Data Processing Agreement

Effective: 2nd June 2026
Version: 1.0
Company: Blue Silk Limited · No. 17051544

This Data Processing Agreement (“DPA”) forms part of the Terms of Service between Blue Silk Limited and the User (Creator or Agency). It governs the processing of personal data by Blue Silk Limited as data processor on behalf of the User as data controller, where applicable under UK GDPR and the Data Protection Act 2018.
Blue Silk Limited 167-169 Great Portland Street, London, United Kingdom, W1W 5PF
Privacy enquiries: privacy@bluesilk.ai

1. Definitions

In this DPA, terms defined in the Terms of Service have the same meaning. Additionally:

  • “Controller” means the party that determines the purposes and means of processing personal data. Creators and Agencies are Controllers in respect of their Fans’ data.
  • “Processor” means the party that processes personal data on behalf of the Controller. Blue Silk Limited acts as Processor in respect of Fan data processed to deliver the AI Chatter service.
  • “Data Subject” means an identified or identifiable natural person whose personal data is processed.
  • “Personal Data Breach” has the meaning given in Article 4(12) UK GDPR.
  • “Processing” has the meaning given in Article 4(2) UK GDPR.
  • “Standard Contractual Clauses” or “SCCs” means the standard clauses approved by the ICO for international data transfers.

2. Roles of the Parties

2.1 Dual-role structure

The parties acknowledge that the data processing relationship operates on two levels:

  • Blue Silk Limited as independent Controller: in respect of User account data, payment data, usage data, and the semantic analysis output generated by BSilk’s proprietary AI. Blue Silk Limited determines the purposes and means of this processing independently.
  • Blue Silk Limited as Processor on behalf of the Creator/Agency: in respect of Fan personal data that is temporarily processed during the content screening process and in the course of operating the AI Chatter on the Creator’s account.

This DPA governs Blue Silk Limited’s role as Processor. The Privacy Policy governs Blue Silk Limited’s role as independent Controller.

2.2 Creator/Agency as Controller

By using the BSilk platform to process Fan personal data, the Creator or Agency acts as a data Controller and acknowledges that they:

  • have a lawful basis for processing their Fans’ personal data;
  • have provided Fans with appropriate privacy notices;
  • are responsible for compliance with applicable data protection law in the jurisdictions of their Fans;
  • have the authority to instruct Blue Silk Limited to process Fan data on their behalf as set out in this DPA.

3. Subject Matter and Details of Processing

Item | Detail
Subject matter | Fan personal data processed by Blue Silk Limited on behalf of the Creator/Agency for the purpose of providing the AI Chatter service, including the content screening and semantic analysis process.
Nature of processing | Collection (temporary download from Supported Platform API), analysis (AI-powered semantic processing), immediate deletion of raw data, retention of structured analysis output, and use of analysis output to configure AI Chatter behaviour.
Purpose of processing | Configuring and operating the BSilk AI Chatter to communicate with Fans on the Creator’s behalf in a manner consistent with the Creator’s content style, pricing, and engagement patterns.
Types of personal data | Fan pseudonymous identifiers; Fan message content (temporarily, during screening only — deleted within seconds); Fan engagement behaviour (likes, tips, purchase history); content metadata associated with Fan interactions.
Categories of data subjects | Fans: subscribers and buyers on OnlyFans, Fanvue, or other Supported Platforms who interact with the Creator’s account.
Duration of processing | For the duration of the Creator’s BSilk account. Raw Fan data is deleted within seconds of analysis. Structured semantic output is retained until account closure.

4. Obligations of Blue Silk Limited as Processor

Process only on documented instructions: Blue Silk Limited will process Fan personal data only in accordance with the Creator’s documented instructions as set out in this DPA and the Terms of Service. If Blue Silk Limited is required by law to process data in a way not covered by these instructions, it will inform the Creator unless prohibited by law.

Confidentiality: Blue Silk Limited will ensure that all personnel authorised to process Fan personal data are bound by appropriate confidentiality obligations.

Security: Blue Silk Limited will implement appropriate technical and organisational measures to protect Fan personal data, as described in Section 13 of the Privacy Policy and Schedule 2 to this DPA. Given that raw content is deleted within seconds, the primary security risk is limited to the brief processing window.

Sub-processors: Blue Silk Limited will not engage any sub-processor to process Fan personal data without informing the Creator. The current list of sub-processors is set out in Schedule 1 to this DPA. Blue Silk Limited will impose equivalent data protection obligations on any sub-processor.

Data subject rights: Blue Silk Limited will assist the Creator in fulfilling data subject rights requests from Fans, to the extent technically possible given the data retained.

Data protection impact assessments: Blue Silk Limited will provide reasonable assistance to the Creator for any DPIA required under Article 35 UK GDPR in connection with the services provided under this DPA.

Deletion on termination: Upon termination of the Creator’s BSilk account, Blue Silk Limited will delete all Fan personal data (including the semantic profile) within 30 days, unless retention is required by law.

Audit rights: Blue Silk Limited will make available all information necessary to demonstrate compliance with this DPA and will permit and contribute to audits conducted by the Creator or an auditor mandated by the Creator, subject to reasonable advance notice and confidentiality obligations.

Breach notification: Blue Silk Limited will notify the Creator without undue delay (and in any event within 72 hours) upon becoming aware of a Personal Data Breach affecting Fan personal data processed under this DPA.

5. Sub-Processors

Blue Silk Limited currently uses the following categories of sub-processors that may process Fan personal data:

Category | Role | Fan data involved?
Cloud infrastructure provider | Hosts servers and databases on which the BSilk platform operates. Fan data may reside briefly on this infrastructure during the content screening window (seconds). | Yes — briefly
Stripe, Inc. | Card payment processing only. | No
Cryptocurrency payment provider | Cryptocurrency transaction processing only. | No
Email service provider | Transactional email delivery — User contact data only. | No

No Fan personal data is shared with any third-party AI provider. BSilk’s content screening AI is proprietary and runs entirely on BSilk’s own infrastructure.

Blue Silk Limited will notify Creators of any intended changes to sub-processors at least 14 days in advance by email. If a Creator objects to a new sub-processor on data protection grounds, they must notify Blue Silk Limited within 14 days. Where Blue Silk Limited cannot accommodate the objection, the Creator may terminate their account without penalty.


6. International Data Transfers

Where Fan personal data is transferred outside the UK or EEA, Blue Silk Limited will ensure appropriate safeguards are in place in accordance with Chapter V UK GDPR, including UK International Data Transfer Agreements (IDTAs) or equivalent mechanisms.

Creators with Fans in specific jurisdictions (including EU member states, the United States, and other countries with specific data transfer requirements) should ensure they have their own lawful basis for the international transfer of Fan data to Blue Silk Limited.


7. Term and Termination

This DPA is effective from the date the Creator accepts the Terms of Service and continues until the Creator’s BSilk account is terminated. Termination of the Terms of Service automatically terminates this DPA. The obligations in Clauses 4.3 (Security) and 4.7 (Deletion) survive termination.


8. Governing Law

This DPA is governed by the laws of England and Wales. Any disputes arising under or in connection with this DPA shall be subject to the exclusive jurisdiction of the courts of England and Wales.


Schedule 1 — Sub-Processor List

Current as of the Effective Date. Subject to change with 14 days’ notice.

Sub-processor | Purpose | Location
Cloud infrastructure provider | Hosting, compute, and storage infrastructure | UK/EEA region where possible
Stripe, Inc. | Card payment processing only — does not process Fan personal data | United States
Cryptocurrency payment provider | Cryptocurrency transaction processing only — does not process Fan personal data | To be confirmed at point of payment
Email service provider | Transactional email delivery — User contact data only, not Fan data | To be confirmed

Schedule 2 — Technical and Organisational Security Measures

Blue Silk Limited implements the following measures in connection with Fan personal data processed under this DPA:

  • Encryption: all data in transit is encrypted using TLS 1.2 or higher. Data at rest is encrypted using AES-256 or equivalent.
  • Access controls: access to systems processing Fan personal data is restricted to authorised personnel on a need-to-know basis, enforced by role-based access controls and multi-factor authentication.
  • Immediate deletion: the primary security measure for raw Fan content is immediate deletion within seconds of AI analysis completing, drastically minimising the exposure window.
  • Network security: firewalls, intrusion detection, and DDoS protection are in place on all infrastructure.
  • Incident response: a documented Personal Data Breach response procedure is maintained, with 72-hour ICO notification capability.
  • Penetration testing: regular security assessments are conducted on the BSilk platform.
  • Staff training: all personnel with access to personal data receive regular data protection training.