Data Processing Addendum

1. Definitions

This Data Processing Addendum ("DPA") forms part of the Terms of Service between Blam.AI ("Processor") and Customer ("Controller") and governs the processing of Personal Data in connection with the Services.

• Personal Data: Any information relating to an identified or identifiable natural person
• Processing: Any operation performed on Personal Data, including collection, storage, and use
• Data Subject: The natural person to whom Personal Data relates
• Controller: The entity that determines the purposes and means of processing Personal Data
• Processor: The entity that processes Personal Data on behalf of the Controller

2. Scope and Purpose

Blam.AI processes Personal Data solely for the purpose of providing the Services as described in the Terms of Service. Processing is limited to the following categories:

• User account information and authentication data
• Service usage data and analytics
• Customer support communications
• Billing and payment information
• Technical logs and system monitoring data

3. Data Subject Rights

Blam.AI will assist Customer in fulfilling Data Subject rights requests, including:

• Right of access to Personal Data
• Right to rectification of inaccurate Personal Data
• Right to erasure ("right to be forgotten")
• Right to restrict processing
• Right to data portability
• Right to object to processing

4. Security Measures

Blam.AI implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

• Encryption of Personal Data in transit and at rest
• Regular security assessments and penetration testing
• Access controls and authentication mechanisms
• Employee training on data protection
• Incident response and breach notification procedures

5. International Transfers

Personal Data may be transferred to and processed in countries other than the country where Customer is located. Such transfers will be subject to appropriate safeguards, including:

• Standard Contractual Clauses approved by the European Commission
• Adequacy decisions by relevant data protection authorities
• Other legally recognized transfer mechanisms

6. Sub-processors

Blam.AI may engage sub-processors to assist in providing the Services. A current list of sub-processors is available upon request. Customer will be notified of any changes to sub-processors with at least 30 days' notice.

7. Data Breach Notification

In the event of a Personal Data breach, Blam.AI will notify Customer without undue delay and in any case within 72 hours of becoming aware of the breach. The notification will include available information about the nature of the breach and recommended mitigation measures.

8. Data Retention and Deletion

Upon termination of the Services, Blam.AI will delete or return all Personal Data to Customer within 30 days, unless longer retention is required by applicable law. Customer may request earlier deletion of specific Personal Data categories.