Backblaze Policies

Data Processing Addendum

Last updated: July 10, 2018

Dear Backblaze Customer:

This document is a “Data Processing Addendum” (“DPA”) for customers that are looking for one in reference to the “General Data Protection Regulation” (EU) 2016/679 (“GDPR”). It covers the Personal Data, as defined by the GDPR, that a customer stores with Backblaze. The terms and principles in this DPA apply to all Backblaze customers, regardless of where they reside. This DPA is an addendum and is incorporated by reference from the Backblaze Terms of Service and the Backblaze Privacy Policy found on the Backblaze web site.

As the GDPR evolves and best practices are refined, Backblaze reserves the right to update this DPA at any time. If there is something we view as a material change, we will notify our customers via email 30 days in advance of the change going into place.
Backblaze is compliant with the requirements set forth in the GDPR for a Data Processor. Our compliance with the GDPR includes, but is not limited to:
  • The use of Personal Data of an EU data subject solely for the performance of our services and as permitted by applicable law;
  • Taking appropriate measures to ensure the security of the Personal Data Backblaze processes. This includes, but is not limited to - maintaining a Chief Security Officer and resourcing that position to effect high security standards for all Backblaze services, deployment of generally accepted technical protections, frequent testing of our services, and training of all Backblaze employees;
  • Ensuring adherence with the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks when transferring personal information from the EEA and Switzerland to the United States. Additional information can found in the International Data Transfer section of the Backblaze Privacy Policy.
  • Ensuring that all Backblaze personnel who have access to or process Personal Data, are subject to a duty of confidence;
  • Ensuring that no third party processes any Personal Data received from Backblaze except in accordance with applicable GDPR requirements;
  • Servicing obligations in connection with subject access requests and other data subject rights under GDPR;
  • Retention of Personal Data after the termination of an account only for the period specified in our published privacy policy (which complies with GDPR requirements).
  • In the unlikely event of a system breach, we will expeditiously (within 72 hours) send you a notification email, and may at our discretion, update our official Twitter account, and post on our Blog. A “system breach” does not include a customer account being accessed via valid credentials unless those credentials were exposed through some action or fault of Backblaze or one of its sub-processors.

For further information on our compliance with the GDPR, please visit our knowledge base at or contact us at