Data Processing Agreement
Last Updated: December 12, 2025
This Data Processing Addendum (“DPA”) forms part of and is incorporated into the Agreement between Blueberry and Customer. This DPA sets forth Customer’s instructions for the processing of Personal Data in connection with the Services and the rights and obligations of both Parties.
Definitions.
For the purposes of this DPA, the following terms shall have the meanings set out below. Capitalized terms used but not defined in this DPA shall have the meanings given in the Services Agreement. All other terms in this DPA not otherwise defined in the Services Agreement shall have the corresponding meanings given to them in Privacy Laws.
“Controller to Processor Clauses” means (i) in respect of transfers of Personal Data subject to the GDPR, the standard contractual clauses for the transfer of Personal Data to third countries set out in Commission Decision 2021/914 of 4 June 2021, specifically including Module 2 (Controller to Processor) (“EU SCCs”); and (ii) in respect of transfers of Personal Data subject to the UK GDPR, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (version B.1.0) issued by the UK Information Commissioner (“UK Addendum”), in each case as amended, updated or replaced from time to time.
“EU/UK Privacy Laws” means, as applicable: (i) the General Data Protection Regulation 2016/679 (the “GDPR”); (ii) the Privacy and Electronic Communications Directive 2002/58/EC; (iii) the UK Data Protection Act 2018, the UK General Data Protection Regulation as defined by the UK Data Protection Act 2018 as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (together with the UK Data Protection Act 2018, the “UK GDPR”), and the Privacy and Electronic Communications Regulations 2003; and (iv) any relevant law, directive, order, rule, regulation or other binding instrument which implements any of the above, in each case, as applicable and in force from time to time, and as amended, consolidated, re-enacted or replaced from time to time.
“Personal Data” means any information Blueberry processes on behalf of Customer to provide the Services that is defined as “personal data” or “personal information” under any Privacy Law.
“Privacy Laws” means, as applicable, EU/UK Privacy Laws, US Privacy Laws and any similar law of any other jurisdiction which relates to data protection, privacy or the use of Personal Data, in each case, as applicable and in force from time to time, and as amended, consolidated, re-enacted or replaced from time to time.
“Processor to Processor Clauses” means (i) in respect of transfers of Personal Data subject to the GDPR, the standard contractual clauses for the transfer of personal data to third countries set out in Commission Decision 2021/914 of 4 June 2021, specifically including Module 3 (Processor to Processor); and (ii) in respect of transfers of Personal Data subject to the UK GDPR, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (version B.1.0) issued by the UK Information Commissioner, in each case as amended, updated or replaced from time to time.
“Third Country” means any country or territory outside of the scope of the data protection laws of the European Economic Area or the UK, as relevant, excluding countries or territories approved as providing adequate protection for Personal Data by the relevant competent authority from time to time.
“US Privacy Laws” means, as applicable, the California Consumer Privacy Act, Colorado Privacy Act, Connecticut Data Privacy Act, Delaware Personal Data Privacy Act, Indiana Consumer Data Protection Act, Iowa Consumer Data Protection Act, Montana Consumer Data Privacy Act, Oregon Consumer Privacy Act, Tennessee Information Protection Act, Texas Data Privacy and Security Act, Utah Consumer Privacy Act, and Virginia Consumer Data Protection Act, and any similar law of any other US state related to the processing of Personal Data.
Amendments. The Parties agree to negotiate in good faith modifications to this DPA if changes are required for Blueberry to continue to process the Personal Data as contemplated by the Services Agreement, any Order Form or this DPA in compliance with Privacy Laws, or to address the legal interpretation of the Privacy Laws.
Roles of the Parties. The Parties acknowledge that for purposes of Privacy Laws, Customer is the controller, business, or any similar term provided under Privacy Laws, and Blueberry is the service provider, processor, contractor, or any similar term provided under Privacy Laws.
Details of Processing. The Parties agree that the details of processing are as described in Annex 1.
Customer Obligations. Customer shall comply with all Privacy Laws in providing Personal Data to Blueberry in connection with the Services. Customer represents and warrants that: (a) the Privacy Laws applicable to Customer do not prevent Blueberry from fulfilling the instructions received from Customer and performing Blueberry’s obligations under this DPA; (b) all Personal Data was collected and at all times processed and maintained by or on behalf of Customer in compliance with all Privacy Laws, including with respect to any obligations to provide notice to and/or obtain consent from individuals; and (c) Customer has a lawful basis for disclosing or making available the Personal Data to Blueberry and enabling Blueberry to process the Personal Data as set out in this DPA. Customer shall notify Blueberry without undue delay if Customer makes a determination that the processing of Personal Data under the Agreement does not or will not comply with Privacy Laws, in which case, Blueberry shall not be required to continue processing such Personal Data.
Processing of Personal Data. In processing Personal Data under the Agreement, Blueberry shall:
only process Personal Data on documented instructions from Customer, for the limited and specific purpose described in Annex 1, and at all times in compliance with Privacy Laws, unless required to process such Personal Data by applicable law to which Blueberry is subject; in such a case, Blueberry shall inform Customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;
notify Customer (i) without undue delay if it makes a determination that it can no longer meet its obligations under applicable US Privacy Laws, and (ii) immediately if, in Blueberry’s opinion, an instruction of Customer infringes applicable EU/UK Privacy Laws;
to the extent required by US Privacy Laws, and upon reasonable written notice that Customer reasonably believes Blueberry is using Personal Data in violation of Privacy Laws or this DPA, grant Customer the right to take reasonable and appropriate steps to help ensure that Blueberry uses the Personal Data in a manner consistent with Customer’s obligations under Privacy Laws, and stop and remediate any unauthorized use of the Personal Data; and
require that each employee or other person processing Personal Data is subject to an appropriate duty of confidentiality with respect to such Personal Data.
Anonymized Data. Blueberry may aggregate and/or anonymize Personal Data such that it no longer constitutes Personal Data under Privacy Laws and process such data for its own purposes. To the extent Blueberry receives de-identified data (as such term is defined under applicable US Privacy Laws) from Customer, Blueberry shall: (a) take commercially reasonable measures to ensure that the data cannot be associated with an identified or identifiable individual; (b) maintain and use the data only in a de-identified form and not attempt to re-identify the data; and (c) otherwise comply with applicable US Privacy Laws with respect to such de-identified data.
Prohibitions. To the extent required by applicable US Privacy Laws, and except to the extent permitted by such US Privacy Laws, Blueberry is prohibited from:
selling the Personal Data or sharing the Personal Data for cross-context behavioral advertising purposes;
retaining, using, or disclosing the Personal Data outside of the direct business relationship between Blueberry and Customer and for any purpose other than for the specific purpose of performing the Services; and
combining the Personal Data received from, or on behalf of, Customer with any Personal Data that may be collected from Blueberry’s separate interactions with the individual(s) to whom the Personal Data relates or from any other sources, except to perform a business purpose or as otherwise permitted by Privacy Laws.
Use of Subcontractors. To the extent Blueberry engages any subcontractors to process Personal Data on its behalf:
Customer hereby grants Blueberry general written authorization to engage the subcontractors set out in Annex 2, subject to the requirements of this Section 9.
If Blueberry appoints a new subcontractor or intends to make any changes concerning the addition or replacement of any subcontractor, it shall provide Customer with 30 days’ prior written notice, during which Customer can object to the appointment or replacement on reasonable and documented grounds related to the confidentiality or security of Personal Data or the subcontractor’s compliance with Privacy Laws (and if Customer does not so object, Blueberry may proceed with the appointment or replacement).
Blueberry shall engage subcontractors only pursuant to a written agreement that contains obligations on the subcontractor which are no less onerous on the relevant subcontractor than the obligations on Blueberry under this DPA.
In the event Blueberry engages a subcontractor to carry out specific processing activities on behalf of Customer pursuant to EU/UK Privacy Laws, where that subcontractor fails to fulfil its obligations, Blueberry shall remain fully liable under applicable EU/UK Privacy Laws to Customer for the performance of that subcontractor’s obligations.
Assistance. To the extent required by Privacy Laws, and taking into account the nature of the processing, Blueberry shall, in relation to the processing of Personal Data and to enable Customer to comply with its obligations which arise as a result thereof, provide reasonable assistance to Customer, through appropriate technical and organizational measures, in entering into this DPA and:
responding to requests from individuals pursuant to their rights under Privacy Laws, including by providing, deleting or correcting the relevant Personal Data, or by enabling Customer to do the same, insofar as this is possible;
implementing reasonable security procedures and practices appropriate to the nature of the Personal Data to protect the Personal Data from unauthorized or illegal access, destruction, use, modification, or disclosure;
notifying relevant competent authorities and/or affected individuals of Personal Data breaches; and
conducting data protection impact assessments and, if required, prior consultation with relevant competent authorities.
Security Measures. Blueberry shall, taking into account the state-of-the-art, the costs of implementation and the nature, scope, context and purpose of the processing, implement appropriate technical and organizational measures designed to provide a level of security appropriate to the risk, as set out in Annex 3, or otherwise agreed and documented between Customer and Blueberry from time to time. To the extent required by Privacy Laws, Blueberry shall without undue delay notify Customer in writing of any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data, with further information about the breach provided in phases as more details become available.
Access and Audits. Upon reasonable request of Customer, Blueberry shall make available to Customer such information in its possession as is reasonably necessary to demonstrate Blueberry’s compliance with its obligations under this DPA, and allow for and contribute to audits, including inspections, conducted by Customer or another auditor mandated by Customer and reasonably accepted by Blueberry. Customer shall be permitted to conduct such an assessment, at Customer’s expense, no more than once every 12 months, upon 30 days’ advance written notice to Blueberry, and only after the Parties come to agreement on the scope of the audit and the auditor is bound by a duty of confidentiality. As an alternative to an audit performed by or at the direction of Customer, to the extent permitted by Privacy Laws, Blueberry may arrange for a qualified and independent auditor to conduct, at Blueberry’s expense, an assessment of Blueberry’s policies and technical and organizational measures in support of its obligations under Privacy Laws using an appropriate and accepted control standard or framework and assessment procedure for such assessment, and will provide relevant extracts of the report of such assessment to Customer upon reasonable request. Notwithstanding the foregoing, in no event shall Blueberry be required to give Customer access to information, facilities or systems to the extent doing so would cause Blueberry to be in violation of confidentiality obligations owed to other customers or its legal obligations.
Deletion of Personal Data. At Customer’s written direction, Blueberry shall delete or return all Personal Data to Customer as requested at the end of the provision of the Services, unless retention of the Personal Data is required by law.
Data Transfers. To the extent Blueberry processes Personal Data subject to EU/UK Privacy Laws in a Third Country, and it is acting as data importer, Blueberry shall comply with the data importer’s obligations and Customer shall comply with the data exporter’s obligations set out in the Controller to Processor Clauses, which are hereby incorporated into and form part of this DPA, and:
for the purposes of Annex I or Part 1 (as relevant), Customer is a controller and Blueberry is a processor, and the parties, contact person’s details and processing details set out and referenced in the ‘notice’ provisions of the Services Agreement, this DPA and Annex 1 shall apply and the Start Date is the effective date of this Agreement;
if applicable, for the purposes of Part 1 of the UK Addendum, the relevant Addendum EU SCCs (as such term is defined in the UK Addendum) are the EU SCCs as incorporated into this DPA by virtue of this Section 14;
for the purposes of Annex II or Part 1 (as relevant), the technical and organizational security measures, and the technical and organizational measures taken by Blueberry to assist Customer, as each are set out in Annex 3, shall apply; and
if applicable, for the purposes of: (i) Clause 9, Option 2 (“General written authorization”) is deemed to be selected and the notice period specified in Section 9 shall apply; (ii) Clause 11(a), the optional wording in relation to independent dispute resolution is deemed to be omitted; (iii) Clause 13 and Annex I.C, the competent supervisory authority shall be Ireland; (iv) Clauses 17 and 18, Option 1 is deemed to be selected and the governing law and the competent courts shall be Ireland; (v) Part 1, Blueberry as importer may terminate the UK Addendum pursuant to Section 19 of such UK Addendum.
Customer acknowledges and agrees that Blueberry may appoint an affiliate or third-party subcontractor to process the Personal Data in a Third Country, in which case, Blueberry shall comply with Privacy Laws in relation to that appointment (including where applicable executing the Processor to Processor Clauses with any relevant subcontractor (including affiliates) it appoints on behalf of Customer).
Annex 1: Details of Processing
Nature of the processing
Access, use, disclosure, storage, and organization of Personal Data by Blueberry in connection with its provision of the Services to Customer as set out in the Services Agreement
Purpose(s) of the processing
The provision of the Services by Blueberry to Customer as set out in the Services Agreement
Categories of individuals whose Personal Data is processed
Individuals who engage with Customer content or other content relating to Customer
Categories of Personal Data processed
Name; email address, telephone number and other contact details; user account information; social media profiles; user preferences; user engagement with Customer; other publicly available data about individuals related to Customer or Customer’s market segment used for the provision of the Services
Types of Personal Data subject to the processing that are considered “sensitive” or “special category” under Privacy Laws
N/A
Frequency (e.g. one-off or continuous) and duration of the processing
Personal Data is processed on a continuous basis, for the duration of the term of the Agreement and any post-termination retention period as set out in the Services Agreement
The subject matter, nature and duration of processing carried out by any sub-processors authorized pursuant to Section 9 is as set out in this Annex 1 and in Annex 2.
Annex 2: Authorized Subcontractors
Convex, Inc. (USA): Backend and serverless database provider for Blueberry’s AI-powered marketing platform, including web services, application runtimes, background workers, and model inference.
Clerk, Inc. (USA): Provides user authentication services, including user authentication, token issuance, and role-based access control for the platform.
Cloudflare, Inc. (USA): Provides content delivery, DDoS protection, and global edge routing for frontend assets and API traffic.
Datadog, Inc. (USA): Aggregates application logs, audit trails, and event data to support troubleshooting, monitoring, and compliance. Collects metrics, health checks, and alerts to ensure availability and performance, and supports incident response and SLA monitoring.
Google LLC (Google Cloud Platform – BigQuery & Gemini) (USA): Provides cloud infrastructure and AI services, including BigQuery as a data warehouse for campaign analytics, and Gemini models for LLM inference (generation, analysis, and summarization of marketing content and customer conversations).
Langfuse GmbH / Finto Technologies Inc. (“Langfuse”) (USA): Collects traces and metrics from LLM calls to support observability and monitoring.
Functional Software, Inc. d/b/a Sentry (USA): Provides reporting on application stack traces and exceptions within the codebase.
Vercel, Inc. (USA): Hosts the Next.js / React frontend, providing the user interface for brand users to configure campaigns, review conversations, and manage social integrations.
OpenAI OpCo, LLC / OpenAI, L.L.C. (“OpenAI”) (USA): LLM inference provider used for generating, analyzing, and summarizing marketing content and customer conversations.
Anthropic PBC (“Anthropic”) (USA): LLM inference provider used for generating, analyzing, and summarizing marketing content and customer conversations.
PostHog, Inc. (USA): Product analytics platform used to collect and analyze usage events, feature adoption, and user behavior within the Blueberry application.
Plus Five Five, Inc. d/b/a Resend (USA): Email delivery service used to send transactional and product-related emails to authorized Blueberry platform users (e.g., account, security, and product notifications).
Stripe, Inc. (USA): Payment processing and billing platform used to collect and manage subscription fees and other payments from Blueberry customers, including processing of customer contact information and payment details.
Annex 3: Security Measures
Technical and Organizational Measures
Physical Access Control
Measures to establish the identity of authorized persons and prevent unauthorized access to Blueberry’s premises and facilities where personal data is processed, including:
• All entrances are locked and accessible only with appropriate keys or chip cards
• Windows and doors are protected by an alarm system
• All visitors are required to present identification and are signed in by authorized staff
• Visitors are accompanied by Blueberry personnel at all times
System Entry Control
Measures to prevent unauthorized access to data processing systems, including:
• User and administrator PCs are automatically locked during idle times
• Principle of least privilege enforced, granting users only the access necessary to perform their job functions
• Any access beyond least privilege requires appropriate authorization
• IT access privileges are reviewed regularly (at least quarterly) by authorized personnel
• Two-factor authentication (e.g., RSA 2FA) in place for remote connections
• Vulnerability scanning and remediation processes in place
• Data center and website penetration testing programs in place
Data Access Control
Measures to prevent unauthorized activities within data processing systems outside the scope of granted authorizations, including:
• Role-based access control (RBAC) model governing user and administrator access
• Authorization concepts enforcing access on a strict “need-to-know” basis
• Administration of user rights managed by system administrators
• Number of administrators limited to the absolute minimum required
• Internal control audits conducted on a regular basis
Data Transfer Control
Measures to ensure that personal data cannot be read, copied, altered, or removed by unauthorized persons during transmission, transport, or storage, including:
• Data storage devices and physical documents are locked when not in use (clean desk policy)
• Secure transfer modes and encryption methods are regularly reviewed and kept state-of-the-art
• Secure communication sessions established using HTTPS and SFTP protocols for business-critical applications and services
• Encrypted certificates used for authentication between web clients and web servers across all websites
Input Control
Measures to ensure it is possible to verify and establish whether and by whom personal data has been entered, modified, or deleted, including:
• Access to electronic documents and applications logged via auditable log files
• Access to physical documents documented via formal protocols
• Logging of data entry, modification, and deletion actions using individual user identifiers
Control of Instructions
Measures to ensure personal data processed on behalf of Customer is handled only in accordance with Customer’s instructions, including:
• Clear and binding internal policies containing formalized data processing instructions
• Use of unambiguous contractual language governing data processing obligations
• Careful selection of contractors, with particular attention to data security practices
• Internal quality monitoring processes that include compliance with contractual requirements
• Regular third-party audits that include review of contractual compliance
• Regular staff training to maintain awareness of data protection and contractual obligations
• Periodic risk assessments focusing on the control and monitoring of insider access
Availability Control
Measures to protect personal data against accidental destruction or loss, including:
• At least weekly full backups and daily incremental backups of critical systems
• Off-site backup storage with multiple redundancy points, protected by encryption and secure key management
• Documented data recovery measures and emergency response plans, regularly tested
• Use of state-of-the-art backup methods such as data mirroring and physically separated backups
• Redundant storage of data across multiple devices
• Regular integrity verification of stored data using checksums
Separation and Purpose Control
Measures to ensure that personal data collected for different purposes is processed separately, including:
• Physical documents stored separately for each customer and clearly labeled
• Implementation of an authorization concept to restrict access by purpose
• Logical separation of electronically stored customer data at the application and database layers using tenant-specific identifiers and access controls, ensuring isolation between customers
Additional Security Controls
Additional measures to further strengthen information security, including:
• Active management of all enterprise assets (end-user devices, networks, servers, etc.)
• Secure configuration standards for enterprise assets and software
• Collection, retention, review, and alerting on audit logs relevant to security incidents
• Comprehensive network monitoring and defense against security threats
• Ongoing security awareness training for employees
• Security lifecycle management for in-house developed, hosted, or acquired software
• Documented incident response program
• Regular penetration testing to identify and remediate infrastructure weaknesses
