Data Processing Agreement

• Personal Data: any information relating to an identified or identifiable natural person processed by StackBlaze on behalf of the Customer
• Processing: any operation performed on Personal Data, including storage, retrieval, disclosure, or deletion
• Controller: the Customer, who determines the purposes and means of processing
• Processor: StackBlaze, who processes data on the Controller's behalf
• Sub-processor: a third party engaged by StackBlaze to assist in processing Customer Personal Data
• Data Subject: the individual whose Personal Data is being processed
• Applicable Law: GDPR, UK GDPR, CCPA, and any other applicable data protection legislation

Nature and Purpose

StackBlaze processes Personal Data only to the extent necessary to provide the cloud deployment platform as described in the Terms of Service. Processing includes: hosting, storing, transmitting, and managing containerised workloads and associated databases as configured by the Customer.

Types of Personal Data

The categories of Personal Data processed depend on what the Customer chooses to deploy on StackBlaze. StackBlaze does not inspect or categorise Customer Personal Data; the Customer is solely responsible for ensuring the lawfulness of processing.

Restricted Use

• StackBlaze will not process Customer Personal Data for any purpose other than providing the contracted service
• StackBlaze will not combine Customer Personal Data with data from other customers
• StackBlaze will not use Customer Personal Data for advertising or profiling
• StackBlaze employees are prohibited from accessing Customer workloads except as necessary for support (with Customer consent) or security incident response

StackBlaze commits to:

Confidentiality

• Ensure all personnel with access to Personal Data are bound by confidentiality obligations
• Limit access to Personal Data to employees who need it to perform their job

Security Measures

• Implement and maintain appropriate technical and organisational measures as described on our Security page
• Conduct annual penetration testing by an independent third party
• Maintain encryption at rest (AES-256) and in transit (TLS 1.3) for all Customer data
• Operate a vulnerability disclosure programme and patch critical vulnerabilities within 30 days

Data Subject Requests

• Promptly notify the Customer of any data subject requests received from Data Subjects relating to Customer Personal Data
• Provide reasonable assistance to the Customer in fulfilling its obligations to respond to Data Subject requests
• Not respond directly to Data Subjects on the Customer's behalf without prior written authorisation

Audits

• Maintain records of all processing activities for a minimum of 3 years post-termination
• Make available information necessary to demonstrate compliance with this DPA upon reasonable request
• Allow for and contribute to audits conducted by the Customer or a mandated third-party auditor, on 30 days' notice

StackBlaze engages the following categories of sub-processors to provide the service. A current list of named sub-processors is maintained at stackblaze.com/subprocessors.

• Infrastructure: bare-metal hosting providers in the EU and US
• Payments: Stripe, Inc. (payment processing and invoicing)
• Observability: log aggregation and metrics platform
• Support: customer support ticketing system
• Email: transactional email delivery

New Sub-processors

StackBlaze will provide at least 10 days' notice before authorising a new sub-processor that will have access to Customer Personal Data. Notice will be given by email and via our sub-processor changelog. Customers may object to new sub-processors on reasonable data protection grounds within the notice period.

In the event of a personal data breach affecting Customer Personal Data, StackBlaze will:

• Notify the Customer without undue delay, and in any event within 72 hours of becoming aware of the breach
• Provide details of the nature of the breach, categories and approximate number of individuals affected, likely consequences, and measures taken or proposed
• Cooperate with the Customer in its obligations to notify supervisory authorities and Data Subjects

Breach notifications will be sent to the security contact email address on the Customer's account.

Where Personal Data is transferred outside the European Economic Area (EEA), the United Kingdom, or Switzerland, StackBlaze will ensure an adequate level of protection using one or more of the following mechanisms:

• Standard Contractual Clauses (SCCs), EU Commission Decision 2021/914 (Module 2: Controller to Processor)
• UK International Data Transfer Addendum to the EU SCCs
• Swiss Federal Act on Data Protection equivalent mechanisms

Customers who require SCCs to be formally executed should contact legal@stackblaze.com.

Upon termination of the StackBlaze subscription or upon written request:

• The Customer has 30 days to export all Customer Personal Data using the platform's data export tools
• After the 30-day window, StackBlaze will securely delete all Customer Personal Data from active systems within 14 days
• Backup copies will be purged within 90 days of deletion from active systems
• StackBlaze will provide a written confirmation of deletion upon request
• Anonymised aggregated usage statistics are not considered Personal Data and may be retained

For DPA execution requests, questions about our sub-processors, or data protection enquiries:

• Email: legal@stackblaze.com
• Address: StackBlaze, Inc., 1234 Cloud Drive, San Francisco, CA 94107, USA

EU/EEA and UK customers may also contact our EU Representative at the address above, marked “Attn: EU Representative”.