant to the requirements set forth in Section 5 “SUB-CONTRACTING AND SUB-PROCESSING” below. Blue may process Customer Data as a Controller in accordance with Blue’s Privacy Policy that Customer hereby acknowledges [TO ADD pp LINK] in order to manage the Customer’s account, provide billing, produce statistics, or defend its rights in court or in settlement.
Purpose of Processing: The purpose of Blue’s Processing of Customer Data as Customer’s Processor is the provision of Blue’s standard Services to the Customer and the performance of Blue’s obligations to Customer and under applicable laws. 
Controller’s Instructions: Blue shall Process, retain, use, store, or disclose Customer Data only according to written, documented instructions issued by Customer to Blue to perform a specific or general action with regard to Customer Data for the purpose of providing the services to Customer pursuant to the Terms (Customer’s “Instructions”). The parties agree that the Terms (including this DPA), together with Customer’s use of Blue’s services in accordance with the Terms, constitute Customer’s complete and final Instructions to Blue in relation to the Processing of Customer Data. Blue shall inform Customer if, in Blue’s opinion, an Instruction violates applicable Data Protection Laws or Blue is unable to follow an Instruction and, where necessary, cease all Processing until Customer issues new Instructions with which Blue is able to comply.
4.1    Notifications:
a.    Should an applicable provision of law prevent or hinder the Processor from acting in accordance with Section 4.2 hereof, or a change in the Processing processes of the Processor be required or mandated, then prior to the conduct of any further Processing, the Processor shall notify the Controller of such legal impediment and/or process change in writing (e-mail shall suffice), unless such notification would be contrary to objective security considerations, or would violate applicable law or an order issued by a court or a competent authority.
b.    Further, the Processor shall notify the Controller also if - in the Processor’s opinion - an instruction of the Controller violates applicable law(s), unless prohibited from so doing by applicable law.
c.    For the avoidance of doubt, it is expressly held for the record that the Processor has the right to suspend the provision of its services towards the Controller until a consensus with the Controller is reached on how to proceed further.
4.2    Confidentiality:  Without prejudice to any existing arrangements between the Parties and the provisions of the Main Agreement, the Processor shall treat Personal Data provided to it as strictly confidential. This obligation shall remain valid for the term of this DPA or for as long as the Processor is in possession of the Personal Data provided by the Customer, whichever is the later.
4.3    Data Access: The Processor shall ensure that the access to Personal Data is limited exclusively to those employees and contractors, whose access is necessary for the provision of the Service. The Processor shall furthermore ensure that any such employees and contractors having access to Personal Data are under appropriate confidentiality and data secrecy obligations, or are otherwise bound by the requirement of confidentiality by the provisions of applicable law prior to the Processing of Personal Data.
4.4    Data Security:  For the term of this DPA, the Processor shall ensure that it maintains appropriate and sufficient technical and organizational measures to protect Personal Data from accidental loss, destruction, damage, alteration, unauthorized disclosure or access, in particular where the Processing involves the transmission of data over a network, as well as against all other unlawful forms of Processing.
4.5    Without prejudice to any other security standards agreed upon by the Parties, the Processor shall take appropriate technical and organizational measures to ensure security of the Processing of Personal Data in compliance with the standards stipulated in Article 32 of Regulation 2016/679. These measures shall include in particular and as appropriate: 
-    pseudonymization and encryption.
-    the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and the Service.
-    the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident.
-    a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the Processing.
4.6    The Processor is committed to continuously implement and enhance technical and organizational measures adopted by it in order to safeguard the security of Personal Data as well as preserve, identify and control any unauthorized or illegal access or use of Personal Data.
4.7    Requests of Data Subjects:
a.    The Processor shall provide assistance to the Controller in order to allow the Controller to comply with its duties in relation to the rights of Data Subjects, such as the right to information, rectification, erasure, data portability or objection within the time limits prescribed by applicable Data Protection Law. As such, at the Controller’s request, the Processor shall provide the Controller with all data reasonably necessary for such purpose.
b.    In case a request exercising the right of a Data Subject is addressed to the Processor, then the Processor shall promptly forward (e-mail shall suffice) such request to the Controller for further action.
c.    In the event that in a request addressed to the Processor, a Data Subject mistakenly considers the Processor to be the Controller, then the Processor shall promptly forward (e-mail shall suffice) such request to the Controller for further action, and the Controller shall have the obligation to correct misconception of the Data Subject and inform them accordingly.
4.8    Requests of Governmental Bodies and Supervisory Authorities:  Unless prohibited by applicable law, the Processor shall without any undue delay notify the Controller of any request made by a governmental body or a Supervisory Authority concerning Personal Data made available by the Controller. The Processor shall support and assist the Controller in its compliance in relation to the requirements imposed by the Data Protection Laws, and shall support the Controller in data protection audits conducted by the governmental bodies or Supervisory Authorities concerning Personal Data processed under this DPA.


4.9    Inspections and Control:
a.    The Processor agrees to provide the Controller with all the information reasonably necessary to demonstrate compliance with the obligations set out in this DPA and to allow for and contribute to inspections conducted by the Controller – or a Third Party designated by the Controller – at the Controller’s own expense. The Third Party entrusted by the Controller shall be under documented obligation to maintain confidentiality.
b.    The intent to conduct an audit shall be communicated to the Processor with at least 14 (fourteen) days’ prior written notice. The right to audit may generally be exercised only once per calendar year, during normal business hours, under the least disruption of the Processor’s business operations and subject to any reasonable requirements of the Processor as to confidentiality and/or security. The audit shall, furthermore, be performed on the basis of a mutually agreed audit plan.
4.12    Personal Data Breach: The Processor shall notify the Controller in writing without any undue delay, but in any event no later than 72 (seventy-two) hours after the Processor has become aware of a Personal Data Breach. Such notification shall be sent to the e-mail address of the Controller indicated in Annex 1 hereto and shall as a minimum contain the following information:
-    Description of the nature of the Personal Data Breach, including (where possible) the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned.
-    Communicate the name and contact details of the Processor’s data protection officer or other point of contact from where more information can be obtained.
-    Description of the likely consequences of the Personal Data Breach.
-    Description of the measures taken (or proposed to be taken) by the Processor to address the Personal Data Breach, including (where appropriate) measures to mitigate its possible adverse effects.
4.13    Unless required by applicable law, the Processor shall not disclose or publish any statement, communication, notice, press release or report regarding the Personal Data Breach, or notify any Data Subjects or Supervisory Authorities without the prior written consent (e-mail shall suffice) of the Controller.
5.    SUB-CONTRACTING AND SUB-PROCESSING
5.1    The Processor shall have the right to engage Sub-Processors for carrying out obligations regarding the Processing of Personal Data arising from this DPA. The sub-contracting of any Sub-Processor shall be subject to a written contract or other legal act according to applicable Data Protection Laws and imposing on a Sub-Processor substantially the same obligations as those set out in this DPA.
5.2    The Processor shall be liable to the Controller for any failure of a Sub-Processor to fulfil such obligations and requirements.
5.3    Prior to the commencement of any data Processing, the Processor shall ensure compliance with the obligations set out in this DPA on the part of the Sub-Processor, in particular the latter’s compliance with any agreed technical and organizational security measures.
5.4    The Processor is expressly entitled to provide and/or forward Personal Data where such provision and/or forwarding of such Personal Data is directly related to and necessary in connection with the Service.
5.5    In case the Processing of Personal Data by a Sub-Processor takes place outside of the European Economic Area, the Processor shall undertake all reasonably required steps in order to ensure an adequate level of protection for such Personal Data in accordance with applicable Data Protection Laws, in particular the standards set out in Articles 44 to 49 GDPR, which may include entering into the Standard Contractual Clauses set out in the European Commission’s Decision 2010/87/EU.
6.    TERMS AND TERMINATION
6.1    Blue shall Process Customer Data throughout the duration of the term of the Terms or any renewal thereof. 
6.2    Upon termination of the Services by either party, Blue shall cease processing Customer Data. 
6.3    Blue may use Customer Data for the purpose of creating statistics and improving its products and services in an anonymized or aggregated manner or to comply with legal obligations applicable to Blue in its role as a hosting provider.
6.4    In case the Processor is in material breach of a material provision of this DPA, the Controller has the right to immediately terminate both this DPA as well as the Main Agreement on the responsibility of the breaching party, for just cause in accordance with the terms set out in the Main Agreement.
7.    RETURN OF PERSONAL DATA
7.1    Upon termination of this DPA and/or the contractual relationship and the Main Agreement for any reason, or at any other time upon express documented instruction of the Controller, the Processor shall - at the request of the Controller - delete or return to the Controller all the Personal Data and delete existing copies unless applicable law requires Processor to continue storing such Personal Data, or the deletion is practically not possible due to technical limitations, in which case the Personal Data will be blocked from further use.
7.2    Where applicable, the Processor shall contractually ensure that any Sub-Processors engaged by it comply with the obligation set out in Section 7.1 hereof accordingly.
8.    GENERAL PROVISIONS
8.1    The following annex shall form an integral part of this DPA:
-    Annex 1 (Details of Personal Data Processing)
8.2    Should any provision of this DPA be deemed to be invalid, illegal or incapable of being enforced, the validity of the other provisions shall not be affected and remain in full force and effect. The Parties shall undertake to immediately replace the ineffective provision by a provision that most closely reflects the commercial purpose of the ineffective provision and the intention of the Parties.
8.3    This DPA shall be governed by the law applicable to the Main Agreement. Any dispute arising from this DPA shall be resolved according to the dispute resolution clause provided for in the Main Agreement.
















ANNEX (1) ONE
DETAILS OF PERSONAL DATA PROCESSING

1    Purpose of Processing
The Processor Processes the Personal Data made available to it by the Controller for the sole purpose of the implementation of the contractual relationship for the provision of the Service, in particular
•    Storage of contact lists uploaded by Users
•    Sending messages by email or SMS or other means of electronic communications, whether automated or not
•    Retention and analysis of email deliverability data
•    Collection of unsubscriptions 
•    Collection of consents (in the event that the User uses the Blue form to retrieve contact data from their own site)

2    Data Subject and Personal Data Categories 
Categories of Data Subjects: Users, and any individual: (i) whose email address and/or telephone number is included in the Customer distribution list; (ii) whose information is stored or collected via the Services, or (iii) to whom Users send emails or otherwise engage or communicate with via the Services.
Subject matter: The subject-matter of data Processed under this DPA is Customer Data as described in the Terms and this DPA.
(a) Customer and Users: identification and contact details (name, address, title, contact details, username, company/organization details, phone number); organization details (geographic location, website), sending information (email address, IP address, date and time). 
(b) Contact/recipient: identification and contact details as uploaded by the User (name, email address, telephone number, notes, imported file); IT information (IP addresses, open/click rate and events related), sending information (date and time).

3    Duration of the Processing and Data Retention 
The Processor shall retain such Personal Data provided to it by the Controller only for as long as the relevant data set is required for the fulfillment of the contractual relationship for the provision of the Service, or to comply with legal/regulatory (in particular commercial and fiscal) or contractual (e.g., with Operators) obligations applicable to the Processor and its business, whichever is the longer. 
 

 

 

THIS DATA PROCESSING AGREEMENT (hereinafter the “DPA”) constitutes a part of Terms and Conditions between Blue and its Customers (the “Main Agreement” or “Terms”) which come into effect on the effective date of the Main Agreement or as soon as the Processing of the Personal Data starts (hereinafter the “Effective Date”) by and between:

Blue. Ai Holding Limited

Address: registered office at Grigori Afxentiou, 81 Palaiometocho, 2682, Nicosia, Cyprus (Hereinafter referred to as “Blue”)

and

Customer (Hereinafter the “Customer”)

each referred to as a “Party” and collectively referred to as the “Parties”.

BACKGROUND

A. WHEREAS this DPA sets forth the terms and conditions relating to Processing of Personal Data by Blue. The Parties agree to comply with the terms and conditions in this DPA in connection with the Processing of Personal Data contained in Customer Data.

B. WHEREAS the Parties agree that Blue.ai acts as Processor and Customer acts as Controller as those terms are defined under Data Protection Laws. In some cases where the Customer acts as Processor for an end-user, Blue shall act as a sub-processor.

C. WHEREAS, the Parties have agreed to enter into this DPA in order to address the compliance with the obligations imposed by the Data Protection Laws and other applicable Data Protection Laws in force in any country and under any jurisdiction relevant for the provision of the Service under the Main Agreement.

NOW, THEREFORE, the Parties agree as follows:

1. DEFINITIONS

Words and phrases used in this Agreement have the following meanings:

“Agreement” shall mean the present Data Processing Agreement (DPA) and all Annexes hereto.

“Data Protection Laws” means all laws and regulations applicable to the Processing of Personal Data under the Term including UAE Data Protection Laws, and applicable in the GCC region including without limitation the Bahrain - Law No. (30) of 2018 with Respect to Personal Data Protection Law, Qatar - Law No. (13) of 2016 on the Protection of the Privacy of Personal Data, Oman - Royal Decree No. 6 / 2022 promulgating the Personal Data Protection Law, Kingdom of Saudi Arabia - Personal Data Protection Law issued by Royal Decree M/19 of 9/2/1443H and Qatar Financial Centre - Data Protection Regulations 2021.

“DPA” shall mean this Data Processing Agreement including all its annexes as may be amended, supplemented or novated from time to time, in particular, but not limited to, Annex 1 hereto.

“UAE Data Protection Laws” means (i) Federal Decree Law no. 45 of 2021 regarding the Protection of Personal data, which ensures the confidentiality of information and protects the privacy of individuals in the UAE, it provides a proper governance for data management and protection and defines the rights and duties of all parties concerned; and (ii) Federal Decree Law no. 34 of 2021 on Combatting rumors and Cybercrimes it governs the misuse and abuse of online technologies and aims to enhance the level of protection from online crimes committed through the use of information technology, networks and platforms, (iii) Dubai International Financial Centre - Data Protection Law DIFC Law No. 5 of 2020 and (iv) Abu Dhabi Global Market - Data Protection Regulations 2021, each as amended from time to time, and other applicable laws and regulations of the UAE, as well as applicable national implementations thereof (as may be amended, superseded or replaced).

“Customer Data” means any Personal Data that Blue processes on behalf of Customer as a Processor in the course of providing Services, as more particularly described in this DPA.

“Data Controller” shall mean the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data. Furthermore, Data Controller controls Personal Data, collecting consent, managing consent-revoking, enabling right to access to Data Subjects.

“Data Subject” means the identified or identifiable person to whom Personal Data relates.

“Personal Data” means any information contained in Customer Data that is protected under applicable Data Protection Laws and Regulations, such as information describing or relating to: (i) an identified or identifiable natural person or household or (ii) an identified or identifiable legal entity (where such information is protected as personal data or personally identifiable information under applicable Data Protection Laws and Regulations).

“Services” shall mean the Services provided by Blue via its online Platform/Website.

“Processing” has the meaning of “process”, “processes” and “processed” shall be interpreted accordingly.

“Processor” means the Party which Processes Personal Data on behalf of the Controller, including as applicable any “Service Provider” as that term is defined by the UAE Data Protection Laws.

“Security Incident” means any unauthorized or unlawful breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Customer Data.

“Sub-Processor” shall mean a natural or legal person, public authority, agency, or other body which has been assigned by the Processor to process Personal Data according to this DPA, as far as this DPA allows to do so.

2. SUBJECT

2.1. This DPA forms an integral part of the “Main Agreement” between Blue and the Customer.

2.2. The Parties shall both comply with their respective obligations, be it as a Controller or a Processor, under applicable Data Protection Laws in connection with any processing of Personal Data in connection with the Main Agreement and shall not knowingly do anything, or permit anything to be done, which might lead to a breach by itself or by the other Party of any applicable Data Protection Laws. This DPA governs the Processing of Personal Data provided to the Processor by the Controller in connection with the provision of the Service defined in the Main Agreement.

2.3. The Processing of Personal Data by the Processor (and any Sub-Processors accordingly) under this DPA shall be performed exclusively in accordance with the provisions of this DPA as well as the Controller’s instructions, having due regard to the nature, purpose and duration of the Processing, the type of Personal Data, the categories of Data Subjects and other aspects specified in this DPA and in Annex 1 hereto.

2.4. In the event and to the extent of any conflict, ambiguity, or inconsistency between the provisions of this DPA and those of the Main Agreement, then unless expressly stated otherwise, the provisions of this DPA shall prevail over the conflict, ambiguity or inconsistency.

2.5. Any claims brought under or in connection with this DPA shall be subject to the terms of the Terms, including but not limited to the exclusions and limitations set forth in the Terms.

2.6. This DPA shall be governed by and construed in accordance with governing law and jurisdiction provisions in the Terms, unless required otherwise by applicable Data Protection Laws.

2.7. This DPA applies where and only to the extent that Data Protection Laws are applicable to the processing of Customer Data.

3. OBLIGATIONS OF THE CONTROLLER / CUSTOMER

3.1. Customer shall, in Customer’s use of the Services, Process Personal Data in accordance with the requirements of all applicable Data Protection Laws and Regulations. Customer represents and warrants that Customer has established a lawful basis to Process Personal Data, Customer’s use of the Blue Services will not violate the rights of any Data Subject, and Customer has the right to transfer, or provide access to, the Personal Data to Blue for Processing in accordance with the terms of the Terms (including this DPA).

3.2. The Controller shall be solely responsible for determining the permissibility and lawfulness of the Personal Data it provides to the Processor for Processing, including the preservation of the rights of the relevant Data Subjects. As such, the Controller is responsible and expressly warrants that it shall demonstrably obtain the necessary and desirable consent of the relevant Data Subject, which shall in any event include the right of the Personal Data of the relevant Data Subject to be forwarded to and Processed by the Processor.

3.3. Customer undertakes not to include in the Distribution Lists uploaded onto the Platform any Personal Data known as “sensitive” within the meaning provided for in the UAE Data Protection Laws.

3.4. The Controller shall ensure that its instructions, upon which the Processor shall process Personal Data, are lawful, such that the Processor’s Processing of Personal Data for the provision of the Service will not cause the Processor to violate any applicable law, regulation or rule, including any applicable Data Protection Laws.

3.5. The Controller shall indemnify and hold the Processor harmless and free from any liability or damages incurred by the Processor as a result of the breach of the Controller’s obligations under this DPA or applicable Data Protection Laws, subject in all cases to the limitation of liability provisions set forth in the Main Agreement.

3.6. Customer shall inform Blue without undue delay if Customer is not able to comply with Customer’s obligations under this DPA or any applicable Data Protection Laws. For the avoidance of doubt, Blue is not responsible for compliance with any Data Protection Laws applicable to Customer or Customer’s industry that are not generally applicable to Blue.

4. OBLIGATIONS OF THE PROCESSOR

The parties acknowledge and agree that (i) with regard to the Processing of Customer Data, Customer is the Controller and Blue is the Processor and (ii) Blue will engage Sub-Processors pursuant to the requirements set forth in Section 5 “SUB-CONTRACTING AND SUB-PROCESSING” below. Blue may process Customer Data as a Controller in accordance with Blue’s Privacy Policy that Customer hereby acknowledges https://www.blue.ai/privacy-policy in order to manage the Customer’s account, provide billing, produce statistics, or defend its rights in court or in settlement.

Purpose of Processing: The purpose of Blue’s Processing of Customer Data as Customer’s Processor is the provision of Blue’s standard Services to the Customer and the performance of Blue’s obligations to Customer and under applicable laws.

Controller’s Instructions: Blue shall Process, retain, use, store, or disclose Customer Data only according to written, documented instructions issued by Customer to Blue to perform a specific or general action with regard to Customer Data for the purpose of providing the Services to Customer pursuant to the Terms (Customer’s “Instructions”). The parties agree that the Terms (including this DPA), together with Customer’s use of Blue’s Services in accordance with the Terms, constitute Customer’s complete and final Instructions to Blue in relation to the Processing of Customer Data. Blue shall inform Customer if, in Blue’s opinion, an Instruction violates applicable Data Protection Laws or Blue is unable to follow an Instruction and, where necessary, cease all Processing until Customer issues new Instructions with which Blue is able to comply.

4.1. Notifications:

4.1.1. Should an applicable provision of law prevent or hinder the Processor from acting in accordance with Section 4.2 hereof, or a change in the Processing processes of the Processor be required or mandated, then prior to the conduct of any further Processing, the Processor shall notify the Controller of such legal impediment and/or process change in writing (e-mail shall suffice), unless such notification would be contrary to objective security considerations, or would violate applicable law or an order issued by a court or a competent authority.

4.1.2. Further, the Processor shall notify the Controller also if - in the Processor’s opinion - an instruction of the Controller violates applicable law(s), unless prohibited from so doing by applicable law.

4.1.3. For the avoidance of doubt, it is expressly held for the record that the Processor has the right to suspend the provision of its Services to the Controller until a consensus with the Controller is reached on how to proceed further.

4.2. Confidentiality: Without prejudice to any existing arrangements between the Parties and the provisions of the Main Agreement, the Processor shall treat Personal Data provided to it as strictly confidential. This obligation shall remain valid for the term of this DPA or for as long as the Processor is in possession of the Personal Data provided by the Customer, whichever is the later.

4.3. Data Access: The Processor shall ensure that access to Personal Data is limited exclusively to those employees and contractors whose access is necessary for the provision of the Service. The Processor shall furthermore ensure that any such employees and contractors having access to Personal Data are under appropriate confidentiality and data secrecy obligations or are otherwise bound by the requirement of confidentiality by the provisions of applicable law prior to the Processing of Personal Data.

4.4. Data Security: For the term of this DPA, the Processor shall ensure that it maintains appropriate and sufficient technical and organizational measures to protect Personal Data from accidental loss, destruction, damage, alteration, unauthorized disclosure or access, particularly where the Processing involves the transmission of data over a network, as well as against all other unlawful forms of Processing.

4.5. Without prejudice to any other security standards agreed upon by the Parties, the Processor shall take appropriate technical and organizational measures to ensure security of the Processing of Personal Data in compliance with the standards stipulated in Article 32 of Regulation 2016/679. These measures shall include in particular and as appropriate:

4.5.1. pseudonymization and encryption.

4.5.2. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and the Service.

4.5.3. the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident.

4.5.4. a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the Processing.

4.6. The Processor is committed to continuously implement and enhance technical and organizational measures adopted by it in order to safeguard the security of Personal Data as well as preserve, identify and control any unauthorized or illegal access or use of Personal Data.

4.7. Requests of Data Subjects:

4.7.1. The Processor shall provide assistance to the Controller to allow the Controller to comply with its duties in relation to the rights of Data Subjects, such as the right to information, rectification, erasure, data portability or objection within the time limits prescribed by applicable Data Protection Law. As such, at the Controller’s request, the Processor shall provide the Controller with all data reasonably necessary for such a purpose.

4.7.2. In case a request exercising the right of a Data Subject is addressed to the Processor, then the Processor shall promptly forward (e-mail shall suffice) such request to the Controller for further action.

4.7.3. In the event that in a request addressed to the Processor, a Data Subject mistakenly considers the Processor to be the Controller, then the Processor shall promptly forward (e-mail shall suffice) such request to the Controller for further action, and the Controller shall have the obligation to correct misconception of the Data Subject and inform them accordingly.

4.8. Requests of Governmental Bodies and Supervisory Authorities:
Unless prohibited by applicable law, the Processor shall without any undue delay notify the Controller of any request made by a governmental body or a Supervisory Authority concerning Personal Data made available by the Controller. The Processor shall support and assist the Controller in its compliance in relation to the requirements imposed by the Data Protection Laws and shall support the Controller in data protection audits conducted by the governmental bodies or Supervisory Authorities concerning Personal Data processed under this DPA.

4.9. Inspections and Control:

4.9.1.The Processor agrees to provide the Controller with all the information reasonably necessary to demonstrate compliance with the obligations set out in this DPA and to allow for and contribute to inspections conducted by the Controller – or a Third Party designated by the Controller – at the Controller’s own expense. The Third Party entrusted by the Controller shall be under documented obligation to maintain confidentiality.

4.9.2. The intent to conduct an audit shall be communicated to the Processor with at least 14 (fourteen) days’ prior written notice. The right to audit may generally be exercised only once per calendar year, during normal business hours, under the least disruption of the Processor’s business operations and subject to any reasonable requirements of the Processor as to confidentiality and/or security. The audit shall be performed based on a mutually agreed audit plan.

4.10. Personal Data Breach:
The Processor shall notify the Controller in writing without any undue delay, but in any event no later than 72 (seventy-two) hours after the Processor has become aware of a Personal Data Breach. Such notification shall be sent to the e-mail address of the Controller indicated in Annex 1 hereto and shall as a minimum contain the following information:

4.10.1. Description of the nature of the Personal Data Breach, including (where possible) the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned.

4.10.2. Communicate the name and contact details of the Processor’s data protection officer or other point of contact from where more information can be obtained.

4.10.3. Description of the likely consequences of the Personal Data Breach.

4.10.4. Description of the measures taken (or proposed to be taken) by the Processor to address the Personal Data Breach, including (where appropriate) measures to mitigate its possible adverse effects.

4.11. Unless required by applicable law, the Processor shall not disclose or publish any statement, communication, notice, press release or report regarding the Personal Data Breach, or notify any Data Subjects or Supervisory Authorities without the prior written consent (e-mail shall suffice) of the Controller.

5. SUB-CONTRACTING AND SUB-PROCESSING

5.1. The Processor shall have the right to engage Sub-Processors for carrying out obligations regarding the Processing of Personal Data arising from this DPA. The sub-contracting of any Sub-Processor shall be subject to a written contract or other legal act according to applicable Data Protection Laws and imposing on a Sub-Processor substantially the same obligations as those set out in this DPA.

5.2. The Processor shall be liable to the Controller for any failure of a Sub-Processor to fulfil such obligations and requirements.

5.3. Prior to the commencement of any data Processing, the Processor shall ensure compliance with the obligations set out in this DPA on the part of the Sub-Processor, in particular the latter’s compliance with any agreed technical and organizational security measures.

5.4. The Processor is expressly entitled to provide and/or forward Personal Data where such provision and/or forwarding of such Personal Data is directly related to and necessary in connection with the Service.

5.5. In case the Processing of Personal Data by a Sub-Processor takes place outside of the UAE, the Processor shall undertake all reasonably required steps in order to ensure an adequate level of protection for such Personal Data in accordance with applicable Data Protection Laws.

6. TERMS AND TERMINATION

6.1. Blue shall Process Customer Data throughout the duration of the term of the Terms or any renewal thereof.

6.2. Upon termination of the Services by either party, Blue shall cease processing Customer Data.

6.3. Blue may use Customer Data for the purpose of creating statistics and improving its products and Services in an anonymized or aggregated manner or to comply with legal obligations applicable to Blue in its role as a hosting provider.

6.4. In case the Processor is in material breach of a material provision of this DPA, the Controller has the right to immediately terminate both this DPA as well as the Main Agreement on the responsibility of the breaching party, for just cause in accordance with the terms set out in the Main Agreement.

7. RETURN OF PERSONAL DATA

7.1. Upon termination of this DPA and/or the contractual relationship and the Main Agreement for any reason, or at any other time upon express documented instruction of the Controller, the Processor shall - at the request of the Controller - delete or return to the Controller all the Personal Data and delete existing copies unless applicable law requires Processor to continue storing such Personal Data, or the deletion is practically not possible due to technical limitations, in which case the Personal Data will be blocked from further use.

7.2. Where applicable, the Processor shall contractually ensure that any Sub-Processors engaged by it comply with the obligation set out in Section 7.1 hereof accordingly.

8. GENERAL PROVISIONS

8.1. The following annex shall form an integral part of this DPA:

- Annex 1 (Details of Personal Data Processing)

8.2. Should any provision of this DPA be deemed to be invalid, illegal or incapable of being enforced, the validity of the other provisions shall not be affected and remain in full force and effect. The Parties shall undertake to immediately replace the ineffective provision by a provision that most closely reflects the commercial purpose of the ineffective provision and the intention of the Parties.

8.3. This DPA shall be governed by the law applicable to the Main Agreement. Any dispute arising from this DPA shall be resolved according to the dispute resolution clause provided for in the Main Agreement.

ANNEX (1) ONE
DETAILS OF PERSONAL DATA PROCESSING

1. Purpose of Processing

The Processor Processes the Personal Data made available to it by the Controller for the sole purpose of the implementation of the contractual relationship for the provision of the Service, in particular:

1.1. Storage of contact lists uploaded by Users

1.2. Sending messages by email or SMS or other means of electronic communications, whether automated or not

1.3. Retention and analysis of email deliverability data

1.4. Collection of unsubscriptions

1.5. Collection of consents (in the event that the User uses the Blue form to retrieve contact data from their own site)

2. Data Subject and Personal Data Categories

Categories of Data Subjects: Users, and any individual: (i) whose email address and/or telephone number is included in the Customer distribution list; (ii) whose information is stored or collected via the Services, or (iii) to whom Users send emails or otherwise engage or communicate with via the Services.

Subject matter: The subject matter of data Processed under this DPA is Customer Data as described in the Terms and this DPA.

2.1. Customer and Users: identification and contact details (name, address, title, contact details, username, company/organization details, phone number); organization details (geographic location, website), sending information (email address, IP address, date and time).

2.2. Contact/recipient: identification and contact details as uploaded by the User (name, email address, telephone number, notes, imported file); IT information (IP addresses, open/click rate and events related), sending information (date and time).

3. Duration of the Processing and Data Retention

The Processor shall retain such Personal Data provided to it by the Controller only for as long as the relevant data set is required for the fulfillment of the contractual relationship for the provision of the Service, or to comply with legal/regulatory (in particular commercial and fiscal) or contractual (e.g., with Operators) obligations applicable to the Processor and its business, whichever is the longer.

THIS DATA PROCESSING AGREEMENT (hereinafter the “DPA”) constitutes a part of Terms and Conditions between Blue and its Customers (the “Main Agreement” or “Terms”) which come into effect on the effective date of the Main Agreement or as soon as the Processing of the Personal Data starts (hereinafter the “Effective Date”) by and between:

Blue. Ai Holding Limited

Address: registered office at Grigori Afxentiou, 81 Palaiometocho, 2682, Nicosia, Cyprus (Hereinafter referred to as “Blue”)

and

Customer (Hereinafter the “Customer”)

each referred to as a “Party” and collectively referred to as the “Parties”.

BACKGROUND

A. WHEREAS, this DPA sets forth the terms and conditions relating to Processing of Personal Data by Blue. The Parties agree to comply with the terms and conditions in this DPA in connection with such Processing of Personal Data contained in Customer Data.

B. WHEREAS, the Parties agree that Blue acts as Processor and Customer acts as Controller as those terms are defined under Data Protection Laws. In some cases where Customer acts as Processor for an end-user, Blue shall act as a sub-processor.

C. WHEREAS, the Parties have agreed to enter into this DPA in order to address the compliance with the obligations imposed by the GDPR and other applicable Data Protection Laws.

NOW, THEREFORE, the Parties agree as follows:

1. DEFINITIONS

Words and phrases used in this Agreement have the following meanings:

“Agreement” shall mean the present Data Processing Agreement (DPA) and all Annexes hereto.

“Data Protection Laws” means all laws and regulations applicable to the Processing of Personal Data under the Terms, including without limitation the GDPR and other EU Data Protection Laws and Regulations, each as amended from time to time, such as Directive 2009/136/EC amending Directive 2002/22/EC on universal service and users’ rights relating to electronic communications networks and services, and data protection laws and regulations in force in any country and under any jurisdiction relevant for the provision of the Service under the Main Agreement.

“DPA” shall mean this Data Processing Agreement including all its annexes as may be amended, supplemented or novated from time to time, in particular, but not limited to, Annex 1 hereto.

“EU Data Protection Law” means (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (“GDPR”); and (ii) Directive 2002/58/EC concerning the processing of Personal Data and the protection of privacy in the electronic communications sector, and other applicable laws and regulations of the European Union, the European Economic Area and their member states, as well as applicable national implementations thereof (as may be amended, superseded or replaced).

“GDPR” shall mean Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC and Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector.

“Customer Data” means any Personal Data that Blue processes on behalf of Customer as a Processor in the course of providing Services, as more particularly described in this DPA.

“Data Controller” shall mean the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data. Furthermore, the Data Controller controls Personal Data, collecting consent, managing the revocation of consent and enabling Data Subjects’ right of access.

“Data Subject” means the identified or identifiable person to whom Personal Data relates.

“Personal Data” means any information contained in Customer Data that is protected under applicable Data Protection Laws and Regulations, such as information describing or relating to: (i) an identified or identifiable natural person or household or (ii) an identified or identifiable legal entity (where such information is protected as personal data or personally identifiable information under applicable Data Protection Laws and Regulations).

“Services” shall mean the services provided by Blue via its online Platform/Website.

“Processing” has the meaning given to it in the GDPR and “process”, “processes” and “processed” shall be interpreted accordingly.

“Processor” means the Party which Processes Personal Data on behalf of the Controller, including as applicable any “Service Provider” as that term is defined by the CCPA and comparable U.S. privacy laws.

“Security Incident” means any unauthorized or unlawful breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Customer Data.

“Sub-Processor” shall mean a natural or legal person, public authority, agency, or other body which has been assigned by the Processor to process Personal Data according to this DPA, as far as this DPA allows to do so.

Any term written in title case that is not expressly defined in this DPA shall have the meaning ascribed to it under either:

i. the GDPR (such as, but not limited to, “Controller”, “Data Subject”, “Personal Data”, “Personal Data Breach”, “Processing”, “Processor”, “Supervisory Authority”, “Third Party”, etc.), or

ii. the Main Agreement.

2. SUBJECT

2.1 This DPA forms an integral part of the “Main Agreement” between Blue and the Customer.

2.2 The Parties shall both comply with their respective obligations, be it as a Controller or a Processor, under applicable Data Protection Laws in connection with any processing of Personal Data in connection with the Main Agreement and shall not knowingly do anything, or permit anything to be done, which might lead to a breach by itself or by the other Party of any applicable Data Protection Laws. This DPA governs the Processing of Personal Data provided to the Processor by the Controller in connection with the provision of the Service defined in the Main Agreement.

2.3 The Processing of Personal Data by the Processor (and any Sub-Processors accordingly) under this DPA shall be performed exclusively in accordance with the provisions of this DPA as well as the Controller’s instructions, having due regard to the nature, purpose and duration of the Processing, the type of Personal Data, the categories of Data Subjects and other aspects specified in this DPA and in Annex 1 hereto.

2.4 In the event and to the extent of any conflict, ambiguity, or inconsistency between the provisions of this DPA and those of the Main Agreement, then unless expressly stated otherwise, the provisions of this DPA shall prevail over the conflict, ambiguity or inconsistency.

2.5 Any claims brought under or in connection with this DPA shall be subject to the terms of the Terms, including but not limited to the exclusions and limitations set forth in the Terms.

2.6 This DPA shall be governed by and construed in accordance with governing law and jurisdiction provisions in the Terms, unless required otherwise by applicable Data Protection Laws.

2.7 This DPA applies where and only to the extent that Data Protection Laws are applicable to the processing of Customer Data.

3. OBLIGATIONS OF THE CONTROLLER / CUSTOMER

3.1 Customer shall, in Customer’s use of the Services, Process Personal Data in accordance with the requirements of all applicable Data Protection Laws and Regulations. Customer represents and warrants that Customer has established a lawful basis to Process Personal Data, Customer’s use of the Blue services will not violate the rights of any Data Subject, and Customer has the right to transfer, or provide access to, the Personal Data to Blue for Processing in accordance with the terms of the Terms (including this DPA).

3.2 The Controller shall be solely responsible for determining the permissibility and lawfulness of the Personal Data it provides to the Processor for Processing, including the preservation of the rights of the relevant Data Subjects. As such, the Controller is responsible and expressly warrants that it shall demonstrably obtain the necessary and desirable consent of the relevant Data Subject, which shall in any event include the right of the Personal Data of the relevant Data Subject to be forwarded to and Processed by the Processor.

3.3 Customer undertakes not to include in the Distribution Lists uploaded onto the Platform any Personal Data known as “sensitive” within the meaning of Article 9 of the GDPR.

3.4 The Controller shall ensure that its instructions, upon which the Processor shall process Personal Data, are lawful, such that the Processor’s Processing of Personal Data for the provision of the Service will not cause the Processor to violate any applicable law, regulation or rule, including any applicable Data Protection Laws or GDPR.

3.5 The Controller shall indemnify and hold the Processor harmless and free from any liability or damages incurred by the Processor as a result of the breach of the Controller’s obligations under this DPA or applicable Data Protection Laws, subject in all cases to the limitation of liability provisions set forth in the Main Agreement.

3.6 Customer shall inform Blue without undue delay if Customer is not able to comply with Customer’s obligations under this DPA or any applicable Data Protection Laws. For the avoidance of doubt, Blue is not responsible for compliance with any Data Protection Laws applicable to Customer or Customer’s industry that are not generally applicable to Blue.

4. OBLIGATIONS OF THE PROCESSOR

The parties acknowledge and agree that (i) with regard to the Processing of Customer Data, Customer is the Controller and Blue is the Processor and (ii) Blue will engage Sub-Processors pursuant to the requirements set forth in Section 5 “SUB-CONTRACTING AND SUB-PROCESSING” below. Blue may process Customer Data as a Controller in accordance with Blue’s Privacy Policy that Customer hereby acknowledges [TO ADD pp LINK] in order to manage the Customer’s account, provide billing, produce statistics, or defend its rights in court or in settlement.

Purpose of Processing: The purpose of Blue’s Processing of Customer Data as Customer’s Processor is the provision of Blue’s standard Services to the Customer and the performance of Blue’s obligations to Customer and under applicable laws.

Controller’s Instructions: Blue shall Process, retain, use, store, or disclose Customer Data only according to written, documented instructions issued by Customer to Blue to perform a specific or general action with regard to Customer Data for the purpose of providing the services to Customer pursuant to the Terms (Customer’s “Instructions”). The parties agree that the Terms (including this DPA), together with Customer’s use of Blue’s services in accordance with the Terms, constitute Customer’s complete and final Instructions to Blue in relation to the Processing of Customer Data. Blue shall inform Customer if, in Blue’s opinion, an Instruction violates applicable Data Protection Laws or Blue is unable to follow an Instruction and, where necessary, cease all Processing until Customer issues new Instructions with which Blue is able to comply.

4.1 Notifications:

a. Should an applicable provision of law prevent or hinder the Processor from acting in accordance with Section 4.2 hereof, or a change in the Processing processes of the Processor be required or mandated, then prior to the conduct of any further Processing, the Processor shall notify the Controller of such legal impediment and/or process change in writing (e-mail shall suffice), unless such notification would be contrary to objective security considerations, or would violate applicable law or an order issued by a court or a competent authority.

b. Further, the Processor shall notify the Controller also if - in the Processor’s opinion - an instruction of the Controller violates applicable law(s), unless prohibited from so doing by applicable law.

c. For the avoidance of doubt, it is expressly held for the record that the Processor has the right to suspend the provision of its services towards the Controller until a consensus with the Controller is reached on how to proceed further.

4.2 Confidentiality: Without prejudice to any existing arrangements between the Parties and the provisions of the Main Agreement, the Processor shall treat Personal Data provided to it as strictly confidential. This obligation shall remain valid for the term of this DPA or for as long as the Processor is in possession of the Personal Data provided by the Customer, whichever is the later.

4.3 Data Access: The Processor shall ensure that the access to Personal Data is limited exclusively to those employees and contractors, whose access is necessary for the provision of the Service. The Processor shall furthermore ensure that any such employees and contractors having access to Personal Data are under appropriate confidentiality and data secrecy obligations, or are otherwise bound by the requirement of confidentiality by the provisions of applicable law prior to the Processing of Personal Data.

4.4 Data Security: For the term of this DPA, the Processor shall ensure that it maintains appropriate and sufficient technical and organizational measures to protect Personal Data from accidental loss, destruction, damage, alteration, unauthorized disclosure or access, in particular where the Processing involves the transmission of data over a network, as well as against all other unlawful forms of Processing.

4.5 Without prejudice to any other security standards agreed upon by the Parties, the Processor shall take appropriate technical and organizational measures to ensure security of the Processing of Personal Data in compliance with the standards stipulated in Article 32 of Regulation 2016/679. These measures shall include in particular and as appropriate:

- pseudonymization and encryption.

- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and the Service.

- the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident.

- a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the Processing.

4.6 The Processor is committed to continuously implement and enhance technical and organizational measures adopted by it in order to safeguard the security of Personal Data as well as preserve, identify and control any unauthorized or illegal access or use of Personal Data.

4.7 Requests of Data Subjects:

a. The Processor shall provide assistance to the Controller in order to allow the Controller to comply with its duties in relation to the rights of Data Subjects, such as the right to information, rectification, erasure, data portability or objection within the time limits prescribed by applicable Data Protection Law. As such, at the Controller’s request, the Processor shall provide the Controller with all data reasonably necessary for such purpose.

b. In case a request exercising the right of a Data Subject is addressed to the Processor, then the Processor shall promptly forward (e-mail shall suffice) such request to the Controller for further action.

c. In the event that in a request addressed to the Processor, a Data Subject mistakenly considers the Processor to be the Controller, then the Processor shall promptly forward (e-mail shall suffice) such request to the Controller for further action, and the Controller shall have the obligation to correct the misconception of the Data Subject and inform them accordingly.

4.8 Requests of Governmental Bodies and Supervisory Authorities: Unless prohibited by applicable law, the Processor shall without any undue delay notify the Controller of any request made by a governmental body or a Supervisory Authority concerning Personal Data made available by the Controller. The Processor shall support and assist the Controller in its compliance in relation to the requirements imposed by the Data Protection Laws, and shall support the Controller in data protection audits conducted by the governmental bodies or Supervisory Authorities concerning Personal Data processed under this DPA.

4.9 Inspections and Control:

a. The Processor agrees to provide the Controller with all the information reasonably necessary to demonstrate compliance with the obligations set out in this DPA and to allow for and contribute to inspections conducted by the Controller – or a Third Party designated by the Controller – at the Controller’s own expense. The Third Party entrusted by the Controller shall be under documented obligation to maintain confidentiality.

b. The intent to conduct an audit shall be communicated to the Processor with at least 14 (fourteen) days’ prior written notice. The right to audit may generally be exercised only once per calendar year, during normal business hours, under the least disruption of the Processor’s business operations and subject to any reasonable requirements of the Processor as to confidentiality and/or security. The audit shall, furthermore, be performed on the basis of a mutually agreed audit plan.

4.12 Personal Data Breach: The Processor shall notify the Controller in writing without any undue delay, but in any event no later than 72 (seventy-two) hours after the Processor has become aware of a Personal Data Breach. Such notification shall be sent to the e-mail address of the Controller indicated in Annex 1 hereto and shall as a minimum contain the following information:

- Description of the nature of the Personal Data Breach, including (where possible) the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned.

- Communicate the name and contact details of the Processor’s data protection officer or other point of contact from where more information can be obtained.

- Description of the likely consequences of the Personal Data Breach.

- Description of the measures taken (or proposed to be taken) by the Processor to address the Personal Data Breach, including (where appropriate) measures to mitigate its possible adverse effects.

4.13 Unless required by applicable law, the Processor shall not disclose or publish any statement, communication, notice, press release or report regarding the Personal Data Breach, or notify any Data Subjects or Supervisory Authorities without the prior written consent (e-mail shall suffice) of the Controller.

5. SUB-CONTRACTING AND SUB-PROCESSING

5.1 The Processor shall have the right to engage Sub-Processors for carrying out obligations regarding the Processing of Personal Data arising from this DPA. The sub-contracting of any Sub-Processor shall be subject to a written contract or other legal act according to applicable Data Protection Laws and imposing on a Sub-Processor substantially the same obligations as those set out in this DPA.

5.2 The Processor shall be liable to the Controller for any failure of a Sub-Processor to fulfil such obligations and requirements.

5.3 Prior to the commencement of any data Processing, the Processor shall ensure compliance with the obligations set out in this DPA on the part of the Sub-Processor, in particular the latter’s compliance with any agreed technical and organizational security measures.

5.4 The Processor is expressly entitled to provide and/or forward Personal Data where such provision and/or forwarding of such Personal Data is directly related to and necessary in connection with the Service.

5.5 In case the Processing of Personal Data by a Sub-Processor takes place outside of the European Economic Area, the Processor shall undertake all reasonably required steps in order to ensure an adequate level of protection for such Personal Data in accordance with applicable Data Protection Laws, in particular the standards set out in Articles 44 to 49 GDPR, which may include entering into the Standard Contractual Clauses set out in the European Commission’s Decision 2010/87/EU.

6. TERMS AND TERMINATION

6.1 Blue shall Process Customer Data throughout the duration of the term of the Terms or any renewal thereof.

6.2 Upon termination of the Services by either party, Blue shall cease processing Customer Data.

6.3 Blue may use Customer Data for the purpose of creating statistics and improving its products and services in an anonymized or aggregated manner or to comply with legal obligations applicable to Blue in its role as a hosting provider.

6.4 In case the Processor is in material breach of a material provision of this DPA, the Controller has the right to immediately terminate both this DPA as well as the Main Agreement on the responsibility of the breaching party, for just cause in accordance with the terms set out in the Main Agreement.

7. RETURN OF PERSONAL DATA

7.1 Upon termination of this DPA and/or the contractual relationship and the Main Agreement for any reason, or at any other time upon express documented instruction of the Controller, the Processor shall - at the request of the Controller - delete or return to the Controller all the Personal Data and delete existing copies unless applicable law requires Processor to continue storing such Personal Data, or the deletion is practically not possible due to technical limitations, in which case the Personal Data will be blocked from further use.

7.2 Where applicable, the Processor shall contractually ensure that any Sub-Processors engaged by it comply with the obligation set out in Section 7.1 hereof accordingly.

8. GENERAL PROVISIONS

8.1 The following annex shall form an integral part of this DPA:

- Annex 1 (Details of Personal Data Processing)

8.2 Should any provision of this DPA be deemed to be invalid, illegal or incapable of being enforced, the validity of the other provisions shall not be affected and remain in full force and effect. The Parties shall undertake to immediately replace the ineffective provision by a provision that most closely reflects the commercial purpose of the ineffective provision and the intention of the Parties.

8.3 This DPA shall be governed by the law applicable to the Main Agreement. Any dispute arising from this DPA shall be resolved according to the dispute resolution clause provided for in the Main Agreement.

ANNEX (1) ONE

DETAILS OF PERSONAL DATA PROCESSING

1 Purpose of Processing

The Processor Processes the Personal Data made available to it by the Controller for the sole purpose of the implementation of the contractual relationship for the provision of the Service, in particular

  • Storage of contact lists uploaded by Users
  • Sending messages by email or SMS or other means of electronic communications, whether automated or not
  • Retention and analysis of email deliverability data
  • Collection of unsubscriptions
  • Collection of consents (in the event that the User uses the Blue form to retrieve contact data from their own site)

2 Data Subject and Personal Data Categories

Categories of Data Subjects: Users, and any individual: (i) whose email address and/or telephone number is included in the Customer distribution list; (ii) whose information is stored or collected via the Services, or (iii) to whom Users send emails or otherwise engage or communicate with via the Services.

Subject matter: The subject-matter of data Processed under this DPA is Customer Data as described in the Terms and this DPA.

(a) Customer and Users: identification and contact details (name, address, title, contact details, username, company/organization details, phone number); organization details (geographic location, website), sending information (email address, IP address, date and time).

(b) Contact/recipient: identification and contact details as uploaded by the User (name, email address, telephone number, notes, imported file); IT information (IP addresses, open/click rate and events related), sending information (date and time).

3 Duration of the Processing and Data Retention

The Processor shall retain such Personal Data provided to it by the Controller only for as long as the relevant data set is required for the fulfillment of the contractual relationship for the provision of the Service, or to comply with legal/regulatory (in particular commercial and fiscal) or contractual (e.g., with Operators) obligations applicable to the Processor and its business, whichever is the longer.