Data Processing Agreement

Last Updated: February 28, 2025

1. Scope and Term.

1.1 Roles of the Parties.

(a) Subscriber Personal Data. Blue J Legal Inc. (“Blue J”) will Process Subscriber Personal Data as Subscriber’s Processor in accordance with Subscriber’s instructions as outlined in Section 2.1 (Subscriber Instructions).

(b) Blue J Account Data. Blue J will Process Blue J Account Data as a Controller for the following purposes: (i) to provide and improve the Product; (ii) to manage the Subscriber relationship (communicating with Subscriber and Users in accordance with their account preferences, responding to Subscriber inquiries and providing technical support, etc.), (iii) to facilitate security, fraud prevention, performance monitoring, business continuity and disaster recovery; and (iv) to carry out core business functions such as accounting, billing, and filing taxes.

(c) Blue J Usage Data. Blue J will Process Blue J Usage Data as a Controller for the following purposes: (i) to provide, optimize, secure, and maintain the Product; (ii) to optimize user experience; and (iii) to inform Blue J’s business strategy.

(d) Description of the Processing. Details regarding the Processing of Personal Data by Blue J are stated in Schedule 1 (Description of Processing).

1.2 Term of the DPA. The term of this Data Processing Agreement (“DPA”) terminates upon the date on which Blue J ceases all Processing of Subscriber Personal Data.

2. Processing of Personal Data.

2.1 Subscriber Instructions. Blue J must Process Subscriber Personal Data in accordance with the documented lawful instructions of Subscriber as stated in this DPA as necessary to (i) enable the use of various features and functionalities in the Product and (ii) comply with its legal obligations. Blue J will Process Subscriber Personal Data only on documented instructions from Subscriber, including with regard to transfers of such Subscriber Personal Data to a third country or an international organisation, unless required to do so by Applicable Data Protection Law to which Blue J is subject; in such a case, Blue J shall inform Subscriber of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest. Blue J will promptly inform Subscriber if it becomes aware that Subscriber's Processing instructions infringe Applicable Data Protection Law.

2.2 Confidentiality. Blue J must treat Subscriber Personal Data as Subscriber’s Confidential Information (as defined in the Blue J Terms of Use that are found at www.bluej.com/terms-of-use/ and that may be modified by Blue J from time to time as specified therein). Blue J must ensure personnel authorized to Process Personal Data are bound by written or statutory obligations of confidentiality.

3. Security.

3.1 Security Measures. Blue J has implemented and will maintain appropriate technical and organizational measures designed to protect the security, confidentiality, integrity and availability of Subscriber Data and protect against Security Incidents. Subscriber is responsible for using features and functionalities made available by Blue J to maintain appropriate security in light of the nature of Subscriber Data. Blue J’s current technical and organizational measures (the “Security Measures”) are described at www.bluej.com/security. Subscriber acknowledges that the Security Measures are subject to technical progress and development and that Blue J may update or modify the Security Measures from time to time, provided that such updates and modifications do not materially decrease the overall security of the Product during a Subscription Term.

3.2 Security Incidents. Blue J must notify Subscriber without undue delay and, where feasible, no later than seventy-two (72) hours after becoming aware of a Security Incident. Blue J must make reasonable efforts to identify the cause of the Security Incident, mitigate the effects and remediate the cause to the extent within Blue J’s reasonable control. Upon Subscriber’s request and taking into account the nature of the Processing and the information available to Blue J, Blue J must assist Subscriber by providing information reasonably necessary for Subscriber to meet its Security Incident notification obligations under Applicable Data Protection Law. Blue J’s notification of a Security Incident is not an acknowledgment by Blue J of its fault or liability.

4. Sub-processing.

4.1 General Authorization. By entering into this DPA, Subscriber provides general authorization for Blue J to engage Sub-processors to Process Subscriber Personal Data. Blue J must: (i) enter into a written agreement with each Sub-processor imposing data protection terms that require the Sub-processor to protect Subscriber Personal Data to the standard required by Applicable Data Protection Law and to the same standard provided by this DPA; and (ii) remain liable to Subscriber if such Sub-processor fails to fulfill its data protection obligations with regard to the relevant Processing activities under the Agreement.

4.2 Notice of New Sub-processors. Blue J maintains an up-to-date list of its Sub-processors at www.bluej.com/security. Blue J will provide notice at least seven (7) days before allowing any new Sub-processor to Process Subscriber Personal Data (the “Sub-processor Notice Period”).

4.3 Objection to New Sub-processors. Subscriber may object to Blue J’s appointment of a new Sub-processor during the Sub-processor Notice Period. If Subscriber objects, Subscriber, as its sole and exclusive remedy, may terminate the DPA.

5. Assistance and Cooperation Obligations.

5.1 Data Subject Rights. Taking into account the nature of the Processing, Blue J must provide reasonable and timely assistance to Subscriber to enable Subscriber to respond to requests for exercising a data subject’s rights (including rights of access, rectification, erasure, restriction, objection, and data portability) in respect to Subscriber Personal Data.

5.2 Cooperation Obligations. Upon Subscriber’s reasonable request, and taking into account the nature of the applicable Processing, Blue J will provide reasonable assistance to Subscriber in fulfilling Subscriber’s obligations under Applicable Data Protection Law (including data protection impact assessments and consultations with regulatory authorities), provided that Subscriber cannot reasonably fulfill such obligations independently with help of available documentation.

5.3 Third Party Requests. Unless prohibited by Law, Blue J will promptly notify Subscriber of any valid, enforceable subpoena, warrant, or court order from law enforcement or public authorities compelling Blue J to disclose Subscriber Personal Data. Blue J will follow its process set out in the Blue J Terms of Use in responding to such requests. In the event that Blue J receives an inquiry or a request for information from any other third party (such as a regulator or data subject) concerning the Processing of Subscriber Personal Data, Blue J will redirect such inquiries to Subscriber, and will not provide any information unless required to do so under applicable Law.

6. Deletion and Return of Subscriber Personal Data.

6.1 During Term. During the term of this DPA, Subscriber and its Users may, through the features of the Product or through request to Blue J, access, retrieve or delete Subscriber Personal Data. 

6.2 Post Termination. Following expiration or termination of the DPA, Blue J will delete all Subscriber Personal Data upon request. Notwithstanding the foregoing, Blue J may retain Subscriber Personal Data (i) as required by Applicable Data Protection Law or (ii) in accordance with its standard backup or record retention policies, provided that, in either case, Blue J will maintain the confidentiality of, and otherwise comply with the applicable provisions of this DPA with respect to retained Subscriber Personal Data and not further Process it except as required by Applicable Data Protection Law.

7. Audit.

7.1 Audit Reports. Blue J is regularly audited by independent third-party auditors and/or internal auditors. Upon request, and on the condition that Subscriber has entered into an applicable non-disclosure agreement with Blue J, Blue J will supply a summary copy of relevant audit report(s) (“Report”) to Subscriber, so Subscriber can verify Blue J’s compliance with the audit standards against which it has been assessed, and this DPA. If Subscriber cannot reasonably verify Blue J’s compliance with the terms of this DPA, Blue J will provide written responses (on a confidential basis) to all reasonable requests for information made by Subscriber related to its Processing of Subscriber Personal Data, provided that such right may only be exercised no more than once every twelve (12) months.

7.2 On-site Audits. Only to the extent Subscriber cannot reasonably satisfy Blue J’s compliance with this DPA through the exercise of its rights under Section 7.1 above, or where required by Applicable Data Protection Law or a regulatory authority, Subscriber, or its authorized representatives, may, at Subscriber’s expense, conduct audits (including inspections) during the term of the Agreement to assess Blue J’s compliance with the terms of this DPA. Any audit must (i) be conducted during Blue J’s regular business hours, with reasonable advance written notice of at least sixty (60) calendar days (unless Applicable Data Protection Law or a regulatory authority requires a shorter notice period); (ii) be subject to reasonable confidentiality controls obligating Subscriber (and its authorized representatives) to keep confidential any information disclosed that, by its nature, should be confidential; (iii) occur no more than once every twelve (12) months; and (iv) restrict its findings to only information relevant to Subscriber.

8. Definitions.

“Applicable Data Protection Law” means all Laws applicable to the Processing of Personal Data under the Agreement. Where Personal Data is subject to the laws of one of the following regions, the definition of “Applicable Data Protection Law” includes:

(a) Canada: the Canadian Personal Information Protection and Electronic Documents Act;

(b) Europe, which includes, for the purposes of this DPA, the Member States of the European Union and European Economic Area: (i) the Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation, or GDPR) and (ii) the EU e-Privacy Directive (Directive 2002/58/EC) as amended, superseded or replaced from time to time (“EU Data Protection Law”);

(c) Switzerland: the Swiss Federal Act on Data Protection and its implementing regulations as amended, superseded, or replaced from time to time (“Swiss FADP”);

(d) The United Kingdom: the Data Protection Act 2018 and the GDPR as saved into United Kingdom law by virtue of Section 3 of the United Kingdom's European Union (Withdrawal) Act 2018 as amended, superseded or replaced from time to time (“UK Data Protection Law”); and

(e) The United States: all state laws relating to the protection and Processing of Personal Data in effect in the United States of America, which may include, without limitation, the California Consumer Privacy Act, as amended by the California Privacy Rights Act, and its implementing regulations (“CCPA”), the Virginia Consumer Data Protection Act, the Colorado Privacy Act, the Connecticut Data Privacy Act, and the Utah Consumer Privacy Act (“US State Privacy Laws”).

“Blue J Account Data” means Personal Data relating to Subscriber’s relationship with Blue J, including: (i) Users’ account information (e.g. name or email address); (ii) billing and contact information of individual(s) associated with Subscriber’s Blue J account (e.g. billing address, email address, or name); (iii) Users’ device and connection information (e.g. IP address); and (iv) content/description of technical support requests.

“Blue J Usage Data” means Personal Data relating to or obtained in connection with the use, performance, operation, support or use of the Products. Blue J Usage Data may include event name (i.e. what action Users performed), event timestamps, browser information, and diagnostic data. For clarity, Blue J Usage Data does not include Subscriber Personal Data.

“Controller” means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.

“Laws” means all applicable laws, regulations, conventions, decrees, decisions, orders, judgments, codes and requirements of any government authority (federal, state, local or international) having jurisdiction.

“Personal Data” means information about an identified or identifiable natural person, or which otherwise constitutes “personal data”, “personal information”, “personally identifiable information” or similar terms as defined in Applicable Data Protection Law.

“Processing” (and “Process”) means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

“Processor” means the entity which Processes Personal Data on behalf of the Controller.

“Product” means Ask Blue J, the generally commercially available hosted software-as-a-service offering for which the Subscriber is granted access.

“Security Incident” means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Subscriber Data Processed by Blue J and/or its Sub-processors.

“Sub-processor” means any third party (including any affiliate of) engaged by Blue J to Process Subscriber Personal Data.

“Subscriber” means the person or entity who has access to use the Product and is a signatory to this DPA.

“Subscriber Data” means any data, content or materials provided to Blue J by or at the direction of Subscriber or its Users.

“Subscriber Personal Data” means Personal Data contained in Subscriber Data that Blue J Processes under the Agreement solely on behalf of Subscriber. For clarity, Subscriber Personal Data includes any Personal Data included in the attachments provided by Subscriber or its Users in any technical support requests.

Schedule 1 Description of Processing

1. Categories of data subjects whose Personal Data is Processed: Subscriber and its Users.

2. Categories of Personal Data Processed: Blue J Account Data, Blue J Usage Data, and Subscriber Personal Data.

3. Sensitive data transferred: Blue J Account Data and Subscriber Usage Data do not contain data (i) revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, (ii) genetic data, biometric data Processed for the purposes of uniquely identifying a natural person, data concerning health, or data concerning a natural person's sex life or sexual orientation, or (iii) relating to criminal convictions and offences (altogether “Sensitive Data”). 

4. The frequency of the transfer: Continuous.

5. Nature of the Processing: Blue J will Process Personal Data in order to provide the Product and related support in accordance with the Agreement, including this DPA. 

6. Purpose(s) of the Processing:

6.1. Subscriber Personal Data: Blue J will Process Subscriber Personal Data as Processor in accordance with Subscriber’s instructions as set out in Section 2.1 (Subscriber Instructions).

6.2. Blue J Account Data and Blue J Usage Data: Blue J will Process Blue J Account Data and Blue J Usage Data for the limited and specified purposes outlined in Section 1.1 (Roles of the Parties).

7. Duration of Processing:

7.1. Subscriber Personal Data: Blue J will Process Subscriber Personal Data for the term of the DPA as outlined in Section 6 (Deletion and Return of Subscriber Personal Data).

7.2. Blue J Account Data and Blue J Usage Data: Blue J will Process Blue J Account Data and Blue J Usage Data only as long as required (a) to provide the Product and related support to Subscriber in accordance with the DPA; (b) for Blue J’s legitimate business purposes outlined in Section 1.1 (Roles of the Parties); or (c) by applicable Law(s).

8. Transfers to (Sub-)processors: Blue J will transfer Subscriber Personal Data to Sub-processors as permitted in Section 4 (Sub-processing).

Subscriber acknowledges that Blue J may transfer and Process Subscriber Personal Data to and in the United States, Canada and anywhere else in the world where Blue J or its Sub-processors maintain data processing operations. Blue J shall at all times ensure that such transfers are made in compliance with the requirements of Applicable Data Protection Laws and this DPA.