Data Processing Addendum (DPA)
This Data Processing Addendum ("DPA") supplements and forms part of the Terms of Service or other agreement ("Agreement") between you (the "Customer," "Data Controller") and Blocko ("Blocko," "Data Processor," "we," "us") regarding the processing of personal data under applicable data protection laws.
By using Blocko's services, you agree to the terms of this DPA.
1. DEFINITIONS
The following terms have the meanings set forth below. Terms not defined here have the meanings given in applicable data protection laws or our Agreement:
"Data Protection Laws" means all applicable privacy and data protection laws, including the GDPR, UK GDPR, CCPA/CPRA, Singapore PDPA, and similar regulations worldwide.
"Personal Data" means any information relating to an identified or identifiable individual, as defined under applicable Data Protection Laws.
"Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, and deletion.
"Sub-processor" means any third party engaged by Blocko to process Personal Data on your behalf.
"Data Subject" means the individual to whom Personal Data relates.
"Personal Data Breach" means unauthorized access, disclosure, alteration, or destruction of Personal Data.
2. ROLES AND SCOPE OF PROCESSING
2.1 Data Controller and Processor Relationship
You act as the Data Controller, determining the purposes and means of processing Personal Data. Blocko acts as your Data Processor, processing Personal Data solely according to your documented instructions.
2.2 Purpose of Processing
Blocko processes Personal Data only to provide our loyalty program services, including:
Managing customer loyalty accounts, points, and rewards
Processing transactions and redemptions
Facilitating referral campaigns and marketing
Providing customer support and analytics
Operating loyalty widgets and customer portals
2.3 Categories of Data
We may process the following categories of Personal Data:
Contact information (name, email, phone)
Account and transaction history
Loyalty program activity and preferences
Device and usage information
Communication records
3. YOUR OBLIGATIONS
As the Data Controller, you must:
Maintain a lawful basis for sharing Personal Data with Blocko
Provide adequate privacy notices to your customers
Obtain necessary consents where required by law
Not provide sensitive personal data without prior written agreement
Ensure your instructions comply with applicable Data Protection Laws
4. OUR COMMITMENTS
4.1 Processing Instructions
We will process Personal Data only:
According to your documented instructions
As necessary to provide our services
To comply with applicable legal requirements
With your prior written consent for any other purpose
4.2 Security Measures
We implement appropriate technical and organizational security measures, including:
Encryption in transit and at rest
Access controls and authentication
Regular security audits and updates
Employee training and confidentiality obligations
Incident response procedures
4.3 Data Protection Principles
We adhere to core data protection principles:
Purpose limitation and data minimization
Accuracy and timely updates
Storage limitation
Confidentiality and integrity
5. SUB-PROCESSORS
5.1 Authorized Sub-processors
We use the following third-party Sub-processors to deliver our services:
Sub-processor | Purpose | Location
Google Cloud Platform | Infrastructure and data storage | United States
Firebase | Real-time backend services | United States
Mailgun | Email delivery | United States
Customer.io | Email automation | United States
Crisp | Customer support chat | European Union
PostHog | Analytics and performance | United States
5.2 Sub-processor Changes
We will notify you at least 30 days before adding new Sub-processors. You may object on reasonable data protection grounds within 14 days of notice.
5.3 Sub-processor Obligations
All Sub-processors are contractually required to provide data protection equivalent to that outlined in this DPA.
6. DATA SUBJECT RIGHTS
6.1 Assistance with Rights Requests
We will assist you in responding to Data Subject requests, including:
Access to Personal Data
Correction of inaccurate data
Deletion of Personal Data
Data portability
Restriction of processing
6.2 Request Handling
If we receive direct requests from Data Subjects, we will promptly redirect them to you unless legally required to respond directly.
7. DATA BREACH NOTIFICATION
7.1 Notification Timeline
We will notify you within 24 hours of becoming aware of any Personal Data Breach affecting your data.
7.2 Breach Information
Our notification will include:
Nature and scope of the breach
Categories and number of affected individuals
Likely consequences and impact
Measures taken to address and mitigate the breach
7.3 Cooperation
We will provide reasonable assistance with breach assessment, regulatory notifications, and communication to affected individuals as required by law.
8. INTERNATIONAL DATA TRANSFERS
8.1 Transfer Safeguards
When Personal Data is transferred outside your jurisdiction, we ensure appropriate safeguards through:
Standard Contractual Clauses (SCCs) where required
Adequacy decisions by relevant authorities
Additional security measures as necessary
8.2 Current Transfers
Personal Data may be transferred to and processed in countries where our Sub-processors operate, primarily the United States and European Union.
9. DATA RETENTION AND DELETION
9.1 Data Retention
We retain Personal Data only as long as necessary to provide our services or as required by applicable law.
9.2 Data Return or Deletion
Upon termination of our Agreement or your written request, we will:
Delete or return all Personal Data within 30 days
Provide written confirmation of deletion upon request
Retain data longer only if required by applicable law
10. COMPLIANCE AND AUDITS
10.1 Documentation
We maintain records demonstrating compliance with this DPA and applicable Data Protection Laws.
10.2 Audit Rights
You may audit our compliance with this DPA upon reasonable notice, subject to confidentiality obligations and operational limitations.
10.3 Certifications
We may satisfy audit requirements through relevant third-party certifications and compliance reports.
11. CALIFORNIA PRIVACY RIGHTS (CCPA/CPRA)
When applicable, Blocko acts as a Service Provider under California privacy laws and commits to:
Not selling or sharing Personal Information
Processing data only for agreed-upon business purposes
Not retaining or using Personal Information outside our service relationship
Providing the same level of privacy protection as required under California law
12. LIABILITY
Our liability under this DPA is subject to the limitation of liability provisions in our main Agreement. We will indemnify you against claims arising from our material breach of this DPA, subject to prompt notification and reasonable cooperation.
13. UPDATES TO THIS DPA
We may update this DPA from time to time to reflect changes in our practices or applicable laws. We will notify you of material changes and post the updated version on our website. Continued use of our services constitutes acceptance of the revised DPA.
14. GOVERNING LAW
This DPA is governed by the laws of Singapore. However, where Data Protection Laws require specific governing law or jurisdiction, those requirements will take precedence.
15. CONTACT INFORMATION
For questions about this DPA or our data processing practices, contact us at:
Blocko Privacy Team
Email: [email protected]
Website: http://www.blocko.ai/
Last updated
