The parties agree that this Block Protocol Data Protection Agreement (“DPA”) sets forth their obligations with respect to the processing and security of Personal Data and, where explicitly stated in the DPA Terms, Customer Data in connection with the Online Services provided by HASH, Inc. ("the Block Protocol" and "Block Protocol").
The DPA (including its Appendix and Attachments) is between the Block Protocol and any customer receiving Online Services from the Block Protocol based on the Block Protocol Customer Agreement (“Customer”), and is incorporated by reference into the Block Protocol Customer Agreement.
In the event of any conflict or inconsistency between the DPA Terms and any other terms in the Block Protocol Customer Agreement, the DPA Terms will prevail. The provisions of the DPA Terms supersede any conflicting provisions of the Block Protocol Privacy Statement that otherwise may apply to processing of Personal Data. For clarity, the Standard Contractual Clauses prevail over any other term of the DPA Terms.
When Customer renews or purchases a new subscription to an Online Service, the then-current DPA Terms will apply and will not change during the term of that new subscription for that Online Service.
Notwithstanding the foregoing limits on updates, when the Block Protocol introduces features, supplements or related software that are new (i.e., that were not previously included with the subscription), the Block Protocol may provide terms or make updates to the DPA that apply to Customer’s use of those new features, supplements or related software. If those terms include any material adverse changes to the DPA Terms, the Block Protocol will provide Customer a choice to use the new features, supplements, or related software, without loss of existing functionality of a generally available Online Service. If Customer does not use the new features, supplements, or related software, the corresponding new terms will not apply.
Notwithstanding the foregoing limits on updates, the Block Protocol may modify or terminate an Online Service in any country or jurisdiction where there is any current or future government requirement or obligation that (1) subjects the Block Protocol to any regulation or requirement not generally applicable to businesses operating there, (2) presents a hardship for the Block Protocol to continue operating the Online Service without modification, and/or (3) causes the Block Protocol to believe the DPA Terms or the Online Service may conflict with any such requirement or obligation.
The Block Protocol may provide Customer with information and notices about Online Services electronically, including via email, or through a web site that the Block Protocol identifies. Notice is given as of the date it is made available by the Block Protocol.
The DPA Terms provide terms for Online Services that are currently available. For earlier versions of the DPA Terms, Customer may contact its reseller or Block Protocol Account Manager.
Capitalized terms used but not defined in this DPA will have the meanings provided in the Block Protocol Customer Agreement. The following defined terms are used in this DPA:
Lower case terms used but not defined in this DPA, such as “personal data breach”, “processing”, “controller”, “processor”, “profiling”, “personal data”, and “data subject” will have the same meaning as set forth in Article 4 of the GDPR, irrespective of whether GDPR applies. The terms “data importer” and “data exporter” have the meanings given in the Standard Contractual Clauses.
For clarity, and as detailed above, data defined as Customer Data, Diagnostic Data, Service Generated Data, and Professional Services Data may contain Personal Data. For illustrative purposes, please see the chart below:
|Type of data
|May contain Support Data
|May contain Personal Data
|“provided” by Customer
|“collected” or “obtained” from software installed by Customer
|Service Generated Data
|“generated” or “derived” by the Block Protocol
|Professional Services Data
|“provided” by Customer in connection with "Professional Services”
|“provided” by Customer in connection with technical support
|“information relating to an identified or identifiable natural person”
The above table outlines the various data types defined in the DPA. All Personal Data is processed as a part of one of the other data types (all of which also include non-personal data). Support Data is a sub-set of Professional Services Data. Except where explicitly stated otherwise, the DPA Terms exclusively apply to Personal Data.
The Block Protocol will comply with all laws and regulations applicable to its provision of the Online Services, including security breach notification law and Data Protection Requirements. However, the Block Protocol is not responsible for compliance with any laws or regulations applicable to Customer or Customer’s industry that are not generally applicable to information technology service providers. The Block Protocol does not determine whether Customer Data includes information subject to any specific law or regulation. All Security Incidents are subject to the Security Incident Notification terms below.
Customer must comply with all laws and regulations applicable to its use of Online Services, including laws related to biometric data, confidentiality of communications, and Data Protection Requirements. Customer is responsible for determining whether the Online Services are appropriate for storage and processing of information subject to any specific law or regulation and for using the Online Services in a manner consistent with Customer’s legal and regulatory obligations. Customer is responsible for responding to any request from a third party regarding Customer’s use of an Online Service, such as a request to take down content under the U.S. Digital Millennium Copyright Act, including in accordance with the HASH Copyrighted Materials (DMCA) Policy, or other applicable laws.
This section of the DPA includes the following subsections:
The DPA Terms apply to all Online Services.
Previews may employ lesser or different privacy and security measures than those typically present in the Online Services. Unless otherwise noted, Customer should not use Previews to process Personal Data or other data that is subject to legal or regulatory compliance requirements. The following terms in this DPA do not apply to Previews: Processing of Personal Data; GDPR, Data Security, and California Consumer Privacy Act.
Except as otherwise stated in the DPA Terms, the Block Protocol will use and otherwise process Customer Data and Personal Data as described and subject to the limitations provided below (a) to provide Customer the Online Service in accordance with Customer’s documented instructions, and/or (b) for the Block Protocol’s legitimate business operations incident to delivery of the Online Services to Customer. As between the parties, Customer retains all right, title and interest in and to Customer Data. The Block Protocol acquires no rights in Customer Data other than the rights Customer grants to the Block Protocol in this section. This paragraph does not affect the Block Protocol’s rights in software or services the Block Protocol licenses to Customer.
For purposes of this DPA, “to provide” an Online Service consists of:
When providing Online Services, the Block Protocol will use or otherwise process Personal Data only on Customer’s behalf and in accordance with Customer’s documented instructions.
For purposes of this DPA, “the Block Protocol’s legitimate business operations” consist of the following, each as incident to delivery of the Online Services to Customer: (1) billing and account management; (2) compensation (e.g., calculating employee commissions and partner incentives); (3) internal reporting and business modeling (e.g., forecasting, revenue, capacity planning, product strategy); (4) combatting fraud, abuse, cybercrime, or cyber-attacks that may affect the Block Protocol or Online Services; (5) improving the core functionality of accessibility, privacy or energy-efficiency; (6) financial reporting and compliance with legal obligations (subject to the limitations on disclosure of Processed Data outlined below); (7) the creation or management of end user accounts and profiles by the Block Protocol for individual users of Customer (except where Customer creates, manages or otherwise controls such end user accounts or profiles itself); and (8) other purposes pertaining to Personal Data not provided by Customer for storage in Block Protocol projects, workspaces, repositories or in connection with Professional Services.
When processing for the Block Protocol’s legitimate business operations, the Block Protocol will not use or otherwise process Personal Data for: (a) user profiling, (b) advertising or similar commercial purposes, (c) data selling or brokering, or (d) any other purpose, other than for the purposes set out in this section.
The Block Protocol will not disclose or provide access to any Processed Data except: (1) as Customer directs; (2) as described in this DPA; or (3) as required by law. For purposes of this section, “Processed Data” means: (a) Customer Data; (b) Personal Data and (c) any other data processed by the Block Protocol in connection with the Online Service that is Customer’s confidential information under the Block Protocol Customer Agreement. All processing of Processed Data is subject to the Block Protocol’s obligation of confidentiality under the Block Protocol Customer Agreement.
The Block Protocol will not disclose or provide access to any Processed Data to law enforcement unless required by law. If law enforcement contacts the Block Protocol with a demand for Processed Data, the Block Protocol will attempt to redirect the law enforcement agency to request that data directly from Customer. If compelled to disclose or provide access to any Processed Data to law enforcement, the Block Protocol will promptly notify Customer and provide a copy of the demand, unless legally prohibited from doing so.
Upon receipt of any other third-party request for Processed Data, the Block Protocol will promptly notify Customer unless prohibited by law. The Block Protocol will reject the request unless required by law to comply. If the request is valid, the Block Protocol will attempt to redirect the third party to request the data directly from Customer.
The Block Protocol will not provide any third party: (a) direct, indirect, blanket, or unfettered access to Processed Data; (b) platform encryption keys used to secure Processed Data or the ability to break such encryption; or (c) access to Processed Data if the Block Protocol is aware that the data is to be used for purposes other than those stated in the third party’s request.
In support of the above, the Block Protocol may provide Customer’s basic contact information to the third party.
All Personal Data processed by the Block Protocol in connection with the Online Services is obtained as part of either Customer Data, Professional Services Data (including Support Data), Diagnostic Data, or Service Generated Data. Personal Data provided to the Block Protocol by, or on behalf of, Customer through use of the Online Service is also Customer Data. Pseudonymized identifiers may be included in Diagnostic Data or Service Generated Data and are also Personal Data. Any Personal Data pseudonymized, or de-identified but not anonymized, or Personal Data derived from Personal Data is also Personal Data.
To the extent the Block Protocol is a processor or sub-processor of Personal Data subject to the GDPR, the GDPR Related Terms in Attachment 3 govern that processing and the parties also agree to the following terms in this sub-section (“Processing of Personal Data; GDPR”):
Customer and the Block Protocol agree that Customer is the controller of Personal Data and the Block Protocol is the processor of such data, except (a) when Customer acts as a processor of Personal Data, in which case the Block Protocol is a sub-processor; or (b) as stated otherwise in the Block Protocol Customer Agreement or this DPA. When the Block Protocol acts as the processor or sub-processor of Personal Data, it will process Personal Data only on Customer’s behalf and in accordance with documented instructions from Customer. Customer agrees that its Block Protocol Customer Agreement (including the DPA Terms and any applicable updates), along with the product documentation and Customer’s use and configuration of features in the Online Services, are Customer’s complete documented instructions to the Block Protocol for the processing of Personal Data. Information on use and configuration of the Online Services can be found at blockprotocol.org/docs or a successor location.
Any additional or alternate instructions must be agreed to according to the process for amending Customer’s Block Protocol Customer Agreement. In any instance where the GDPR applies and Customer is a processor, Customer warrants to the Block Protocol that Customer’s instructions, including appointment of the Block Protocol as a processor or sub-processor, have been authorized by the relevant controller.
To the extent the Block Protocol uses or otherwise processes Personal Data subject to the GDPR for the Block Protocol’s legitimate business operations incident to delivery of the Online Services to Customer, the Block Protocol will comply with the obligations of an independent data controller under GDPR for such use. The Block Protocol is accepting the added responsibilities of a data “controller” under the GDPR for processing in connection with its legitimate business operations to: (a) act consistent with regulatory requirements, to the extent required under the GDPR; and (b) provide increased transparency to Customers and confirm the Block Protocol’s accountability for such processing. The Block Protocol employs safeguards to protect Personal Data in processing, including those identified in this DPA and those contemplated in Article 6(4) of the GDPR. With respect to processing of Personal Data under this paragraph, the Block Protocol makes the commitments set forth in the Standard Contractual Clauses set forth in Attachment 1 or Attachment 2 (as applicable); for those purposes, (i) any Block Protocol disclosure of Personal Data, as described in Annex IV to Attachment 1, that has been transferred in connection with the Block Protocol’s legitimate business operations is deemed a “Relevant Disclosure” and (ii) the commitments in Annex IV to Attachment 1 apply to such Personal Data.
The parties acknowledge and agree that:
The Block Protocol will make available to Customer, in a manner consistent with the functionality of the Online Service and the Block Protocol’s role as a processor of Personal Data of data subjects, the ability to fulfill data subject requests to exercise their rights under the GDPR. If the Block Protocol receives a request from Customer’s data subject to exercise one or more of its rights under the GDPR in connection with an Online Service for which the Block Protocol is a data processor or sub-processor, the Block Protocol will redirect the data subject to make its request directly to Customer. Customer will be responsible for responding to any such request including, where necessary, by using the functionality of the Online Service. The Block Protocol shall comply with reasonable requests by Customer to assist with Customer’s response to such a data subject request.
To the extent the GDPR requires the Block Protocol to collect and maintain records of certain information relating to Customer, Customer will, where requested, supply such information to the Block Protocol and keep it accurate and up-to-date. the Block Protocol may make any such information available to the supervisory authority if required by the GDPR.
The Block Protocol will implement and maintain appropriate technical and organizational measures and security safeguards against accidental or unlawful destruction, or loss, alteration, unauthorized disclosure of or access to, Customer Data and Personal Data processed by the Block Protocol on behalf and in accordance with the documented instructions of Customer in connection with the Online Services. The Block Protocol will regularly monitor compliance with these measures and safeguards and will continue to take appropriate steps throughout the term of the Block Protocol Customer Agreement. Appendix A – Security Safeguards contains a description of the technical and organizational measures and security safeguards implemented by the Block Protocol.
Customer is solely responsible for making an independent determination as to whether the technical and organizational measures and security safeguards for an Online Service meet Customer’s requirements, including any of its security obligations under applicable Data Protection Requirements. Customer acknowledges and agrees that (taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of the processing of its Customer Data and Personal Data as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons) the technical and organizational measures and security safeguards implemented and maintained by the Block Protocol provide a level of security appropriate to the risk with respect to its Customer Data and Personal Data. Customer is responsible for implementing and maintaining privacy protections and security measures for components that Customer provides or controls.
The Block Protocol will provide security compliance reporting such as external SOC1, type 2 and SOC2, type2 audit reports upon Customer request. Customer agrees that any information and audit rights granted by the applicable Data Protection Requirements (including, where applicable, Article 28(3)(h) of the GDPR) will be satisfied by these compliance reports, and will otherwise only arise to the extent that the Block Protocol's provision of a compliance report does not provide sufficient information, or to the extent that Customer must respond to a regulatory or supervisory authority audit or investigation.
Should Customer be subject to a regulatory or supervisory authority audit or investigation or carry out an audit or investigation in response to a request by a regulatory or supervisory authority that requires participation from the Block Protocol, and Customers’ obligations cannot reasonably be satisfied (where allowable by Customer’s regulators) through audit reports, documentation, or compliance information that the Block Protocol makes generally available to its customers, then the Block Protocol will promptly respond to Customer’s additional instructions and requests for information, in accordance with the following terms and conditions:
If the Block Protocol becomes aware of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data or Personal Data processed by the Block Protocol on behalf and in accordance with the documented instructions of Customer in connection with the Online Services (each a "Security Incident"), the Block Protocol will promptly and without undue delay (1) notify Customer of the Security Incident; (2) investigate the Security Incident and provide Customer with detailed information about the Security Incident; (3) take reasonable steps to mitigate the effects and to minimize any damage resulting from the Security Incident.
Notification(s) of Security Incidents will be delivered to one or more of Customer's administrators by any means the Block Protocol selects, including via email. It is Customer's sole responsibility to ensure it maintains accurate contact information with the Block Protocol and that Customer's administrators monitor for and respond to any notifications. Customer is solely responsible for complying with its obligations under incident notification laws applicable to Customer and fulfilling any third-party notification obligations related to any Security Incident.
The Block Protocol will make reasonable efforts to assist Customer in fulfilling Customer's obligation under GDPR Article 33 or other applicable law or regulations to notify the relevant regulatory or supervisory authority and individual data subjects about a Security Incident.
The Block Protocol’s notification of or response to a Security Incident under this section is not an acknowledgement by the Block Protocol of any fault or liability with respect to the Security Incident.
Customer must notify the Block Protocol promptly about any possible misuse of its accounts or authentication credentials or any Security Incident related to an Online Service.
Personal Data that the Block Protocol processes on behalf and in accordance with the documented instructions of Customer in connection with the Online Services may not be transferred to, or stored and processed in a geographic location except in accordance with the DPA Terms and the safeguards provided below in this section. Taking into account such safeguards, Customer appoints the Block Protocol to transfer Personal Data to the United States or any other country in which the Block Protocol or its Sub-processors operate and to store and process Personal Data to provide the Online Services, except as may be described elsewhere in these DPA Terms.
All transfers of Personal Data out of the European Union, European Economic Area, or Switzerland to provide the Online Services shall be governed by the Standard Contractual Clauses(EU/EEA) in Attachment 1. All transfers of Personal Data out of the United Kingdom to provide the Online Services shall be governed by the Standard Contractual Clauses (UK) in Attachment 2. For the purposes of the Data Protection Law of Switzerland, Standard Contractual Clauses (EU/EEA) in Attachment 1, shall be interpreted as follows:
i. references to the “European Union,” “EU,” “European Economic Area,” “EEA” or a “Member State” shall be interpreted to refer to “Switzerland”
ii. references to “Regulation (EU) 2016/679” and any articles therefrom shall be interpreted to include references to the “Data Protection Law of Switzerland”.
iii. References to “supervisory authority” shall be interpreted to refer to the “Swiss FDPIC”.
The Block Protocol will abide by the requirements of applicable European Union, European Economic Area, United Kingdom and Swiss data protection law, and other Data Protection Requirements, in each case regarding the transfer of Personal Data to recipients or jurisdictions outside such jurisdiction. All such transfers of Personal Data will, where applicable, be subject to appropriate safeguards as described in Article 46 of the GDPR and such transfers and safeguards will be documented according to Article 30(2) of the GDPR.
Subject to the safeguards described above, the Block Protocol may transfer, store and otherwise process Personal Data to or in jurisdictions and geographic locations worldwide as it, subject to its sole discretion, considers reasonably necessary in connection with the Online Services.
Upon Customer's reasonable request, unless prohibited by law, the Block Protocol will return or destroy all Customer Data and Personal Data processed by the Block Protocol on behalf and in accordance with the documented instructions of Customer in connection with the Online Services at all locations where it is stored within 30 days of the request, provided that it is no longer needed for providing the Online Services or the purposes for which a data subject had authorized the processing of their Personal Data. The Block Protocol may retain Customer Data or Personal Data to the extent required by the applicable Data Protection Requirements or other applicable law, and only to the extent and for such period as required by the applicable Data Protection Requirements or other applicable law, provided that the Block Protocol will ensure that the Customer Data or Personal Data is processed only as necessary for the purpose specified in the applicable Data Protection Requirements or other applicable law and no other purpose, and the Customer Data or Personal Data remains protected by the Applicable Data Protection Requirements or other applicable law.
The Block Protocol will ensure that its personnel engaged in the processing of Customer Data and Personal Data on behalf of Customer in connection with the Online Services (i) will process such data only on instructions from Customer or as described in this DPA, and (ii) will be obligated to maintain the confidentiality and security of such data even after their engagement ends. The Block Protocol shall provide periodic and mandatory data privacy and security training and awareness to its employees with access to Customer Data and Personal Data in accordance with applicable Data Protection Requirements or other applicable law and industry standards.
The Block Protocol may hire Sub-processors to provide certain limited or ancillary services on its behalf. Customer consents to this engagement and to the Block Protocol Affiliates as Sub-processors. The above authorizations will constitute Customer’s prior written consent to the subcontracting by the Block Protocol of the processing of Personal Data if such consent is required under applicable law, the Standard Contractual Clauses or the GDPR Related Terms. The Block Protocol is responsible for its Sub-processors’ compliance with the Block Protocol’s obligations in this DPA. The Block Protocol makes available information about Sub-processors on the Sub-processors page on the Block Protocol website (or a successor location). When engaging any Sub-processor, the Block Protocol will ensure via a written contract that the Sub-processor may access and use Customer Data or Personal Data only to deliver the services the Block Protocol has retained them to provide and is prohibited from using Customer Data or Personal Data for any other purpose. The Block Protocol will ensure that Sub-processors are bound by written agreements that require them to provide at least the level of data protection required of the Block Protocol by the DPA, including the limitations on disclosure of Personal Data. The Block Protocol agrees to oversee the Sub-processors to ensure that these contractual obligations are met.
From time to time, the Block Protocol may engage new Sub-processors. The Block Protocol will give Customer notice (by updating the Sub-processors page on the Block Protocol website (or a successor location) and providing Customer with a mechanism to obtain notice of that update) of any new Sub-processor in advance of providing that Sub-processor with access to Customer Data. If the Block Protocol engages a new Sub-processor for a new Online Service, the Block Protocol will give Customer notice prior to availability of that Online Service.
If Customer does not approve of a new Sub-processor, then Customer may terminate any subscription for the affected Online Service without penalty by providing, before the end of the relevant notice period, written notice of termination. Customer may also include an explanation of the grounds for non-approval together with the termination notice, in order to permit the Block Protocol to re-evaluate any such new Sub-processor based on the applicable concerns. If the affected Online Service is part of a suite (or similar single purchase of services), then any termination will apply to the entire suite.
After termination, the Block Protocol will remove payment obligations for any subscriptions for the terminated Online Service from subsequent invoices to Customer or its reseller.
If Customer is an educational agency or institution subject to the regulations under the Family Educational Rights and Privacy Act, 20 U.S.C. § 1232g (FERPA), or similar state student or educational privacy laws (collectively “Educational Privacy Laws”), Customer shall not provide Personal Data covered by such Educational Privacy Laws to the Block Protocol without obtaining the Block Protocol’s prior, written and specific consent and entering into a separate agreement with the Block Protocol governing the parties’ rights and obligations with respect to the processing of such Personal Data by the Block Protocol in connection with the Online Services.
Subject to the above, if Customer intends to provide to the Block Protocol Personal Data covered by FERPA, the parties agree and acknowledge that, for the purposes of this DPA, the Block Protocol is a “school official” with “legitimate educational interests” in the Personal Data, as those terms have been defined under FERPA and its implementing regulations. Customer understands that the Block Protocol may possess limited or no contact information for Customer’s students and students’ parents. Consequently, Customer will be responsible for obtaining any student or parental consent for any end user’s use of the Online Services that may be required by applicable law and to convey notification on behalf of the Block Protocol to students (or, with respect to a student under 18 years of age and not in attendance at a postsecondary institution, to the student’s parent) of any judicial order or lawfully-issued subpoena requiring the disclosure of Personal Data in the Block Protocol’s possession as may be required under applicable law.
Except with the Block Protocol’s prior, written and specific consent, Customer shall not provide to the Block Protocol any Personal Data:
If and to the extent the Block Protocol is processing Personal Data on behalf and in accordance with the documented instructions of Customer within the scope of the CCPA, the Block Protocol makes the following additional commitments to Customer. The Block Protocol will process the Personal Data on behalf of Customer and will not:
If Customer believes that the Block Protocol is not adhering to its privacy or security commitments, Customer may contact Block Protocol customer support.
For the fastest response time, Customer may contact the Block Protocol via the online form located at blockprotocol.org/contact. We will respond promptly.
Our mailing addresses is:
HASH, Inc. Attn: Block Protocol Privacy Team 2109 Broadway Unit 1141 New York, NY 10023 United States
David Wilkinson is the Block Protocol’s data protection representative for the European Economic Area. The privacy representative of the Block Protocol can be reached at the following address:
David Wilkinson Attn: Block Protocol EU/EEA Data Protection Representative Unit 2, 1 Shelton Street London, WC2H 9JN United Kingdom
The Block Protocol has implemented and will maintain for Customer Data and Personal Data processed by the Block Protocol on behalf and in accordance with the documented instructions of Customer in connection with the Block Protocol services the following technical and organizational measures and security safeguards, which in conjunction with the security commitments in this DPA (including the GDPR Related Terms), are the Block Protocol's only responsibility with respect to the security of that data:
|Organization of Information Security
|Security Ownership The Block Protocol has appointed one or more security officers responsible for coordinating and monitoring the security policies and procedures.
Security Roles and Responsibilities. Block Protocol personnel with access to Customer Data and Personal Data are subject to confidentiality obligations.
Risk Management Program. The Block Protocol performs an annual risk assessment. The Block Protocol retains its security documents pursuant to its retention requirements after they are no longer in effect.
Vendor Management. The Block Protocol has a vendor risk assessment process, vendor contract clauses and additional data protection agreements with vendors.
|Asset Inventory. The Block Protocol maintains an inventory of all media on which Customer Data and Personal Data is stored. Access to the inventories of such media is restricted to Block Protocol personnel authorized to have such access.
|Human Resources Security
|Security Training. The Block Protocol requires all new hires to complete security and privacy awareness training as part of initial on-boarding. Participation in annual training is required for all employees to provide a baseline for security and privacy basics.
|Physical and Environmental Security
|Physical Access to Facilities. The Block Protocol limits access to facilities where information systems that process Customer Data and Personal Data are located to identified authorized individuals.
Physical Access to Components. The Block Protocol maintains records of the incoming and outgoing media containing Customer Data, including the kind of media, the authorized sender/recipients, date and time, the number of media and the types of Customer Data and Personal Data they contain.
Protection from Disruptions. The Block Protocol uses a variety of industry standard systems to protect against loss of data due to power supply failure or line interference.
Component Disposal. The Block Protocol uses industry standard processes to delete Customer Data and Personal Data when it is no longer needed.
|Communications and Operations Management
|Operational Policy. The Block Protocol maintains security documents describing its security measures and the relevant procedures and responsibilities of its personnel who have access to Customer Data.
Data Recovery Procedures:
Data Beyond Boundaries:
|Access Policy. The Block Protocol maintains a record of security privileges of individuals having access to Customer Data.
|Information Security Incident Management
|Incident Response Process:
|Business Continuity Management
The Standard Contractual Clauses (EU/EEA) Controller to Processor located at blockprotocol.org/legal/terms/dpa/attachment-1
International Data Transfer Addendum to the EU Commission Standard Contractual Clauses located at blockprotocol.org/legal/terms/dpa/attachment-2
European Union General Data Protection Regulation Terms located at blockprotocol.org/legal/terms/dpa/attachment-3