This document provides a public overview of the key terms in BlazeSQL's Data Processing Agreement (DPA). This is not the binding DPA itself; it is intended to help you understand our data processing commitments before entering into a formal agreement. The full DPA, including complete legal terms, annexes, liability provisions, and indemnification clauses, is available for enterprise customers as part of the contracting process.
To request the full DPA: [email protected]
2. Scope of Processing
BlazeSQL processes data solely to provide the Service as described in the customer agreement. Processing activities include:
Category | Details |
Data subjects | Customer's employees and end users who interact with BlazeSQL |
Personal data categories | Account data (name, email), database metadata, chat messages, query results (depending on deployment model) |
Processing purposes | AI-powered SQL query generation, result display, dashboard and reporting features, team collaboration |
Duration | For the term of the service agreement, plus any retention period required by law |
3. Processor Obligations
Blaze Analytics vGmbH commits to:
Process personal data only on documented instructions from the controller
Ensure that persons authorized to process data are bound by confidentiality obligations
Implement appropriate technical and organizational security measures (see Security Overview and the TOMs annex in the full DPA)
Assist the controller in responding to data subject rights requests
Assist the controller in ensuring compliance with breach notification obligations
Delete or return all personal data upon termination of the service, at the controller's choice
Make available all information necessary to demonstrate compliance and allow for audits
4. Security Measures
BlazeSQL implements the following technical and organizational measures (a detailed TOMs annex is included in the full DPA):
Technical:
AES-256 encryption at rest
TLS encryption in transit
Zero Data Retention on all AI model calls (prompts/responses not stored by Google)
Firewalled, non-public network subnet
Admin-controlled access permissions with read/read-write granularity
SSO integration (SAML, OpenID Connect) with MFA enforced through your identity provider
Unique user accounts with activity logging
Organizational:
Restricted production access for BlazeSQL personnel (limited to service operation needs)
Confidentiality obligations for all personnel with data access
Incident response process with defined escalation procedures
All production access logged
Subprocessor management with notification of changes
For full details, see the BlazeSQL Security Overview.
5. Subprocessors
BlazeSQL uses the following subprocessors:
Subprocessor | Purpose | Data Processed | Location |
Google Cloud Platform | Infrastructure, compute, storage | All service data | EU / US (configurable for enterprise) |
Google Vertex AI | AI model inference | Chat prompts (ZDR, not retained) | EU / US |
Google Cloud Firestore | Application database | Account data, metadata, query results | Per GCP region |
Crisp | Customer support live chat | Name, email, support conversations | EU (Netherlands / Germany) |
Stripe | Payment processing | Payment details, billing email, transaction data | US |
BlazeSQL will provide at least 30 days' written notice before engaging a new subprocessor or replacing an existing one, giving the controller an opportunity to object.
6. Data Subject Rights
BlazeSQL assists controllers in fulfilling data subject requests including:
Right of access: Data export available within 14 days
Right to rectification: Profile updates available in-app; support available for other corrections
Right to erasure: Self-service deletion in-app; bulk deletion via support
Right to data portability: Machine-readable export within 14 days
Right to restriction of processing: Available upon request
Right to object: Available upon request
7. Data Breach Notification
In the event of a personal data breach, BlazeSQL will:
Notify the controller without undue delay, and in any case within 72 hours of becoming aware of the breach
Provide details including: nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed to address the breach
Cooperate with the controller in notifying supervisory authorities and data subjects as required
8. Data Deletion and Return
Upon termination of the service agreement:
BlazeSQL will delete all personal data processed on behalf of the controller, unless retention is required by applicable law
Alternatively, the controller may request return of data in a machine-readable format prior to deletion
Deletion will be confirmed upon request
During the active agreement, controllers can delete data at any time via self-service controls or support requests.
The full DPA includes provisions for data portability and return in the event of contract termination or BlazeSQL ceasing operations. Customer data remains available for export at all times during the term.
9. Audit Rights
The controller has the right to:
Request information necessary to demonstrate BlazeSQL's compliance with its data processing obligations
Conduct audits, including inspections, either directly or through an appointed third-party auditor
Audit requests require a minimum of 30 days' written notice
Audits may be conducted up to once per year under normal circumstances (additional audits may be conducted following a data breach or at the direction of a supervisory authority)
BlazeSQL will cooperate with audit requests, subject to confidentiality protections
10. International Data Transfers
For transfers of personal data outside the European Economic Area:
BlazeSQL relies on EU Standard Contractual Clauses (SCCs) as approved by the European Commission
Google Cloud Platform's data processing terms include SCCs for international transfers
Subprocessors based outside the EEA (Stripe) are covered by SCCs
Enterprise customers can request data residency in specific GCP regions
Transfer Impact Assessments are available upon request for data transfers involving non-EEA subprocessors (currently limited to Stripe for payment processing)
11. Governing Law
The full DPA is governed by the laws of Luxembourg. The competent courts of Luxembourg have jurisdiction over disputes arising from the DPA.
12. Data Protection Contact
For data protection inquiries related to this DPA:
Privacy Contact: [email protected]
Enterprise DPA requests: [email protected]
13. What's in the Full DPA
The full Data Processing Agreement, available for enterprise customers, includes:
Complete legal terms and definitions
Annex: Technical and Organizational Measures (TOMs)
Annex: Detailed subprocessor list
Annex: Description of processing activities
Liability and indemnification provisions
Dispute resolution procedures
Standard Contractual Clauses (where applicable)
To request the full DPA: [email protected]
© Blaze Analytics vGmbH (LU35935057), 23 Boulevard Friedrich Wilhelm Raiffeisen, 2411 Luxembourg
