This Bluesky Data Processing Addendum and its Annexes (“DPA”) reflects the parties’ agreement with respect to the Processing of Personal Data by Bluesky Solutions (“Bluesky”) on behalf of the customer as identified in the applicable Order Form for the Bluesky Solutions (“Customer”). The applicable Order Form(s) is made pursuant to the Bluesky General Terms and Conditions for Bluesky Solutions available at https://www.getbluesky.io/legal/general-terms-and-conditions-for-bluesky-solutions and hereby forms the Agreement between the parties (referred to in this DPA as the “Agreement”).
This DPA is supplemental to, and forms an integral part of, the Agreement and is effective upon its incorporation into the Agreement. In case of any conflict or inconsistency with the terms of the Agreement, this DPA will take precedence over the terms of the Agreement to the extent of such conflict or inconsistency. The term of this DPA will follow the term of the Agreement. Terms not otherwise defined in this DPA will have the meaning as set forth in the Agreement.
“Account” means Customer’s account in the Bluesky Solutions in which Customer stores and processes Customer Data.
“Affiliate” means an entity that, directly or indirectly, owns or controls, is owned or is controlled by, or is under common ownership or control with a party. As used in this definition, “control” means the power to direct the management or affairs of an entity and “ownership” means the beneficial ownership of more than fifty percent (50%) of the voting equity securities or other equivalent voting interests of an entity.
“Bluesky Solutions” has the meaning set forth in the Agreement.
“California Consumer Privacy Act” or “CCPA” means the California Consumer Privacy Act of 2018, as may be amended from time to time.
“Customer Data” has the meaning set forth in the Agreement.
“Customer Personal Data” means any Customer Data that is Personal Data.
“Data Controller” means an entity that determines the purposes and means of the Processing of Personal Data.
“Data Processor” means an entity that Processes Personal Data on behalf of a Data Controller.
“Data Protection Laws” means all data protection and privacy laws applicable to the respective party in its role in the Processing of Personal Data under the Agreement, including, where applicable, EU & UK Data Protection Law and the CCPA.
“Data Subject” means the identified or identifiable natural person to whom Customer Personal Data relates.
“EU & UK Data Protection Law” means (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (“GDPR”); and (ii) the GDPR as it forms part of United Kingdom law pursuant to Section 3 of the European Union (Withdrawal) Act 2018 (“UK GDPR”) and the Data Protection Act 2018.
“Personal Data” means any information, including opinions, relating to an identified or identifiable natural person and includes similarly defined terms in Data Protection Laws, including, but not limited to, the definition of “personal information” in the CCPA.
“Processing” shall mean any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, and “Process”, “Processes” and “Processed” will be interpreted accordingly.
“Purposes” shall mean (i) Bluesky’s provision of the Bluesky Solutions as described in the Agreement, including Processing initiated by Users in their use of the Bluesky Solutions; and (ii) further documented, reasonable instructions from Customer agreed upon by the Parties.
“Security Incident” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Customer Personal Data.
“Sub-processor” means any other Data Processors engaged by Bluesky to Process Customer Personal Data.
This DPA applies where and only to the extent that Bluesky Processes Customer Personal Data on behalf of Customer as Data Processor in the course of providing the Bluesky Solutions.
3.1. Role of the Parties. As between Bluesky and Customer, Bluesky shall Process Customer Personal Data only as a Data Processor (or sub-processor) acting on behalf of Customer and, with respect to CCPA, as a “service provider” as defined therein, in each case regardless of whether Customer acts as a Data Controller or as a Data Processor on behalf of a third-party Data Controller (such third-party, the “Third-Party Controller”) with respect to Customer Personal Data. To the extent any Usage Data (as defined in the Agreement) is considered Personal Data under applicable Data Protection Laws, Bluesky is the Data Controller of such data and shall Process such data in accordance with the Agreement and applicable Data Protection Laws.
3.2. Customer Instructions. Bluesky will Process Customer Personal Data only for the Purposes. Customer shall ensure its Processing instructions are lawful and that the Processing of Customer Personal Data in accordance with such instructions will not violate applicable Data Protection Laws. The Parties agree that the Agreement (including this DPA) sets out the exclusive and final instructions to Bluesky for all Processing of Customer Personal Data, and (if applicable) include and are consistent with all instructions from Third-Party Controllers. Any additional requested instructions require the prior written agreement of Bluesky. Bluesky shall promptly notify Customer if, in Bluesky’s opinion, such instruction violates EU & UK Data Protection Law. Where applicable, Customer shall be responsible for any communications, notifications, assistance and/or authorizations that may be required in connection with a Third-Party Controller.
3.4. Processing of Personal Data. Each Party will comply with its respective obligations under Data Protection Laws. Customer agrees (i) it will use the Bluesky Solutions in a manner designed to ensure a level of security appropriate to the particular content of the Customer Personal Data, such as pseudonymizing and backing-up Customer Personal Data; and (ii) it has obtained all consents, permissions and/or rights necessary under Data Protection Laws for Bluesky to lawfully Process Customer Personal Data for the Purposes, including, without limitation, Customer’s sharing and/or receiving of Customer Personal Data with third-parties via the Bluesky Solutions.
3.5. Details of Data Processing.
(a) Subject Matter: The subject matter of the Processing under this DPA is the Customer Personal Data.
(b) Frequency and duration: Notwithstanding expiration or termination of the Agreement, Bluesky will Process the Customer Personal Data continuously and until deletion of all Customer Personal Data as described in this DPA.
(c) Purpose: Bluesky will Process the Customer Personal Data only for the Purposes, as described in this DPA.
(d) Nature of the Processing: Bluesky will perform Processing as needed for the Purposes, and to comply with Customer’s Processing instructions as provided in accordance with the Agreement and this DPA.
(e) Retention Period. The period for which Customer Personal Data will be retained and the criteria used to determine that period is determined by Customer during the term of the Agreement via Customer’s use and configuration of the Bluesky Solutions. Upon termination or expiration of the Agreement, Customer may retrieve or delete Customer Personal Data as described in the Agreement. Any Customer Personal Data not deleted by Customer shall be deleted by Bluesky in accordance with Bluesky’s data retention policies.
(f) Categories of Data Subjects: The Bluesky Solutions are not intended to Process Customer Personal Data, as the meta data ingested by the Bluesky Solutions is primarily focused on Cloud Platform usage and query logic. To the extent that there are Data Subjects to which Customer Personal Data relate, these are determined and controlled by Customer in its sole discretion, and may include, but are not limited to: (i) Prospects, customers, business partners and vendors of Customer (who are natural persons); (ii) Employees or contact persons of Customer’s prospects, customers, business partners and vendors; and/or (iii) Employees, agents, advisors, and freelancers of Customer (who are natural persons).
(g) Categories of Personal Data: The Bluesky Solutions are not intended to Process Customer Personal Data, as the meta data ingested by the Bluesky Solutions is primarily focused on Cloud Platform usage and query logic. To the extent that there are types of Customer Personal Data, these are determined and controlled by Customer in its sole discretion, and may include, but are not limited to: (i) Identification and contact data (name, address, title, contact details); (ii) IT information (IP addresses, cookies data, location data).
4.1. Authorized Sub-Processors. Customer provides Bluesky with a general authorization to engage Sub-processors, subject to Section 4.3 (Changes to Sub-processors), as of the effective date of this DPA and members of Bluesky. Bluesky’s current Sub-Processors are Snowflake, Inc. (Infrastructure) and Amazon Web Services, Inc. (Hosting and Infrastructure).
4.2. Sub-processor Obligations. Bluesky shall ensure each Sub-processor imposes data protection obligations no less protective of Customer Personal Data as Bluesky’s obligations under this DPA to the extent applicable to the services provided by the Sub-processor; and remains liable for each Sub-processor’s compliance with the obligations under this DPA.
4.3. Changes to Sub-processors. Bluesky shall update or change Sub-Processors from time to time, and will provide reasonable notice to Customer in such event. If it can be reasonably demonstrated to Bluesky that the new Sub-processor is unable to Process Customer Personal Data in compliance with the terms of this DPA and Bluesky cannot provide an alternative Sub-processor, or the Parties are not otherwise able to achieve resolution as provided in the preceding sentence, Customer, as its sole and exclusive remedy, may terminate the Order Form(s) with respect to only those aspects which cannot be provided by Bluesky without the use of the new Sub-processor by providing advance written notice to Bluesky of such termination. Bluesky will refund Customer any prepaid unused fees of such Order Form(s) following the effective date of such termination.
5.1. Security Measures. Bluesky shall implement and maintain appropriate technical and organizational security measures designed to protect Customer Personal Data from Security Incidents and to preserve the security and confidentiality of the Customer Personal Data (“Bluesky Security Policies”). Bluesky may review and update its Bluesky Security Policies from time to time, provided that any such updates shall not materially diminish the overall security of the Bluesky Solutions or Customer Personal Data.
5.2. Confidentiality of Processing. Bluesky shall ensure that any person who is authorized by Bluesky to Process Customer Personal Data (including its staff, agents and subcontractors) shall be under an appropriate obligation of confidentiality (whether a contractual or statutory duty).
5.3. No Assessment of Customer Personal Data by Bluesky. Bluesky shall have no obligation to assess the contents or accuracy of Customer Personal Data, including to identify information subject to any specific legal, regulatory, or other requirement. Customer is responsible for making an independent determination as to whether its use of the Bluesky Solutions will meet Customer’s requirements and legal obligations under Data Protection Laws.
6.1. Upon written request and at no additional cost to Customer, Bluesky shall provide Customer, and/or its appropriately qualified third-party representative (collectively, the “Auditor”), access to reasonably requested documentation evidencing Bluesky’s compliance with its obligations under this DPA in the form of the relevant audits or certifications listed in the Bluesky Security Policies (“Reports”).
6.2. Where the Auditor is a third-party, the Auditor may be required to execute a separate confidentiality agreement with Bluesky prior to any review of Reports or an audit of Bluesky, and Bluesky may object in writing to such Auditor, if in Bluesky’s reasonable opinion, the Auditor is not suitably qualified or is a direct competitor of Bluesky. Any such objection by Bluesky will require Customer to either appoint another Auditor or conduct the audit itself. Any expenses incurred by an Auditor in connection with any review of Reports or an audit shall be borne exclusively by the Auditor. For clarity, the exercise of audit rights under a Transfer Mechanism shall be as described in this Section 6 (Customer Audit Rights) and Customer agrees those rights are carried out on behalf of Customer and all relevant Third-Party Controllers, subject to the confidentiality and non-use restrictions of the Agreement.
Customer acknowledges and agrees that Bluesky may access and Process Customer Personal Data on a global basis as necessary to provide the Bluesky Solutions in accordance with the Agreement, and in particular that Customer Personal Data may be transferred to and Processed by Bluesky in the United States and to other jurisdictions where Bluesky and Sub-Processors have operations. Wherever Customer Personal Data is transferred outside its country of origin, each party will ensure such transfers are made in compliance with the requirements of Data Protection Laws.
7.1 Additional Provisions for European Data
a. Scope. This 'Additional Provisions for European Data' section will apply only with respect to European Data.
b. Roles of the Parties. When Processing European Data in accordance with Customer instructions, the parties acknowledge and agree that Customer is the Controller of European Data and Bluesky is the Processor.
c. Instructions. If Bluesky believes that Customer’s instructions infringe European Data Protection Laws (where applicable), Bluesky will inform Customer without delay.
d. Objection to New Sub-Processors. Bluesky will give Customer the opportunity to object to the engagement of new Sub-Processors on reasonable grounds relating to the protection of Customer Personal Data within 30 days of notifying Customer in accordance with this DPA.
e. Sub-Processor Agreements. For the purposes of Clause 9(c) of the Standard Contractual Clauses, Customer acknowledges that Bluesky may be restricted from disclosing Sub-Processor agreements but Bluesky will use reasonable efforts to require any Sub-Processor Bluesky appoints to permit it to disclose the Sub-Processor agreement to Customer and will provide (on a confidential basis) all information Bluesky reasonably can.
f. Data Protection Impact Assessments and Consultation with Supervisory Authorities. To the extent that the required information is reasonably available to us, and Customer does not otherwise have access to the required information, Bluesky will provide reasonable assistance to Customer with any data protection impact assessments, and prior consultations with supervisory authorities (for example, the French Data Protection Agency (CNIL), the Berlin Data Protection Authority (BlnBDI) and the UK Information Commissioner's Office (ICO)) or other competent data privacy authorities to the extent required by European Data Protection Laws.
g. Transfer Mechanisms for Data Transfers.
(A) Bluesky will not transfer European Data to any country or recipient not recognized as providing an adequate level of protection for Customer Personal Data (within the meaning of applicable European Data Protection Laws), unless it first takes all such measures as are necessary to ensure the transfer is in compliance with applicable European Data Protection Laws. Such measures may include (without limitation) transferring such data to a recipient that is covered by a suitable framework or other legally adequate transfer mechanism recognized by the relevant authorities or courts as providing an adequate level of protection for Customer Personal Data, to a recipient that has achieved binding corporate rules authorization in accordance with European Data Protection Laws, or to a recipient that has executed appropriate standard contractual clauses in each case as adopted or approved in accordance with applicable European Data Protection Laws.
(B) Customer acknowledges that in connection with the performance of the Bluesky Solutions, Bluesky is a recipient of European Data in the United States. Subject to sub-sections (C) and (D), the parties agree that the Standard Contractual Clauses will be incorporated by reference and form part of the Agreement as follows:
(C) Where the Bluesky contracting entity under the Agreement is not Bluesky, such contracting entity (not Bluesky) will remain fully and solely responsible and liable to Customer for the performance of the Standard Contractual Clauses by Bluesky, and Customer will direct any instructions, claims or enquiries in relation to the Standard Contractual Clauses to such contracting entity. If Bluesky cannot comply with its obligations under the Standard Contractual Clauses or is in breach of any warranties under the Standard Contractual Clauses or UK Addendum (as applicable) for any reason, and Customer intends to suspend the transfer of European Data to Bluesky or terminate the Standard Contractual Clauses or UK Addendum, Customer agrees to provide us with reasonable notice to enable us to cure such non-compliance and reasonably cooperate with us to identify what additional safeguards, if any, may be implemented to remedy such non-compliance. If Bluesky has not or cannot cure the non-compliance, Customer may suspend or terminate the affected part of the Bluesky Solutions in accordance with the Agreement without liability to either party (but without prejudice to any fees Customer has incurred prior to such suspension or termination).
(D) Although Bluesky does not currently rely on the EU-US Privacy Shield as a legal basis for transfers of European Data in light of the judgment of the Court of Justice of the EU in Case C-311/18, for as long as Bluesky is self-certified to the Privacy Shield, Bluesky Inc will process European Data in compliance with the Privacy Shield Principles and let Customer know if it is unable to comply with this requirement. In the event that Bluesky adopts an alternative transfer mechanism (including any new or successor version of the EU-US Privacy Shield) for transfers of European Data to Bluesky, such alternative transfer mechanism will apply automatically instead of the Standard Contractual Clauses described in this DPA (but only to the extent such alternative transfer mechanism complies with European Data Protection Laws), and Customer agrees to execute such other documents or take such action as may be reasonably necessary to give legal effect to such alternative transfer mechanism.
h. Demonstration of Compliance. Bluesky will make all information reasonably necessary to demonstrate compliance with this DPA available to Customer and allow for and contribute to audits, including inspections conducted by Customer or Customer’s auditor in order to assess compliance with this DPA. Customer acknowledges and agrees that Customer will exercise Customer’s audit rights under this DPA and Clause 8.9 of the Standard Contractual Clauses by instructing us to comply with the audit measures described in this 'Demonstration of Compliance' section. At Customer’s written request, Bluesky will provide written responses (on a confidential basis) to all reasonable requests for information made by Customer necessary to confirm our compliance with this DPA, provided that Customer will not exercise this right more than once per calendar year unless Customer has reasonable grounds to suspect non-compliance with the DPA.
7.2. Additional Provisions for California Personal Information
a. Scope. The 'Additional Provisions for California Personal Information' section of the DPA will apply only with respect to California Personal Information.
b. Roles of the Parties. When processing California Personal Information in accordance with Customer Instructions, the parties acknowledge and agree that Customer is a Business and Bluesky is a Service Provider for the purposes of the CCPA.
c. Responsibilities. The parties agree that Bluesky will Process California Personal Information as a Service Provider strictly for the purpose of performing the Bluesky Solutions and Consulting Services under the Agreement (the "Business Purpose") or as otherwise permitted by the CCPA.
8.1. Security Incident Reporting. If Bluesky becomes aware of a Security Incident, Bluesky shall notify Customer without undue delay, and in any case, where feasible, notify Customer within seventy-two (72) hours after becoming aware. Bluesky’s notification shall be sent to the email registered by Customer within the Bluesky Solutions for such purposes, and where no such email is registered, Customer acknowledges that the means of notification shall be at Bluesky’s reasonable discretion and Bluesky’s ability to timely notify shall be negatively impacted. Bluesky shall promptly take reasonable steps to contain, investigate, and mitigate any Security Incident.
8.2. Security Incident Communications. Bluesky shall provide Customer timely information about the Security Incident, including, but not limited to, the nature and consequences of the Security Incident, the measures taken and/or proposed by Bluesky to mitigate or contain the Security Incident, the status of Bluesky’s investigation, a contact point from which additional information may be obtained, and the categories and approximate number of data records concerned. Notwithstanding the foregoing, Customer acknowledges that because Bluesky personnel may not have visibility to the content of Customer Personal Data, it is unlikely Bluesky can provide information as to the particular nature of the Customer Personal Data, or where applicable, the identities, number or categories of affected Data Subjects. Communications by or on behalf of Bluesky with Customer in connection with a Security Incident shall not be construed as an acknowledgment by Bluesky of any fault or liability with respect to the Security Incident.
9.1. Data Subject Requests. Bluesky shall promptly notify Customer if Bluesky receives a request from a Data Subject that identifies Customer Personal Data or otherwise identifies Customer, including where the Data Subject seeks to exercise any of its rights under applicable Data Protection Laws (collectively, “Data Subject Request”). The Bluesky Solutions provides Customer with a number of controls that Customer may use to assist it in responding to Data Subject Requests and, subject to the next sentence, Customer will be responsible for responding to any such Data Subject Requests. To the extent Customer is unable to access the relevant Customer Personal Data within the Bluesky Solutions using such controls or otherwise, Bluesky shall (upon Customer’s written request and taking into account the nature of Bluesky’s Processing) provide commercially reasonable cooperation to assist Customer in responding to Data Subject Requests.
9.2. Data Protection Impact Assessments. Bluesky shall provide reasonably requested information regarding the Bluesky Solutions to enable Customer to carry out data protection impact assessments or prior consultations with data protection authorities as required by Data Protection Laws, so long as Customer does not otherwise have access to the relevant information.
9.3. Government & Law Enforcement Inquiries. If Bluesky receives a demand to retain, disclose, or otherwise Process Customer Personal Data from law enforcement or any other government and/or public authority (“Third-Party Demand”), then Bluesky shall attempt to redirect the Third-Party Demand to Customer. Customer agrees that Bluesky can provide information to such third-party to the extent reasonably necessary to redirect the Third-Party Demand to Customer. If Bluesky cannot redirect the Third-Party Demand to Customer, then Bluesky shall, to the extent legally permitted to do so, provide Customer reasonable notice of the Third-Party Demand as promptly as feasible under the circumstances to allow Customer to seek a protective order or other appropriate remedy. This section does not diminish Bluesky’s obligations under any applicable Transfer Mechanisms with respect to access by public authorities.
10.1. The Parties agree that this DPA shall replace and supersede any existing data processing addendum, attachment, exhibit or standard contractual clauses that Bluesky and Customer may have previously entered into in connection with the Bluesky Solutions. Bluesky may update this DPA from time to time, with such updated version posted to this webpage or a successor website designated by Bluesky; provided, however, that no such update shall materially diminish the privacy or security of Customer Personal Data.
10.2. Except as provided by this DPA, the Agreement remains unchanged and in full force and effect. If there is any conflict between this DPA and the Agreement, this DPA shall prevail to the extent of that conflict in connection with the Processing of Customer Personal Data. Notwithstanding the foregoing, and solely to the extent applicable to any Customer Personal Data comprised of patient, medical or other protected health information regulated by HIPAA, if there is any conflict between this DPA and a business associate agreement between Customer and Bluesky, then the business associate agreement shall prevail solely with respect to such Customer Personal Data.
10.3. Notwithstanding anything to the contrary in the Agreement or this DPA, each Party’s and all of its Affiliates’ liability, taken together in the aggregate, arising out of or relating to this DPA, the Transfer Mechanisms, and any other data protection agreements in connection with the Agreement (if any), shall be subject to any aggregate limitations on liability set out in the Agreement. Without limiting the Parties’ obligations under the Agreement, each Party agrees that any regulatory penalties incurred by one Party (the “Incurring Party”) in relation to the Customer Personal Data that arise as a result of, or in connection with, the other Party’s failure to comply with its obligations under this DPA or any applicable Data Protection Laws shall count toward and reduce the incurring party’s liability under the Agreement as if it were liability to the other Party under the Agreement.
10.4. In no event shall this DPA benefit or create any right or cause of action on behalf of a third party (including a Third-Party Controller), but without prejudice to the rights or remedies available to Data Subjects under Data Protection Laws or this DPA (including the Transfer Mechanisms).
10.5. This DPA will be governed by and construed in accordance with governing law and jurisdiction provisions in the Agreement.