# DATA PROCESSING AGREEMENT (DPA)
## Between GeoChain and Backblaze B2

**Last Updated: November 3, 2025**

**Effective Date: [Date of Implementation]**

---

## PREAMBLE

This Data Processing Agreement (hereinafter "DPA") is entered into between GeoChain (hereinafter "Controller") and Backblaze, Inc., operator of Backblaze B2 cloud storage service (hereinafter "Processor").

This DPA governs the processing of personal data by Backblaze B2 in its role as a data processor on behalf of GeoChain, the data controller. This DPA is concluded pursuant to Article 28 of the General Data Protection Regulation (GDPR/Regulation 2016/679) and implements Standard Contractual Clauses (Module 2: Controller-to-Processor) approved by the European Commission.

---

## 1. SUBJECT & SCOPE

### 1.1 Subject Matter

This DPA applies to the processing of personal data collected by GeoChain and transmitted to Backblaze B2 for storage, backup, and related operational purposes.

### 1.2 Processing Activities

Backblaze B2 will process personal data for the following purposes:
- Cloud storage and backup of user data and system information
- Disaster recovery and business continuity
- Technical infrastructure operations
- System maintenance and support
- Incidental processing necessary to provide storage services

### 1.3 Categories of Personal Data

The personal data processed includes:
- User email addresses and account information
- Wallet addresses and cryptocurrency identifiers
- Transaction records and metadata
- Backup copies of user-generated data
- Technical logs and system data (IP addresses, timestamps)
- Aggregated and anonymized analytics data

### 1.4 Categories of Data Subjects

Data subjects include:
- GeoChain users (Sellers and Buyers)
- Users accessing GeoChain services
- Indirect beneficiaries of backup and recovery services

### 1.5 Duration of Processing

This DPA remains in effect for the duration of the Backblaze B2 service agreement between GeoChain and Backblaze B2, unless earlier terminated by either party.

---

## 2. PROCESSOR OBLIGATIONS

### 2.1 Processing Instructions

Backblaze B2 agrees to process personal data only in accordance with:
- Documented instructions from GeoChain
- This Data Processing Agreement
- Applicable data protection laws and regulations
- Security and confidentiality requirements specified herein

Backblaze B2 shall not process personal data for independent purposes or in ways not authorized by GeoChain.

### 2.2 Confidentiality Obligations

Backblaze B2 commits to:
- Ensure all personnel with access to personal data are bound by confidentiality
- Implement appropriate training on data protection obligations
- Restrict data access to personnel with legitimate business need
- Maintain confidentiality even after termination of employment or service

### 2.3 Data Security Measures

Backblaze B2 shall implement and maintain the following technical and organizational security measures:

**Technical Measures:**
- Encryption of data in transit (TLS/SSL with 256-bit cipher suites or equivalent)
- Encryption of data at rest (AES-256 or equivalent)
- Secure authentication mechanisms (multi-factor authentication for administrative access)
- Firewalls and intrusion detection/prevention systems
- Regular security patching and vulnerability management
- Network segmentation and access controls
- Automated backup and redundancy systems

**Organizational Measures:**
- Regular security audits and penetration testing
- Incident response procedures
- Personnel background checks for administrative staff
- Data protection training for personnel
- Physical security controls for data centers
- Access logging and monitoring
- Disaster recovery and business continuity planning

### 2.4 Sub-processors

Backblaze B2 shall not engage sub-processors without prior written authorization from GeoChain. Current authorized sub-processors include:
- Amazon Web Services (AWS) - cloud infrastructure
- Content delivery networks (CDNs) as needed

For any new sub-processor engagement, Backblaze B2 shall:
- Notify GeoChain in advance (minimum 30 days)
- Provide details of sub-processor role and data access
- Obtain GeoChain's written approval
- Implement Data Processing Agreements with sub-processors
- Remain liable to GeoChain for sub-processor performance

### 2.5 Data Subject Rights Support

Backblaze B2 agrees to support GeoChain's compliance with data subject rights by:
- Providing tools and interfaces for data access/export
- Assisting with data deletion/anonymization requests
- Providing evidence of data destruction upon request
- Supporting data portability requests in machine-readable format
- Responding to queries regarding data processing within 10 business days

### 2.6 Data Return and Deletion

Upon termination or expiration of this DPA:
- Backblaze B2 shall delete or return all personal data within 30 days
- Deletion shall include all backup copies and redundancy systems
- GeoChain may request data be returned instead of deleted
- Backblaze B2 shall provide written certification of deletion
- Backblaze B2 shall not retain personal data after termination

**Exception:** Data must be retained if legally required (tax retention, litigation hold, regulatory requirements) and must be stored securely and separately.

---

## 3. GDPR COMPLIANCE

### 3.1 Legal Basis

This DPA ensures GeoChain's processing of personal data through Backblaze B2 is compliant with GDPR legal bases including:
- Contractual necessity (service provision)
- Legal obligation (regulatory compliance)
- Legitimate interests (service improvement, security)
- Explicit consent (where applicable)

### 3.2 Standard Contractual Clauses

The parties incorporate by reference the Standard Contractual Clauses (Module 2: Controller-to-Processor) as approved by the European Commission decision (C(2021)3972) of June 4, 2021.

These SCCs are available at: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en

The SCCs govern data transfers from the European Union/European Economic Area to the United States and provide legally binding commitments to protect personal data.

### 3.3 International Data Transfers

Backblaze B2 acknowledges that personal data may be transferred to and processed in the United States. The parties implement the following supplementary safeguards to address potential surveillance risks:

**Supplementary Safeguards:**
- Enhanced encryption of personal data
- Minimization of personal data transferred
- Contractual limitations on Backblaze B2 data use
- Audit rights for GeoChain
- Incident notification requirements
- Data subject rights enforcement

### 3.4 Compliance with Schrems II

This DPA reflects the requirements of the CJEU Schrems II decision by implementing:
- Appropriate supplementary safeguards beyond SCCs
- Regular Transfer Impact Assessments
- Enhanced monitoring of US surveillance laws
- Option for data localization in EU where feasible

---

## 4. DATA PROTECTION AUDIT & MONITORING

### 4.1 Audit Rights

GeoChain retains the right to:
- Audit Backblaze B2's compliance with this DPA
- Request security assessments and certifications
- Conduct periodic compliance reviews
- Inspect security measures upon reasonable notice
- Request evidence of security implementation

### 4.2 Security Certifications

Backblaze B2 commits to maintain certifications including:
- SOC 2 Type II certification
- ISO 27001 certification
- Other relevant security standards as available

Backblaze B2 shall provide copies of certifications upon request.

### 4.3 Incident Notification

Backblaze B2 shall notify GeoChain within 24 hours of discovering any:
- Data breach or unauthorized access to personal data
- System failure or service disruption affecting data availability
- Security vulnerability or attack on infrastructure
- Suspected unauthorized data processing
- Compliance violation or concern

Notification shall include:
- Description of the incident
- Scope of affected data
- Likely consequences
- Measures taken or proposed to address
- Contact person for follow-up

### 4.4 Compliance Certification

Backblaze B2 shall certify semi-annually its compliance with this DPA and applicable data protection laws.

---

## 5. SPECIAL PROVISIONS FOR GDPR COMPLIANCE

### 5.1 Article 28 Compliance

This DPA fulfills the mandatory requirements of GDPR Article 28 including:

**Subject Matter:** Cloud storage and backup services for personal data

**Duration:** Term of Backblaze B2 service agreement

**Nature & Purpose:** Secure storage, backup, disaster recovery, and technical operations

**Types of Personal Data:** User account information, transaction data, technical logs

**Categories of Data Subjects:** GeoChain users and indirect beneficiaries

**Obligations:** As specified in Sections 2-4 of this DPA

### 5.2 Data Subject Rights

Backblaze B2 commits to facilitate GeoChain's compliance with data subject rights:
- Right of Access (GDPR Article 15)
- Right of Rectification (GDPR Article 16)
- Right to Erasure/Deletion (GDPR Article 17)
- Right to Restrict Processing (GDPR Article 18)
- Right to Data Portability (GDPR Article 20)
- Right to Object (GDPR Article 21)

### 5.3 Processor Liability

Backblaze B2 acknowledges liability for:
- Damages caused by breach of GDPR or this DPA
- Failure to comply with processing instructions
- Failure to implement required security measures
- Unauthorized data processing or transfers
- Failure to support data subject rights

### 5.4 Jurisdiction & Dispute Resolution

**Governing Law:** This DPA shall be governed by the laws of the United States, specifically the State of California, without regard to conflict of law principles. GDPR shall supersede state law to the extent it provides greater protection.

**Dispute Resolution:**
1. Parties shall attempt good faith resolution
2. Binding arbitration in accordance with UNCITRAL rules
3. Either party may enforce GDPR rights through regulatory authorities

---

## 6. LIMITATION OF LIABILITY

### 6.1 Cap on Damages

Notwithstanding any other provision, Backblaze B2's aggregate liability under this DPA shall not exceed the fees paid by GeoChain to Backblaze B2 in the 12 months preceding the incident giving rise to liability.

### 6.2 Excluded Damages

Neither party shall be liable for indirect, incidental, consequential, special, or punitive damages, including loss of profits, data loss, or business interruption, even if advised of the possibility of such damages.

---

## 7. FORCE MAJEURE

Neither party shall be liable for failure to perform obligations due to causes beyond reasonable control, including:
- Natural disasters
- War, terrorism, or civil unrest
- Pandemics or epidemics
- Government actions or regulations
- Telecommunications failures
- Power outages
- Cyber attacks or security incidents

---

## 8. TERM & TERMINATION

### 8.1 Effective Date

This DPA is effective as of the date of last signature and continues for the duration of the underlying Backblaze B2 service agreement.

### 8.2 Termination

This DPA shall terminate upon:
- Termination of the underlying Backblaze B2 service agreement
- Mutual written agreement of the parties
- Material breach by either party not cured within 30 days of notice
- Unilateral termination by GeoChain for convenience with 60 days' notice

### 8.3 Effect of Termination

Upon termination:
- All processing must cease within 30 days
- Personal data must be deleted or returned per Section 2.6
- Confidentiality obligations survive indefinitely
- Audit rights survive for 3 years
- Accrued rights and obligations remain enforceable

---

## 9. AMENDMENTS & MODIFICATIONS

### 9.1 Amendments

Amendments to this DPA require written agreement of both parties. Backblaze B2 may not unilaterally impose amendments that reduce data protection standards.

### 9.2 Regulatory Changes

If changes in data protection laws require modifications to this DPA, the parties agree to negotiate in good faith to maintain equivalent protection levels.

---

## 10. SEVERABILITY & ENTIRE AGREEMENT

### 10.1 Severability

If any provision of this DPA is found invalid or unenforceable, the remaining provisions remain in full effect and the parties shall negotiate a replacement provision maintaining the original intent.

### 10.2 Entire Agreement

This DPA, together with the Backblaze B2 Service Agreement and any referenced policies, constitutes the entire agreement regarding personal data processing and supersedes all prior understandings.

---

## 11. SIGNATURE

**By entering into this DPA, the parties acknowledge:**
- They have authority to bind their respective organizations
- They have reviewed and understood all provisions
- They commit to compliance with GDPR and data protection obligations
- They accept the terms and conditions herein

---

**DATA PROCESSING AGREEMENT**

**GeoChain (Data Controller)**

Date: _______________

Authorized Representative: _______________

Name/Title: _______________

Email: _______________

---

**Backblaze, Inc. / Backblaze B2 (Data Processor)**

Date: _______________

Authorized Representative: _______________

Name/Title: _______________

Email: _______________

---

## APPENDIX A: SECURITY MEASURES IMPLEMENTATION

### A.1 Technical Controls

**Encryption:**
- In Transit: TLS 1.2 or higher
- At Rest: AES-256 encryption
- Key Management: Industry-standard practices

**Access Control:**
- Multi-factor authentication for administrative access
- Role-based access control (RBAC)
- Principle of least privilege
- Regular access reviews

**Network Security:**
- Firewalls and intrusion detection
- DDoS protection
- Secure VPN for administrative access
- Network segmentation

**Monitoring & Logging:**
- Continuous security monitoring
- Comprehensive access logging
- Intrusion detection systems
- Regular log review

### A.2 Organizational Controls

**Personnel Security:**
- Background checks for sensitive roles
- Confidentiality/NDA agreements
- Annual security training
- Incident response training

**Physical Security:**
- Secure data center facilities
- Biometric access controls
- CCTV monitoring
- Environmental controls

**Incident Response:**
- 24/7 security operations center
- Documented incident response procedures
- Forensics capability
- Regular tabletop exercises

**Business Continuity:**
- Redundant systems and backups
- Disaster recovery procedures
- Geographic data distribution
- Regular recovery testing

---

**END OF DATA PROCESSING AGREEMENT**

**Document Version**: 1.0

**Language**: English

**Last Updated**: November 3, 2025