Data Processing Addendum

This Data Processing Addendum (“DPA”) forms part of these Terms of Service and applies where Data Bloo P.C. (“Data Bloo”, “we”, “us”, or “our”) processes Personal Data on behalf of a customer in connection with the use of Data Bloo data connectors and related services (“Services”).

This DPA is intended to meet the requirements of Article 28 of Regulation (EU) 2016/679, the General Data Protection Regulation (“GDPR”), and applies only to the processing of Personal Data carried out by Data Bloo as a processor on behalf of the customer.

1. Roles of the Parties

For the purposes of this DPA:

  • The customer acts as the data controller or, where applicable, as a processor acting on behalf of another controller.
  • Data Bloo acts as a data processor when it processes Personal Data through the Services on behalf of the customer.
  • Where the customer acts as a processor for its own client, Data Bloo acts as a sub-processor.

The customer determines the purposes and means of processing Personal Data made available through third-party platforms, APIs, and data sources connected to the Services.

Data Bloo processes such Personal Data only to provide, maintain, secure, and support the Services in accordance with this DPA, the Terms of Service, and the customer’s documented instructions.

2. Definitions

For the purposes of this DPA:

“Customer Data” means data made available to Data Bloo through third-party platforms, APIs, or data sources connected by the customer when using the Services.

“Personal Data” means any information relating to an identified or identifiable natural person, as defined under applicable data protection laws.

“Connection Data” means information required to operate the Services, including account identifiers, authentication tokens, API credentials, connector configuration, usage logs, error logs, billing information, and account-level metadata.

“Sub-processor” means any third-party service provider engaged by Data Bloo that may process Personal Data on behalf of the customer in order to provide the Services.

“Third-Party Platform” means any external platform, API, or service connected by the customer through the Services, including but not limited to WooCommerce, Google, Meta, TikTok, LinkedIn, and other supported data sources.

3. Subject Matter and Duration of Processing

The subject matter of the processing is the provision of Data Bloo’s data connectors and related functionality, including fetching, transmitting, formatting, and displaying Customer Data from Third-Party Platforms into destinations selected by the customer, such as Looker Studio.

The duration of processing is limited to the period during which the customer uses the Services, unless deletion or continued retention is required by applicable law, security obligations, or legitimate business record-keeping requirements related to Connection Data.

4. Nature and Purpose of Processing

Data Bloo processes Personal Data only as necessary to provide the Services requested by the customer.

The processing may include:

  • connecting to Third-Party Platforms through APIs;
  • authenticating and managing authorized connections;
  • fetching Customer Data requested by the customer;
  • transmitting Customer Data to Looker Studio or another customer-selected destination;
  • maintaining and securing the Services;
  • troubleshooting errors and responding to support requests;
  • monitoring usage limits, abuse, security, and service performance.

For connectors operating on a passthrough basis, Data Bloo does not store, warehouse, or retain Customer Data beyond what is technically necessary to serve the request and provide the Services.

5. Types of Personal Data

The types of Personal Data processed depend on the Third-Party Platform connected by the customer and the fields selected or made available through that platform.

For ecommerce connectors (WooCommerce, Shopify), Personal Data may include:

  • customer names;
  • email addresses;
  • billing or shipping details;
  • order details;
  • transaction details;
  • product purchase data;
  • customer identifiers;
  • other ecommerce data made available through the connected API.

For marketing and analytics connectors (Facebook, LinkedIn, TikTok), Personal Data may include:

  • account identifiers;
  • campaign, page, profile, or business account data;
  • analytics or event data;
  • user-generated or customer-controlled fields made available through the connected platform.

Data Bloo does not intentionally require or request special categories of Personal Data under Article 9 GDPR. The customer must not use the Services to process special categories of Personal Data unless this has been expressly agreed in writing with Data Bloo.

6. Categories of Data Subjects

The categories of data subjects may include:

  • the customer’s users and authorized team members;
  • the customer’s clients;
  • the customer’s website visitors, leads, prospects, or end customers;
  • ecommerce customers;
  • individuals whose data is available through the Third-Party Platforms connected by the customer.

7. Customer Instructions

The customer instructs Data Bloo to process Personal Data only as necessary to provide the Services.

The customer’s use and configuration of the Services, including connecting data sources, selecting accounts, authorizing API access, and creating reports, constitutes the customer’s documented instructions to Data Bloo.

Data Bloo will not process Personal Data for any other purpose unless required by applicable law. If Data Bloo is required by law to process Personal Data outside the customer’s instructions, Data Bloo will inform the customer before doing so, unless prohibited by law.

If Data Bloo reasonably believes that an instruction infringes applicable data protection law, Data Bloo will inform the customer.

8. Customer Responsibilities

The customer is responsible for:

  • ensuring that it has a valid legal basis for processing Personal Data through the Services;
  • ensuring that it has the right to connect the relevant Third-Party Platform accounts;
  • ensuring that its use of the Services complies with applicable data protection laws;
  • providing any required notices to data subjects;
  • obtaining any required consents or authorizations;
  • ensuring that API credentials and connected accounts are lawfully created and used;
  • configuring the Services appropriately, including selecting only the data sources and fields needed for its reporting purposes.

Data Bloo is not responsible for the accuracy, legality, or content of Customer Data made available through Third-Party Platforms connected by the customer.

9. Data Storage and Retention

Data Bloo does not store, warehouse, or retain Customer Data accessed through the connectors beyond what is technically necessary to provide the Services.

Customer Data is generally processed on a passthrough basis, meaning it is fetched from the relevant Third-Party Platform and transmitted to the customer-selected destination, such as Looker Studio, in response to a user request.

Data Bloo may store Connection Data necessary to operate the Services, including account information, connector settings, authentication tokens or API credentials, usage logs, error logs, billing records, and security logs.

Connection Data is retained only for as long as necessary to provide the Services, comply with legal obligations, resolve disputes, enforce agreements, maintain security, and operate the customer account.

Upon termination of the Services or disconnection of a data source, Data Bloo will delete or disable relevant Connection Data in accordance with its retention practices, unless continued retention is required by applicable law or necessary for legitimate security, billing, fraud prevention, or legal purposes.

10. Confidentiality

Data Bloo will ensure that persons authorized to process Personal Data are subject to appropriate confidentiality obligations, whether contractual or statutory.

Access to Personal Data is limited to personnel or service providers who need access for the purposes of providing, securing, maintaining, or supporting the Services.

11. Security Measures

Data Bloo will implement appropriate technical and organizational measures designed to protect Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, damage, alteration, or disclosure.

These measures may include, as appropriate:

  • restricted access to production systems;
  • authentication and access controls;
  • encryption or secure handling of credentials and tokens;
  • secure transmission of data where supported;
  • logging and monitoring for security and operational purposes;
  • internal access limitation based on need-to-know;
  • regular review of technical systems and security practices;
  • measures to protect against misuse, abuse, or unauthorized access.

The customer acknowledges that no system can be guaranteed to be completely secure and that the security of the Services also depends on the customer’s own systems, credentials, users, connected platforms, and account configuration.

12. Sub-processors

The customer grants Data Bloo general authorization to engage sub-processors where necessary to provide, secure, maintain, bill, and support the Services.

Data Bloo ensures that sub-processors are bound by written obligations that provide an appropriate level of data protection and confidentiality.

Data Bloo’s current sub-processors are listed below:

| Sub-processor | Purpose | Transfer Safeguard |
|---|---|---|
| Google Cloud Platform | Hosting, infrastructure, server logs, error logs, security and service monitoring | Google provides a Cloud Data Processing Addendum and publishes sub-processor information. Where transfers outside the EEA apply, appropriate transfer safeguards such as SCCs may apply. |
| Stripe | Payments, billing, subscription management, invoices, payment status | Stripe provides a Data Processing Agreement and references SCCs for relevant EEA/Switzerland transfers. |
| Klaviyo | Email communications, product updates, onboarding emails, marketing emails | Klaviyo provides a DPA and states that it uses DPF and SCCs where applicable. |
| Crisp | Customer support, live chat, support messages | Transfer safeguards should be based on Crisp’s applicable DPA and sub-processor terms. Confirm exact transfer mechanism before publishing. |

Data Bloo may update this sub-processor list from time to time. Customers may object to a new sub-processor on reasonable data protection grounds by contacting Data Bloo within a reasonable period after being informed of the change.

13. International Data Transfers

Data Bloo P.C. is established in Greece, within the European Economic Area.

Where Data Bloo or its Sub-processors transfer Personal Data outside the EEA, Data Bloo will ensure that such transfer is made in accordance with applicable data protection laws.

Where required, Data Bloo will rely on an adequacy decision, the European Commission’s Standard Contractual Clauses, or another valid transfer mechanism under applicable data protection laws.

The European Commission issued modernized Standard Contractual Clauses on 4 June 2021 for transfers from controllers or processors in the EU/EEA to controllers or processors outside the EU/EEA.

14. Assistance to the Customer

Taking into account the nature of the processing and the information available to Data Bloo, Data Bloo will provide reasonable assistance to the customer in meeting its obligations under applicable data protection laws, including obligations relating to:

  • data subject requests;
  • security of processing;
  • personal data breach notifications;
  • data protection impact assessments;
  • prior consultation with supervisory authorities, where required.

Where a data subject contacts Data Bloo directly regarding Personal Data processed on behalf of the customer, Data Bloo may refer the data subject to the customer, unless required otherwise by law.

15. Personal Data Breach

Data Bloo will notify the customer without undue delay after becoming aware of a Personal Data breach affecting Personal Data processed by Data Bloo on behalf of the customer.

The notification will include available information reasonably necessary for the customer to meet its own breach notification obligations, to the extent such information is available to Data Bloo.

Data Bloo’s notification of a breach does not constitute an admission of fault or liability.

16. Deletion or Return of Personal Data

Because Data Bloo Connectors generally operate on a passthrough basis and do not store Customer Data, there may be no stored Customer Data to return or delete at the end of the Services.

Upon termination of the Services or upon the customer’s written request, Data Bloo will delete or disable relevant Connection Data associated with the customer’s connector account, unless retention is required by applicable law or necessary for legitimate security, billing, fraud prevention, dispute resolution, or legal purposes.

Where Customer Data has been temporarily processed for technical reasons, Data Bloo will delete such data in accordance with its technical and retention practices.

17. Audit and Compliance Information

Data Bloo will make available information reasonably necessary to demonstrate compliance with this DPA and applicable data protection obligations.

The customer may request reasonable information about Data Bloo’s data protection practices, security measures, and Sub-processors.

Any audit or inspection must be reasonable, limited to the processing covered by this DPA, subject to confidentiality, and conducted in a way that does not disrupt Data Bloo’s business operations or compromise the security or confidentiality of other customers.

Data Bloo may satisfy audit requests by providing written responses, documentation, policies, certifications, or other information reasonably demonstrating compliance.

18. Third-Party Platforms

The Services depend on Third-Party Platforms and APIs connected by the customer.

Data Bloo is not responsible for the privacy, security, availability, terms, API behavior, or data practices of Third-Party Platforms.

The customer is responsible for reviewing and complying with the terms, privacy policies, and data protection obligations of any Third-Party Platform it connects to the Services.

19. Limitation

This DPA does not apply where Data Bloo acts as an independent controller, including where Data Bloo processes account registration data, billing information, support communications, website analytics, marketing communications, or other business operations data for its own purposes. Such processing is governed by Data Bloo’s Privacy Policy.

20. Order of Precedence

In the event of a conflict between this DPA and the Terms of Service regarding the processing of Personal Data on behalf of the customer, this DPA will prevail to the extent of the conflict.