Data Protection Agreement

Introduction

The parties agree that this Block Protocol Data Protection Agreement (“DPA”) sets forth their obligations with respect to the processing and security of Personal Data and, where explicitly stated in the DPA Terms, Customer Data in connection with the Online Services provided by HASH, Inc. ("the Block Protocol" and "Block Protocol").

The DPA (including its Appendix and Attachments) is between the Block Protocol and any customer receiving Online Services from the Block Protocol based on the Block Protocol Customer Agreement (“Customer”), and is incorporated by reference into the Block Protocol Customer Agreement.

In the event of any conflict or inconsistency between the DPA Terms and any other terms in the Block Protocol Customer Agreement, the DPA Terms will prevail. The provisions of the DPA Terms supersede any conflicting provisions of the Block Protocol Privacy Statement that otherwise may apply to processing of Personal Data. For clarity, the Standard Contractual Clauses prevail over any other term of the DPA Terms.

Applicable DPA Terms and Updates

Limits on Updates

When Customer renews or purchases a new subscription to an Online Service, the then-current DPA Terms will apply and will not change during the term of that new subscription for that Online Service.

New Features, Supplements, or Related Software

Notwithstanding the foregoing limits on updates, when the Block Protocol introduces features, supplements or related software that are new (i.e., that were not previously included with the subscription), the Block Protocol may provide terms or make updates to the DPA that apply to Customer’s use of those new features, supplements or related software. If those terms include any material adverse changes to the DPA Terms, the Block Protocol will provide Customer a choice to use the new features, supplements, or related software, without loss of existing functionality of a generally available Online Service. If Customer does not use the new features, supplements, or related software, the corresponding new terms will not apply.

Government Regulation and Requirements

Notwithstanding the foregoing limits on updates, the Block Protocol may modify or terminate an Online Service in any country or jurisdiction where there is any current or future government requirement or obligation that (1) subjects the Block Protocol to any regulation or requirement not generally applicable to businesses operating there, (2) presents a hardship for the Block Protocol to continue operating the Online Service without modification, and/or (3) causes the Block Protocol to believe the DPA Terms or the Online Service may conflict with any such requirement or obligation.

Electronic Notices

The Block Protocol may provide Customer with information and notices about Online Services electronically, including via email, or through a web site that the Block Protocol identifies. Notice is given as of the date it is made available by the Block Protocol.

Prior Versions

The DPA Terms provide terms for Online Services that are currently available. For earlier versions of the DPA Terms, Customer may contact its reseller or Block Protocol Account Manager.

Definitions

Capitalized terms used but not defined in this DPA will have the meanings provided in the Block Protocol Customer Agreement. The following defined terms are used in this DPA:

  • “CCPA” means the California Consumer Privacy Act as set forth in Cal. Civ. Code §1798.100 et seq. and its implementing regulations.
  • “Customer Data” means all data, including all text, sound, video, or image files, and software, that are provided to the Block Protocol by, or on behalf of, Customer through use of the Online Service.
  • “Data Protection Requirements” means the GDPR, Local EU/EEA Data Protection Laws, CCPA, and any applicable laws, regulations, and other legal requirements relating to (a) privacy and data security; and (b) the use, collection, retention, storage, security, disclosure, transfer, disposal, and other processing of any Personal Data.
  • “Diagnostic Data” means data collected or obtained by the Block Protocol from software that is locally installed by Customer in connection with the Online Service. Diagnostic Data may also be referred to as telemetry. Diagnostic Data does not include Customer Data, Service Generated Data, or Professional Services Data.
  • “DPA Terms” means both the terms in this DPA and any Online Service-specific terms in the Block Protocol Customer Agreement that specifically supplement or modify the privacy and security terms in this DPA for a specific Online Service (or feature of an Online Service). In the event of any conflict or inconsistency between the DPA and such Online Service-specific terms, the Online Service-specific terms shall prevail as to the applicable Online Service (or feature of that Online Service).
  • “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). In connection with the United Kingdom, “GDPR” means Regulation (EU) 2016/679 as transposed into national law of the United Kingdom by the UK European Union (Withdrawal) Act 2018 and amended by the UK Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (as may be amended from time to time).
  • “Local EU/EEA Data Protection Laws” means any subordinate legislation and regulation implementing the GDPR.
  • “GDPR Related Terms” means the terms in Attachment 3, under which the Block Protocol makes binding commitments regarding its processing of Personal Data as required by Article 28 of the GDPR.
  • “Block Protocol Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the Block Protocol.
  • “Block Protocol Customer Agreement” means the service or other agreement(s) entered into by Customer with the Block Protocol for Online Services.
  • “Block Protocol Privacy Statement” means the Block Protocol privacy statement available at blockprotocol.org/legal/privacy.
  • “Online Service” means any service or software provided by the Block Protocol to Customer under the Block Protocol Customer Agreement agreed upon with Customer, including Previews, updates, patches, bug fixes, and technical support.
  • “Personal Data” means any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
  • “Preview” means Online Services provided for preview, evaluation, demonstration or trial purposes, or pre-release versions of the Online Services.
  • “Professional Services Data” means all data, including all text, sound, video, image files or software, that are provided to the Block Protocol, by or on behalf of a Customer (or that Customer authorizes the Block Protocol to obtain from an Online Service) or otherwise obtained or processed by or on behalf of the Block Protocol through an engagement with the Block Protocol to obtain Professional Services. Professional Services Data includes Support Data.
  • “Service Generated Data” means data generated or derived by the Block Protocol through the operation of an Online Service. Service Generated Data does not include Customer Data, Diagnostic Data, or Professional Services Data.
  • “Standard Contractual Clauses” means either of the following sets of Standard Contractual Clauses, as applicable in the individual case to the transfer of personal data according to the section of this DPA entitled “Data Transfers and Location” below:
    • the Standard Contractual Clauses (MODULE TWO: Transfer controller to processor), dated 4 June 2021, for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, as described in Article 46 of the GDPR and approved by European Commission Implementing Decision (EU) 2021/91 (“Standard Contractual Clauses (EU/EEA)”) and adopted by the Switzerland Federal Data Protection and Information Commissioner (“Swiss FDPIC”). The Standard Contractual Clauses (EU/EEA) are set forth in Attachment 1.
    • the International Data Transfer Addendum to the Standard Contractual Clauses (EU/EEA) as adopted by the United Kingdom Information Commissioner’s Office (“UK ICO”) for use in connection with data transfers from the United Kingdom (“Standard Contractual Clauses (UK)”). The Standard Contractual Clauses (UK) are set forth in Attachment 2.
  • “Sub-processor” means other processors used by the Block Protocol to process Personal Data on behalf of Customer in connection with the Online Services, as described in Article 28 of the GDPR.
  • “Support Data” means all data, including all text, sound, video, image files, or software, that are provided to the Block Protocol by or on behalf of Customer (or that Customer authorizes the Block Protocol to obtain from an Online Service) through an engagement with the Block Protocol to obtain technical support for Online Services covered under this agreement. Support Data is a subset of Professional Services Data.

Lower case terms used but not defined in this DPA, such as “personal data breach”, “processing”, “controller”, “processor”, “profiling”, “personal data”, and “data subject” will have the same meaning as set forth in Article 4 of the GDPR, irrespective of whether GDPR applies. The terms “data importer” and “data exporter” have the meanings given in the Standard Contractual Clauses.

For clarity, and as detailed above, data defined as Customer Data, Diagnostic Data, Service Generated Data, and Professional Services Data may contain Personal Data. For illustrative purposes, please see the chart below:

Type of data               | Description                                                                   | May contain Support Data | May contain Personal Data
---------------------------|-------------------------------------------------------------------------------|--------------------------|--------------------------
Customer Data              | “provided” by Customer                                                        |                          | Yes
Diagnostic Data            | “collected” or “obtained” from software installed by Customer                 |                          | Yes
Service Generated Data     | “generated” or “derived” by the Block Protocol                                |                          | Yes
Professional Services Data | “provided” by Customer in connection with “Professional Services”             | Yes                      | Yes
Support Data               | “provided” by Customer in connection with technical support                   | n/a                      | Yes
Personal Data              | “information relating to an identified or identifiable natural person”        |                          | n/a

The above table outlines the various data types defined in the DPA. All Personal Data is processed as a part of one of the other data types (all of which also include non-personal data). Support Data is a subset of Professional Services Data. Except where explicitly stated otherwise, the DPA Terms exclusively apply to Personal Data.

General Terms

Compliance with Laws

The Block Protocol will comply with all laws and regulations applicable to its provision of the Online Services, including security breach notification law and Data Protection Requirements. However, the Block Protocol is not responsible for compliance with any laws or regulations applicable to Customer or Customer’s industry that are not generally applicable to information technology service providers. The Block Protocol does not determine whether Customer Data includes information subject to any specific law or regulation. All Security Incidents are subject to the Security Incident Notification terms below.

Customer must comply with all laws and regulations applicable to its use of Online Services, including laws related to biometric data, confidentiality of communications, and Data Protection Requirements. Customer is responsible for determining whether the Online Services are appropriate for storage and processing of information subject to any specific law or regulation and for using the Online Services in a manner consistent with Customer’s legal and regulatory obligations. Customer is responsible for responding to any request from a third party regarding Customer’s use of an Online Service, such as a request to take down content under the U.S. Digital Millennium Copyright Act, including in accordance with the HASH Copyrighted Materials (DMCA) Policy, or other applicable laws.

Data Protection Terms

This section of the DPA includes the following subsections:

  • Scope
  • Nature of Data Processing; Ownership
  • Disclosure of Processed Data
  • Processing of Personal Data; GDPR
  • Data Security
  • Security Incident Notification
  • Data Transfers and Location
  • Data Retention and Deletion
  • Processor Confidentiality Commitment
  • Notice and Controls on Use of Sub-processors
  • Educational Institutions
  • CJIS Customer Agreement, HIPAA Business Associate, Biometric Data
  • California Consumer Privacy Act (CCPA)
  • How to Contact the Block Protocol
  • Appendix A – Security Measures

Scope

The DPA Terms apply to all Online Services.

Previews may employ lesser or different privacy and security measures than those typically present in the Online Services. Unless otherwise noted, Customer should not use Previews to process Personal Data or other data that is subject to legal or regulatory compliance requirements. The following terms in this DPA do not apply to Previews: Processing of Personal Data; GDPR, Data Security, and California Consumer Privacy Act.

Nature of Data Processing; Ownership

Except as otherwise stated in the DPA Terms, the Block Protocol will use and otherwise process Customer Data and Personal Data as described and subject to the limitations provided below (a) to provide Customer the Online Service in accordance with Customer’s documented instructions, and/or (b) for the Block Protocol’s legitimate business operations incident to delivery of the Online Services to Customer. As between the parties, Customer retains all right, title and interest in and to Customer Data. The Block Protocol acquires no rights in Customer Data other than the rights Customer grants to the Block Protocol in this section. This paragraph does not affect the Block Protocol’s rights in software or services the Block Protocol licenses to Customer.

Processing to Provide Customer the Online Services

For purposes of this DPA, “to provide” an Online Service consists of:

  • Delivering functional capabilities as licensed, configured, and used by Customer and its users, including providing personalized user experiences;
  • Troubleshooting (e.g., preventing, detecting, and repairing problems); and
  • Ongoing improvement (e.g., installing the latest updates and making improvements to user productivity, reliability, efficacy, and security).

When providing Online Services, the Block Protocol will use or otherwise process Personal Data only on Customer’s behalf and in accordance with Customer’s documented instructions.

Processing for the Block Protocol’s Legitimate Business Operations

For purposes of this DPA, “the Block Protocol’s legitimate business operations” consist of the following, each as incident to delivery of the Online Services to Customer: (1) billing and account management; (2) compensation (e.g., calculating employee commissions and partner incentives); (3) internal reporting and business modeling (e.g., forecasting, revenue, capacity planning, product strategy); (4) combatting fraud, abuse, cybercrime, or cyber-attacks that may affect the Block Protocol or Online Services; (5) improving the core functionality of accessibility, privacy or energy-efficiency; (6) financial reporting and compliance with legal obligations (subject to the limitations on disclosure of Processed Data outlined below); (7) the creation or management of end user accounts and profiles by the Block Protocol for individual users of Customer (except where Customer creates, manages or otherwise controls such end user accounts or profiles itself); and (8) other purposes pertaining to Personal Data not provided by Customer for storage in Block Protocol projects, workspaces, repositories or in connection with Professional Services.

When processing for the Block Protocol’s legitimate business operations, the Block Protocol will not use or otherwise process Personal Data for: (a) user profiling, (b) advertising or similar commercial purposes, (c) data selling or brokering, or (d) any other purpose, other than for the purposes set out in this section.

Disclosure of Processed Data

The Block Protocol will not disclose or provide access to any Processed Data except: (1) as Customer directs; (2) as described in this DPA; or (3) as required by law. For purposes of this section, “Processed Data” means: (a) Customer Data; (b) Personal Data and (c) any other data processed by the Block Protocol in connection with the Online Service that is Customer’s confidential information under the Block Protocol Customer Agreement. All processing of Processed Data is subject to the Block Protocol’s obligation of confidentiality under the Block Protocol Customer Agreement.

The Block Protocol will not disclose or provide access to any Processed Data to law enforcement unless required by law. If law enforcement contacts the Block Protocol with a demand for Processed Data, the Block Protocol will attempt to redirect the law enforcement agency to request that data directly from Customer. If compelled to disclose or provide access to any Processed Data to law enforcement, the Block Protocol will promptly notify Customer and provide a copy of the demand, unless legally prohibited from doing so.

Upon receipt of any other third-party request for Processed Data, the Block Protocol will promptly notify Customer unless prohibited by law. The Block Protocol will reject the request unless required by law to comply. If the request is valid, the Block Protocol will attempt to redirect the third party to request the data directly from Customer.

The Block Protocol will not provide any third party: (a) direct, indirect, blanket, or unfettered access to Processed Data; (b) platform encryption keys used to secure Processed Data or the ability to break such encryption; or (c) access to Processed Data if the Block Protocol is aware that the data is to be used for purposes other than those stated in the third party’s request.

In support of the above, the Block Protocol may provide Customer’s basic contact information to the third party.

Processing of Personal Data; GDPR

All Personal Data processed by the Block Protocol in connection with the Online Services is obtained as part of either Customer Data, Professional Services Data (including Support Data), Diagnostic Data, or Service Generated Data. Personal Data provided to the Block Protocol by, or on behalf of, Customer through use of the Online Service is also Customer Data. Pseudonymized identifiers may be included in Diagnostic Data or Service Generated Data and are also Personal Data. Any Personal Data pseudonymized, or de-identified but not anonymized, or Personal Data derived from Personal Data is also Personal Data.

To the extent the Block Protocol is a processor or sub-processor of Personal Data subject to the GDPR, the GDPR Related Terms in Attachment 3 govern that processing and the parties also agree to the following terms in this sub-section (“Processing of Personal Data; GDPR”):

Processor and Controller Roles and Responsibilities

Customer and the Block Protocol agree that Customer is the controller of Personal Data and the Block Protocol is the processor of such data, except (a) when Customer acts as a processor of Personal Data, in which case the Block Protocol is a sub-processor; or (b) as stated otherwise in the Block Protocol Customer Agreement or this DPA. When the Block Protocol acts as the processor or sub-processor of Personal Data, it will process Personal Data only on Customer’s behalf and in accordance with documented instructions from Customer. Customer agrees that its Block Protocol Customer Agreement (including the DPA Terms and any applicable updates), along with the product documentation and Customer’s use and configuration of features in the Online Services, are Customer’s complete documented instructions to the Block Protocol for the processing of Personal Data. Information on use and configuration of the Online Services can be found at blockprotocol.org/docs or a successor location.

Any additional or alternate instructions must be agreed to according to the process for amending Customer’s Block Protocol Customer Agreement. In any instance where the GDPR applies and Customer is a processor, Customer warrants to the Block Protocol that Customer’s instructions, including appointment of the Block Protocol as a processor or sub-processor, have been authorized by the relevant controller.

To the extent the Block Protocol uses or otherwise processes Personal Data subject to the GDPR for the Block Protocol’s legitimate business operations incident to delivery of the Online Services to Customer, the Block Protocol will comply with the obligations of an independent data controller under GDPR for such use. The Block Protocol is accepting the added responsibilities of a data “controller” under the GDPR for processing in connection with its legitimate business operations to: (a) act consistent with regulatory requirements, to the extent required under the GDPR; and (b) provide increased transparency to Customers and confirm the Block Protocol’s accountability for such processing. The Block Protocol employs safeguards to protect Personal Data in processing, including those identified in this DPA and those contemplated in Article 6(4) of the GDPR. With respect to processing of Personal Data under this paragraph, the Block Protocol makes the commitments set forth in the Standard Contractual Clauses set forth in Attachment 1 or Attachment 2 (as applicable); for those purposes, (i) any Block Protocol disclosure of Personal Data, as described in Annex IV to Attachment 1, that has been transferred in connection with the Block Protocol’s legitimate business operations is deemed a “Relevant Disclosure” and (ii) the commitments in Annex IV to Attachment 1 apply to such Personal Data.

Processing Details

The parties acknowledge and agree that:

  • Subject Matter. The subject-matter of the processing is limited to Personal Data within the scope of the section of this DPA entitled “Nature of Data Processing; Ownership” above and the GDPR.
  • Duration of the Processing. The duration of the processing shall be in accordance with Customer instructions and the terms of the DPA.
  • Nature and Purpose of the Processing. The nature and purpose of the processing shall be to provide the Online Service pursuant to Customer’s Block Protocol Customer Agreement and for the Block Protocol's legitimate business operations incident to delivery of the Online Service to Customer (as further described in the section of this DPA entitled “Nature of Data Processing; Ownership” above).
  • Categories of Data. The types of Personal Data processed by the Block Protocol when providing the Online Service include: (i) Personal Data that Customer elects to include in Customer Data or Professional Services Data (including, without limitation, Support Data); and (ii) those expressly identified in Article 4 of the GDPR that may be contained in Diagnostic Data or Service Generated Data. The types of Personal Data that Customer elects to include in Customer Data or Professional Services Data (including, without limitation, Support Data) may be any categories of Personal Data identified in records maintained by Customer acting as controller pursuant to Article 30 of the GDPR, including the categories of Personal Data set forth in Annex I to Attachment 1.
  • Data Subjects. The categories of data subjects are Customer’s representatives and end users, such as employees, contractors, collaborators, and customers, and may include any other categories of data subjects as identified in records maintained by Customer acting as controller pursuant to Article 30 of the GDPR, including the categories of data subjects set forth in Annex I to Attachment 1.

Data Subject Rights; Assistance with Requests

The Block Protocol will make available to Customer, in a manner consistent with the functionality of the Online Service and the Block Protocol’s role as a processor of Personal Data of data subjects, the ability to fulfill data subject requests to exercise their rights under the GDPR. If the Block Protocol receives a request from Customer’s data subject to exercise one or more of its rights under the GDPR in connection with an Online Service for which the Block Protocol is a data processor or sub-processor, the Block Protocol will redirect the data subject to make its request directly to Customer. Customer will be responsible for responding to any such request including, where necessary, by using the functionality of the Online Service. The Block Protocol shall comply with reasonable requests by Customer to assist with Customer’s response to such a data subject request.

Records of Processing Activities

To the extent the GDPR requires the Block Protocol to collect and maintain records of certain information relating to Customer, Customer will, where requested, supply such information to the Block Protocol and keep it accurate and up-to-date. The Block Protocol may make any such information available to the supervisory authority if required by the GDPR.

Data Security

The Block Protocol will implement and maintain appropriate technical and organizational measures and security safeguards against accidental or unlawful destruction, or loss, alteration, unauthorized disclosure of or access to, Customer Data and Personal Data processed by the Block Protocol on behalf and in accordance with the documented instructions of Customer in connection with the Online Services. The Block Protocol will regularly monitor compliance with these measures and safeguards and will continue to take appropriate steps throughout the term of the Block Protocol Customer Agreement. Appendix A – Security Safeguards contains a description of the technical and organizational measures and security safeguards implemented by the Block Protocol.

Customer is solely responsible for making an independent determination as to whether the technical and organizational measures and security safeguards for an Online Service meet Customer’s requirements, including any of its security obligations under applicable Data Protection Requirements. Customer acknowledges and agrees that (taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of the processing of its Customer Data and Personal Data as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons) the technical and organizational measures and security safeguards implemented and maintained by the Block Protocol provide a level of security appropriate to the risk with respect to its Customer Data and Personal Data. Customer is responsible for implementing and maintaining privacy protections and security measures for components that Customer provides or controls.

The Block Protocol will provide security compliance reporting, such as external SOC 1 Type 2 and SOC 2 Type 2 audit reports, upon Customer request. Customer agrees that any information and audit rights granted by the applicable Data Protection Requirements (including, where applicable, Article 28(3)(h) of the GDPR) will be satisfied by these compliance reports, and will otherwise only arise to the extent that the Block Protocol's provision of a compliance report does not provide sufficient information, or to the extent that Customer must respond to a regulatory or supervisory authority audit or investigation.

Should Customer be subject to a regulatory or supervisory authority audit or investigation, or carry out an audit or investigation in response to a request by a regulatory or supervisory authority that requires participation from the Block Protocol, and Customer’s obligations cannot reasonably be satisfied (where allowable by Customer’s regulators) through audit reports, documentation, or compliance information that the Block Protocol makes generally available to its customers, then the Block Protocol will promptly respond to Customer’s additional instructions and requests for information, in accordance with the following terms and conditions:

  • The Block Protocol will provide access to relevant knowledgeable personnel, documentation, and application software.
  • Customer and the Block Protocol will mutually agree in a prior written agreement (email is acceptable) upon the scope, timing, duration, control and evidence requirements, provided that this requirement to agree will not permit the Block Protocol to unreasonably delay its cooperation.
  • Customer must ensure its regulator’s use of an independent, accredited third-party audit firm, during regular business hours, with reasonable advance written notice to the Block Protocol, and subject to reasonable confidentiality procedures. Neither Customer, its regulators, nor its regulators’ delegates shall have access to any data from the Block Protocol’s other customers or to Block Protocol systems or facilities not involved in the Online Services.
  • Customer is responsible for all costs and fees related to the Block Protocol’s cooperation with the regulatory audit of Customer, including all reasonable costs and fees for any and all time the Block Protocol expends, in addition to the rates for services performed by the Block Protocol.
  • If the report generated from the Block Protocol’s cooperation with the regulatory audit of Customer includes any findings pertaining to the Block Protocol, Customer will share such report, findings, and recommended actions with the Block Protocol where allowed by Customer’s regulators.

Security Incident Notification

If the Block Protocol becomes aware of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data or Personal Data processed by the Block Protocol on behalf and in accordance with the documented instructions of Customer in connection with the Online Services (each a "Security Incident"), the Block Protocol will promptly and without undue delay (1) notify Customer of the Security Incident; (2) investigate the Security Incident and provide Customer with detailed information about the Security Incident; (3) take reasonable steps to mitigate the effects and to minimize any damage resulting from the Security Incident.

Notification(s) of Security Incidents will be delivered to one or more of Customer's administrators by any means the Block Protocol selects, including via email. It is Customer's sole responsibility to ensure it maintains accurate contact information with the Block Protocol and that Customer's administrators monitor for and respond to any notifications. Customer is solely responsible for complying with its obligations under incident notification laws applicable to Customer and fulfilling any third-party notification obligations related to any Security Incident.

The Block Protocol will make reasonable efforts to assist Customer in fulfilling Customer's obligation under GDPR Article 33 or other applicable law or regulations to notify the relevant regulatory or supervisory authority and individual data subjects about a Security Incident.

The Block Protocol’s notification of or response to a Security Incident under this section is not an acknowledgement by the Block Protocol of any fault or liability with respect to the Security Incident.

Customer must notify the Block Protocol promptly about any possible misuse of its accounts or authentication credentials or any Security Incident related to an Online Service.

Data Transfers and Location

Personal Data that the Block Protocol processes on behalf and in accordance with the documented instructions of Customer in connection with the Online Services may not be transferred to, or stored and processed in a geographic location except in accordance with the DPA Terms and the safeguards provided below in this section. Taking into account such safeguards, Customer appoints the Block Protocol to transfer Personal Data to the United States or any other country in which the Block Protocol or its Sub-processors operate and to store and process Personal Data to provide the Online Services, except as may be described elsewhere in these DPA Terms.

All transfers of Personal Data out of the European Union, European Economic Area, or Switzerland to provide the Online Services shall be governed by the Standard Contractual Clauses (EU/EEA) in Attachment 1. All transfers of Personal Data out of the United Kingdom to provide the Online Services shall be governed by the Standard Contractual Clauses (UK) in Attachment 2. For the purposes of the Data Protection Law of Switzerland, the Standard Contractual Clauses (EU/EEA) in Attachment 1 shall be interpreted as follows:

i. references to the “European Union,” “EU,” “European Economic Area,” “EEA” or a “Member State” shall be interpreted to refer to “Switzerland”;

ii. references to “Regulation (EU) 2016/679” and any articles therefrom shall be interpreted to include references to the “Data Protection Law of Switzerland”;

iii. references to “supervisory authority” shall be interpreted to refer to the “Swiss FDPIC”.

The Block Protocol will abide by the requirements of applicable European Union, European Economic Area, United Kingdom and Swiss data protection law, and other Data Protection Requirements, in each case regarding the transfer of Personal Data to recipients or jurisdictions outside such jurisdiction. All such transfers of Personal Data will, where applicable, be subject to appropriate safeguards as described in Article 46 of the GDPR and such transfers and safeguards will be documented according to Article 30(2) of the GDPR.

Subject to the safeguards described above, the Block Protocol may transfer, store and otherwise process Personal Data to or in jurisdictions and geographic locations worldwide as it, subject to its sole discretion, considers reasonably necessary in connection with the Online Services.

Data Retention and Deletion

Upon Customer's reasonable request, unless prohibited by law, the Block Protocol will return or destroy all Customer Data and Personal Data processed by the Block Protocol on behalf and in accordance with the documented instructions of Customer in connection with the Online Services at all locations where it is stored within 30 days of the request, provided that it is no longer needed for providing the Online Services or the purposes for which a data subject had authorized the processing of their Personal Data. The Block Protocol may retain Customer Data or Personal Data to the extent required by the applicable Data Protection Requirements or other applicable law, and only to the extent and for such period as required by the applicable Data Protection Requirements or other applicable law, provided that the Block Protocol will ensure that the Customer Data or Personal Data is processed only as necessary for the purpose specified in the applicable Data Protection Requirements or other applicable law and no other purpose, and the Customer Data or Personal Data remains protected by the Applicable Data Protection Requirements or other applicable law.

Processor Confidentiality Commitment

The Block Protocol will ensure that its personnel engaged in the processing of Customer Data and Personal Data on behalf of Customer in connection with the Online Services (i) will process such data only on instructions from Customer or as described in this DPA, and (ii) will be obligated to maintain the confidentiality and security of such data even after their engagement ends. The Block Protocol shall provide periodic and mandatory data privacy and security training and awareness to its employees with access to Customer Data and Personal Data in accordance with applicable Data Protection Requirements or other applicable law and industry standards.

Notice and Controls on Use of Sub-processors

The Block Protocol may hire Sub-processors to provide certain limited or ancillary services on its behalf. Customer consents to this engagement and to the Block Protocol Affiliates as Sub-processors. The above authorizations will constitute Customer’s prior written consent to the subcontracting by the Block Protocol of the processing of Personal Data if such consent is required under applicable law, the Standard Contractual Clauses or the GDPR Related Terms. The Block Protocol is responsible for its Sub-processors’ compliance with the Block Protocol’s obligations in this DPA. The Block Protocol makes available information about Sub-processors on the Sub-processors page on the Block Protocol website (or a successor location). When engaging any Sub-processor, the Block Protocol will ensure via a written contract that the Sub-processor may access and use Customer Data or Personal Data only to deliver the services the Block Protocol has retained them to provide and is prohibited from using Customer Data or Personal Data for any other purpose. The Block Protocol will ensure that Sub-processors are bound by written agreements that require them to provide at least the level of data protection required of the Block Protocol by the DPA, including the limitations on disclosure of Personal Data. The Block Protocol agrees to oversee the Sub-processors to ensure that these contractual obligations are met.

From time to time, the Block Protocol may engage new Sub-processors. The Block Protocol will give Customer notice (by updating the Sub-processors page on the Block Protocol website (or a successor location) and providing Customer with a mechanism to obtain notice of that update) of any new Sub-processor in advance of providing that Sub-processor with access to Customer Data. If the Block Protocol engages a new Sub-processor for a new Online Service, the Block Protocol will give Customer notice prior to availability of that Online Service.

If Customer does not approve of a new Sub-processor, then Customer may terminate any subscription for the affected Online Service without penalty by providing, before the end of the relevant notice period, written notice of termination. Customer may also include an explanation of the grounds for non-approval together with the termination notice, in order to permit the Block Protocol to re-evaluate any such new Sub-processor based on the applicable concerns. If the affected Online Service is part of a suite (or similar single purchase of services), then any termination will apply to the entire suite.

After termination, the Block Protocol will remove payment obligations for any subscriptions for the terminated Online Service from subsequent invoices to Customer or its reseller.

Educational Institutions

If Customer is an educational agency or institution subject to the regulations under the Family Educational Rights and Privacy Act, 20 U.S.C. § 1232g (FERPA), or similar state student or educational privacy laws (collectively “Educational Privacy Laws”), Customer shall not provide Personal Data covered by such Educational Privacy Laws to the Block Protocol without obtaining the Block Protocol’s prior, written and specific consent and entering into a separate agreement with the Block Protocol governing the parties’ rights and obligations with respect to the processing of such Personal Data by the Block Protocol in connection with the Online Services.

Subject to the above, if Customer intends to provide to the Block Protocol Personal Data covered by FERPA, the parties agree and acknowledge that, for the purposes of this DPA, the Block Protocol is a “school official” with “legitimate educational interests” in the Personal Data, as those terms have been defined under FERPA and its implementing regulations. Customer understands that the Block Protocol may possess limited or no contact information for Customer’s students and students’ parents. Consequently, Customer will be responsible for obtaining any student or parental consent for any end user’s use of the Online Services that may be required by applicable law and to convey notification on behalf of the Block Protocol to students (or, with respect to a student under 18 years of age and not in attendance at a postsecondary institution, to the student’s parent) of any judicial order or lawfully-issued subpoena requiring the disclosure of Personal Data in the Block Protocol’s possession as may be required under applicable law.

CJIS Customer Agreement, HIPAA Business Associate, Biometric Data

Except with the Block Protocol’s prior, written and specific consent, Customer shall not provide to the Block Protocol any Personal Data:

  • relating to criminal convictions and offenses or Personal Data collected or otherwise processed by Customer subject to or in connection with FBI Criminal Justice Information Services or the related Security Policy;
  • constituting protected health information governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191) or by state health or medical privacy laws;
  • collected as part of a clinical trial or other biomedical research study subject to, or conducted in accordance with, the Federal Policy for the Protection of Human Subjects (Common Rule); or
  • covered by state, federal or foreign biometric privacy laws or otherwise constituting biometric information including information on an individual’s physical, physiological, biological or behavioral characteristics or information derived from such information that is used or intended to be used, singly or in combination with each other or with other information, to establish individual identity.

California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA)

If and to the extent the Block Protocol is processing Personal Data on behalf and in accordance with the documented instructions of Customer within the scope of the CCPA, the Block Protocol makes the following additional commitments to Customer. The Block Protocol will process the Personal Data on behalf of Customer and will not:

  • sell the Personal Data as the term “selling” is defined in the CCPA;
  • share, rent, release, disclose, disseminate, make available, transfer or otherwise communicate orally, in writing or by electronic or other means, the Personal Data to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration, including transactions for cross-context behavioral advertising in which no money is exchanged;
  • retain, use or disclose the Personal Data for any purpose other than for the business purposes specified in the DPA Terms and the Block Protocol Customer Agreement, including retaining, using or disclosing the Personal Data for a commercial purpose other than the business purposes specified in the DPA Terms or the Block Protocol Customer Agreement, or as otherwise permitted by the CCPA;
  • retain, use or disclose the Personal Data outside of the direct business relationship with Customer;
  • combine the Personal Data with personal information that it receives from or on behalf of a third party or collects from California residents, except that the Block Protocol may combine Personal Data to perform any business purpose as permitted by the CCPA or any regulations adopted or issued under the CCPA.

How to Contact the Block Protocol

If Customer believes that the Block Protocol is not adhering to its privacy or security commitments, Customer may contact Block Protocol customer support.

For the fastest response time, Customer may contact the Block Protocol via the online form located at blockprotocol.org/contact. We will respond promptly.

Our mailing address is:

HASH, Inc. Attn: Block Protocol Privacy Team 2109 Broadway Unit 1141 New York, NY 10023 United States

David Wilkinson is the Block Protocol’s data protection representative for the European Economic Area. The privacy representative of the Block Protocol can be reached at the following address:

David Wilkinson Attn: Block Protocol EU/EEA Data Protection Representative Unit 2, 1 Shelton Street London, WC2H 9JN United Kingdom

Appendix A - Security Safeguards

The Block Protocol has implemented and will maintain for Customer Data and Personal Data processed by the Block Protocol on behalf and in accordance with the documented instructions of Customer in connection with the Block Protocol services the following technical and organizational measures and security safeguards, which in conjunction with the security commitments in this DPA (including the GDPR Related Terms), are the Block Protocol's only responsibility with respect to the security of that data:

Domain: Organization of Information Security

Security Ownership. The Block Protocol has appointed one or more security officers responsible for coordinating and monitoring the security policies and procedures.

Security Roles and Responsibilities. Block Protocol personnel with access to Customer Data and Personal Data are subject to confidentiality obligations.

Risk Management Program. The Block Protocol performs an annual risk assessment. The Block Protocol retains its security documents pursuant to its retention requirements after they are no longer in effect.

Vendor Management. The Block Protocol has a vendor risk assessment process, vendor contract clauses and additional data protection agreements with vendors.

Domain: Asset Management

Asset Inventory. The Block Protocol maintains an inventory of all media on which Customer Data and Personal Data is stored. Access to the inventories of such media is restricted to Block Protocol personnel authorized to have such access.

Asset Handling:
  • The Block Protocol classifies Customer Data and Personal Data to help identify it and to allow for access to it to be appropriately restricted.
  • The Block Protocol communicates employee responsibility and accountability for data protection up to and including cause for termination.
  • Block Protocol personnel must obtain the Block Protocol's authorization prior to remotely accessing Customer Data and Personal Data or processing Customer Data and Personal Data outside the Block Protocol’s facilities.

Domain: Human Resources Security

Security Training. The Block Protocol requires all new hires to complete security and privacy awareness training as part of initial on-boarding. Participation in annual training is required for all employees to provide a baseline for security and privacy basics.

Domain: Physical and Environmental Security

Physical Access to Facilities. The Block Protocol limits access to facilities where information systems that process Customer Data and Personal Data are located to identified authorized individuals.

Physical Access to Components. The Block Protocol maintains records of the incoming and outgoing media containing Customer Data, including the kind of media, the authorized sender/recipients, date and time, the number of media and the types of Customer Data and Personal Data they contain.

Protection from Disruptions. The Block Protocol uses a variety of industry standard systems to protect against loss of data due to power supply failure or line interference.

Component Disposal. The Block Protocol uses industry standard processes to delete Customer Data and Personal Data when it is no longer needed.

Domain: Communications and Operations Management

Operational Policy. The Block Protocol maintains security documents describing its security measures and the relevant procedures and responsibilities of its personnel who have access to Customer Data.

Data Recovery Procedures:
  • On an ongoing basis, but in no case less frequently than once a week (unless no Customer Data and Personal Data has been updated during that period), the Block Protocol maintains multiple copies of Customer Data and Personal Data from which Customer Data and Personal Data can be recovered.
  • The Block Protocol stores copies of Customer Data and Personal Data and data recovery procedures in a different place from where the primary computer equipment processing the Customer Data and Personal Data is located.
  • The Block Protocol has specific procedures in place governing access to copies of Customer Data.
  • The Block Protocol logs data restoration efforts, including the person responsible, the description of the restored data and, where applicable, which data (if any) had to be input manually in the data recovery process.

Malicious Software. The Block Protocol has threat detection controls to help identify and respond to anomalous or suspicious access to Customer Data, including malicious software originating from public networks.

Data Beyond Boundaries:
  • The Block Protocol encrypts, or enables Customer to encrypt, Customer Data and Personal Data that is transmitted over public networks.
  • The Block Protocol restricts access to Customer Data and Personal Data in media leaving its facilities.

Event Logging. The Block Protocol logs, or enables Customer to log, access and use of information systems containing Customer Data, registering the access ID, time, authorization granted or denied, and relevant activity.

Domain: Access Control

Access Policy. The Block Protocol maintains a record of security privileges of individuals having access to Customer Data.

Access Authorization:
  • The Block Protocol maintains and updates a record of personnel authorized to access Block Protocol systems that contain Customer Data.
  • The Block Protocol identifies those personnel who may grant, alter or cancel authorized access to data and resources.
  • The Block Protocol ensures that where more than one individual has access to systems containing Customer Data, the individuals have separate identifiers/log-ins where technically and architecturally feasible, and commercially reasonable.

Least Privilege:
  • Technical support personnel are only permitted to have access to Customer Data and Personal Data when needed.
  • The Block Protocol restricts access to Customer Data and Personal Data to only those individuals who require such access to perform their job function. Block Protocol employees are only granted access to production systems based on their role within the organization.

Integrity and Confidentiality:
  • The Block Protocol instructs Block Protocol personnel to disable administrative sessions when computers are left unattended.
  • The Block Protocol stores passwords such that they are encrypted or unintelligible while they are in force.

Authentication:
  • The Block Protocol uses industry standard practices to identify and authenticate users who attempt to access information systems.
  • Where authentication mechanisms are based solely on passwords, the Block Protocol requires the password to be at least eight characters long.
  • The Block Protocol ensures that de-activated or expired employee identifiers are not granted to other individuals.
  • The Block Protocol monitors, or enables Customer to monitor, repeated attempts to gain access to the information system using an invalid password.
  • The Block Protocol maintains industry standard procedures to deactivate passwords that have been corrupted or inadvertently disclosed.
  • The Block Protocol uses industry standard password protection practices, including practices designed to maintain the confidentiality and integrity of passwords when they are assigned and distributed, and during storage.

Network Design. The Block Protocol has controls to ensure no systems storing Customer Data and Personal Data are part of the same logical network used for Block Protocol business operations.

Domain: Information Security Incident Management

Incident Response Process:
  • The Block Protocol maintains a record of security incidents with a description of the incidents, the time period, the consequences of the breach, the name of the reporter, and to whom the incident was reported, and details regarding the handling of the incident.
  • In the event that Block Protocol Security confirms or reasonably suspects that a blockprotocol.org customer is affected by a data breach, we will notify the customer without undue delay.
  • The Block Protocol tracks, or enables Customer to track, disclosures of Customer Data, including what data has been disclosed, to whom, and at what time.

Service Monitoring. The Block Protocol employs a wide range of continuous monitoring solutions for preventing, detecting, and mitigating attacks to the site.

Domain: Business Continuity Management

  • The Block Protocol maintains emergency and contingency plans for the facilities in which Block Protocol information systems that process Customer Data and Personal Data are located.
  • The Block Protocol’s redundant storage and its procedures for recovering data are designed to attempt to reconstruct Customer Data and Personal Data in its original or last-replicated state from before the time it was lost or destroyed.

Attachment 1

The Standard Contractual Clauses (EU/EEA) Controller to Processor located at blockprotocol.org/legal/terms/dpa/attachment-1

Attachment 2

International Data Transfer Addendum to the EU Commission Standard Contractual Clauses located at blockprotocol.org/legal/terms/dpa/attachment-2

Attachment 3

European Union General Data Protection Regulation Terms located at blockprotocol.org/legal/terms/dpa/attachment-3