Data Processing Addendum (DPA)

This DPA is incorporated into the Agreement between Blazing Cacti LLC (“Processor”) and the Customer (“Controller”) and applies only to Mix It Up Online (hosted service). Mix It Up Desktop stores data locally on the user’s device and is out of scope for this DPA.

1. Roles; Scope; Instructions

1.1 Roles. Customer is Controller (or “Business” under U.S. privacy laws). Blazing Cacti is Processor (or “Service Provider/Contractor”).
1.2 Scope. Processor will process Personal Data solely to provide the Online service under the Agreement and this DPA.
1.3 Instructions. Processor will act only on Controller’s documented instructions, including with respect to retention, deletion, and disclosures to third parties.

2. Processor Obligations

2.1 Confidentiality. Processor ensures personnel with access to Personal Data are bound by confidentiality.
2.2 Security. Processor implements appropriate technical and organizational measures described in Annex II.
2.3 Sub-processors. Processor may engage sub-processors listed in Annex III under written contracts imposing data-protection obligations no less protective than this DPA. Processor will notify Controller of material changes and, if Controller objects on reasonable grounds, the parties will work in good faith to resolve; if not resolved, Controller may terminate affected services.
2.4 Assistance. Taking into account the nature of processing, Processor will reasonably assist Controller with (a) security, (b) data subject requests (by routing to Controller), and (c) DPIAs/consultations where required by Controller’s law.
2.5 Prohibitions (CPRA service provider/contractor). Processor will not: (a) sell or share Personal Data; (b) retain, use, or disclose Personal Data for purposes other than providing the services to Controller; (c) combine Personal Data with data obtained from other sources except as permitted for service operation, security, or as instructed by Controller.

3. Retention; Deletion; Return

3.1 Online default. Processor retains Personal Data for the life of the Controller’s account unless Controller instructs otherwise.
3.2 Deletion/Return. Upon account deletion or Controller’s written request, Processor will delete or return Personal Data and delete remaining copies within standard backup cycles, except for limited security logs and disaster-recovery backups retained for integrity and legal defense and not used for any other purpose.

4. International Transfers

If Controller requires EU/UK transfer terms, the parties incorporate by reference the EU Standard Contractual Clauses (Module 2) and, where applicable, the UK Addendum, as completed in Annex I. Supplemental measures are described in Annex II. No other non-U.S. law compliance is undertaken by Processor.

5. Audits; Reports

On reasonable written request no more than annually, Processor will provide available third-party security reports or complete a security questionnaire relating to Annex II. If additional audit rights are mandated by applicable law or the SCCs, the parties will agree on scope, timing, and controls to minimize disruption and protect confidentiality.

6. Security Incidents

Processor will notify Controller without undue delay after confirming a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data on Processor’s systems. Notification will include available information on the nature of the incident, likely consequences, and measures taken or proposed.

7. Government & Third-Party Requests

Processor will not disclose Personal Data to any government or third party except (a) as instructed by Controller; or (b) where required by valid U.S. legal process, in which case Processor will (where legally permitted) notify Controller to permit Controller to seek protection.

8. Order of Precedence; Liability; Governing Law

8.1 Precedence. If there is a conflict between this DPA and the Agreement, this DPA controls regarding Personal Data. If the SCCs apply, the SCCs control over this DPA to the extent of conflict.
8.2 Liability. Liability is governed by the Agreement’s limitations, except to the extent prohibited by applicable law or the SCCs.
8.3 Governing Law. This DPA is governed by the laws of Nevada, USA, without regard to conflict-of-laws rules; venue as set in the Agreement.


Annex I — Description of Processing

  • Data Subjects: end-user audience members and visitors interacting with Controller’s channels; Controller’s users/admins.
  • Categories of Personal Data: usernames/IDs, chat/event payloads, timestamps, channel IDs, configuration metadata, and other data routed by Controller; no special categories intentionally processed.
  • Purpose: deliver Online features (alerts, logs, dashboards), security/abuse prevention, support.
  • Duration: for the life of the Controller’s account or as otherwise instructed; backups/security logs per Annex II.
  • Controller Transfer Mechanism (if required): SCCs (Module 2) + UK Addendum incorporated by reference.

Annex II — Technical & Organizational Measures (TOMs)

  • Access control: least-privilege IAM; MFA; role-based access; logging of privileged actions.
  • Data in transit/at rest: TLS 1.2+ in transit; encryption at rest for storage and backups; key management via reputable KMS.
  • Segregation: per-tenant logical separation; environment isolation.
  • Development & change: code review, CI/CD with artifact signing; secrets management.
  • Monitoring & logging: centralized logs (no audience message content mining), alerting, retention schedules published in Security Policy.
  • Incident response: runbook with triage, containment, eradication, recovery, post-mortems; customer comms “without undue delay.”
  • Vendor management: security review of sub-processors; contractual flow-downs; periodic reassessment.

Annex III — Sub-processors

  • [List each vendor, purpose, data types, region].
  • Updates: Processor will post updates at [URL] or notify via email; Controller may object on reasonable grounds within 10 business days.

Contact (privacy): privacy@mixitupapp.com
