Data Processing Addendum
Last updated: October 5, 2020
Updates have been made to the International transfers
the Data Processing Addendum to more clearly describe where data uploaded by or on behalf of Customers to
Backblaze are stored, and to also address the recent invalidation of Privacy Shield.
This document is a “Data Processing Agreement” (“DPA”) as required for certain customers under Article
28 of the “General Data Protection Regulation” (EU) 2016/679 (“GDPR”).
This DPA is an addendum to, and is referenced by the Backblaze Terms of
found on the Backblaze
web site. In case of a conflict between the terms of the DPA and the Backblaze Terms of Service, the DPA
will take precedence.
This DPA is intended to be binding on Backblaze with regard to each of its customers whose processing of
files stored with Backblaze is subject to the GDPR (“Customers”). It governs the processing by Backblaze
of personal data, as defined by the GDPR, contained in files that a customer stores with Backblaze
As the GDPR evolves and best practices are refined, Backblaze reserves the right to update this DPA at
any time. If there is something we view as a material change, we will notify our customers via email 30
days in advance of the change and will offer our customers the right to terminate the services before
the change takes effect.
Subject-matter and nature of the processing
Backblaze offers two services: a computer backup service, with which a customer can backup its files to
our servers automatically, and a cloud storage service, with which the customer can upload files to our
servers (together the “Services”). To the extent that these files are uploaded by or on behalf of a
Customer and they contain personal data as defined in the GDPR, Backblaze processes this data as a
processor, as defined in the GDPR.
Type of personal data and categories of data subjects
The types of personal data and categories of data subjects processed in the context of Backblaze’s
Services depend on the content of files uploaded to servers by or on behalf of its Customers.
Backblaze will only process the Files for the performance of the Service to the Customer, on the
documented instructions from the Customer, and to comply with laws to which Backblaze is subject. Where
Backblaze processes Files to comply with a legal requirement, it shall inform the Customer which
uploaded the data thereof before processing, unless that law prohibits such information on important
grounds of public interest.
Backblaze processes any Files for the duration it provides the Services to the customer. When the
Customer cancels their Backblaze subscription and deletes their Backblaze account, Backblaze will delete
the files stored for the period set out in the Backblaze Terms of Service.
For Backblaze Customers who establish their Backblaze account in the EU (EU-Central region), the Files
uploaded by or on behalf of Customers to Backblaze are stored in the EU and are not transferred outside
of the EU unless directed by the Backblaze Customer. By making such a request, the Customer is giving
Backblaze permission to perform the transfer of the requested Files, including the transfer of the
requested Files to the United States as applicable.
For Backblaze Customers who establish their Backblaze account in the US (US-West region), the Backblaze
servers where your uploaded Files will reside is located in the United States. This means a Customer with
a US-based Backblaze account, who resides in the European Economic Area (“EEA”) and uses Backblaze’s
Services, will have their Files transferred outside of the EEA and stored in the United States. By accepting
Backblaze’s Terms of Service and/or by using Backblaze’s services, a Customer is considered to have given
instructions to do so when using Backblaze’s Services.
In light of the recent ruling issued by the Court of Justice of the European Union on the invalidation of the
EU-U.S. Privacy Shield, and the recent opinion provided by the Federal Data Protection and Information Commissioner
(FDPIC) of Switzerland on the inadequacy of the Swiss-U.S. Privacy Shield Framework, we are no longer relying on
these frameworks when transferring personal information from the EEA and Switzerland to the United States.
We continue to comply with applicable EU data transfer requirements, including adherence to no less than the
principles of the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks. We are closely monitoring development of
international data-transfer mechanisms under the GDPR and will update our policies accordingly. Additional information
can be found in the International Data Transfer section of the Backblaze Privacy Notice
Backblaze ensures that persons authorized to process the Files have committed themselves to
Backblaze with regard to Files shall implement appropriate technical and organizational measures to
ensure a level of security appropriate to the risk, taking into account the state of the art, the costs
of implementation and the nature, scope, context and purposes of processing as well as the risk of
varying likelihood and severity for the rights and freedoms of natural persons.
The Customer, by accepting Backblaze’s Terms of Service and/or by using Backblaze’s Services, authorizes
Backblaze to engage processors for processing the Files of Customers. If Backblaze engages other
processors, Backblaze shall inform the customer, thereby giving the Customer the opportunity to object
to such changes. When Backblaze engages a processor, it shall impose data protection obligations which
are no less onerous as those set out in this DPA on that other processor by way of a contract or other
legal act, in particular providing sufficient guarantees to implement appropriate technical and
organizational measures in such a manner that the processing will meet the requirements of the GDPR.
Where that other processor fails to fulfil its data protection obligations, Backblaze remains fully
liable to the Customer for the performance of that other processor's obligations, but only to the extent
that Backblaze can be held liable under its Terms of Service. A list of the subprocessors that Backblaze
engages to process Files is available upon request to [email protected]
Assistance with exercise of rights
At the request of a Customer, Backblaze shall assist it by appropriate technical and organizational
measures, taking into account the nature of the processing and insofar as this is possible, for the
fulfilment of the Customer’s obligation to respond to requests for exercising the data subject's rights
laid down in Chapter III of the GDPR.
Assistance with security, data breaches and DPA
Backblaze shall assist the Customer in ensuring compliance with the obligations pursuant to Articles 32
to 36 of the GDPR, taking into account the nature of processing and the information available to
Backblaze. In the unlikely event of a data breach, as defined in the GDPR, Backblaze will without undue
delay send its affected customers a notification email, and provide at its discretion, updates through
other communications channels. This notification will describe the nature of the data breach, including
where possible, the categories and approximate number of data subjects concerned, the categories and
approximate number of personal data records concerned, the contact point where more information can be
obtained, the likely consequences of the personal data breach, and the measures taken or proposed to be
taken by Backblaze to address the data breach, including, where appropriate, measures to mitigate its
possible adverse effects. A “data breach” does not include a Backblaze account being accessed via valid
credentials unless those credentials were exposed through some action or fault of Backblaze or one of
Deletion and return of Files
Backblaze shall, at the choice of the Customer, delete or return all the Files to the Customer after the
end of the provision of the Services subject to any fee applicable at that time, and delete existing
copies within the period set out under “Duration,” unless applicable law requires storage of such data.
Subject to any fee applicable at the time, Customers may request copies (i.e., return) of their Files
within their Backblaze account prior to cancelling their Services.
Backblaze shall at the request of a Customer make available to it all information reasonably necessary
to demonstrate compliance with the obligations under this DPA, including a copy of the most recent
report on such compliance performed at the request of Backblaze by an external auditor, if available,
and only if the Customer agrees to keep such information confidential under a non-disclosure agreement
provided by Backblaze. Backblaze shall immediately inform the Customer if, in its opinion, an
instruction infringes the GDPR data protection provisions applicable to the Customer and/or Backblaze.
For further information on our compliance with the GDPR, please visit our knowledge base at help.backblaze.com
or contact us at [email protected]