Data Protection Agreement

Last Updated: December 2023

This Data Protection Agreement (“DPA”) is incorporated into the Agreement by reference from the Order Form and forms part of the Agreement between Blink and the Customer for the provision of the Services by Blink to Customer, and sets out the terms on which Blink may process personal data comprised in: (a) Blink Controller Data as a controller; and (b) Customer Personal Data as a processor for or on behalf of the Customer (who is the Controller of Customer Personal Data).

1. DEFINITIONS AND RULES OF INTERPRETATION

1.1. Terms not otherwise defined in this DPA shall have the meaning given to them elsewhere in the Agreement and all rules of interpretation as set out elsewhere in the Agreement shall apply in this DPA.

1.2. The following additional definitions shall apply in this DPA:

Blink Controller Data: means the categories of personal data set out in Blink’s Privacy Policy from time to time, processed by Blink as a controller in connection with Blink’s business and/or the Agreement.

Business Contact: means an individual working on behalf of Customer who acts as Blink's business relationship contact with Customer and/or otherwise manages, discusses and/or signs the Agreement with Blink.

Customer Personal Data: means the categories of personal data set out at Schedule 1 processed by Blink as a processor in connection with the Agreement.

Data Protection Legislation: means the UK GDPR, the EU GDPR, the FADP, the Australian Privacy Act 1988, and any other applicable laws relating to the processing of personal data and privacy as amended from time to time in each case to the extent applicable to the relevant processing by either party in connection with the Agreement.

End-user: means Allocated Users and Authorised Users (excluding Admin Users to the extent they are using the Services via an administrator account).

EU GDPR: means the General Data Protection Regulation ((EU) 2016/679).

EU Personal Data: means Customer Personal Data which is processed subject to Data Protection Legislation of the EU, a Member State of the EU, or the European Economic Area.

FADP: means the Swiss Federal Act on Data Protection.

Personal Data: means the Customer Personal Data and the Blink Controller Data.

Personal Data Breach: means any accidental, unauthorised, or unlawful destruction, loss, alteration, or disclosure of, or access to the Customer Personal Data.

Protected Area: means:
a) in the case of EU Personal Data, the member states of the EU and the European Economic Area and any country, territory, sector, or international organisation in respect of which an adequacy decision under Art.45 EU GDPR is in force;
b) in the case of UK Personal Data, the UK and any country, territory, sector, or international organisation in respect of which an adequacy decision under UK adequacy regulations is in force; or
c) in the case of Swiss Personal Data, any country, territory, sector, or international organisation which is recognised as adequate under the laws of Switzerland.

Swiss Personal Data: means Customer Personal Data to which the FADP is applicable.

UK GDPR: means the EU GDPR as applicable as part of UK domestic law by virtue of section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (as amended).

UK Personal Data: means Customer Personal Data which is processed subject to Data Protection Legislation of the UK.

controller, processor, sub-processor, process and processing, data subject, special category data, and personal data shall have the meanings ascribed to those terms in Data Protection Legislation.

2. ROLES OF THE PARTIES

2.1. The parties acknowledge that for the purposes of Data Protection Legislation:
a) the Customer is the controller and Blink is the processor in respect of Customer Personal Data; and
b) the Customer and Blink each act as independent controllers (or, as applicable, Blink acts solely as a data controller) of the Blink Controller Data.

2.2. The provisions of clauses 3.2 to 3.8 shall apply to Blink’s processing of Customer Personal Data.

2.3. The provisions of clause 3.9 shall apply to each party’s processing of Blink Controller Data and each party shall remain responsible for its own compliance with Data Protection Legislation.

3. OBLIGATIONS OF THE PARTIES

General

3.1. The Customer shall, in respect of any personal data it provides or makes available to Blink:
a) ensure that relevant data subjects are provided with clear and sufficient information about the collection and processing of personal data under this Agreement in accordance with Data Protection Legislation, including an explicit reference to Blink as an entity with whom Customer Personal Data is shared;
b) ensure it has a legal basis for processing the Customer Personal Data as required by and in accordance with Data Protection Legislation, taking into account the sharing or making available of such Customer Personal Data with Blink and the subsequent processing of such Customer Personal Data by Blink; and
c) not cause Blink, Blink's affiliates, or Blink's sub-processors to be in breach of their respective obligations under Data Protection Legislation by reason of an act or omission of the Customer.

3.2. Each party agrees that it will comply with the Australian Data Protection Terms set out in Schedule 3 to this Agreement whenever and to the extent that the Data Protection Legislation of Australia is applicable to it, either because it is itself subject to such Data Protection Legislation or because it is processing Personal Data on behalf of a party to whom such Data Protection Legislation applies.

Customer Personal Data

3.3. The subject-matter of Blink's processing of the Customer Personal Data is the provision of the Services by Blink to Customer, and the Customer's rights and obligations are set out in the Agreement. Schedule 1 sets out the nature, duration, and purpose of the processing of the Customer Personal Data, the categories of Customer Personal Data processed, and the relevant categories of data subjects.

3.4. Blink shall, in relation to any Customer Personal Data processed in connection with the performance by Blink of its obligations under the Agreement and solely to the extent required by applicable Data Protection Legislation:
a) process that Customer Personal Data only on the written instructions of the Customer unless Blink is required by applicable law to process that Personal Data for any other purpose, in which case Blink shall notify the Customer of this before performing the processing required by the applicable law, unless that applicable law prohibits Blink from so notifying the Customer on important grounds of public interest. Blink shall immediately notify the Customer if, in its opinion, an instruction given under this clause 3.4(a) infringes Data Protection Legislation, it being acknowledged that Blink shall not be obliged to undertake additional work to determine if the Customer’s instructions are compliant;
b) ensure that (relative to its business) it has in place appropriate technical and organisational measures to protect against unauthorised or unlawful processing of or modification of or access to Customer Personal Data and against accidental loss or destruction of, misuse, interference or damage to, Customer Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures;
c) ensure that all personnel who have access to and/or process Customer Personal Data are obliged to keep the Customer Personal Data confidential;
d) assist the Customer, at the Customer’s cost, in responding to any request from a data subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;
e) notify the Customer without undue delay on becoming aware of a Personal Data Breach in relation to the Customer Personal Data;
f) at the written direction of the Customer, delete or return Customer Personal Data and copies thereof to the Customer on termination of the Agreement unless required by applicable law to store the Customer Personal Data; and
g) maintain complete and accurate records and information during the term of the Agreement to demonstrate its compliance with this clause 3.4, and permit audits to demonstrate such compliance, providing that any such audit (i) is requested not more than once annually; (ii) on a minimum of 30 days written notice; (iii) is undertaken by the Customer's designated independent auditor; and (iv) at the Customer's cost. If the Customer's request for information or audit relates to a sub-processor or information held by a sub-processor, the Customer acknowledges that access to that sub-processor’s premises or information is subject to agreement from that sub-processor, and that Blink cannot guarantee access to that sub-processor's premises or information at any particular time, or at all.

3.5. The Customer hereby authorises Blink to transfer Customer Personal Data outside of the Protected Area in connection with the Agreement, which shall be in accordance with an appropriate transfer mechanism under Data Protection Legislation.

3.6. The Customer hereby gives its general written authorisation to Blink appointing sub-processors in accordance with this clause 3.6 for the purpose of processing Customer Personal Data in connection with the Agreement. The sub-processors approved by the Customer as at the date of this Agreement are (i) Blink's affiliates and (ii) the third-party sub-processors listed in Schedule 2. Blink can at any time appoint a new sub-processor provided that, where notice and an objection right is so required by Data Protection Legislation, the Customer is given 30 days prior notice, and the Customer does not reasonably object within that timeframe. If the Customer does reasonably object within that timeframe (to the extent the objection right is applicable as above), Blink shall use reasonable efforts to make available to the Customer a change in the services to avoid the processing of Customer Personal Data by the objected-to sub-processor. If Blink is unable to make available such change within a reasonable period of time, or the Customer does not approve any such changes proposed by Blink, the Customer may (to the extent the objection right is applicable as above), by providing written notice to Blink, terminate the relevant portion of the services provided that the Customer must promptly pay all correctly due sums to the point of termination to Blink.

3.7. To the extent required by applicable Data Protection Legislation, Blink confirms that it has entered or (as the case may be) will enter with such third-party sub-processors into written agreements which contain obligations substantially similar to the obligations relating to Customer Personal Data under this DPA.

3.8. Blink shall remain fully liable for all acts and omissions of any third-party sub-processor appointed by it pursuant to this DPA.

Blink Controller Data

3.9. In respect of the Blink Controller Data, each party will:
a) provide the other party with such assistance and co-operation as it reasonably requests to enable the requesting party to comply with its obligations under Data Protection Legislation;
b) promptly notify the other party in writing if:
  i) any data subject request or notice, correspondence, or other communication from a regulator or supervisory body it receives relates in whole or part to the other party's processing, taking into account the required timeframe for responding to such request or communication, and including a copy of such relevant request or communication in such notification; and
  ii) action required to be taken by that party as a result of a data subject request might reasonably be expected to affect the other party's processing, in which case the parties shall co-operate in good faith to mitigate any adverse business impact of responding to such a request.

3.10. In regard to Blink’s use of Blink Controller Data, Blink’s Privacy Policy shall apply and in regard to Customer’s use of personal data comprised in Blink Controller Data, Customer’s own privacy notice from time to time shall apply, which it shall be solely responsible for providing to data subjects.

Schedule 1

CUSTOMER PERSONAL DATA

Categories of data subject

The Customer Personal Data concerns the following categories of data subjects:
• End-users
• Admin Users

Nature and purpose of processing operations

The Customer Personal Data will be processed as follows:

In respect of End-users and Admin Users:
• in order to make the Services available to End-users/Admin Users, including:
  o to personalise the Services to their needs;
  o to allow them to participate in interactive features of the Services, when they choose to do so;
  o to enable messaging between End-users or between Admin Users and End-users via the Blink Apps;
  o to allow them to connect to, or link through to Customer’s own services and websites or Third Party Services via the Blink Apps (for example, third party payslip providers); and
  o to ensure that the Blink Apps are presented in the most effective manner for them and for their device;
• to send End-users/Admin Users service and administrative in-app communications and email messages which are necessary for Blink to make the Services available to them, such as those reminding them that they have messages waiting, or those notifying them about changes to the Services (but excluding any promotional material);
• to provide End-users/Admin Users with support related to the Services;
• to keep the Services safe and secure; and
• where requested by Customer and in accordance with applicable law, to provide Customer with chat messages and feed posts & comments from the Blink Apps in connection with Customer's moderation activities.

In addition, in respect of Admin Users:
• to provide and support Admin Users with enhanced functionality in the Blink Apps, for example the ability to request Blink to amend the Services’ settings.

Categories of data

The Customer Personal Data concerns the following categories of personal data:

In respect of both End-users and Admin Users:
• Name
• Employee id
• Contact Details
  o Email address
  o Phone number
• Social media handles
• Profile Photo
• IP Address
• Chat Messages
• Feed Posts & Comments
• Device Details
• Device ID
  o OS & version
  o Browser version details

In addition, in respect of Admin Users:
• Content of customer support messages between the Admin Users and Blink in relation to enhanced functionality in the Blink Apps.

Special categories of data

To the extent End-users choose to input special category data as part of their responses to the diversity & inclusion survey modules hosted by the Blink Apps then this will be processed by Blink as Customer Personal Data on Customer's behalf. The categories of special category data included in such survey responses will be dependent on Customer's configuration of relevant survey but may include (for example) data concerning racial or ethnic origin, health, sex, or sexual orientation.

Duration of Processing

The Customer Personal Data shall be processed for the term of the Agreement or for such longer or shorter period as Blink provides data processing services under the Agreement. Following the termination of the Agreement, Blink will, at the Customer’s request, remove all Customer Personal Data within 30 days, unless required by applicable law to store the Customer Personal Data.

API log data (including source IP addresses) is maintained for 90 days for the purpose of threat detection and analysis.

Schedule 2

APPROVED SUB-PROCESSORS

Amazon Web Services EMEA SARL
38 avenue John F. Kennedy, L-1855  
Luxembourg

Service: Core cloud network, compute & storage.
Scope: hosting and infrastructure of Blink services.

Google LLC
1600 Amphitheatre Parkway, Mountain View, CA 94043 USA

Service: Mobile error reporting.
Scope: For error reporting, Google stores some device information and Blink user ids, but no other personal data.

Service: Offsite Backups
Scope: Back-ups of data input into Blink services.

Service: Android Push Notifications (Encrypted)
Scope: Where consent is provided, it notifies the user of activity in the Blink App.

Apple Inc.
One Apple Park Way, Cupertino, California 95014, USA

Service: Translation Services.
Scope: Automatic in-app translation of content on the Blink Apps to a set of available languages. This is on a per End-user basis.

Microsoft Ireland Operations Limited
1 Microsoft Plc, Leopardstown South County Business Park Dublin 18, D18 P521 Ireland

Service: Core cloud network, compute & storage.
Scope: hosting and infrastructure of Blink services.

Functional Software Inc., T/A Sentry 
132 Hawthorne Street, San Francisco, California, 94107, USA

Service: Web / Desktop error reporting
Scope: Sentry stores some device information related to the error and the Blink user id, but no other personal data

Twilio 
375 Beale Street, Suite 300 San Francisco, CA 94105, USA

Service: SMS Delivery 
Scope: SMS invitations for End-users to join Blink where customer chooses to send out invitations via phone numbers.  

The Rocket Science Group, LLC T/A Mailchimp 
675 Ponce de Leon Ave NE Suite 5000. Atlanta, GA 30308 USA

Service: Transactional emails
Scope: End-user email invitations and reminders, email verification, one time password notifications, password reset and missed content emails.  

Mixpanel 
One Front Street, 28th Floor, San Francisco, CA 94111 USA

Service: app usage analytics 
Scope: Mixpanel contains Blink user IDs, device details and linked app actions to assist with troubleshooting and support.

HubSpot 
25 First Street, 2nd Floor Cambridge, MA 02141 USA

Service: Customer relationship management  
Scope: launch and implementation rollout plans; newsletters with product and feature updates to Admins; outage updates.

Intercom
55 2nd St. 4th Floor, San Francisco, CA 94105 U.S.A.

Service: Support ticketing system 
Scope: email and chat support for admins and specific End-users (when an End-user submits a support request).

Schedule 3

Australian Data Protection Terms

1.1 When this Schedule 3 applies the following terms are taken to have the following meanings:
(a) "data subject" includes "individual" as defined in s6 of the Privacy Act;
(b) "Personal Data Breach" includes "eligible data breach" as defined in s6 of the Privacy Act;
(c) "Personal Data" includes "personal information" as defined in s6 of the Privacy Act;
(d) "process" includes "collect", "disclose", "hold" and "use" (as the context requires), as defined in section 6 of the Australian Privacy Act;
(e) "Protected area" for the purpose of processing Personal Data in accordance with this schedule, includes Australia and its external territories and any country where Blink reasonably believes that the law or binding scheme that has the effect of protecting the Personal Data in that country is substantially similar to the way the Australian Privacy Act protects Personal Data and mechanisms can be accessed by Blink to enforce the protection of that law or binding scheme; and
(f) "Privacy Act" means the Privacy Act 1988 (Cth).

1.2 Each party must comply with the Privacy Act when undertaking its obligations under or in connection with this agreement.

1.3 The Customer warrants that it has obtained from all data subjects the necessary consents and rights required to disclose the Personal Data to Blink in order for Blink to use that Personal Data in accordance with the Agreement, and has provided data subjects with any requisite notifications, as required under applicable Data Protection Laws and Regulations.

1.4 Nothing in this agreement:
(a) excludes, restricts, or modifies any obligations that a party has under the Privacy Act; or
(b) limits or affects a person’s right to request access to or the correction of their Personal Data.