Data Processing Agreement

How we process personal data for our business customers

Effective: February 1, 2026 | Last Updated: February 1, 2026

Applicability: This Data Processing Agreement ("DPA") applies to business customers who use Bluetick services and where Bluetick processes personal data on behalf of the customer. Individual consumers should refer to our Privacy Policy.

This Data Processing Agreement ("DPA") forms part of the Master Service Agreement or Terms of Service ("Agreement") between Bluetick Network LLP ("Data Processor," "Bluetick," "we," "us") and the customer ("Data Controller," "Customer," "you") using our services.

1. Definitions

"Personal Data": Any information relating to an identified or identifiable natural person as defined under applicable data protection laws.
"Processing": Any operation performed on Personal Data, including collection, storage, use, disclosure, and deletion.
"Data Controller": The entity that determines the purposes and means of processing Personal Data (the Customer).
"Data Processor": The entity that processes Personal Data on behalf of the Data Controller (Bluetick).
"Sub-processor": A third party engaged by Bluetick to process Personal Data on behalf of the Customer.
"Data Subject": An individual whose Personal Data is processed.
"Applicable Laws": GDPR, CCPA, India DPDP Act, and any other applicable data protection regulations.

2. Scope of Processing

2.1 Subject Matter

This DPA governs the processing of Personal Data by Bluetick when providing digital business card and networking services to the Customer.

2.2 Categories of Personal Data

  • Contact information (name, email, phone)
  • Professional information (job title, company)
  • Profile photos and images
  • Business card scan data
  • Connection and networking data
  • Usage and analytics data
  • Payment information (processed by third parties)
  • Device and technical identifiers

2.3 Categories of Data Subjects

  • Customer employees and team members
  • Contacts and connections of the Customer's users
  • Individuals who interact with the Customer's digital business cards

2.4 Duration of Processing

Processing will continue for the duration of the Agreement and until all Personal Data is deleted or returned in accordance with this DPA.

3. Customer Obligations

As Data Controller, you are responsible for:

  • Ensuring you have a lawful basis to collect and share Personal Data with Bluetick
  • Providing appropriate notices to Data Subjects about data processing
  • Obtaining necessary consents where required by law
  • Ensuring accuracy and completeness of Personal Data provided
  • Responding to Data Subject requests and exercising their rights
  • Complying with all applicable data protection laws
  • Notifying Bluetick of any changes affecting data processing

4. Bluetick's Obligations

4.1 Processing Instructions

We will process Personal Data only on your documented instructions, unless required by law to do otherwise.

4.2 Confidentiality

We ensure that persons authorized to process Personal Data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality.

4.3 Security Measures

We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.

4.4 Sub-processing

We will not engage another processor without your prior written authorization. We maintain a list of authorized sub-processors.

4.5 Assistance

We assist you in responding to Data Subject requests and ensuring compliance with obligations under data protection laws.

4.6 Deletion/Return

Upon termination, we will delete or return all Personal Data at your choice, unless legal requirements mandate retention.

4.7 Audit Rights

We make available all information necessary to demonstrate compliance and allow for audits by you or an auditor mandated by you.

5. Security Measures

Bluetick implements the following technical and organizational security measures:

Encryption

  • AES-256 encryption at rest
  • TLS 1.3 in transit
  • End-to-end encryption for sensitive data

Access Control

  • Role-based access control
  • Multi-factor authentication
  • Regular access reviews

Infrastructure

  • SOC 2 compliant hosting
  • Geographic redundancy
  • DDoS protection

Monitoring

  • 24/7 security monitoring
  • Intrusion detection systems
  • Regular vulnerability scans

Personnel

  • Background checks
  • Security training
  • Confidentiality agreements

Incident Response

  • Documented response plan
  • Regular drills
  • 72-hour notification

6. Sub-processors

We use the following sub-processors to provide our services:

Sub-processor | Purpose | Location
Supabase Inc. | Database and authentication | USA (Mumbai region)
Cloudinary Ltd. | Media storage and processing | USA/EU
Razorpay Software Pvt. Ltd. | Payment processing | India
Google LLC (Firebase) | Analytics and notifications | USA
Digital Ocean, Inc. | Web hosting | USA (BLR region)
Vercel Inc. | Edge hosting | Global CDN

You may subscribe to sub-processor updates by emailing [email protected]. We will notify you of any new sub-processors at least 30 days before engagement.

7. International Data Transfers

Where Personal Data is transferred outside of India, the EEA, UK, or Switzerland, we ensure appropriate safeguards through:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Binding Corporate Rules where applicable
  • Adequacy decisions for transfers to recognized countries
  • Supplementary measures as required by the Schrems II decision

8. Data Subject Requests

Bluetick will assist you in responding to Data Subject requests, including:

  • Right of access
  • Right to rectification
  • Right to erasure ("right to be forgotten")
  • Right to restriction of processing
  • Right to data portability
  • Right to object

We will promptly notify you if we receive a request from a Data Subject regarding their Personal Data, unless prohibited by law.

9. Data Breach Notification

In the event of a Personal Data breach, Bluetick will:

1. Notify you without undue delay, and in any event within 72 hours of becoming aware
2. Provide all information reasonably required for you to meet notification obligations
3. Cooperate with you and take reasonable steps to assist in investigation and mitigation
4. Document all breaches and maintain records of remedial actions taken

10. Audits and Certifications

10.1 Bluetick maintains industry-standard certifications and undergoes regular security assessments.

10.2 Upon reasonable request and subject to confidentiality obligations, we will provide audit reports, certifications, and attestations demonstrating compliance.

10.3 You may conduct an audit (or appoint a third-party auditor) with 30 days' written notice, at your expense, during normal business hours, and subject to reasonable confidentiality requirements.

11. Term and Termination

11.1 Term

This DPA remains in effect for the duration of the Agreement between you and Bluetick.

11.2 Data Return/Deletion

Upon termination, we will, at your election, return or delete all Personal Data within 30 days, unless retention is required by applicable law.

11.3 Survival

Obligations that by their nature should survive termination (including confidentiality and data protection) will remain in effect.

12. Contact & Execution

For DPA-related inquiries, execution of this agreement, or to request a signed copy:

Data Protection Officer

Bluetick Network LLP
138 Atlanta Mall, Motavaracha
Surat - 394101
India

Contact

Email: [email protected]
DPA Requests: [email protected]
Phone: +91 94286 32907

To execute this DPA, contact us at [email protected] with your company details. A countersigned copy will be provided within 5 business days.