1. Definitions
The terms "Personal Data", "Processing", "Controller", "Processor", "Sub-processor", "Data Breach" and "Supervisory Authority" have the meaning given in the GDPR (EU Regulation 2016/679).
2. Subject and scope
This Data Processing Agreement ("DPA") applies to the processing of Personal Data by Blacknel ("Processor") on behalf of the Customer ("Controller") under GDPR Article 28. It is integral to the Master Services Agreement (MSA) signed between the parties.
3. Roles and duration
Customer acts as Controller; Blacknel acts as Processor. This DPA is effective for as long as Blacknel processes Personal Data on behalf of Customer under the MSA, plus applicable retention periods.
4. Nature of processing
Blacknel processes Personal Data solely to operate the Service: digital presence management including unified inbox, social publishing, reviews, ads, AI, and analytics. Types of data processed: User identification data, Customer Content data, usage metrics and communication.
5. Controller's instructions
Blacknel processes Personal Data only on Customer's documented instructions, unless required by applicable law. Service functionality configured by Customer constitutes sufficient documented instructions.
6. Personnel confidentiality
Blacknel ensures that all personnel authorized to process Personal Data are bound by appropriate confidentiality commitments and have received data protection training.
7. Technical and organizational measures (Annex 2)
Blacknel implements security measures aligned with ISO 27001 and SOC 2 Type II (audit in progress). Full details at blacknel.com/security:
- Encryption at rest (AES-256) and in transit (TLS 1.3)
- Row-Level Security in database (multi-tenant isolation)
- Granular RBAC with permission checks across 3 layers
- Immutable append-only audit log
- Mandatory 2FA for employees
- Quarterly security reviews
- Private bug bounty program
- Daily backups with point-in-time recovery
8. Authorized sub-processors (Annex 1)
Customer authorizes the use of the sub-processors listed at blacknel.com/privacy, with 30-day prior notice for substantial changes. Customer has the right to object to a new sub-processor; if the objection is not resolved, Customer may terminate the MSA without penalty.
9. Data subject requests
Blacknel assists Customer with appropriate technical and organizational measures to respond to Data Subject requests (access, rectification, deletion, portability). Where a request about Customer data is made directly to Blacknel, we forward it to Customer without undue delay.
10. Breach notification
In the event of a Personal Data breach, Blacknel will notify Customer without undue delay and no later than 48 hours after becoming aware, with the information required under GDPR Article 33.3.
11. DPIAs and prior consultations
Blacknel provides Customer with the information reasonably needed for Customer to perform Data Protection Impact Assessments (DPIAs) or prior consultations with the Supervisory Authority under GDPR Arts. 35–36.
12. International transfers (Annex 3)
For transfers of Personal Data outside the EEA, Blacknel adopts the Standard Contractual Clauses (SCC) approved by the European Commission (Decision 2021/914, Module Two: Controller-to-Processor). Upon request, Blacknel provides specific Transfer Impact Assessments (TIA).
13. Audits and inspections
Blacknel makes available to Customer all information needed to demonstrate compliance with GDPR Art. 28 obligations. Enterprise customers may request on-site or third-party audits with 30 days' notice, subject to NDA and reasonable operational restrictions.
14. Return or deletion of data
Upon MSA termination, Blacknel deletes or returns (at Customer's choice) all Personal Data processed, unless applicable law requires further retention. Deletion is executed within 90 days after termination.
15. Liability
Liability under this DPA is subject to the limitations set in the MSA. Nothing in this DPA limits Data Subject rights under GDPR or applicable local law.
16. How to sign the DPA
If your organization requires a signed DPA, write to legal@blacknel.com with your legal name, jurisdiction, and DPO contact. We process DPA requests within 5 business days.