Data Processing Addendum
Last updated: February 12, 2020
This document is a “Data Processing Agreement” (“DPA”) as required for certain customers under Article
28 of the “General Data Protection Regulation” (EU) 2016/679 (“GDPR”).
This DPA is an addendum to, and is referenced by, the Backblaze Terms of Service found on the Backblaze
web site. In case of a conflict between the terms of the DPA and the Backblaze Terms of Service, the DPA
will take precedence.
This DPA is intended to be binding on Backblaze with regard to each of its customers whose processing of
files stored with Backblaze is subject to the GDPR (“Customers”). It governs the processing by Backblaze
of personal data, as defined by the GDPR, contained in files that a customer stores with Backblaze
(“Files”).
As the GDPR evolves and best practices are refined, Backblaze reserves the right to update this DPA at
any time. If there is something we view as a material change, we will notify our customers via email 30
days in advance of the change and will offer our customers the right to terminate the services before
the change takes effect.
Subject-matter and nature of the processing
Backblaze offers two services: a computer backup service, with which a customer can back up its files to
our servers automatically, and a cloud storage service, with which the customer can upload files to our
servers (together the “Services”). To the extent that these files are uploaded by or on behalf of a
Customer and they contain personal data as defined in the GDPR, Backblaze processes this data as a
processor, as defined in the GDPR.
Type of personal data and categories of data subjects
The types of personal data and categories of data subjects processed in the context of Backblaze’s
Services depend on the content of files uploaded to servers by or on behalf of its Customers.
Purpose
Backblaze will only process the Files for the performance of the Service to the Customer, on the
documented instructions from the Customer, and to comply with laws to which Backblaze is subject. Where
Backblaze processes Files to comply with a legal requirement, it shall inform the Customer which
uploaded the data thereof before processing, unless that law prohibits such information on important
grounds of public interest.
Duration
Backblaze processes any Files for the duration it provides the Services to the customer. When the
Customer cancels their Backblaze subscription and deletes their Backblaze account, Backblaze will delete
the files stored for the period set out in the Backblaze Terms of Service.
International transfers
The servers of Backblaze are in the United States. This means that if a customer residing in the
European Economic Area (“EEA”) uses Backblaze’s Services, personal data in files stored by it with
Backblaze will be transferred outside of the EEA. By accepting Backblaze’s Terms of Service and/or by
using Backblaze’s services, a Customer is considered to have given instructions to do so when using
Backblaze’s Services.
Backblaze will adhere to the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks when transferring personal
information from the EEA and Switzerland to the United States. Additional information can be found in
the International Data Transfer section of the Backblaze Privacy Policy.
Confidentiality
Backblaze ensures that persons authorized to process the Files have committed themselves to
confidentiality.
Security
Backblaze with regard to Files shall implement appropriate technical and organizational measures to
ensure a level of security appropriate to the risk, taking into account the state of the art, the costs
of implementation and the nature, scope, context and purposes of processing as well as the risk of
varying likelihood and severity for the rights and freedoms of natural persons.
Subprocessors
The Customer, by accepting Backblaze’s Terms of Service and/or by using Backblaze’s Services, authorizes
Backblaze to engage processors for processing the Files of Customers. If Backblaze engages other
processors, Backblaze shall inform the customer, thereby giving the Customer the opportunity to object
to such changes. When Backblaze engages a processor, it shall impose data protection obligations which
are no less onerous than those set out in this DPA on that other processor by way of a contract or other
legal act, in particular providing sufficient guarantees to implement appropriate technical and
organizational measures in such a manner that the processing will meet the requirements of the GDPR.
Where that other processor fails to fulfil its data protection obligations, Backblaze remains fully
liable to the Customer for the performance of that other processor's obligations, but only to the extent
that Backblaze can be held liable under its Terms of Service. A list of the subprocessors that Backblaze
engages to process Files is available upon request to privacy@backblaze.com.
Assistance with exercise of rights
At the request of a Customer, Backblaze shall assist it by appropriate technical and organizational
measures, taking into account the nature of the processing and insofar as this is possible, for the
fulfilment of the Customer’s obligation to respond to requests for exercising the data subject's rights
laid down in Chapter III of the GDPR.
Assistance with security, data breaches and DPA
Backblaze shall assist the Customer in ensuring compliance with the obligations pursuant to Articles 32
to 36 of the GDPR, taking into account the nature of processing and the information available to
Backblaze. In the unlikely event of a data breach, as defined in the GDPR, Backblaze will without undue
delay send its affected customers a notification email, and provide, at its discretion, updates through
other communications channels. This notification will describe the nature of the data breach, including
where possible, the categories and approximate number of data subjects concerned, the categories and
approximate number of personal data records concerned, the contact point where more information can be
obtained, the likely consequences of the personal data breach, and the measures taken or proposed to be
taken by Backblaze to address the data breach, including, where appropriate, measures to mitigate its
possible adverse effects. A “data breach” does not include a Backblaze account being accessed via valid
credentials unless those credentials were exposed through some action or fault of Backblaze or one of
its sub-processors.
Deletion and return of Files
Backblaze shall, at the choice of the Customer, delete or return all the Files to the Customer after the
end of the provision of the Services subject to any fee applicable at that time, and delete existing
copies within the period set out under “Duration,” unless applicable law requires storage of such data.
Subject to any fee applicable at the time, Customers may request copies (i.e., return) of their Files
within their Backblaze account prior to cancelling their Services.
Information
Backblaze shall at the request of a Customer make available to it all information reasonably necessary
to demonstrate compliance with the obligations under this DPA, including a copy of the most recent
report on such compliance performed at the request of Backblaze by an external auditor, if available,
and only if the Customer agrees to keep such information confidential under a non-disclosure agreement
provided by Backblaze. Backblaze shall immediately inform the Customer if, in its opinion, an
instruction infringes the GDPR data protection provisions applicable to the Customer and/or Backblaze.
For further information on our compliance with the GDPR, please visit our knowledge base at
help.backblaze.com or contact us at privacy@backblaze.com.