Overview
This Appendix I forms part of the Data Processing Addendum ("DPA") between the Client and Blue Arctic, LLC. It provides the information required by Annex I of the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) as incorporated into the DPA.
This appendix should be read in conjunction with the DPA and SCC Appendix II (Technical and Organizational Measures).
A. List of Parties
Data Exporter
Name: The Client, as identified in the applicable Service Order or Agreement.
Address: As provided in the Client's account registration.
Contact person: The Client's designated account contact or authorized representative.
Activities relevant to the transfer: The Data Exporter uses Blue Arctic's hosting and infrastructure services to host, store, and process data, which may include Personal Data of the Data Exporter's customers, employees, contractors, and end users.
Role: Controller
Data Importer
Name: Blue Arctic, LLC
Address: PO Box 2195, Bushnell, FL 33513, USA
Contact person: Legal Department — legal@bluearctic.com
Activities relevant to the transfer: The Data Importer provides managed hosting, infrastructure, and related professional services, including the storage, transmission, backup, and maintenance of Client Data on its infrastructure located in the United States.
Role: Processor
B. Description of Transfer
Categories of Data Subjects
The Personal Data transferred may concern the following categories of Data Subjects:
- The Data Exporter's customers and end users
- The Data Exporter's employees, contractors, and agents
- Visitors to websites hosted on the Data Importer's infrastructure
- Any other individuals whose Personal Data is stored or processed by the Data Exporter through the Services
Categories of Personal Data
The Personal Data transferred may include the following categories, depending on the Data Exporter's use of the Services:
- Contact information (names, email addresses, phone numbers, mailing addresses)
- Account and authentication data (usernames, hashed passwords, security questions)
- Transaction and billing data (order histories, invoices, payment references)
- Technical data (IP addresses, browser metadata, device identifiers, access logs)
- Content data (files, databases, emails, and other content stored by the Data Exporter on the Services)
- Any other categories of Personal Data that the Data Exporter chooses to store or process through the Services
Sensitive Data
The transfer does not, by default, involve special categories of data (as defined in Article 9 of the GDPR) or data relating to criminal convictions and offenses (as defined in Article 10 of the GDPR). If the Data Exporter stores or processes sensitive data through the Services, the Data Exporter is responsible for ensuring that appropriate legal bases and additional safeguards are in place, and must provide Blue Arctic with prior written notice as described in Section 4 of the DPA.
Frequency of Transfer
Continuous, for the duration of the Agreement between the parties.
Nature and Purpose of Processing
The Data Importer processes Personal Data for the purpose of providing the Services to the Data Exporter, including:
- Hosting and storage of Client Data on the Data Importer's infrastructure
- Transmission and delivery of Client Data over the internet
- Backup and disaster recovery of Client Data
- Infrastructure maintenance, monitoring, and security operations
- Technical support and service management
Retention Period
Personal Data is retained for the duration of the Agreement. Following termination or expiration of the Agreement, the Data Importer retains Personal Data for a Data Retrieval Period of 30 calendar days, after which the data is deleted in accordance with Section 12 of the DPA.