BlueNexus — Universal Data Processing Agreement (DPA)

This Data Processing Agreement (“DPA”) forms part of the agreement between BlueNexus Tech Pty Ltd (“BlueNexus”, “Processor”) and the Developer, Customer, or Enterprise using the BlueNexus Platform (“Developer”, “Controller”).

This DPA governs the Processing of Personal Data through the BlueNexus Platform, including both Developer-Managed Accounts and Sovereign BlueNexus Accounts.

Section 1 — Definitions

1.1 “Account”

Means any Developer, Enterprise, or End User account registered on the BlueNexus Platform, including Developer-Managed Accounts and Sovereign BlueNexus Accounts.

1.2 “Additional Services”

Means optional or usage-based services offered by BlueNexus that fall outside the Core Services, including but not limited to non-confidential LLM access, premium integrations, expanded compute, additional storage, paid infrastructure add-ons, and third-party service connectors with separate pricing.

1.3 “Applicable Data Protection Laws”

Means all laws governing Personal Data and privacy that apply to the processing performed under this DPA, including but not limited to:

• EU General Data Protection Regulation (“GDPR”)
• UK GDPR
• Australian Privacy Act 1988 (Cth) and Australian Privacy Principles (“APPs”)
• U.S. state privacy laws (including CCPA/CPRA, Virginia CDPA, Colorado Privacy Act, Texas TDPSA, Washington My Health My Data Act)
• HIPAA/HITECH where applicable
• Any successor or equivalent laws globally.

1.4 “BlueNexus”, “Processor”, or “we”

Means BlueNexus Tech Pty Ltd, which processes Personal Data on behalf of the Developer in accordance with this DPA.

1.5 “Confidential Information”

Means all non-public information disclosed by either Party, whether oral, written, electronic, technical, operational, or financial, that is designated as confidential or would reasonably be understood to be confidential.

1.6 “Controller” or “Developer”

Means the Developer or Enterprise using the BlueNexus Platform who determines the purposes and means of processing Personal Data through their application, including where End Users operate Sovereign BlueNexus Accounts.

1.7 “Core Services”

Means the standard BlueNexus infrastructure and platform capabilities provided under the Developer Terms, including:

• Sovereign account control
• Encrypted document storage
• Encrypted file storage
• Confidential compute (TEE-based where supported)
• Authentication and account management
• User Memory services
• MCP server functionality
• Default external service integrations

as updated from time to time in BlueNexus documentation.

1.8 “Data Subject” or “End User”

Means any individual whose Personal Data is processed through the BlueNexus Platform, whether via a Developer-Managed Account or a Sovereign BlueNexus Account.

1.9 “Data Breach”

Means any confirmed unauthorised access, disclosure, alteration, or loss of Personal Data processed by BlueNexus, excluding unsuccessful attempts or attacks that do not compromise the confidentiality, integrity, or availability of Personal Data.

1.10 “Developer-Managed Account”

Means an End User identity created, provisioned, or controlled by the Developer inside the Developer’s application, where the Developer retains custodial access to authentication keys, permissions, or routing rules. Such accounts are not sovereign and remain under the Developer’s control until the End User elects to migrate to a Sovereign BlueNexus Account.

1.11 “Documentation”

Means all technical and operational documentation made available by BlueNexus relating to the Services, including integration guides, APIs, SDKs, and security specifications.

1.12 “Personal Data”

Means any information relating to an identified or identifiable natural person that is processed through the BlueNexus Platform, including encrypted or pseudonymised data where such data qualifies as personal information under Applicable Data Protection Laws.

1.13 “Processing”

Means any operation performed on Personal Data, whether automated or not, including collection, storage, access, transmission, routing, computation, encryption, deletion, analysis, or any similar activity.

1.14 “Services” or “Platform”

Means the BlueNexus infrastructure, APIs, SDKs, confidential compute systems, identity systems, storage systems, MCP server, user memory, and all related products made available to the Developer.

1.15 “Sovereign BlueNexus Account”

Means a non-custodial user account where the End User holds their own cryptographic keys, controls permissions, and independently manages data routing. Even for sovereign accounts, the Developer remains the Controller for any processing initiated by their application, and BlueNexus remains the Processor.

1.16 “Sub-Processor”

Means any third party engaged by BlueNexus to process Personal Data on behalf of the Developer, including cloud providers, confidential compute vendors, integration providers, and communication infrastructure services.

1.17 “TEE” or “Trusted Execution Environment”

Means a secure hardware-based enclave that allows encrypted data to be processed in isolation such that plaintext is inaccessible to BlueNexus, the Developer, and all other third parties, except as explicitly authorised by the End User.

1.18 “User Data” or “End User Data”

Means Personal Data or content relating to an End User that is submitted, stored, transmitted, or processed through the Services via the Developer’s application.

2. Scope of this DPA

2.1 This DPA applies to all Processing of Personal Data performed by BlueNexus on behalf of the Developer through the BlueNexus Platform, APIs, SDKs, confidential compute, storage systems, or integrations (“Services”).

2.2 This DPA applies to:

• Developer-Managed Accounts
• Sovereign BlueNexus Accounts
• Third-party service connections configured by the Developer
• Any Processing performed by BlueNexus within TEEs or other secure infrastructure

2.3 This DPA does not apply where BlueNexus acts as an independent controller (e.g., for billing, fraud prevention, or compliance).

3. Roles of the Parties

3.1 Developer as Data Controller

The Developer determines the purpose and means of Processing carried out through their application, including integrations, MCPs, data flows, compute tasks, consents, and downstream logic. The Developer is the Data Controller under GDPR, CCPA/CPRA, OAIC, and equivalent laws.

For clarity, BlueNexus does not monitor, access, audit, validate, inspect, or supervise any Developer-defined data flows, permission models, integration logic, or processing instructions. BlueNexus executes processing solely as instructed by the Developer’s configuration. All compliance, legal basis, consent collection, and disclosure obligations remain with the Developer in their role as Data Controller.

3.2 BlueNexus as Data Processor

BlueNexus processes Personal Data strictly on documented instructions from the Developer and does not determine how Personal Data is used.

3.3 End User as Data Subject

Individuals interacting with the Developer’s application (including those with Sovereign BlueNexus Accounts) are Data Subjects.

3.4 Sovereign Account Clarification

For Sovereign BlueNexus Accounts:

• The End User holds their own keys and controls cryptographic access;
• The Developer remains the Controller because they define purpose and means;
• BlueNexus remains the Processor because it executes compute and storage functions on the Developer’s behalf;
• BlueNexus operates purely as a zero-access Processor, with no visibility into plaintext data;
• Sovereignty refers to key custody, not legal controllership.

3.5 Sovereign Vault Data

For data stored or processed exclusively within a Sovereign Vault, BlueNexus does not act as a Controller or Processor under GDPR, UK GDPR, the Australian Privacy Act, or U.S. state privacy laws.

This is because:

• the End User exclusively controls encryption keys;
• the End User alone determines the purposes and means of Processing;
• BlueNexus cannot access or decrypt plaintext data;
• BlueNexus performs no meaningful operations other than encrypted routing or TEE activation initiated by the End User.

Accordingly, Sovereign Vault data is outside the scope of this DPA.

3.7 Developer Interaction With Sovereign Vaults

Developers acknowledge that:

• they cannot view, decrypt, or override Sovereign Vault data;
• they may only receive access where explicitly granted by the End User via cryptographic permissions;
• loss of End User keys results in irreversible loss of access;
• BlueNexus cannot restore or recover Sovereign Vault data.

Because no party other than the End User can access plaintext, the handling of Sovereign Vault data does not constitute regulated “processing” by BlueNexus.

4. Processing Instructions

BlueNexus will process Personal Data only:

1. as necessary to operate the Services,
2. as documented in this DPA,
3. as configured through the Developer’s implementation, and
4. as required to comply with applicable law.

BlueNexus will not retain, use, disclose, or process Personal Data for any purpose other than those set by the Developer.

5. Zero-Access Confidential Compute

BlueNexus provides a confidential computing environment where:

• Data remains encrypted in transit, at rest, and in use,
• Compute is performed within hardware-based TEEs,
• BlueNexus cannot view, extract, or decrypt user data,
• Only encrypted payloads and encrypted outputs are visible to BlueNexus,
• No logging of plaintext confidential data occurs within BlueNexus systems.

This applies equally to Developer-Managed and Sovereign Accounts.

5. Developer Responsibilities

The Developer shall:

1. obtain valid user consent for all processing activities, including MCPs, data imports, and connected accounts;
2. configure lawful data routing, integrations, and compute settings;
3. honour data subject rights (access, deletion, correction, revocation);
4. ensure accuracy and lawfulness of Personal Data submitted through the Services;
5. configure whether or not TEEs are used (BlueNexus does not override this configuration);
6. notify BlueNexus of inaccurate, unlawful, or prohibited data processing;
7. developers may not bypass, disable, or attempt to override any sovereign account permissions, user-controlled revocation mechanisms, or BlueNexus-enforced access restrictions. Developers must respect all End User consent signals, permission settings, and account transitions (including migrations from Developer-Managed Accounts to Sovereign BlueNexus Accounts). Any attempt to circumvent these controls is strictly prohibited.

6. Sub-Processors

6.1 BlueNexus may engage Sub-Processors necessary to provide the Service, including but not limited to:

• Cloud hosting providers
• Confidential compute vendors
• Integration providers such as Thryve, 1UpHealth, wearables aggregators
• Messaging, email, and authentication infrastructure

6.2 BlueNexus will:

• ensure each Sub-Processor is bound by equivalent data protection obligations;
• remain responsible for Sub-Processor performance.

6.3 A current list of Sub-Processors will be published in the Documentation.

7. Security Measures

BlueNexus will maintain industry-standard technical and organisational measures, including:

• encrypted storage and transit
• confidential compute
• zero-trust infrastructure
• access minimisation
• audit logging
• strict key-management separation
• privacy-preserving analytics
• incident response program

These measures are further described in the BlueNexus Privacy Policy.

8. Data Breach Notification

In the event of a confirmed breach involving Personal Data, BlueNexus will notify the Developer:

• Without undue delay (within 72 hours where applicable), and
• Provide details of the incident, scope, affected systems, and remediation steps.

Developer is responsible for end-user and regulatory notification unless otherwise agreed.

9. International Transfers

9.1 General Authorization

BlueNexus may transfer Personal Data globally as necessary to provide the Services, subject to the transfer mechanisms described in this Section. The Developer authorizes such transfers through their configuration of regions, integrations, and data routing.

9.2 EU/EEA Personal Data

Transfers of Personal Data originating from the EU/EEA outside the EEA rely on:

• the European Commission’s Standard Contractual Clauses (SCCs), Module 2 (Controller → Processor);
• supplementary technical safeguards including TEE-based in-use encryption; and
• any successor transfer mechanisms adopted by the EU.

9.3 UK Personal Data

Transfers of Personal Data originating from the UK rely on:

• the UK International Data Transfer Addendum (IDTA) or UK Addendum to the SCCs; and
• BlueNexus’s technical and organisational safeguards.

9.4 Australian Personal Information

Transfers of Personal Information originating from Australia comply with the Australian Privacy Principles (APPs), including APP 8 (cross-border disclosure). TEE-based encryption, access separation, and zero-access architecture constitute reasonable steps to ensure materially equivalent protection.

9.5 U.S. State-Law-Regulated Data

For U.S. state privacy laws, transfers outside the originating state are supported by contractual commitments requiring materially equivalent protection, consistent with the CCPA/CPRA, CDPA, CPA, TDPSA, and other applicable laws.

9.6 Transparency of Transfer Destinations

BlueNexus will maintain in the Documentation a list of regions and jurisdictions where Personal Data may be stored, routed, or processed, including cloud environments used for compute, encrypted storage, and communication infrastructure.

9.7 Developer-Selected Regions

Where the Developer selects a region for compute, storage, or external service integration, the Developer is instructing BlueNexus to transfer Personal Data to that region. Such Developer-selected regions are deemed authorised transfer locations under this DPA.

9.8 Supplementary Safeguards

BlueNexus applies the following safeguards to all international transfers:

• TEE-based confidential compute ensuring data remains encrypted in use
• zero-access architecture preventing BlueNexus from decrypting data
• strong encryption (TLS 1.3, AES-256 or equivalent)
• strict access controls and audit logging
• metadata minimisation

These safeguards constitute “appropriate technical and organisational measures” under GDPR Article 46 and equivalent laws.

9.9 Government or Third-Party Requests

BlueNexus will not disclose Personal Data to governmental or regulatory authorities unless legally required to do so. Where legally permitted:

1. BlueNexus will notify the Developer promptly; and
2. limit disclosure to the minimum amount required.

10. Data Subject Rights

10.1 BlueNexus Assistance

BlueNexus will assist the Developer in fulfilling Data Subject rights requests relating to Personal Data processed under this DPA, including access, deletion, correction, export/portability, consent withdrawal, and restriction. Requests must be routed through the Developer unless otherwise required by law.

10.2 Sovereign Account Data Subject Rights

For data stored exclusively within a Sovereign Vault:

• The End User is solely responsible for executing access, deletion, correction, export/portability, and consent-related actions.
• BlueNexus cannot access plaintext data and therefore cannot fulfill Data Subject rights requests relating to Sovereign Vault content.
• Such requests must be performed directly by the End User through their key-controlled account.

10.3 Mixed Requests

If a Data Subject submits a request involving both:

1. Developer-controlled Personal Data; and
2. End-User-controlled Sovereign Vault data,

then BlueNexus will:

• route the request concerning Developer-controlled data to the Developer; and
• inform the End User that Sovereign Vault data must be managed through their own key-controlled interface.

10.4 Developer Notification Duties

The Developer must clearly inform End Users which categories of data:

• are processed by BlueNexus as Processor under this DPA; and
• are exclusively controlled by the End User within a Sovereign Vault.

10.5 Limitations

To the extent permitted by law, BlueNexus is not responsible for fulfilling Data Subject rights requests relating to encrypted content it cannot access, decrypt, or interpret.

11. Data Retention & Deletion

Upon request or termination:

• Developer-Managed Account data is deleted or returned as instructed;
• Sovereign Account data is retained or deleted by the End User directly via their key-controlled account;
• BlueNexus deletes residual encrypted data in accordance with security policy;
• Logs that do not contain plaintext may be retained to comply with legal obligations.

12. Audits & Verification

BlueNexus will:

• maintain SOC2/ISO-style standards,
• provide audit summaries upon request,
• allow regulator-mandated audits,
• not grant raw access to TEEs or sensitive infrastructure (for security reasons).

13. Liability & Indemnity

13.1 BlueNexus’ total liability under this DPA is limited to the fees paid by Developer in the 12 months preceding the event.

13.2 Neither party is liable for indirect or consequential damages.

13.3 Developer indemnifies BlueNexus for misuse, misconfiguration, unlawful processing, or breach of user consent obligations.

14. Term & Termination

This DPA takes effect upon acceptance of the Developer Terms and remains in force as long as BlueNexus processes data for the Developer.

Upon termination:

• Developer must delete all API keys
• BlueNexus will delete or return Personal Data as instructed
• Sovereign Account data remains under End User control

15. Governing Law

This DPA is governed by the laws of New South Wales, Australia.