Data Processing Agreement

Last Updated: 23.12.2025

Introduction

This Universal Data Processing Agreement (“DPA”) forms part of the agreement between BlueNexus Tech Pty Ltd (“BlueNexus”, “Processor”, or “Service Provider”) and the organisation entering this DPA (“Developer”, “Customer”, or “Controller”).

This DPA governs the Processing of Personal Data by BlueNexus on behalf of the Developer under:

  • the Developer Terms of Use, and/or
  • any applicable Enterprise Agreement (collectively, the “Agreement”).

This DPA applies only to organisations processing Personal Data for business purposes.

It does not apply to individual end users, Personal Accounts, or personal/household use of the Services.

If the DPA conflicts with an Enterprise Agreement, the Enterprise Agreement prevails.

1. Definitions

All capitalised terms not defined here have the meanings set out in the Agreement.

“Affiliate” means an entity that directly or indirectly controls, is controlled by, or is under common control with a party.

“Applicable Data Protection Laws” include the GDPR, UK GDPR, CCPA/CPRA, APPs (Australia), and other privacy laws applicable to the Processing of Personal Data.

“Controller”, “Processor”, “Subprocessor”, and “Processing” have the meanings given in the GDPR.

“Developer Data” means any data, content, or information submitted, routed, stored, or transmitted by Developer or its End Users through the Services.

“End User” means an individual who uses a Developer's application or service that integrates BlueNexus.

“Personal Data” means any information relating to an identified or identifiable natural person.

“Sovereign Vault” means a user-controlled environment offered by BlueNexus where Personal Data is encrypted at rest, in transit, and in use, such that BlueNexus cannot access decrypted content.

Clarification on Processing vs Access

For the avoidance of doubt, references to processing by BlueNexus include automated processing performed by the Platform. Such processing does not imply human access to Personal Data by BlueNexus personnel, except where access is explicitly provided by the Controller for support, compliance, or lawful purposes.

2. Roles of the Parties

2.1 Developer as Controller

Developer acts as Controller of Personal Data processed through its use of the Services.

2.2 BlueNexus as Processor / Service Provider

BlueNexus acts as:

  • a Processor under GDPR/UK GDPR,
  • a Service Provider / Contractor under the CCPA/CPRA, and
  • a Processor under other similar laws,

to the extent BlueNexus processes Personal Data on behalf of Developer.

2.3 Sovereign Vault Exclusion

Personal Data processed within a Sovereign Vault is processed using confidential compute or Trusted Execution Environment (TEE) mechanisms designed to prevent human access to decrypted data by BlueNexus personnel.

Such processing constitutes “processing” for the purposes of Applicable Data Protection Laws. However, BlueNexus does not access, view, or otherwise handle decrypted Personal Data processed within a Sovereign Vault, except where explicitly authorised by the Controller or required by law.

Nothing in this clause alters the parties’ respective roles or obligations under Applicable Data Protection Laws, including their independent responsibilities as controller or processor (as applicable).

3. Developer Instructions

BlueNexus will Process Personal Data only:

  • on documented instructions from Developer,
  • to provide and secure the Services,
  • to comply with law,
  • as required for billing/administration,
  • as needed to fulfil the Agreement.

Developer is responsible for ensuring its instructions comply with Applicable Data Protection Laws.

4. Confidentiality

BlueNexus will ensure that persons authorised to Process Personal Data are bound by confidentiality obligations.

5. Security

5.1 Technical and Organisational Measures

BlueNexus implements industry-standard security measures appropriate to risk, including:

  • encryption in transit,
  • encryption at rest,
  • encrypted-in-use processing via TEEs where available,
  • access controls,
  • network and infrastructure protections,
  • credential protection,
  • secure software development practices.

5.2 Confidential Compute / TEE Processing

Where Personal Data is processed inside TEEs or similar confidential-compute environments:

  • BlueNexus does not access decrypted data;
  • Processing is hardware-isolated;
  • attestation is performed to validate secure execution.

6. Subprocessors

6.1 Authorisation

Developer grants BlueNexus general authorisation to engage Subprocessors.

6.2 List of Subprocessors

BlueNexus will maintain a list of Subprocessors and make it available to the Developer.

6.3 Notice and Objection Right (GDPR-only)

Where required by GDPR, BlueNexus will notify the Developer of any intended addition or replacement of a Subprocessor.

The Developer may object to such change on reasonable grounds relating to data protection by notifying BlueNexus within a reasonable period.

If the Developer objects to a Subprocessor and BlueNexus reasonably determines that it cannot provide the Services (or a material part of the Services) without engaging that Subprocessor, BlueNexus may, at its option:

(a) provide the Services without the use of the relevant Subprocessor, where reasonably practicable;

(b) limit, suspend, or modify the affected Services; or

(c) terminate the affected Services (or this DPA) without liability.

6.4 Subprocessor Obligations

BlueNexus will ensure that each Subprocessor is subject to contractual obligations that require the Subprocessor to implement appropriate technical and organisational measures to protect Personal Data, taking into account the nature of the services provided and the risks associated with the relevant processing.

Such obligations are intended to provide a level of protection that is no less protective in substance than that required under Applicable Data Protection Laws, but do not require identical security controls, compliance certifications, or audit standards to those applied by BlueNexus.

Where BlueNexus makes available optional or non-core services that rely on third-party providers with different compliance characteristics, such differences may be disclosed to Developers or customers, and the use of such services may be subject to additional terms or configuration choices.

7. Assistance to Developer

BlueNexus will assist Developer by:

  • responding to data subject requests (to the extent applicable),
  • assisting with DPIAs,
  • providing available security and compliance documentation,
  • supporting consultations with data protection authorities where required.

8. Personal Data Breaches

8.1 Notification

BlueNexus will notify Developer without undue delay after becoming aware of a Personal Data Breach involving Personal Data Processed on Developer’s behalf.

8.2 Developer Cooperation

Developer must cooperate with BlueNexus in good faith, including providing timely and accurate information necessary for joint assessment or notifications.

8.3 Cost Allocation

If a breach results from Developer’s misuse, misconfiguration, or insecure integration, Developer is responsible for reasonable costs associated with required notifications.

9. International Transfers

9.1 Cross-Border Transfers

BlueNexus will ensure transfers of Personal Data outside the relevant jurisdiction comply with Applicable Data Protection Laws.

9.2 Standard Contractual Clauses (SCCs)

Where required by the GDPR or UK GDPR:

  • the SCCs are incorporated by reference into this DPA,
  • BlueNexus is the “data importer”,
  • Developer is the “data exporter”.

Module 2 (Controller > Processor) applies unless otherwise agreed.

9.3 Supplementary Measures

Confidential compute (TEE processing), encrypted-in-use architecture, and other measures described in the Enterprise Privacy & Compliance Framework may be applied as supplementary measures.

10. Deletion and Return of Data

Upon termination of the Agreement:

  • BlueNexus will delete or return Personal Data processed on behalf of Developer, unless retention is required by law or as described in the Privacy Policy,
  • The Developer is responsible for exporting any data it wishes to retain prior to termination, and
  • Developer-Managed Accounts (including associated user accounts provisioned or managed by the Developer) will be deleted, together with data processed through those accounts, to the extent such data is controlled by the Developer through the Services.

For the avoidance of doubt, content stored within a Sovereign Vault remains under the control of the relevant end user and is not deleted by BlueNexus upon termination of this Agreement unless instructed by the user or required by law.

11. Audits

11.1 Audit Mechanism

Developer may audit BlueNexus’s compliance with this DPA through:

  • independent compliance certifications (e.g., SOC2, ISO),
  • TEE attestation reports,
  • third-party audit summaries provided by BlueNexus.

11.2 Regulatory Access

BlueNexus will support reasonable requests from data protection authorities to the extent legally required.

11.3 On-Site Audits

On-site audits may be permitted where required by law, with reasonable notice and subject to confidentiality and security controls.

12. Liability

The liability limitations in the Agreement apply to this DPA.

Nothing in this DPA excludes or limits:

  • liability that cannot be excluded under Applicable Data Protection Laws, including the Australian Consumer Law,
  • liability for unauthorised use or disclosure of Personal Data caused by a party’s wilful misconduct.

13. Governing Law

This DPA is governed by the governing law specified in the Agreement.

If the parties have entered an Enterprise Agreement with a different governing law, that agreement prevails.

14. Term

This DPA remains in effect for as long as BlueNexus Processes Personal Data on behalf of the Developer.