This Data Processing Agreement (“DPA”) forms part of the Service Agreement between Customer (“Controller”) and Blutag Inc. (“Processor” or “Blutag”). This DPA governs the Processing of Personal Data by Blutag on behalf of Customer in accordance with GDPR, CCPA/CPRA, and applicable U.S. state privacy laws.
Definitions follow GDPR and U.S. privacy laws: “Controller,” “Processor,” “Personal Data,” “Processing,” “Data Subject,” “Service Provider,” “Sell,” and “Share.”
Customer is the Controller. Blutag is the Processor/Service Provider and shall process Personal Data solely on documented instructions from Customer and not for any independent purpose.
Blutag shall:
• Process Personal Data only to provide the Services.
• Not Sell, Share, or use Personal Data for advertising, analytics, profiling, or model training except to improve Customer’s instance.
• Not intercept or collect real-time keystrokes unless required for the Services.
• Maintain appropriate technical and organizational security measures.
• Ensure confidentiality among personnel with access.
Blutag shall not:
• Use Personal Data for independent analytics.
• Train generalized machine learning models using Customer data.
• Combine Customer data with other clients except as legally permitted.
Blutag may use sub-processors bound by terms no less protective than this DPA. Customer may object to new sub-processors with reasonable grounds.
Customer is responsible for obtaining consents, providing notices, fulfilling Data Subject rights requests, and determining the lawful basis for Processing.
Blutag shall assist Customer in handling rights requests under GDPR and U.S. privacy laws where commercially reasonable.
Blutag shall maintain industry-standard security controls, and make audit summaries available annually. Customer may conduct audits subject to scheduling and cost reimbursement.
Both parties shall promptly notify each other of any security incident affecting Personal Data and cooperate in investigation and response.
Upon termination, Blutag shall delete or anonymize Personal Data within 60 days unless legally required to retain it.
If applicable, transfers outside the EEA shall follow lawful mechanisms such as SCCs.
This DPA supersedes prior versions. Modifications require written agreement. Invalid provisions shall be replaced with enforceable terms approximating original intent.