Data Processing Agreement

Our commitment to lawful and secure data processing on behalf of our clients.

This Data Processing Agreement ("DPA") forms part of the contractual agreements between Blended Insights ("Processor" or "we") and our clients ("Controller" or "you") when we process personal data on your behalf in connection with our services.

This DPA is designed to help you comply with your obligations under applicable data protection laws, including the General Data Protection Regulation (GDPR), when you engage our services that involve the processing of personal data of data subjects in the European Economic Area (EEA).

1. Definitions

For the purposes of this DPA, the terms "personal data," "data subject," "processing," "controller," "processor," and "supervisory authority" shall have the meanings given to them in the GDPR.

2. Subject Matter and Duration

2.1 Subject Matter

This DPA applies to the processing of personal data by the Processor on behalf of the Controller as part of the services provided under our main agreement. The processing activities, categories of personal data, data subjects, and purposes of processing are specified in Appendix 1 to this DPA.

2.2 Duration

This DPA shall remain in effect for as long as the Processor processes personal data on behalf of the Controller under the main agreement.

3. Obligations of the Processor

The Processor agrees to:

  • Process personal data only on documented instructions from the Controller, including with regard to transfers of personal data to a third country or an international organization, unless required to do so by Union or Member State law; in such a case, the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
  • Ensure that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
  • Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as detailed in Section 4 of this DPA.
  • Respect the conditions for engaging another processor as set forth in Section 5 of this DPA.
  • Assist the Controller, taking into account the nature of the processing, by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Controller's obligation to respond to requests for exercising the data subject's rights under the GDPR.
  • Assist the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of processing and the information available to the Processor.
  • At the choice of the Controller, delete or return all the personal data to the Controller after the end of the provision of services relating to processing, and delete existing copies unless Union or Member State law requires storage of the personal data.
  • Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.

4. Security Measures

The Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including, as appropriate:

  • The pseudonymization and encryption of personal data;
  • The ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services;
  • The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
  • A process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.

5. Sub-processors

5.1 General Authorization

The Controller hereby provides general authorization for the Processor to engage sub-processors. The Processor shall inform the Controller of any intended changes concerning the addition or replacement of sub-processors, thereby giving the Controller the opportunity to object to such changes.

5.2 Sub-processor Obligations

Where the Processor engages a sub-processor for carrying out specific processing activities on behalf of the Controller, the same data protection obligations as set out in this DPA shall be imposed on that sub-processor by way of a contract, providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the GDPR.

Where the sub-processor fails to fulfill its data protection obligations, the Processor shall remain fully liable to the Controller for the performance of that sub-processor's obligations.

6. Data Subject Rights

The Processor shall promptly notify the Controller of any request received from a data subject under any data protection law in respect of personal data processed on behalf of the Controller and shall not respond to such request except on the documented instructions of the Controller or as required by applicable laws.

The Processor shall, to the extent legally permitted, promptly notify the Controller if it receives a request from a supervisory authority for information or cooperation concerning the processing of personal data under this DPA.

7. Data Breach Notification

The Processor shall notify the Controller without undue delay upon becoming aware of a personal data breach affecting the personal data processed on behalf of the Controller. Such notification shall:

  • Describe the nature of the personal data breach including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
  • Communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;
  • Describe the likely consequences of the personal data breach;
  • Describe the measures taken or proposed to be taken to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

8. International Transfers

The Processor shall not transfer personal data to a country outside the EEA without the prior written consent of the Controller, unless required to do so by Union or Member State law to which the Processor is subject; in such a case, the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.

Where the Controller authorizes a transfer of personal data outside the EEA, the Processor shall ensure that appropriate safeguards are in place in accordance with the GDPR, such as:

  • Standard Contractual Clauses approved by the European Commission;
  • Binding Corporate Rules;
  • Approved codes of conduct or certification mechanisms, together with binding and enforceable commitments of the recipient;
  • Other legal transfer mechanisms approved under the GDPR.

9. Audit Rights

The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.

The Processor shall immediately inform the Controller if, in its opinion, an instruction infringes the GDPR or other data protection provisions of the Union or Member States.

10. Return or Deletion of Data

Upon termination of the services or at the Controller's request, the Processor shall, at the choice of the Controller, delete or return all personal data to the Controller and delete existing copies unless Union or Member State law requires storage of the personal data.

11. Liability and Indemnity

The Processor shall be liable to the Controller for damages caused by processing only where it has not complied with obligations of the GDPR specifically directed to processors or where it has acted outside or contrary to lawful instructions of the Controller.

The Processor shall indemnify the Controller against all claims, liabilities, costs, expenses, damages and losses (including any direct, indirect or consequential losses, loss of profit, loss of reputation and all interest, penalties and legal costs and all other reasonable professional costs and expenses) suffered or incurred by the Controller arising out of or in connection with a breach by the Processor of its obligations under this DPA.

12. Governing Law and Jurisdiction

This DPA shall be governed by and construed in accordance with the laws of the State of California without regard to its conflict of law principles. Any disputes arising out of or in connection with this DPA shall be subject to the exclusive jurisdiction of the courts of California.

13. Modifications

This DPA may only be modified by a written amendment signed by both parties.

14. Severability

If any provision of this DPA is found by any court or administrative body of competent jurisdiction to be invalid or unenforceable, the invalidity or unenforceability of such provision shall not affect any other provision of this DPA, and all provisions not affected by such invalidity or unenforceability shall remain in full force and effect.

Appendix 1: Details of Processing

Nature and Purpose of Processing

The Processor will process personal data as necessary to provide the services outlined in the main agreement between the parties, which may include consulting, implementation, and technical support services.

Categories of Data Subjects

The personal data processed may concern the following categories of data subjects:

  • The Controller's employees, contractors, and temporary workers
  • The Controller's clients, customers, or users
  • Other individuals whose personal data is processed by the Controller and shared with the Processor as part of the services

Categories of Personal Data

The personal data processed may include the following categories:

  • Contact information (such as name, address, email address, phone number)
  • Business information (such as job title, department, company name)
  • Authentication data (such as username, password, security questions)
  • Device and usage data (such as IP address, browser type, operating system)
  • Other personal data processed by the Controller and shared with the Processor as part of the services

Duration of Processing

The personal data will be processed for the duration of the main agreement, unless otherwise agreed between the parties in writing.

Contact Us

If you have any questions about this Data Processing Agreement, please contact us at:

Last Updated: March 28, 2025
