Data Processing Agreement

Effective date: 4th of March, 2025

BETWEEN: Bluedot (Twiso, Inc). 30A Abbey, San Francisco, CA, US, 94114
("Bluedot")

AND: Each individual Bluedot Customer that Bluedot processes data for
(the “Customer”)

‍1. INTRODUCTION

1.1  This Data Processing Agreement (“DPA”) specifies the Parties’ data protection obligations which arise from Bluedot's processing of Personal Data on behalf of Customer under the order form, service agreement or other agreement between the Parties (“the Agreement”). All capitalised terms not defined in this DPA shall have the meaning set forth in the Agreement.

1.2  The DPA is adopted as an appendix to the Agreement. In the event that any provision of this DPA is inconsistent with any term of the Agreement, the DPA will prevail. If and to the extent the Standard Contractual Clauses conflict with any provision of the Agreement or the DPA, the Standard Contractual Clauses shall prevail to the extent of such conflict.

1.3  If Applicable Data Protection Law is amended, replaced or repealed, the parties shall, where necessary, negotiate in good faith a solution to enable the processing of Personal Data to be conducted in compliance with Applicable Data Protection Law.

‍2. PURPOSE, SCOPE AND RESPONSIBILITIES

2.1 Bluedot shall only process Personal Data in accordance with the terms of this DPA.

2.2 The parties agree that Customer is the Data Controller of Customer Personal Data, and that Bluedot is the Data Processor of Customer Personal Data, except where Bluedot acts as an independent Data Controller as further detailed in Section 2.9.

[Amendment: All instructions from Customer, as Data Controller, must be provided in written or other documented form (electronic records acceptable) to ensure clarity and traceability of instructions.]

2.3 Bluedot shall process Customer Personal Data solely for the limited purpose of performing the obligations set out under the Agreement and only in accordance with Customer's lawful written instructions or as otherwise necessary to comply with Applicable Data Protection Law. Data may, for that purpose, be processed by any of Bluedot’s entities in accordance with Section 7.

2.4 Customer shall ensure that its instructions to Bluedot comply with all applicable laws and regulations and that such instructions will not cause Bluedot to be in breach of Applicable Data Protection Law. Customer is solely responsible for the accuracy, quality, and legality of Customer Personal Data provided to Bluedot.

2.5 Personal Data processed by Bluedot shall include only those data processing activities specified in the Agreement. Further processing outside this scope shall require a separate, mutually documented written agreement.

2.6 If Bluedot becomes aware that any written instruction from Customer breaches Applicable Data Protection Law, Bluedot shall immediately notify Customer with details of the breach or potential breach.

2.7 The term of this DPA shall continue until the later of the termination of the Agreement or the date at which Bluedot ceases to process Personal Data for Customer.

2.8 In no event will the data processed by Bluedot include financial data or Sensitive Data, except as explicitly agreed in writing.

2.9 Independent Data Controller Processing:

Bluedot acknowledges that it acts as a Data Processor for all Customer Personal Data processed under this Agreement. Any processing of Customer Personal Data as an independent Data Controller shall be strictly limited to the following purposes: (i) invoicing and financial reporting, (ii) fraud detection and prevention, (iii) compliance with mandatory legal obligations. Bluedot shall ensure that such processing is clearly segregated from Data Processor activities and does not contradict the Customer's role as the Data Controller. Furthermore, Bluedot shall provide the Customer with a documented explanation of the legal basis for any independent processing upon request.

2.10 The types and categories of Customer Personal Data processed by Bluedot and the purpose of such processing is set out in Exhibit 1.
‍

3. OBLIGATIONS OF BLUEDOT AS DATA PROCESSOR

3.1 Bluedot warrants that it will:

i) comply with Applicable Data Protection Law relevant to its obligations under the Agreement;

ii) implement appropriate technical and organizational measures that meet the requirements of Applicable Data Protection Law, including specific measures described in Exhibit 2, ensuring protection of the rights of data subjects;

iii) make available to Customer all information reasonably necessary to demonstrate compliance with this DPA, including documentation related to security audits, risk assessments, and breach response procedures; and

iv) reasonably cooperate with any audits performed by Customer or its independent auditor.

[Amendment: Audit rights are not limited to once per year. Customer may request additional audits or security reviews when warranted by changes in applicable law or risks, with costs to be mutually agreed rather than imposed solely on Customer.]

4.  TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES

​4.1 Bluedot shall implement and maintain, throughout the term of the DPA, technical and organizational security measures that protect Personal Data against accidental or unlawful destruction, loss, alteration, or unauthorized disclosure. These measures include, but are not limited to, the following:

• Encryption: Data shall be encrypted both in transit (using standard TLS protocols) and at rest (using AES-256 or an equivalent standard).
• Pseudonymization: Where feasible, Personal Data shall be pseudonymized to reduce the risks associated with unauthorized access.
• Access Controls: Robust authentication methods (including multi-factor authentication) and role-based access controls shall be enforced to ensure that only authorized personnel have access to Personal Data.
• Security Audits: Regular security audits, including both internal reviews and independent third-party audits, shall be conducted at least annually or more frequently if necessary.
• Additional Measures: Additional controls may include intrusion detection systems, regular vulnerability assessments, and comprehensive logging of access to sensitive data.

4.2 Bluedot will ensure that its Sub-processors comply with the minimum security requirements set out in Exhibit 2, which may be updated from time to time, provided such updates do not diminish the overall security of the Services.

4.3 Customer has evaluated the security measures implemented by Bluedot and agrees that, as updated herein, they provide an appropriate level of protection for Customer Personal Data.

‍
5.  PERSONNEL

​5.1 Bluedot shall ensure that any personnel required to access Customer Personal Data have either committed to confidentiality as set out in the Agreement or are under a statutory obligation of confidentiality.

5.2 Bluedot shall ensure that its personnel are informed of the confidential nature of Customer Personal Data and the applicable security procedures.

5.3 Personnel confidentiality obligations shall survive the termination of both the personnel engagement and this DPA.

‍
6.  ASSISTANCE TO THE CUSTOMER AS DATA CONTROLLER

​6.1 Bluedot shall provide timely and reasonable assistance, using appropriate technical and organizational measures, to enable Customer to respond to:

i) any data subject request to exercise its rights under Applicable Data Protection Law; and

ii) any related correspondence, enquiry, or complaint from a data subject, Regulator, or third party.

In the event such requests are made directly to Bluedot, it shall promptly notify Customer with full details, unless legally prohibited.

6.2 Bluedot shall assist Customer with its obligation to conduct any required data protection impact assessments.

‍

‍
7.  SUB-PROCESSORS

​7.1 Bluedot’s Sub-processors include Amazon Web Services (AWS), Google (Alphabet Inc.), and Amplitude Inc. Customer hereby grants a general authorization for the engagement of additional Sub-processors for performing its obligations under the Agreement, provided that Bluedot shall:

• Provide at least 30 days prior written notice (except in emergencies affecting service availability or security) of any change to its Sub-processors via its standard notification process;
• Execute a written agreement with each Sub-processor obligating them to protect Customer Personal Data to the same standard as required of Bluedot and to comply with Applicable Data Protection Law.

7.2 If Customer objects to a new Sub-processor on reasonable grounds within 30 days of receiving notice, the parties shall negotiate in good faith to find an alternative solution. If an alternative is not found and Bluedot proceeds with the new Sub-processor, Customer may terminate the Agreement with 30 days’ prior written notice, without either party being deemed in breach.

7.3 Bluedot shall be liable for the acts or omissions of its Sub-processors as if it were performing the Services directly.

8.  OBLIGATIONS OF THE CUSTOMER

​8.1 Each party remains separately responsible for ensuring compliance with Applicable Data Protection Law.

8.2 Customer shall promptly inform Bluedot in writing of any known failure to comply with Applicable Data Protection Law concerning the processing of Personal Data under this DPA.

8.3 Customer is responsible for providing accurate and current contact details to facilitate Bluedot’s notification obligations.

8.4 Customer represents and warrants that it has obtained all necessary consents and rights required under Applicable Data Protection Law for Bluedot to process Customer Personal Data as described herein.

9.  NOTIFICATION OF DATA BREACH

​9.1 Bluedot shall notify Customer in writing within 48 hours of any identified Data Breach.

[Amendment: In addition, Bluedot shall maintain an internal log of all Data Breaches and document the risk assessments and mitigation measures taken as part of its internal incident management procedures.]

9.2 The notification shall include, where possible:

a) a description of the nature of the breach, including categories and approximate number of data subjects and records affected;

b) Bluedot’s contact details for further information;

c) a description of the likely consequences; and

d) the measures taken or proposed to address the breach, including mitigation steps and planned improvements to security measures.

‍

10. ADDITIONAL ASSIGNMENTS

​10.1 For tasks not covered under this DPA that go beyond statutory obligations, Bluedot may charge Customer for additional resources, time, and materials, unless such services are already included in the Services under the Agreement.

10.2 Bluedot will notify Customer in advance of such additional charges and, where possible, provide a quote.

10.3 If Customer does not agree to the additional costs, Bluedot is not obliged to perform the additional assignment.

‍

11.  DELETION AND RETURN OF PERSONAL DATA

​11.1 Following the termination or expiration of the Agreement, Bluedot shall retain Customer Data in a secured, isolated account for 90 days.

[Amendment: Bluedot shall notify Customer in advance—no less than 30 days prior—to inform them of the impending deletion or anonymisation of Customer Personal Data, unless retention is required by law.]

After this retention period and upon notification, Bluedot shall either delete or irreversibly anonymize all Customer Personal Data unless otherwise permitted or required by Applicable Law.

11.2 During the term of the Agreement, Customer will have continuous access to, and the ability to extract and delete, its Personal Data stored in its tenant.
‍

12.  LAW ENFORCEMENT REQUESTS

​12.1 If contacted by a court, law enforcement authority, or intelligence agency with a demand for Customer Personal Data, Bluedot shall first assess the legitimacy of the order.

If compelled to disclose or provide access to Customer Personal Data, Bluedot shall promptly notify Customer and provide a copy of the request, unless legally prohibited.

12.2 Bluedot shall cooperate only to the extent required by law and, where possible, shall challenge or minimize the disclosure, including limiting the data disclosed to only that which is strictly necessary.

‍

13.  JURISDICTION SPECIFIC TERMS

​13.1 Where Bluedot processes Personal Data originating from jurisdictions covered by specific data protection laws listed in Exhibit 3 (Jurisdiction Specific Terms), those terms apply in addition to the terms of this DPA.

‍

14.  LIABILITY

​14.1 Each party's liability for breaches of this DPA is subject to the limitations and exclusions of liability set forth in the Agreement.
‍

15.  LEGAL VENUE AND APPLICABLE LAW

​15.1 This DPA shall be governed by Danish Law.

15.2 Any claim or dispute arising from or in connection with this DPA shall be subject to the jurisdiction of the Copenhagen City Court as the court of first instance.

‍

16.  DATA TRANSFERS TO THIRD COUNTRIES

​16.1 In the event that Customer Personal Data is transferred outside the EU or Switzerland, Bluedot shall implement appropriate safeguards, such as Standard Contractual Clauses or other approved security mechanisms, to ensure that such transfers comply with Applicable Data Protection Law.

16.2 Additional Safeguards for Third-Country Transfers: Bluedot shall ensure that any transfer of Customer Personal Data to a country outside the European Economic Area (EEA) or Switzerland is subject to appropriate safeguards as required by Applicable Data Protection Law. Such safeguards shall include, but are not limited to:  

i) the implementation of Standard Contractual Clauses (SCCs) approved by the European Commission;  

ii) technical measures such as end-to-end encryption and pseudonymization before transfer; and  

iii) a documented Transfer Impact Assessment (TIA) to evaluate the risks of the transfer.

Upon request, Bluedot shall provide evidence of these safeguards to Customer. If any legal requirement prevents compliance with these safeguards, Bluedot shall immediately inform Customer and suspend further transfers until a lawful solution is agreed upon.

‍
17.  DEFINITIONS

​The terms “Data Controller”, “Data Processor”, “data subject”, “processing” and “process” shall have the meaning given in Applicable Data Protection Law.

​“Applicable Data Protection Law” means any applicable law which applies to each party in any territory in which they process Personal Data and which relates to the protection of individuals with regards to the processing of Personal Data and privacy rights, and may include EU Data Protection Laws, UK Data Protection Laws, Canada's Personal Information Protection and Electronic Documents Act (“PIPEDA”), the California Consumer Privacy Act, as amended by the California Privacy Right Act of 2020 and its implementing regulation (“CCPA”); the Privacy Act 1988 (Cth) of Australia, as amended (“Australian Privacy Law”), the Virginia’s Consumer Data Protection Act (“VCDPA”); the Colorado Privacy Act (“CPA”); the Connecticut’s Act Concerning Data Privacy and Online Monitoring (“CTDPA”), and the Utah Consumer Privacy Act (“UCPA”).

​“Customer Personal Data” means the Personal Data that is generated by or provided to Bluedot by, or on behalf of, Customer through use of the Services.

​“Data Breach” means a breach of security which results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data processed by Bluedot.

​“EU Data Protection Laws” means all data protection laws and regulation applicable to the European Economic Area (“EEA”) and Switzerland, including the General Data Protection Regulation 2016/679 (“GDPR”) and supplementing data protection law of the European Union Member States, the ePrivacy Directive 2002/58/EC (the “Directive”), together with any European Union Member national law implementing the Directive and the Swiss Federal Data Protection Act (“Swiss DPA”).

​“Personal Data” means any information defined under Applicable Data Protection Law as “personal data”, “personal information”, “personally identifiable information” or any other similar term relating to an identified of identifiable natural person.

​“Regulator” means any local, national or multinational agency, department, official, public of statutory person or any regulatory or supervisory authority for administering, providing guidance on, supervising and enforcing Applicable Data Protection Law.

​“Restricted Country” mean a country, territory or jurisdiction which (i) when GDPR applies, is not covered by an adequacy determination by European Commission, as described under the GDPR, (ii) when Swiss DPA applies, is not included on the list of adequate jurisdictions published by the Swiss Regulator or (iii) when UK Data Protection Law applies, is not recognized as providing an adequate level of protection for Personal Data pursuant to Section 17A of the UK GDPR.  

​“Sensitive data” means any (i) special categories of Personal Data defined under EU Data Proteciton Law and UK Data Protection Law, (ii) data relating to criminal convictions and offences defined under EU Data Proteciton Law and UK Data Protection Law or (iii) within the definition of ’sensitive personal information” under the CCPA.  

​“Sub-processor” mean any Bluedot Affiliate and any sub-contractor engaged by Bluedot in the processing of Customer Personal Data under the terms of the Agreement and this DPA.

​“UK Addendum” mean the UK Addendum issued by the United Kingdom Regulator under section 119A(1) of the Data Protection Act 2018, being an addendum to the Standard Contractual Clauses.

​“UK Data Protection Law” means all data protection laws and regulation applicable to the United Kingdom, including the United Kingdom's Data Protection Act 2018 and the GDPR as incorporated into United Kingdom law by virtue of Section 3 of the United Kingdom's European Union (Withdrawal) Act 2018 (“UK GDPR”), each as amended, supplemented or replaced from time to time.

‍

17.  SIGNATURES

Signed for and on behalf of Bluedot

Date: 4th of March, 2025

Name: Dmitry Eremin

‍

‍‍

‍

EXHIBIT 1:  INFORMATION ABOUT THE PROCESSING

1. ​The purpose of the data processor’s processing of Personal Data on behalf of the data controller is:
   Bluedot is a software development company, assigned by Customer to make available to Customer software as a service for supporting the creation of business documents. The content of this DPA reflects the limited amount of Personal Data Bluedot handles for Customer.

2. ​The data processor’s processing of Personal Data on behalf of the data controller shall mainly pertain to (the nature of the processing):
   The provision of the Services by Bluedot to Customer.

3. ​The processing includes the following types of Personal Data about data subjects:
   Name, business e-mail address, job title, office location; as well as documents, images, video and other content or data in electronic form stored or transmitted by End Users via the Services.

4. ​The processing includes the following type of Sensitive data about data subjects:
   None.

5. ​Processing includes the following categories of data subject:
   Customer’s employees.
   Or as determined by Customer through their use of the Bluedot Service.

6. ​The data processor’s processing of personal data on behalf of the data controller may be performed when the Clauses commence. Processing has the following duration:
   
   Personal data is stored with Bluedot until Customer requests that the data is erased or returned, pursuant to Section 12.1 of this DPA.
   ‍

‍EXHIBIT 2: DESCRIPTION OF MINIMUM DATA SECURITY

1. ​Physical Access Controls: Bluedot shall take reasonable measures to prevent physical access, such as secured buildings, to prevent unauthorized persons from gaining access to Personal Data.

2. ​System Access Controls: Bluedot shall take reasonable measures to prevent Personal Data from being used without authorization. These controls shall vary based on the nature of the processing undertaken and may include, among other controls, authentication via passwords and/or two-factor authentication, documented authorization processes, documented change management processes and/or, logging of access on several levels.  

3. ​Data Access Controls:  Bluedot shall take reasonable measures to provide that Personal Data is accessible and manageable only by properly authorized staff, direct database query access is restricted and application access rights are established and enforced to ensure that persons entitled to use a data processing system only have access to the Personal Data to which they have privilege of access; and, that Personal Data cannot be read, copied, modified or removed without authorization in the course of processing. The Bluedot shall take reasonable measures to implement an access policy under which access to its system environment, to Personal Data and other data by authorized personnel only.  

4. ​Transmission Controls:  Bluedot shall take reasonable measures to ensure that it is possible to check and establish to which entities the transfer of Personal Data by means of data transmission facilities is envisaged so Personal Data cannot be read, copied, modified or removed without authorization during electronic transmission or transport.

5. ​Input Controls: Bluedot shall take reasonable measures to provide that it is possible to check and establish whether and by whom Personal Data has been entered into data processing systems, modified or removed.  Bluedot shall take reasonable measures to ensure that (i) the personal data source is under the control of data exporter; and (ii) Personal Data integrated into  Bluedot’s systems is managed by secured file transfer from the Bluedot and data subject.
6. • Encryption: Use of TLS for data in transit and AES-256 for data at rest.
   • Pseudonymization: Where applicable, data shall be pseudonymized to reduce identification risks.
   • Access Controls: Enforcement of multi-factor authentication, role-based access, and regular review of access rights.
   • Security Audits: Minimum of annual internal and independent third-party audits, with additional audits as required by risk assessments.
   • Logging and Monitoring: Detailed logs of access and changes to Personal Data shall be maintained and reviewed regularly.

EXHIBIT 3: JURISDICTION SPECIFIC TERMS

​California (CCPA):

​1.1.   The definition of “data subject” includes “Consumer” as defined under CCPA. Any data subject rights, as set forth in Section 6 of this DPA, apply to Consumer rights.  

​1.2.  The definition of “Data Controller” includes “Business” as defined under CCPA. The definition of “Data Processor” includes “Service Provider” as defined under CCPA.

​1.3.  Bluedot will process, retain, use, and disclose Personal Data only as necessary to provide the Services under the Agreement. Bluedot agrees not to (a) sell or share (as defined by the CCPA) Customer’s Personal Data; (b) retain, use, or disclose Customer’s Personal Data for any commercial purpose (as defined by the CCPA) other than providing the Services; (c) retain, use, or disclose Customer’s Personal Data outside of the scope of the Agreement.

​1.4.  Bluedot may deidentify (as defined by the CCPA) Customer Personal Data as part of performing the Services in the Agreement, in accordance with limitation on Services Providers under the CCPA. Bluedot shall not re-identify any Customer deidentified Data.

​1.5.  Bluedot certifies that its Sub-processors, as set forth in Section 7 of this DPA, are Service Providers under CCPA, with whom Bluedot has entered into a written contract that includes terms substantially similar to this DPA.

​1.6.  If Bluedot becomes aware that it cannot longer meet any of its obligations under the CCPA, Bluedot shall immediately notify Customer.

‍