08 — Data Protocols

Data Processing Agreement

Effective Date: November 11, 2025
Version: Protocol v2.0 (Stable)

GDPR-COMPLIANT DATA PROCESSING TERMS

This Data Processing Agreement ("DPA") forms part of the Terms of Service between you ("Customer," "Controller," or "you") and Blankline ("Processor," "we," "us," or "our") for the use of Dropstone services. This DPA applies when Blankline processes Personal Data on behalf of Customer in connection with the Services, and such processing is subject to the European Union General Data Protection Regulation ("GDPR") or other applicable data protection laws.

Section 01

Definitions

For the purposes of this DPA, the following terms have the meanings set out below:

  • "Personal Data" means any information relating to an identified or identifiable natural person that is processed by Blankline on behalf of Customer in connection with the Services.
  • "Data Subject" means the individual to whom Personal Data relates.
  • "Processing" means any operation or set of operations performed on Personal Data, including collection, recording, organization, storage, adaptation, retrieval, consultation, use, disclosure, or deletion.
  • "Controller" means the entity that determines the purposes and means of Processing Personal Data. In this DPA, Customer is the Controller.
  • "Processor" means the entity that Processes Personal Data on behalf of the Controller. In this DPA, Blankline is the Processor.
  • "Sub-processor" means any third party engaged by Blankline to Process Personal Data on behalf of Customer.
  • "Data Protection Laws" means all applicable laws and regulations relating to privacy and data protection, including the GDPR, California Consumer Privacy Act (CCPA), and other relevant legislation.
  • "Services" means the Dropstone AI Development Platform, including the website, desktop application, and all related services.

Section 02

Scope and Applicability

2.1 Applicability

This DPA applies only where and to the extent that:

  • Blankline Processes Personal Data on behalf of Customer;
  • Such Processing is subject to Data Protection Laws;
  • Customer acts as a Controller and Blankline acts as a Processor; and
  • The Personal Data relates to individuals in the European Economic Area (EEA), United Kingdom, or other jurisdictions with applicable data protection laws.

2.2 Order of Precedence

In the event of any conflict or inconsistency between this DPA and the Terms of Service, this DPA shall prevail to the extent of such conflict or inconsistency, but only with respect to data protection matters.

Section 03

Details of Processing

3.1 Subject Matter and Duration

The subject matter of Processing is the provision of the Dropstone Services to Customer. The duration of Processing is the term of the agreement between Customer and Blankline, including any renewal periods, plus the period required for deletion or return of Personal Data.

3.2 Nature and Purpose

  • Providing the Dropstone AI development platform and related services
  • Processing AI-assisted code generation and analysis requests
  • Maintaining user accounts and authentication
  • Providing customer support and technical assistance
  • Improving and optimizing the Services through analytics
  • Ensuring security and preventing fraud
  • Complying with legal obligations

3.4 Categories of Personal Data

  • Contact information (name, email address, phone number)
  • Account credentials (username, encrypted password)
  • Profile information and preferences
  • Usage data and activity logs
  • Device and technical information
  • IP addresses and location data
  • Payment and billing information
  • Code, prompts, and project data submitted to the Services
  • Communication and support correspondence

Section 04

Customer Obligations

4.1 Compliance with Laws

Customer represents and warrants that it will comply with all applicable Data Protection Laws in its use of the Services and Processing of Personal Data. Customer shall ensure that it has all necessary rights and consents to provide Personal Data to Blankline for Processing.

4.2 Processing Instructions

Customer instructs Blankline to Process Personal Data in accordance with this DPA, the Terms of Service, and Customer's use of the Services.

Customer specifically instructs Processor to process Personal Data for the purpose of AI-assisted code generation and analysis ("Inference"). Processor shall not use Customer’s Personal Data to train or improve its foundation models or those of its Sub-processors unless otherwise agreed in writing.

4.3 Safety Instructions

Customer agrees not to use the Services to submit prompts intended to circumvent safety filters or elicit restricted behaviors from the AI models.

Section 05

Processor Obligations

5.1 Lawful Processing

  • Process Personal Data only in accordance with Customer's documented instructions;
  • Ensure authorized persons are subject to confidentiality obligations;
  • Implement appropriate technical and organizational measures to protect Personal Data;
  • Assist Customer in ensuring compliance with Data Protection Laws.

5.2 Security Measures

  • Encryption of Personal Data in transit and at rest (TLS 1.2+, AES-256)
  • Access controls and multi-factor authentication
  • Regular security assessments and vulnerability scanning
  • Incident response and business continuity plans
  • Logic Isolation: Implementation of logical separation of Customer data within multi-tenant database architectures.
  • Data Minimization: Use of automated filters to scrub sensitive PII from AI prompts before transmission to Sub-processors where technically feasible.
  • Audit Logging: Maintenance of immutable logs for all data access events by Processor's internal staff.

5.3 Technical Documentation

Detailed descriptions of our security architecture, including local-first indexing and encryption protocols, are maintained in our Security Whitepaper at: www.blankline.org/security.

Section 06

Sub-processors

6.1 Authorization & Categories

Customer authorizes Blankline to engage Sub-processors. Blankline ensures Sub-processors are bound by similar data protection obligations.

Current Categories

  • Cloud Infrastructure (AWS, Google Cloud)
  • AI Model Providers (OpenAI, Anthropic)
  • Payment Processors (Stripe)
  • Authentication Services (OAuth providers)
  • Analytics (Google Analytics, Vercel)

6.2 Change Notification

Blankline shall provide 30 days' prior notice of any new Sub-processor via email or a public status page. Customer may object to such change on reasonable data protection grounds.

6.3 Liability

Blankline remains fully liable for Sub-processors' performance.

Section 07

Data Breach Notification

In the event of a Personal Data Breach, Blankline shall:

  • Notify Customer without undue delay (within 72 hours);
  • Provide information to help Customer meet reporting obligations;
  • Take reasonable steps to mitigate effects;
  • Cooperate with Customer on remediation.

Section 08

International Data Transfers

Where Personal Data is transferred to countries without adequate protection, Blankline ensures safeguards including:

  • Standard Contractual Clauses (SCCs);
  • Adequacy decisions;
  • Supplementary technical measures (encryption).

Section 09

Data Retention & Deletion

Blankline retains Personal Data only as long as necessary. Upon termination, Blankline shall, at Customer's choice:

  • Return Personal Data in a machine-readable format; or
  • Securely delete Personal Data (unless retention is required by law).

Section 10

Audit Rights

Blankline shall make available information to demonstrate compliance. Customer may conduct audits (once per year) with reasonable notice, subject to confidentiality and non-interference. Blankline can provide audit reports (SOC 2, ISO 27001) upon request.

Section 11

Liability & Indemnification

Liability under this DPA is subject to the limitation of liability in the Terms of Service. Customer indemnifies Blankline for claims arising from Customer's breach of this DPA or Data Protection Laws.

Section 12

Term & Termination

This DPA commences on the effective date and continues for the duration of the Terms of Service. Survival provisions apply to data deletion, confidentiality, and liability.

Section 13

General Provisions

13.1 Governing Law

This DPA shall be governed by the laws of India, except to the extent that Data Protection Laws of another jurisdiction apply to the Processing activities.

13.2 Research Integrity Oversight

For Enterprise and "God Mode" accounts, the Processing of data is further governed by the safety and alignment protocols of the Blankline Research Integrity Council, incorporated herein by reference: www.blankline.org/governance/research-integrity-council.

13.3 Amendments

Blankline may amend this DPA from time to time to reflect changes in Data Protection Laws, regulatory guidance, or business practices. Material changes will be communicated to Customer with at least 30 days' prior notice.

13.4 Severability

If any provision of this DPA is held to be invalid or unenforceable, the remaining provisions shall continue in full force and effect.

13.5 Third-Party Beneficiaries

This DPA does not confer any third-party beneficiary rights, except that Data Subjects in the EEA, UK, or Switzerland may enforce certain provisions as third-party beneficiaries to the extent required by Data Protection Laws.

Section 14

Contact Information

Data Protection Officer

Email: [email protected]

Privacy Inquiries: [email protected]

BY USING THE DROPSTONE SERVICES, YOU ACKNOWLEDGE THAT YOU HAVE READ, UNDERSTOOD, AND AGREE TO BE BOUND BY THIS DATA PROCESSING AGREEMENT.