Data Processing Agreement (DPA)

This Data Processing Agreement ("DPA") is entered into between the customer ("Controller") and BlockForge Technologies LLC ("Processor") in accordance with Article 28 of the General Data Protection Regulation (GDPR). This DPA governs the processing of personal data by the Processor on behalf of the Controller in connection with the BlockForge platform services.

This DPA supplements and forms part of the BlockForge Terms of Service and Privacy Policy.

1. Definitions

"Personal Data" means any information relating to an identified or identifiable natural person as defined in Article 4(1) GDPR.
"Processing" means any operation performed on personal data as defined in Article 4(2) GDPR.
"Controller" means the customer who determines the purposes and means of processing personal data.
"Processor" means BlockForge Technologies LLC, which processes personal data on behalf of the Controller.
"Sub-processor" means any third party engaged by the Processor to process personal data on behalf of the Controller.

2. Subject and Duration

The Processor processes personal data on behalf of the Controller for the purpose of providing WordPress monitoring, backup, security scanning, uptime monitoring, and site management services through the BlockForge platform.

This DPA is effective for the duration of the Controller's use of BlockForge services and terminates upon expiration or termination of the service agreement.

3. Nature and Purpose of Processing

The Processor processes personal data solely for the purpose of providing and maintaining the BlockForge platform services, including:

WordPress site monitoring and health assessment
Automated and manual backup creation and storage
Uptime and performance monitoring
Security scanning and vulnerability detection
Plugin and theme management
Activity logging and audit trail generation
Notification delivery (email, Slack, webhooks)

4. Types of Personal Data

Category	Examples
Account Data	Name, email address, IP address, avatar
Site Credentials	WordPress API keys, access tokens (encrypted)
Backup Data	WordPress database and files (may contain end-user data)
Activity Data	Login events, platform actions, audit logs
Monitoring Data	Uptime records, performance metrics, error logs

5. Categories of Data Subjects

Customers and their authorized team members
WordPress site administrators managed through BlockForge
End-users of monitored WordPress sites (where applicable through backup data)

6. Obligations of the Processor

The Processor shall:

Process personal data only on documented instructions from the Controller
Ensure that persons authorized to process personal data are bound by confidentiality obligations
Implement appropriate technical and organizational measures to ensure data security
Not engage another processor without prior written authorization of the Controller
Assist the Controller in responding to data subject requests
Assist the Controller in ensuring compliance with GDPR Articles 32-36
Delete or return all personal data upon termination of services
Make available all information necessary to demonstrate compliance with Article 28 obligations

7. Technical and Organizational Measures

The Processor implements the following measures:

Measure	Implementation
Encryption at rest	AES-256 for all stored data and backups
Encryption in transit	TLS 1.2+ for all connections
Access control	Role-based access, MFA, session management
Data location	European infrastructure (EU data residency)
Backup redundancy	Dual-location storage with integrity verification
Audit logging	Comprehensive audit trail for all platform actions
Vulnerability management	Regular security assessments and patching

8. Sub-processors

The Controller grants the Processor general authorization to engage sub-processors. The Processor will notify the Controller of any intended changes to sub-processors, providing the Controller with the opportunity to object.

A current list of sub-processors is available upon request. All sub-processors are contractually bound to equivalent data protection obligations.

9. Data Breach Notification

The Processor will notify the Controller without undue delay, and in any event within 72 hours, after becoming aware of a personal data breach. The notification will include the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed to address the breach.

10. Data Subject Rights

The Processor assists the Controller in fulfilling data subject requests under GDPR Articles 15-22 (access, rectification, erasure, restriction, portability, objection). The Processor will promptly inform the Controller of any data subject request received directly.

11. Data Deletion and Return

Upon termination of the service agreement, the Processor will delete all personal data within 30 days, unless retention is required by applicable law. The Controller may request data export before termination. Backup copies will be purged from all storage locations according to the configured data retention policy.

12. Audit Rights

The Controller has the right to conduct audits, including inspections, to verify the Processor's compliance with this DPA. The Controller may appoint an independent third-party auditor, subject to reasonable confidentiality obligations. The Processor will cooperate with such audits and provide necessary information and access.

13. International Data Transfers

BlockForge Technologies LLC is incorporated in Wyoming, USA, but all primary infrastructure is located within the European Union. Where data transfers outside the EEA are necessary, the Processor ensures appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission.

14. Liability

Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service. Nothing in this DPA limits either party's liability for breaches of data protection law.

Data Processing Agreement