LEGAL :: DATA PROCESSING ADDENDUM

Data Processing Addendum.

This Data Processing Addendum ("DPA") supplements the agreement between BlueTier Operations LLC ("BlueTier", "we", "us") and the customer identified on the signature page ("Customer", "you") governing your use of the Black_Wall service (the "Service").

VERSION :: 1.0 · LAST UPDATED :: 2026-05-29 · QUESTIONS → security@blackwalltier.com

01Definitions

Capitalized terms used but not defined in this DPA have the meanings given in the underlying agreement. The following terms have the meanings set forth below:

"Applicable Data Protection Law" means all data protection and privacy laws applicable to the processing of Personal Data under this DPA, including (as applicable) the EU General Data Protection Regulation 2016/679 ("GDPR"), the UK GDPR, the California Consumer Privacy Act as amended ("CCPA/CPRA"), and equivalent laws of other jurisdictions.
"Customer Data" means the data submitted to the Service by or on behalf of Customer for processing, including action payloads, context, and metadata.
"Personal Data" means any Customer Data that constitutes personal data, personal information, or personally identifiable information under Applicable Data Protection Law.
"Processing" (and "Process") has the meaning given in Applicable Data Protection Law.
"Sub-processor" means any third party engaged by BlueTier to Process Personal Data on BlueTier's behalf.
"Standard Contractual Clauses" or "SCCs" means the standard contractual clauses adopted by the European Commission in Decision (EU) 2021/914, as may be amended or replaced.

02Roles & scope

The parties acknowledge that, with respect to Personal Data contained in Customer Data:

Customer is the Controller (and, where applicable, the Business under CCPA/CPRA).
BlueTier is the Processor (and, where applicable, the Service Provider) and Processes Personal Data solely on Customer's documented instructions, as set forth in this DPA and the underlying agreement.

BlueTier will not (a) sell or share Personal Data within the meaning of CCPA/CPRA, (b) Process Personal Data for any purpose other than performing the Service, or (c) combine Personal Data received from Customer with Personal Data received from any other source, except as required by law.

03Subject matter & nature of processing

Subject matter: the provision of pre-action risk evaluation (forecast and observe) as a service.

Duration: for the term of the underlying agreement plus any post-termination retention period set out in Section 09.

Nature and purpose: evaluating proposed actions submitted by Customer's agents, returning a structured risk verdict and a cryptographically signed receipt, and recording metadata about the evaluation for Customer's audit trail.

Categories of data subjects: end users of Customer's systems whose information may appear in Customer-submitted action payloads (e.g., email recipients, payment counterparties, database records).

Categories of Personal Data Processed:

Action payloads submitted by Customer (which Customer determines and controls; may contain end-user identifiers depending on Customer's use).
Customer account information (email address, billing contact).
Service usage metadata (timestamps, latency, IP address for the anonymous demo only).

The Service is not designed to receive special categories of data (Article 9 GDPR) or payment card data. Customer agrees not to knowingly submit such categories to the Service.

04Security measures

BlueTier implements and maintains appropriate technical and organizational measures to protect Personal Data against unauthorized or unlawful Processing and against accidental loss, destruction, or damage. Current measures are documented at blackwalltier.com/security and include:

Encryption in transit: TLS 1.2+ on all endpoints; HTTPS-only.
Encryption at rest: managed database storage with platform-provided encryption at rest.
No raw payload persistence: request and response bodies are processed in volatile memory and released after hashing; the SHA-256 canonical hash is recorded in the Ed25519-signed Decision Receipt.
Authentication: API keys stored only as SHA-256 hashes; soft-revoke supported.
Row-level isolation: tenant data isolated via row-level security in the database.
Logging hygiene: structured logs capture timing and verdict metadata; payload content is not logged.

BlueTier will review and update these measures as the Service evolves and as new threats are identified. Material changes will be reflected at the URL above.

05Sub-processors

The current list of Sub-processors is published at blackwalltier.com/security and is incorporated into this DPA by reference. Customer authorizes BlueTier to use the Sub-processors listed there.

Changes: BlueTier will provide at least 30 days' notice of any addition or replacement of a Sub-processor, via the security page above or via direct notice to enterprise customers. Customer may object to a proposed Sub-processor on reasonable data protection grounds by emailing security@blackwalltier.com during the notice period; if the parties cannot reach a resolution, Customer may terminate the underlying agreement for the affected portion of the Service.

BlueTier remains responsible for the acts and omissions of its Sub-processors to the same extent as if those acts or omissions were its own.

06International transfers

Where Personal Data subject to GDPR or UK GDPR is transferred to a country outside the EEA or the UK that has not been recognized as providing an adequate level of protection, the parties agree that:

The EU Standard Contractual Clauses (Module Two — Controller-to-Processor) are incorporated into this DPA by reference and apply to such transfers. BlueTier is the "data importer" and Customer is the "data exporter."
The UK International Data Transfer Addendum issued by the UK ICO applies, with BlueTier as importer and Customer as exporter, for transfers subject to UK GDPR.
For transfers from Switzerland, the SCCs apply with the modifications required by the Swiss Federal Data Protection Act.

BlueTier will provide appropriate transfer-impact assessments and supplementary measures on request.

07Data subject rights & cooperation

BlueTier will, taking into account the nature of the Processing, assist Customer by appropriate technical and organizational measures in fulfilling Customer's obligations to respond to requests from data subjects exercising their rights under Applicable Data Protection Law (access, rectification, erasure, restriction, portability, objection).

Where BlueTier receives a request directly from a data subject, BlueTier will (a) not respond substantively, (b) advise the data subject to contact Customer, and (c) promptly forward the request to Customer.

BlueTier will reasonably assist Customer with data protection impact assessments and prior consultations with supervisory authorities to the extent required under Applicable Data Protection Law.

08Personal data breach notification

BlueTier will notify Customer without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data Breach affecting Customer's Personal Data. The notification will, to the extent then known, describe the nature of the breach, the categories and approximate number of data subjects and records concerned, the likely consequences, and the measures taken or proposed to address it.

Notification is sent to the security contact on file for Customer; Customer is responsible for keeping that contact current.

09Return & deletion of data

On termination or expiry of the underlying agreement, and at Customer's choice, BlueTier will return or delete all Personal Data Processed on Customer's behalf, except where storage is required by applicable law or for the limited purpose of resolving outstanding claims.

Default behavior: account deletion (initiated by Customer or upon contract termination) triggers deletion of Customer's account profile, API keys, forecast metadata, and receipt envelopes within 30 days. Upstream Sub-processor retention windows (e.g., Anthropic's up-to-30-day abuse-monitoring window) run concurrently.

Backups containing Personal Data are overwritten in the ordinary course within 90 days; BlueTier will not restore from backup for the purpose of re-creating deleted Personal Data.

10Audits

BlueTier will make available to Customer information necessary to demonstrate compliance with this DPA, including:

The security documentation published at blackwalltier.com/security.
Responses to a reasonable security questionnaire, no more than once per twelve (12) months.
Once available, the most recent SOC 2 Type 2 report, under NDA.

Customer may, no more than once per twelve (12) months and on at least 30 days' prior written notice, conduct or commission a third-party audit of BlueTier's compliance with this DPA, subject to mutually agreed scope, confidentiality, and reasonable cost-recovery terms. Audits will not unreasonably interfere with BlueTier's operations.

11Liability & survival

Each party's liability under or in connection with this DPA is subject to the limitations and exclusions of liability set out in the underlying agreement.

This DPA survives termination of the underlying agreement for as long as BlueTier Processes Personal Data on Customer's behalf or retains the obligations set out in Section 09.

12Order of precedence & governing law

In the event of any conflict or inconsistency between this DPA and the underlying agreement with respect to Processing of Personal Data, this DPA prevails. The Standard Contractual Clauses prevail over any conflicting terms of this DPA.

This DPA is governed by and construed in accordance with the laws of the State of Nevada, United States, without regard to its conflict-of-laws principles, except that the SCCs are governed by the law of the EU Member State chosen in Clause 17 of the SCCs.

13Signature

By signing below, the parties acknowledge that they have read and agree to this DPA.

BLUETIER OPERATIONS LLC

Signature:

Name:

Title:

Date:

Email: security@blackwalltier.com

CUSTOMER

Signature:

Name:

Title:

Date:

Email: