Data Processing Agreement

Effective Date: 01/02/2025
Last Updated: 01/02/2025

1. Introduction

This Data Processing Agreement (“Agreement”) forms part of the Terms and Conditions between Oxygen365 Ltd (“Processor”) and any individual or organization (“Controller”) using Blind Report (“Service”). This Agreement ensures compliance with UK GDPR, EU GDPR, and other applicable data protection laws.

2. Definitions

  • Controller: The entity that determines the purposes and means of processing personal data.
  • Processor: Oxygen365 Ltd, which processes personal data on behalf of the Controller.
  • Personal Data: Any information relating to an identifiable individual, as defined under UK GDPR.
  • Processing: Any operation performed on personal data, including collection, storage, modification, analysis, or deletion.
  • Data Subject: The individual whose personal data is processed.

3. Processing of Personal Data

  • The Processor shall process personal data only on documented instructions from the Controller.
  • Personal data processed may include:
    • Name, surname, email, company name, IP address, and survey responses.
  • The Processor shall not use personal data for any purpose other than those outlined in this Agreement.

4. Data Sharing & Third Parties

The Processor shares specific data with the following third parties:
  • ChatGPT API, x.AI API – For survey analysis (only Likert scale slider responses and free-text responses).
  • Stripe – For payment processing (company details only, no payment card data is stored).
No Sale or Unauthorised Distribution: The Processor does not sell, rent, or otherwise distribute personal data to unauthorized third parties.

5. Security Measures

The Processor implements appropriate technical and organizational measures to protect personal data, including:
  • Secure storage on AWS servers (UK/EU region).
  • Encrypted data transmission using SSL/TLS.
  • Access control & authentication mechanisms to restrict unauthorized access.
  • Regular security audits and vulnerability assessments.

6. Data Retention & Deletion

  • Survey data and participant information are retained for up to 1 year.
  • Controller account data is retained until account deletion.
  • Upon request, the Processor will delete or return personal data in compliance with UK GDPR obligations.

7. Data Subject Rights

The Processor will assist the Controller in fulfilling data subject rights, including:
  • Right to Access – Providing a copy of personal data upon request.
  • Right to Rectification – Correcting inaccurate or incomplete personal data.
  • Right to Deletion (“Right to be Forgotten”) – Erasing personal data upon valid request.

8. Data Breach Notification

  • The Processor will notify the Controller without undue delay in the event of a personal data breach.
  • The notification will include details of the breach, impacted data, potential risks, and mitigation actions.
  • The Processor will provide necessary assistance to ensure compliance with UK GDPR notification requirements.

9. Sub-Processors

  • The Processor may engage sub-processors (e.g., AWS, Stripe) to support service operations.
  • The Controller will be notified in advance of new sub-processors where required.
  • The Processor ensures all sub-processors meet equivalent UK GDPR-compliant obligations.

10. International Data Transfers

  • Personal data is stored within UK/EU AWS servers.
  • If personal data is transferred outside the UK/EU, the Processor ensures appropriate safeguards, including:
    • Standard Contractual Clauses (SCCs) approved by the UK ICO.
    • Adequacy decisions (for transfers to countries with equivalent data protection laws).

11. Term & Termination

  • This Agreement remains in effect as long as the Controller uses the Processor’s services.
  • Upon termination, the Processor will delete or return all personal data unless legally required to retain it.

12. Governing Law & Jurisdiction

  • This Agreement shall be governed by and construed in accordance with the laws of England and Wales.
  • Any disputes shall be resolved in the UK courts.

13. Contact Information

For any data protection inquiries, please contact:
Oxygen365 Ltd
Email: dataprotection@blindreport.com