2026-04-15

Data Processing Agreement

Data Processing Agreement (DPA) -- BloomLightly SaaS

Version: 1.0
Effective date: 01.03.2026
Controller: Customer using the BloomLightly Service
Processor: Clownfish Web Artur Cichosz, Poland

This Data Processing Agreement ("DPA") forms part of the Terms of Service for the BloomLightly SaaS platform and applies where the Provider processes personal data on behalf of a Customer acting as data controller under the General Data Protection Regulation (EU) 2016/679 (GDPR).

1. Subject Matter and Duration
The Processor processes personal data solely to provide the BloomLightly SaaS platform and related services for the Customer. Processing continues for the duration of the service agreement and any applicable data retention period.

2. Nature and Purpose of Processing
Processing may include collection, storage, organization, retrieval, transmission, and deletion of personal data necessary for:

user account management
farm management workflows
collaboration and staff access management
operational telemetry and analytics
customer support and security monitoring

Processing is limited to the purposes required to deliver and secure the Service.

3. Categories of Data Subjects
Data subjects may include:

Customer employees and contractors
authorized platform users
visitors or individuals appearing in camera snapshots (if enabled)
support request submitters

4. Categories of Personal Data
Depending on the service configuration, personal data may include:

identification data (name, email, account identifiers)
authentication and security metadata (IP address, session metadata)
operational records entered by users
collaboration and role‑management records
billing identifiers and subscription metadata
camera snapshot images and webhook metadata (if feature enabled)

5. Processor Obligations
The Processor shall:

process personal data only on documented instructions from the Controller
ensure personnel authorized to process data are bound by confidentiality obligations
implement appropriate technical and organizational measures under Article 32 GDPR
assist the Controller in responding to data subject requests
notify the Controller without undue delay after becoming aware of a personal data breach
delete or return personal data after termination of services unless legal obligations require retention

6. Security Measures
The Processor implements measures including:

encryption in transit (TLS)
role‑based access control
authentication and credential security
system logging and audit trails
backup and recovery procedures
monitoring and incident response controls

7. Subprocessors
The Controller authorizes the Processor to engage subprocessors for hosting, infrastructure, monitoring, email delivery, and payment processing. The Processor shall ensure subprocessors are bound by data protection obligations equivalent to those in this DPA. A current list of subprocessors is available at: [INSERT SUBPROCESSOR URL]

8. International Transfers
If personal data is transferred outside the European Economic Area or United Kingdom, the Processor shall ensure appropriate safeguards such as Standard Contractual Clauses or adequacy decisions in accordance with Chapter V GDPR.

9. Assistance and Cooperation
The Processor shall assist the Controller with:

security obligations
data protection impact assessments where relevant
breach notifications
responses to supervisory authorities

10. Return and Deletion of Data
Upon termination of the Service, the Processor shall delete or return personal data in accordance with Controller instructions, except where retention is required by law.

11. Audit Rights
The Processor shall make available information necessary to demonstrate compliance with Article 28 GDPR and allow audits under reasonable notice and confidentiality safeguards.

12. Annexes
The following annexes form part of this DPA:

Annex I – Description of Processing Activities
Annex II – Technical and Organizational Measures
Annex III – Subprocessors
Annex IV – Camera Snapshot Processing Instructions (Article 28 Annex)