Data Processing Agreement

This DPA is part of the Terms of Service and governs personal data that blipee processes on behalf of the Customer (Controller) when delivering the service.

Term: same as the main contract.

The Customer is the data controller.

GRNL, Lda. ("blipee"), with registered office at Rua Teixeira de Pascoais, 1, Estoril, tax number 517262100, is the processor.

Where blipee determines means and purposes for its own use (e.g. billing data or aggregated operational metrics), it acts as an independent controller — covered by the Privacy Policy.

blipee only processes personal data on documented instructions from the Customer — captured in the contract and the platform configuration.

Ad-hoc instructions go in writing to dpa@blipee.com.

If an instruction breaks applicable law, blipee will let the Customer know without undue delay.

Every blipee employee with access to personal data is bound by an NDA with confidentiality obligations that survive after they leave.

Access is audited and follows least-privilege.

The current list of subprocessors — with the identity, location and purpose of each one — is available in our Trust center and forms part of this DPA.

We notify the Customer of any change to the list at least 30 days in advance, during which the Customer can object on reasonable data-protection grounds. Absent objection within that period, the change is deemed accepted.

We contractually require each subprocessor to meet obligations equivalent to ours.

Personal data is hosted in the European Union (EEA).

Where, exceptionally, subprocessors operate outside the EU/EEA, we use the European Commission’s Standard Contractual Clauses (Decision 2021/914) plus additional safeguards where required.

When we receive a request directly from a data subject concerning data we process on behalf of the Customer, we do not respond directly and we forward the request to the Customer without undue delay.

Requests concerning data that blipee processes as an independent controller follow the Privacy Policy.

We give the Customer in-platform tools and APIs to handle access, rectification, erasure and portability requests.

We notify the Customer of any personal data breach without undue delay after becoming aware of it, so as to allow the Customer to meet its own notification deadlines to the supervisory authority.

The notification covers the nature of the breach, the categories and approximate number of data subjects and records affected, the likely consequences, and the measures taken or proposed.

The Customer may audit compliance with this DPA once a year, with 30 days’ notice.

Alternatively we accept audits by an independent third party under NDA.

Once the SOC 2 report is complete, it will be made available under NDA to cover most audit requests.

After the contract ends: data exported in standard formats within 30 days, on request.

Permanent deletion (backups included) within 90 days of contract end, except where retention is required by law.