Data Protection Agreement
Last updated: March 2025
- This Data Protection Agreement (“DPA”) is incorporated by reference in the Order Form or online sign-up process and forms part of the Agreement between Blink and the Customer for the provision of the Services by Blink to Customer. It sets out the terms on which Blink may process personal data comprised in: (a) Blink Controller Data as a controller; and (b) Customer Personal Data as a processor for or on behalf of the Customer (who is the Controller of Customer Personal Data).
1. DEFINITIONS AND RULES OF INTERPRETATION
- 1.1. Terms not otherwise defined in this DPA shall have the meaning given to them elsewhere in the Agreement and all rules of interpretation as set out elsewhere in the Agreement shall apply in this DPA.
- 1.2. The following additional definitions shall apply in this DPA:
- Blink Controller Data: means the categories of personal data described in clause 3.13 below and set out in Blink’s Privacy Policy from time to time, processed by Blink as a controller in connection with Blink’s business or the Agreement or both.
- CCPA: means the California Consumer Privacy Act of 2018.
- CPRA: means the California Privacy Rights Act of 2020.
- Customer Personal Data: means the categories of personal data set out at Schedule 1 processed by Blink as a processor in connection with the Agreement.
- Data Protection Legislation: means the UK GDPR, the EU GDPR, the FADP, the Australian Privacy Act 1988, the CCPA, the CPRA, and any other applicable laws relating to the processing of personal data and privacy as amended from time to time in each case to the extent applicable to the relevant processing by either party in connection with the Agreement.
- End-user: means Allocated Users and Authorised Users (excluding Admin Users to the extent they are using the Services via an administrator account).
- EU GDPR: means the General Data Protection Regulation ((EU) 2016/679).
- EU Personal Data: means Customer Personal Data which is processed subject to Data Protection Legislation of the EU, a Member State of the EU, or the European Economic Area.
- FADP: means the Swiss Federal Act on Data Protection.
- Personal Data Breach: means any accidental, unauthorised, or unlawful destruction, loss, alteration, or disclosure of, or access to the Customer Personal Data.
- Protected Area: means:
- a) in the case of EU Personal Data, the member states of the EU and the European Economic Area and any country, territory, sector, or international organisation in respect of which an adequacy decision under Art.45 EU GDPR is in force;
- b) in the case of UK Personal Data, the UK and any country, territory, sector, or international organisation in respect of which an adequacy decision under UK adequacy regulations is in force; or
- c) in the case of Swiss Personal Data, any country, territory, sector, or international organisation which is recognised as adequate under the laws of Switzerland.
- Swiss Personal Data: means Customer Personal Data to which the FADP is applicable.
- UK GDPR: means the EU GDPR as applicable as part of UK domestic law by virtue of section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (as amended).
- UK Personal Data: means Customer Personal Data which is processed subject to Data Protection Legislation of the UK.
- US Personal Data: means Customer Personal Data that relates to an identified or identifiable household or individual in the United States.
- controller, processor, sub-processor, process and processing, data subject, special category data, and personal data shall have the meanings set out in the Data Protection Legislation.
2. ROLES OF THE PARTIES
- 2.1. The parties acknowledge that for the purposes of Data Protection Legislation:
- a) the Customer is the controller and Blink is the processor in respect of Customer Personal Data; and
- b) the Customer and Blink each act as independent controllers (or, as applicable, Blink acts solely as a data controller) of the Blink Controller Data.
- 2.2. The provisions of clauses 3.5 to 3.10 shall apply to Blink’s processing of Customer Personal Data.
- 2.3. The provisions of clauses 3.11 to 3.13 shall apply to each party’s processing of Blink Controller Data and each party shall remain responsible for its own compliance with Data Protection Legislation.
3. OBLIGATIONS OF THE PARTIES
- General
- 3.1. The Customer shall, in respect of any personal data it provides or makes available to Blink:
- a) ensure that relevant data subjects are provided with clear and sufficient information about the collection and processing of personal data under this Agreement in accordance with Data Protection Legislation, including an explicit reference to Blink as an entity with whom Customer Personal Data is shared;
- b) ensure it has a legal basis for processing the Customer Personal Data as required by and in accordance with Data Protection Legislation, taking into account the sharing or making available of such Customer Personal Data with Blink and the subsequent processing of such Customer Personal Data by Blink; and
- c) not cause Blink, Blink's affiliates, or Blink's sub-processors to be in breach of their respective obligations under Data Protection Legislation by reason of an act or omission of the Customer.
- 3.2. Each party agrees that it will comply with the Australian Data Protection Terms set out in Schedule 3 to this Agreement whenever and to the extent that the Data Protection Legislation of Australia is applicable to it, either because a party is itself subject to such Data Protection Legislation or because it is processing Personal Data on behalf of a party to whom such Data Protection Legislation applies.
- 3.3. Each party agrees that it will comply with the US Data Protection Terms set out in Schedule 4 to this Agreement where Blink processes US Personal Data in connection with Blink's performance of the Services.
- 3.4. Each party shall collaborate in good faith to make any necessary amendments to this DPA to reflect changes in Data Protection Legislation.
- Customer Personal Data
- 3.5. The subject-matter of Blink's processing of the Customer Personal Data is the provision of the Services by Blink to Customer, and the Customer's rights and obligations are set out in the Agreement. Schedule 1 sets out the nature, duration, and purpose of the processing of the Customer Personal Data, the categories of Customer Personal Data processed, and the relevant categories of data subjects.
- 3.6. Blink shall, in relation to any Customer Personal Data processed in connection with the performance by Blink of its obligations under the Agreement and solely to the extent required by applicable Data Protection Legislation:
- a) process that Customer Personal Data only on the written instructions of the Customer unless Blink is required by applicable law to process that Personal Data for any other purpose, in which case Blink shall notify the Customer of this before performing the processing required by the applicable law, unless that applicable law prohibits Blink from so notifying the Customer. Blink shall immediately notify the Customer if, in its opinion, an instruction given under this clause 3.6(a) infringes Data Protection Legislation, it being acknowledged that Blink shall not be obliged to undertake additional work to determine if the Customer’s instructions are compliant;
- b) ensure that (relative to its business) it has in place appropriate technical and organisational measures to protect against unauthorised or unlawful processing of or modification of or access to Customer Personal Data and against accidental loss or destruction of, misuse, interference or damage to, Customer Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures;
- c) ensure that all personnel who have access to or process Customer Personal Data are obliged to keep the Customer Personal Data confidential;
- d) assist the Customer, at the Customer’s cost, in responding to any request from a data subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, data protection impact assessments and consultations with supervisory authorities or regulators;
- e) notify the Customer without undue delay and in any event within 48 hours on becoming aware of a Personal Data Breach in relation to the Customer Personal Data. Blink shall assist the Customer in meeting its own security incident notification obligations, including sharing details necessary for regulatory notifications;
- f) at the written direction of the Customer and within 30 days of such request, delete or return Customer Personal Data and copies thereof to the Customer on termination of the Agreement, unless required by applicable law to store the Customer Personal Data;
- g) maintain complete and accurate records and information during the term of the Agreement to demonstrate its compliance with this clause 3.6, and permit audits to demonstrate such compliance, providing that any such audit (i) is requested not more than once annually (unless following a data breach or if requested by a supervisory authority); (ii) on a minimum of 30 days written notice; (iii) is undertaken by the Customer's designated independent auditor; and (iv) at the Customer's cost. If the Customer's request for information or audit relates to a sub-processor or information held by a sub-processor, the Customer acknowledges that access to that sub-processor’s premises or information is subject to agreement from that sub-processor, and that Blink cannot guarantee access to that sub-processor's premises or information at any particular time, or at all. Blink shall provide all information necessary for verifying compliance with Data Protection Legislation obligations, including documentation on security measures, data flows, and sub-processor agreements; and
- h) comply with all applicable Data Protection Legislation.
- 3.7. The Customer hereby authorises Blink to transfer Customer Personal Data outside of the Protected Area in connection with the Agreement, which shall be in accordance with an appropriate transfer mechanism under Data Protection Legislation. Blink agrees to promptly implement supplementary measures if the transfer mechanism is insufficient to safeguard the personal data to the required standards.
- 3.8. The Customer hereby gives its general written authorisation to Blink appointing sub-processors in accordance with this clause 3.8 for the purpose of processing Customer Personal Data in connection with the Agreement. The sub-processors approved by the Customer as at the date of this Agreement are (i) Blink's affiliates and (ii) the third-party sub-processors listed in Schedule 2. Blink can at any time appoint a new sub-processor provided that, where notice and an objection right is so required by Data Protection Legislation, the Customer is given 30 days prior notice, and the Customer does not reasonably object within that timeframe. If the Customer does reasonably object within that timeframe (to the extent the objection right is applicable as above), Blink shall use reasonable efforts to make available to the Customer a change in the Services to avoid the processing of Customer Personal Data by the objected-to sub-processor. If Blink is unable to make available such change within a reasonable period of time, or the Customer does not approve any such changes proposed by Blink, the Customer may (to the extent the objection right is applicable as above), by providing written notice to Blink, terminate the relevant portion of the Services provided that the Customer must promptly pay all correctly due sums to the point of termination to Blink. If the Customer terminates the Agreement under this clause, Blink shall provide a pro-rata refund for any prepaid fees covering the remainder of the term after the effective date of termination.
- 3.9. To the extent required by applicable Data Protection Legislation, Blink confirms that it has entered or (as the case may be) will enter with such third-party sub-processors into written agreements which contain obligations substantially similar to the obligations relating to Customer Personal Data under this DPA.
- 3.10. Blink shall remain fully liable for all acts and omissions of any third-party sub-processor appointed by it pursuant to this DPA.
- Blink Controller Data
- 3.11. In respect of the Blink Controller Data, each party will:
- a) provide the other party with such assistance and co-operation as it reasonably requests to enable the requesting party to comply with its obligations under Data Protection Legislation;
- b) promptly notify the other party in writing if:
- i) any data subject request or notice, correspondence, or other communication from a regulator or supervisory body it receives relates in whole or part to the other party's processing, taking into account the required timeframe for responding to such request or communication, and including a copy of such relevant request or communication in such notification; and
- ii) action required to be taken by that party as a result of a data subject request might reasonably be expected to affect the other party's processing, in which case the parties shall co-operate in good faith to mitigate any adverse business impact of responding to such a request.
- 3.12. In regard to Blink’s use of Blink Controller Data, Blink’s Privacy Policy shall apply and in regard to Customer’s use of personal data comprised in Blink Controller Data, Customer’s own privacy notice from time to time shall apply, which it shall be solely responsible for providing to data subjects.
- 3.13. For the purpose of this clause, Blink Controller Data means each of the following, to the extent it is collected by Blink as a Controller in connection with Blink's Services under the Agreement: (i) each Authorised User username and Unique User ID or other access credentials required by Blink for the Authorised User to access the Services; (ii) the identification, contact information and business correspondence of the Customer's employees who are the points of contact with Service Provider or who manage the Customer's organisational account with Service Provider (the "Key Administrators") submitted to Blink for purposes of providing the Services; and (iii) Marketing information pertaining to the Key Administrators, including any consents given to Blink and/or where revoked, the fact of the unsubscription and the email address, which is maintained on a suppression list in order to not contact them in the future; (iv) technical information related to the browser or device or both used by the Authorised User to access the Services, including type of device, a unique device identifier, IP address, mobile network information, operating system, browser type and device time zone setting; and (v) information about App usage, for example which sections are engaged with, how many times the App is opened, and other key events, at aggregate level.
Schedule 1
CUSTOMER PERSONAL DATA
Categories of data subject
The Customer Personal Data concerns the following categories of data subjects:
- End-users
- Admin Users
Nature and purpose of processing operations
The Customer Personal Data will be processed as follows:
In respect of End-users and Admin Users:
- in order to make the Services available to End-users/Admin Users, including:
  - to personalise the Services to their needs;
  - to allow them to participate in interactive features of the Services, when they choose to do so;
  - to enable messaging between End-users or between Admin Users and End-users via the Blink Apps;
  - to allow them to connect to, or link through to Customer’s own services and websites or Third Party Services via the Blink Apps (for example, third party payslip providers); and
  - to ensure that the Blink Apps are presented in the most effective manner for them and for their device;
- to send End-users/Admin Users service and administrative in-app communications and email messages which are necessary for Blink to make the Services available to them, such as those reminding them that they have messages waiting, or those notifying them about changes to the Services (but excluding any promotional material);
- to provide End-users/Admin Users with support related to the Services;
- to keep the Services safe and secure; and
- where requested by Customer and in accordance with applicable law, to provide Customer with chat messages and feed posts & comments from the Blink Apps in connection with Customer's moderation activities.
In addition, in respect of Admin Users:
- to provide and support Admin Users with enhanced functionality in the Blink Apps, for example the ability to request Blink to amend the Services’ settings.
Categories of data
The Customer Personal Data concerns the following categories of personal data:
In respect of both End-users and Admin Users:
- Name
- Employee id
- Contact Details
  - Email address
  - Phone number
- Social media handles
- Profile Photo
- IP Address
- Chat Messages
- Feed Posts & Comments
- Device Details
- Device ID
  - OS & version
  - Browser version details
In addition, in respect of Admin Users:
- Content of customer support messages between the Admin Users and Blink in relation to enhanced functionality in the Blink Apps.
Special categories of data
To the extent End-users choose to input special category data as part of their responses to the diversity & inclusion survey modules hosted by the Blink Apps then this will be processed by Blink as Customer Personal Data on Customer's behalf. The categories of special category data included in such survey responses will be dependent on Customer's configuration of relevant survey but may include (for example) data concerning racial or ethnic origin, health, sex, or sexual orientation.
Duration of Processing
The Customer Personal Data shall be processed for the term of the Agreement or for such longer or shorter period as Blink provides data processing services under the Agreement. Following the termination of the Agreement, Blink will, at the Customer’s request, remove all Customer Personal Data within 30 days, unless required by applicable law to store the Customer Personal Data.
API log data (including source IP addresses) is maintained for 90 days for the purpose of threat detection and analysis.
Schedule 2
APPROVED SUB-PROCESSORS
Amazon Web Services EMEA SARL
38 avenue John F. Kennedy, L-1855 Luxembourg
Service: Core cloud network, compute & storage.
Scope: hosting and infrastructure of Blink services.
Google LLC
1600 Amphitheatre Parkway, Mountain View, CA 94043 USA
Service: Mobile error reporting.
Scope: For error reporting, Google stores some device information and Blink user ids, but no other personal data.
Service: Offsite Backups
Scope: Back-ups of data input into Blink services.
Service: Android Push Notifications (Encrypted)
Scope: Where consent is provided, it notifies the user of activity in the Blink App.
Apple Inc.
One Apple Park Way, Cupertino, California 95014, USA
Service: Translation Services.
Scope: Automatic in-app translation of content on the Blink Apps to a set of available languages. This is on a per End-user basis.
Microsoft Ireland Operations Limited
1 Microsoft Plc, Leopardstown South County Business Park Dublin 18, D18 P521 Ireland
Service: Core cloud network, compute & storage.
Scope: hosting and infrastructure of Blink services.
Functional Software Inc., T/A Sentry
132 Hawthorne Street, San Francisco, California, 94107, USA
Service: Web / Desktop error reporting
Scope: Sentry stores some device information related to the error and the Blink user id, but no other personal data
Twilio
375 Beale Street, Suite 300 San Francisco, CA 94105, USA
Service: SMS Delivery
Scope: SMS invitations for End-users to join Blink where customer chooses to send out invitations via phone numbers.
The Rocket Science Group, LLC T/A Mailchimp
675 Ponce de Leon Ave NE Suite 5000. Atlanta, GA 30308 USA
Service: Transactional emails
Scope: End-user email invitations and reminders, email verification, one time password notifications, password reset and missed content emails.
Mixpanel
One Front Street, 28th Floor, San Francisco, CA 94111 USA
Service: app usage analytics
Scope: Mixpanel contains Blink user IDs, device details and linked app actions to assist with troubleshooting and support.
HubSpot
25 First Street, 2nd Floor Cambridge, MA 02141 USA
Service: Customer relationship management
Scope: launch and implementation rollout plans; newsletters with product and feature updates to Admins; outage updates.
Intercom
55 2nd St. 4th Floor, San Francisco, CA 94105 U.S.A.
Service: Support ticketing system
Scope: email and chat support for admins and specific End-users (when an End-user submits a support request).
Schedule 3
AUSTRALIAN DATA PROTECTION TERMS
- 1.1 When this Schedule 3 applies the following terms are taken to have the following meanings:
- (a) data subject includes "individual" as defined in s6 of the Privacy Act;
- (b) Personal Data Breach includes "eligible data breach" as defined in s6 of the Privacy Act;
- (c) Personal Data includes "personal information" as defined in s6 of the Privacy Act;
- (d) process includes “collect”, "disclose", "hold" and "use" (as the context requires), as defined in section 6 of the Australian Privacy Act;
- (e) Protected area for the purpose of processing Personal Data in accordance with this schedule, includes Australia and its external territories and any country where Blink reasonably believes that the law or binding scheme that has the effect of protecting the Personal Data in that country is substantially similar to the way the Australian Privacy Act protects Personal Data and mechanisms can be accessed by Blink to enforce the protection of that law or binding scheme; and
- (f) Privacy Act means the Privacy Act 1988 (Cth).
- 1.2 Each party must comply with the Privacy Act when undertaking its obligations under or in connection with this agreement.
- 1.3 The Customer warrants that it has obtained from all data subjects the necessary consents and rights required to disclose the Personal Data to Blink for Blink to use that Personal Data in accordance with the Agreement, and has provided data subjects with any requisite notifications, as required under applicable Data Protection Laws and Regulations.
- 1.4 Nothing in this agreement:
- (a) excludes, restricts, or modifies any obligations that a party has under the Privacy Act; or
- (b) limits or affects a person’s right to request access to or the correction of their Personal Data.
Schedule 4
US DATA PROTECTION TERMS
To the extent Blink processes US Personal Data as a data processor or "service provider" under applicable Data Protection Legislation, Blink agrees to process such US Personal Data subject to clause 3 (Obligations of the Parties) of this DPA and the following provisions:
- 1. Blink acknowledges that Customer is disclosing to Blink, or authorising Blink to collect on the Customer's behalf or otherwise making available, US Personal Data only for the limited and specified purposes set out in Schedule 1 of this DPA, or as otherwise specified under the Agreement and any applicable Statement of Work (collectively, the Instructions).
- 2. Blink shall: (1.) process US Personal Data only as set forth in the Instructions; and (2.) process US Personal Data at all times in compliance with the Data Protection Legislation, including by providing no less than the level of privacy protection as required by Data Protection Legislation.
- 3. Blink shall not: (1) retain, use, disclose, or otherwise process US Personal Data except as necessary for the business purposes specified in the Instructions; (2) "Sell" or "Share" US Personal Data as those terms are defined under Data Protection Legislation; (3) retain, use, disclose, or otherwise process US Personal Data in any manner outside of the direct business relationship between Customer and Blink; or (4) combine any US Personal Data with any personal data that Blink receives from or on behalf of another third party or collects from Blink's own interactions with data subjects, provided that Blink may so combine US Personal Data with other personal data for a purpose permitted under Data Protection Legislation if directed to do so by Customer or as otherwise expressly permitted by Data Protection Legislation.
- 4. Customer may, upon providing reasonable notice to Blink, take all reasonable and appropriate steps to prevent, stop, or remediate any unauthorised processing of US Personal Data.
- 5. Blink agrees to promptly notify Customer if it can no longer comply with Data Protection Legislation applicable to US Personal Data, no later than 3 business days after it makes a determination that it can no longer meet its obligations.
- 6. For purposes of this Schedule, Deidentified Data means data originally created from US Personal Data that has been deidentified or anonymised such that it cannot reasonably be used to infer information about, or otherwise linked to, a data subject and where such data is processed only in accordance with this clause 6. To the extent Customer discloses or otherwise makes available Deidentified Data to Blink, or to the extent Blink creates Deidentified Data from US Personal Data, Blink shall: (1) adopt reasonable measures to prevent such Deidentified Data from being used to infer information about, or otherwise being linked to, a particular natural person or household; (2) publicly commit to maintain and use such Deidentified Data in a deidentified form and to not attempt to re-identify the Deidentified Data, except that Blink may attempt to re-identify the data solely for the purpose of determining whether Blink's deidentification processes are compliant with Data Protection Legislation; and (3) before sharing Deidentified Data with any other party, including sub-processors, contractors, or any other persons (Recipients), contractually obligate any such Recipients to comply with all requirements of this clause 6 (including imposing this requirement on any further Recipients),