Data Processing Agreement (DPA)

Effective Date: 8 January 2026

 

This Data Processing Agreement (“DPA”) is entered into between Bluedot (Twiso, Inc.), 30A Abbey, San Francisco, CA 94114, United States (“Bluedot”, “Processor”) and each Customer (“Customer”, “Controller”). This DPA forms part of the Order Form, Terms of Use, or Service Agreement between the parties (“Agreement”).

 

In the event of any conflict between this DPA and the Agreement regarding data protection matters, this DPA shall prevail.

 

1. INTRODUCTION

This DPA governs Bluedot’s Processing of Personal Data on behalf of Customer in connection with the Services. The Parties agree to comply with applicable data protection laws, including the GDPR and UK GDPR (“Applicable Data Protection Law”).

 

If Applicable Data Protection Law changes, the Parties shall cooperate in good faith to ensure continued lawful Processing.

 

2. ROLES AND SCOPE

Customer acts as the Controller and Bluedot acts as the Processor for Customer Personal Data, except where Bluedot acts as an independent Controller for limited purposes such as billing, fraud prevention, security, or legal compliance.

 

Bluedot shall:

- Process Personal Data only on documented instructions from Customer

- Process Personal Data solely to provide the Services, including meeting recording, transcription, summarization, storage, analytics, and related SaaS functionality

- Process only the minimum Personal Data necessary to provide the Services

 

3. PROCESSOR OBLIGATIONS

Bluedot shall:

- Comply with Applicable Data Protection Law

- Ensure personnel are bound by confidentiality obligations

- Implement appropriate technical and organizational measures

- Maintain records of processing where required

- Make available information reasonably necessary to demonstrate compliance

 

Customer audit requests shall be limited to reasonable frequency and subject to confidentiality and security requirements.

 

4. SECURITY MEASURES

Bluedot maintains appropriate technical and organizational measures, including:

- Encryption in transit (TLS)

- Encryption at rest (AES‑256)

- Role-based access controls

- Multi-factor authentication

- Logging and monitoring

- Vulnerability management and testing

- Incident detection and response procedures

 

Infrastructure is hosted on AWS in data centers located in the EEA and/or other regions as necessary to provide the Services.

 

5. PERSONNEL

Access to Personal Data is limited to authorized personnel bound by confidentiality obligations and trained in security and privacy practices.

 

6. ASSISTANCE TO CUSTOMER

Bluedot shall reasonably assist Customer with:

- Data subject rights requests

- Data protection impact assessments (DPIAs)

- Regulatory inquiries

- Security and compliance assessments

 

7. SUB-PROCESSORS

Customer provides general written authorization for the use of Sub-processors.

 

Bluedot shall:

- Impose data protection obligations equivalent to this DPA

- Remain responsible for Sub-processor performance

- Provide at least fourteen (14) days’ prior notice of new Sub-processors

 

8. CUSTOMER OBLIGATIONS

Customer is responsible for ensuring lawful collection and use of Personal Data and providing appropriate notices and consents where required.

 

Customer agrees not to submit special categories of personal data unless appropriate safeguards and a valid legal basis are in place.

 

9. PERSONAL DATA BREACH

Bluedot shall notify Customer without undue delay and, where feasible, within forty‑eight (48) hours after becoming aware of a confirmed Personal Data Breach.

 

Bluedot will provide reasonable assistance to support Customer’s breach response obligations.

 

10. DATA RETENTION, RETURN AND DELETION

Upon termination of the Agreement:

- Customer Personal Data will be retained for up to ninety (90) days to allow retrieval

- Upon Customer request during this period, Bluedot will provide a data export where technically feasible

- After this period, Personal Data will be deleted or irreversibly anonymized unless retention is required by law

 

11. GOVERNMENT REQUESTS

Bluedot shall review the legality of government or law enforcement requests, challenge unlawful or disproportionate requests where appropriate, and notify Customer unless legally prohibited.

 

12. INTERNATIONAL TRANSFERS

Where Personal Data is transferred outside the EEA, UK, or Switzerland, such transfers shall rely on:

- EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914)

- UK International Data Transfer Addendum (where applicable)

- Appropriate supplementary safeguards

 

13. LIABILITY

Liability arising under this DPA shall be governed by the limitations and exclusions set out in the Agreement.

 

14. GOVERNING LAW

This DPA shall be governed by the laws of Ireland.

 

15. INCORPORATION OF STANDARD CONTRACTUAL CLAUSES

The EU Standard Contractual Clauses (2021/914) are incorporated by reference and shall apply to applicable international data transfers.

 

For the purposes of the Standard Contractual Clauses:

- Module Two (Controller to Processor) applies

- Clause 7 (Docking Clause) applies

- Clause 9(a) Option 2 (general authorization) applies with fourteen (14) days’ notice

- Clause 11(a) (independent dispute resolution body) does not apply

- Clause 17: The governing law shall be the law of Ireland

- Clause 18: The Parties submit to the jurisdiction of the courts of Ireland

 

Annex information is provided in the Exhibits below.

 

EXHIBIT 1 – PROCESSING DETAILS

Purpose: Provision of Bluedot SaaS meeting documentation services

Data Subjects: Employees, contractors, customers, and meeting participants

Data Types: Name, email, meeting metadata, transcripts, audio/video content

Special Categories: Not intended to be processed. Customer is responsible for avoiding submission unless legally permitted.

Duration: For the duration of the Agreement and the retention period described above.

 

EXHIBIT 2 – SECURITY MEASURES

- Encryption in transit and at rest

- Multi-factor authentication and role-based access controls

- Logging and monitoring

- Vulnerability management

- Incident response procedures

- Periodic security reviews

 

EXHIBIT 3 – CCPA / CPRA TERMS

Bluedot acts as a Service Provider / Processor and:

- Does not sell or share Personal Information

- Processes Personal Information only to provide the Services

- Does not retain, use, or disclose Personal Information outside the direct business relationship

- May de-identify or aggregate data where permitted by law