Be part of the new Digital Era
Explore how you can bring more secure and convenient digital interactions to your users and partners.
This Data Processing Addendum (“Addendum”) is entered into by and between the Customer identified in the Agreement and Blerify Inc., a Delaware corporation (“Blerify”), and forms part of the Agreement between the parties. This Addendum governs the Processing of Customer Personal Data by Blerify on behalf of the Customer in the course of providing the Services, and is intended to ensure that such Processing is conducted in accordance with applicable Data Protection Laws.
This Addendum shall apply to the extent Blerify processes Customer Personal Data on behalf of the Customer as a Data Processor, Sub-Processor, or Service Provider under applicable law. In case of conflict between the terms of this Addendum and the Agreement, the terms of this Addendum shall prevail to the extent of the conflict in relation to data protection matters.
1. Definitions
For the purposes of this Data Processing Addendum, the following terms shall have the meanings set out below. Capitalized terms not otherwise defined in this Addendum shall have the meaning given to them in the Agreement.
1.1. “Agreement” means the main service agreement, terms of service, or any other binding arrangement between the Customer and Blerify governing the provision of the Services.
1.2. “Customer Personal Data” means any Personal Data that is Processed by Blerify on behalf of the Customer in connection with the Services.
1.3. “Data Protection Laws” means all applicable data protection and privacy laws and regulations to which the Customer Personal Data is subject, including but not limited to:
(i) the General Data Protection Regulation (EU) 2016/679 (“GDPR”);
(ii) applicable data protection laws of the United States, including the California Consumer Privacy Act (“CCPA”) and similar state laws;
(iii) Law 81 of 2019 of the Republic of Panama; and
(iv) any other applicable legislation governing the protection of Personal Data in any relevant jurisdiction.
1.4. “Data Subject” means the identified or identifiable natural person to whom the Customer Personal Data relates.
1.5. “Personal Data” means any information relating to an identified or identifiable natural person, as defined in applicable Data Protection Laws.
1.6. “Processing” means any operation or set of operations performed on Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, alignment, restriction, erasure, or destruction.
1.7. “Controller” (also referred to as “Data Controller” or “Responsible Party”) means the natural or legal person who, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
1.8. “Processor” (also referred to as “Data Processor” or “Data Handler”) means the natural or legal person who Processes Personal Data on behalf of the Controller.
1.9. “Sub-processor” means any third party (including an affiliate of Blerify) appointed by or on behalf of Blerify to Process Customer Personal Data in connection with the provision of the Services.
1.10. “Cross-border Transfer” means the transfer of Personal Data to any country or territory outside the jurisdiction in which the Personal Data was originally collected, including transfers to countries that may not have an adequate level of data protection as determined by applicable Data Protection Laws.
1.11. “Services” means the services and products provided by Blerify under the Agreement, including web-based platforms, APIs, developer libraries, and other digital infrastructure that interacts with identity wallets, verifiable credentials, Points of Verification, digital notifications, vouchers, or related systems.
2. Roles of the Parties
2.1. Roles and Responsibilities. For the purposes of this Addendum and applicable Data Protection Laws, the Customer acts as the Data Controller (or equivalent term under applicable law), and Blerify acts as the Data Processor in relation to Customer Personal Data Processed through the Services. The Customer is solely responsible for ensuring that its collection and use of Customer Personal Data complies with applicable Data Protection Laws, including by determining the purposes and means of such Processing.
2.2. Instructions from the Customer. Blerify shall Process Customer Personal Data only on documented instructions from the Customer, including with respect to cross-border transfers, unless otherwise required to do so by applicable law. In such cases, Blerify will inform the Customer of the legal requirement before Processing, unless that law prohibits such notice on important grounds of public interest.
2.3. Customer Obligations. The Customer shall:
(a) ensure that it has a valid legal basis for the Processing of Customer Personal Data and that it has provided all necessary notices or obtained all necessary consents (where applicable) for such Processing;
(b) not instruct Blerify to Process Customer Personal Data in a manner that would violate applicable law;
(c) be responsible for the accuracy, quality, and legality of Customer Personal Data and the means by which it was acquired; and
(d) ensure that its use of the Services complies with all applicable laws and regulations.
3. Confidentiality
3.1. Confidentiality Obligations. Blerify shall ensure that any person it authorizes to Process Customer Personal Data (including its personnel, agents, and Sub-processors) is subject to an appropriate duty of confidentiality—whether contractual or statutory—and is properly trained regarding their data protection obligations.
3.2. No Unauthorized Disclosure. Blerify shall not disclose Customer Personal Data to any third party except as expressly permitted by this Addendum, the Agreement, or where required by applicable law. If Blerify is required by a law, court order, or regulatory authority to disclose Customer Personal Data, it shall (unless prohibited by law) inform the Customer in advance and cooperate reasonably to allow the Customer to contest or limit the disclosure.
3.3. Protection of Customer Confidential Information. In addition to its obligations regarding Customer Personal Data, Blerify shall treat all other confidential information of the Customer received in connection with the Agreement with the same degree of care it uses to protect its own confidential information, and in no event less than reasonable care.
4. Security
4.1. Technical and Organizational Measures. Blerify shall implement and maintain appropriate technical and organizational measures designed to protect Customer Personal Data against unauthorized or unlawful Processing and against accidental loss, destruction, or damage, in accordance with applicable Data Protection Laws. These measures shall include, at a minimum, access controls, encryption at rest and in transit, regular vulnerability assessments, and secure software development practices.
4.2. Customer’s Responsibility. The Customer is responsible for independently determining whether the Services meet its legal and regulatory obligations and its internal policies. The Customer shall implement and maintain appropriate safeguards for the use of the Services, including ensuring secure configuration, access controls, and appropriate key or credential management on its end.
4.3. No Assessment of Customer Data. Blerify does not access or monitor the content of Customer Personal Data hosted or transmitted through the Services, unless strictly necessary to provide support or comply with law. Therefore, Blerify shall not be responsible for determining whether such content is subject to any specific legal or regulatory obligations (e.g., HIPAA, FERPA, PCI DSS, etc.) that may apply to the Customer’s business.
4.4. Certification and Audits. Blerify may maintain third-party certifications or reports (e.g., ISO/IEC 27001, SOC 2) as evidence of its security practices. Upon reasonable request, Blerify shall provide Customer with a copy of its most recent summary audit report or certification relevant to the Services.
5. Sub-processing
5.1. Authorization to Use Sub-processors. Customer authorizes Blerify to engage third-party service providers (“Sub-processors”) to Process Customer Personal Data in connection with the provision of the Services. Sub-processors may include, without limitation, infrastructure, cloud hosting, analytics, and technical support providers.
5.2. Sub-processor Obligations. Blerify shall enter into written agreements with each Sub-processor that impose data protection obligations substantially similar to those set out in this Addendum. Blerify shall remain responsible for the performance of its Sub-processors.
5.3. Sub-processor List and Updates. Upon written request, Blerify shall provide the Customer with a current list of Sub-processors involved in the Processing of Customer Personal Data. Blerify may update this list from time to time. In the event of a material change, Blerify will provide Customer with reasonable prior notice (via email or other means) and give Customer the opportunity to object on reasonable data protection grounds.
5.4. Objection to New Sub-processors. If Customer has a reasonable objection to a new Sub-processor based on data protection concerns, and such concerns cannot be resolved through good-faith discussions between the parties, Customer may terminate the applicable Services with respect to only those functionalities materially impacted by the change, by providing written notice to Blerify.
6. International Data Transfers
6.1. Data Transfer Mechanism. Customer acknowledges and agrees that Blerify may transfer and process Customer Personal Data outside of the country in which it was collected, including to countries that may not provide an equivalent level of data protection as the applicable Data Protection Laws of the originating jurisdiction. Blerify shall ensure that all such transfers comply with applicable laws and are subject to appropriate safeguards.
6.2. Safeguards for Cross-Border Transfers. Where required by applicable Data Protection Laws (including, where relevant, the GDPR or the Panamanian Law 81 of 2019), Blerify shall implement appropriate safeguards for international transfers, which may include:
(a) entering into Standard Contractual Clauses or equivalent contractual mechanisms;
(b) transferring to jurisdictions recognized as providing an adequate level of protection; or
(c) relying on any other lawful basis permitted under applicable law.
6.3. General Compliance. Blerify undertakes to ensure that all international transfers of Customer Personal Data are carried out in accordance with the principles of lawfulness, transparency, purpose limitation, and data minimization, and with due regard to data confidentiality, integrity, and availability.
7. Security Measures
7.1. Technical and Organizational Measures. Blerify shall implement and maintain appropriate technical and organizational measures to protect Customer Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, or damage. These measures shall be consistent with industry best practices and take into account the state of the art, the costs of implementation, the nature, scope, context, and purposes of processing, and the risks to individuals’ rights and freedoms.
7.2. Encryption and Access Control. Blerify applies encryption-at-rest and in-transit for all Customer Personal Data hosted in its infrastructure, and ensures that access to such data is restricted to authorized personnel only, following the principle of least privilege.
7.3. Customer Responsibilities. Customer is solely responsible for:
(a) determining the suitability of the Services for its data processing needs and compliance obligations;
(b) configuring the Services in a secure manner, including management of access controls;
(c) implementing appropriate backup, recovery, and retention policies within its use of the Services; and
(d) ensuring that its own users and personnel operate in compliance with applicable Data Protection Laws.
7.4. Confidentiality Obligations. Blerify ensures that all personnel authorized to process Customer Personal Data are bound by confidentiality obligations and receive appropriate training on data protection and information security.
7.5. Security Reviews. Upon reasonable request, and subject to reasonable confidentiality obligations, Blerify shall provide Customer with relevant information to demonstrate compliance with this Section, which may include security certifications, audit summaries, or relevant documentation.
8. Sub-processing
8.1. Authorization to Use Sub-processors. Customer hereby grants Blerify a general written authorization to engage Sub-processors for the Processing of Customer Personal Data as necessary to provide the Services.
8.2. Sub-processor Obligations. Blerify shall ensure that any Sub-processor it engages is subject to a written agreement imposing data protection obligations that are substantially equivalent to those set out in this Data Processing Addendum, in accordance with applicable Data Protection Laws.
8.3. Sub-processor List and Changes. Upon Customer’s written request, Blerify shall provide a current list of Sub-processors involved in the Processing of Customer Personal Data. Blerify shall notify Customer in advance of any intended addition or replacement of Sub-processors, thereby giving Customer the opportunity to object on reasonable grounds within thirty (30) days of such notification.
8.4. Current Sub-processors. Without limiting the generality of the above, Customer acknowledges and agrees that Blerify may engage trusted third-party infrastructure and service providers, such as cloud computing and database hosting services, for the secure and scalable operation of the Services. These may include, for example, Amazon Web Services (AWS), Google Cloud Platform (GCP), Firebase, or similar providers.
9. Data Subject Rights
To the extent required by applicable Data Protection Laws, Processor shall provide reasonable assistance to Controller, at Controller’s cost and upon written request, to enable Controller to fulfill its obligation to respond to requests from Data Subjects exercising their rights under such laws, including (where applicable) rights of access, rectification, erasure, restriction, objection, portability, and the right not to be subject to automated decision-making.
Processor shall not respond directly to any request from a Data Subject unless instructed in writing by Controller or required by applicable law. If Processor receives a request directly from a Data Subject relating to the Personal Data processed under this DPA, it shall promptly notify Controller and await further instructions, unless legally prohibited from doing so.
Controller is solely responsible for ensuring that appropriate mechanisms and legal bases are in place to collect, process, and respond to Data Subjects’ requests and to comply with all transparency and notice obligations under applicable law.
10. Personal Data Breach
In the event of a Personal Data Breach affecting Personal Data processed on behalf of the Controller, Blerify shall:
(a) Notify the Controller without undue delay, and in any case within 72 hours of becoming aware of the breach;
(b) Provide the Controller with all relevant information regarding the nature of the breach, including:
(c) Assist the Controller in complying with any legal obligations to notify the breach to supervisory authorities or affected Data Subjects, in accordance with applicable Data Protection Laws;
(d) Maintain internal records of all Personal Data Breaches as required under applicable Data Protection Laws.
Blerify shall not be liable for any delay in notification caused by the Controller’s failure to provide accurate or updated contact information.
11. General Terms
11.1. The aggregate liability of each party, including its Affiliates, arising out of or in connection with this Addendum—whether in contract, tort, or under any other theory of liability—shall be subject to the limitations and exclusions of liability set forth in the Agreement(s). Any reference to a party’s liability in such sections shall include its Affiliates and shall apply to this Addendum to the maximum extent permitted by applicable law, including data protection laws.
11.2. No modification, amendment, or waiver of any provision of this Addendum shall be effective unless made in writing and signed by duly authorized representatives of both parties.
11.3. Any ambiguity in the interpretation of this Addendum shall be resolved to permit the parties to comply with applicable data protection laws, including the GDPR, the U.S. data protection regulations, the Panamanian Law 81 of 2019, and other relevant laws as applicable.
11.4. This Addendum constitutes the entire agreement between the parties with respect to the subject matter hereof and supersedes any prior or contemporaneous understandings or agreements, oral or written, regarding the processing and protection of Personal Data. All other terms of the Agreement(s) not expressly modified by this Addendum shall remain in full force and effect, including, without limitation, provisions on governing law, jurisdiction, dispute resolution, and limitation of liability, provided they do not contradict mandatory requirements of applicable data protection laws.
11.5. If any provision of this Addendum is held to be invalid or unenforceable, the remaining provisions shall remain in full force and effect. The invalid or unenforceable provision shall be replaced with a valid provision that best reflects the parties’ intent and complies with applicable law.
11.6. If the Processor determines that it can no longer meet its obligations under this Addendum or applicable data protection laws, it shall promptly notify the Controller and either cease the relevant Processing activities or implement appropriate measures to ensure compliance, as mutually agreed.
11.7. Any notices required under this Addendum shall be provided in accordance with the notice provisions of the Agreement(s). A copy of any such notice (for informational purposes only) shall also be sent to: [email protected]