Enterprise Privacy & Compliance Framework — BlueNexus

Introduction

This Enterprise Privacy and Compliance Framework supplements BlueNexus Tech Pty Ltd's Global Privacy Policy. It provides detailed regulatory compliance information for enterprise customers, developers, partners, and auditors to support due diligence, security reviews, and regulatory assessments.

Clarification on "We", "Us", "Our"

These terms refer to BlueNexus as a legal entity and its personnel (employees, contractors, administrators). They do not refer to automated platform processing where human access to decrypted data does not occur.

The framework includes:

1. Data Sovereignty Principles
2. ANNEX A — GDPR & UK GDPR Compliance
3. ANNEX B — CCPA/CPRA Compliance
4. ANNEX C — Australian Privacy Act Compliance
5. ANNEX D — U.S. State Privacy Laws
6. ANNEX E — International Data Transfers
7. ANNEX F — Subprocessor Annex
8. ANNEX G — HIPAA Disclaimer
9. ANNEX H — Definitions & Roles
10. ANNEX I — Technical Architecture Overview
11. Jurisdiction / Governing Law Disclaimer

---

Data Sovereignty Principles

1. User-Controlled Encryption & Permissions

Platform features enable user-controlled environments where users manage:

• encryption and decryption keys
• access permissions granted to applications
• deletion, region, and routing preferences
• compute mode (TEE or non-TEE)

BlueNexus cannot decrypt content in these environments.

2. Developer-Controlled Routing & Processing

Developers integrating the Platform are responsible for:

• selecting processing regions
• defining data flows
• ensuring lawful bases and user notices
• retaining, modifying, or deleting data per obligations

BlueNexus processes developer-routed data solely on documented instructions as Processor.

3. Confidential Compute & Zero-Access Design

For workloads processed in Trusted Execution Environments (TEEs), the Platform relies on trusted third-party hardware and software vendors. These secure enclaves provide:

• encrypted-in-use processing
• memory isolation
• hardware attestation
• operator isolation

This architecture prevents BlueNexus personnel from accessing decrypted enclave content.

4. Region Selection & Data Localisation

Where supported, users and developers may select preferred regions for:

• data routing
• storage
• compute operations

The Platform enforces these selections without redirecting data unless required for security or performance, where permitted by contract.

---

ANNEX A — GDPR & UK GDPR Compliance

1. Roles Under GDPR / UK GDPR

1.1 Controller / Processor

Developer-Managed Data

• Developer is the Data Controller
• BlueNexus is the Data Processor
• Governed by the DPA

Sovereign or User-Controlled Accounts

• User is the Controller
• BlueNexus does not act as Controller or Processor
• Content stored in user-controlled environments is encrypted and inaccessible

Operational Account & Platform Data

• BlueNexus acts as Controller
• For authentication, fraud detection, platform security, billing, etc.

1.2 Joint Controllers

BlueNexus does not become a Joint Controller unless explicitly agreed in writing.

2. Lawful Bases for Processing (Article 6)

Processing Activity	Purpose	Lawful Basis
Account creation and authentication	Access to Services	Article 6(1)(b) — Contract
Security logs and fraud detection	Platform integrity	Article 6(1)(f) — Legitimate Interests
Support communications	Responding to inquiries	Article 6(1)(b) or (a)
Website analytics	Improve performance	Article 6(1)(f)
Compliance obligations	AML/CTF, tax, legal duties	Article 6(1)(c)

When BlueNexus is the Processor, the Developer/Enterprise Customer determines the lawful basis.

3. Special Category Data (Articles 9 & 10)

• BlueNexus does not determine lawful basis for special category data processing
• If developers or enterprise customers route health, biometric, or sensitive data, they must supply an Article 9 lawful basis
• Processing typically occurs inside secure environments such as TEEs

4. Data Subject Rights (Articles 12–23)

Sovereign / User-Controlled Accounts

Rights exercised directly through the user's dashboard or authorized applications.

Developer-Managed Data

Data subjects must contact the Controller (developer or enterprise customer). BlueNexus will assist under DPA Art. 28(3)(e).

When BlueNexus is Controller

Requests may be submitted to: legal@bluenexus.ai

Response periods:

• GDPR: 1 month
• UK GDPR: 1 month

5. International Transfers (Chapter V)

BlueNexus uses:

• EU Standard Contractual Clauses (SCCs) Modules 2 & 3
• UK GDPR Addendum
• Additional technical and organisational safeguards:
  • encryption in transit, at rest, and in use
  • confidential compute (TEE) isolation
  • hardware-backed attestation
  • role-based access controls
  • verified machine identities
  • zero-access design

If an EU/UK representative is required under Article 27, BlueNexus will appoint one and update this Annex.

6. Processor Commitments (Article 28)

BlueNexus shall:

• process data only on documented instructions
• maintain confidentiality
• implement Article 32 security measures
• assist with rights requests and DPIAs
• return or delete data upon termination
• maintain records of processing
• permit audits as agreed
• engage subprocessors only with authorisation

7. Supervisory Authorities

• EU Supervisory Authority: determined by Controller
• UK ICO: ico.org.uk

---

ANNEX B — California CCPA / CPRA Compliance

1. Notice at Collection

BlueNexus may collect:

• identifiers (email, device metadata)
• commercial information (billing data)
• internet or network activity
• geolocation (approximate)
• developer-submitted data (only if routed)

BlueNexus does not:

• sell personal information
• share personal information for cross-context behavioural advertising
• use sensitive personal information beyond essential services

2. California Consumer Rights

Consumers may have rights to:

• know
• delete
• correct
• opt out of sale/sharing (not applicable but mechanisms offered)
• data portability
• limit use of sensitive personal information (not applicable)
• non-discrimination

Requests: legal@bluenexus.ai

3. Appeals Process

If a request is denied, users may appeal by submitting an email referencing the decision. BlueNexus will respond within required timelines.

---

ANNEX C — Australian Privacy Act (APPs)

This Annex outlines compliance with the Australian Privacy Principles.

APP 1 — Open & Transparent Management

BlueNexus maintains internal governance and data handling policies.

APP 2 — Anonymity & Pseudonymity

Anonymous browsing permitted; identification required for account creation.

APP 3 — Collection

Personal information collected only where reasonably necessary.

APP 4 — Unsolicited Information

Deleted when not required.

APP 5 — Notification

Users are informed of:

• BlueNexus's identity/contact details
• purposes of collection
• consequences if data is not provided
• disclosures to subprocessors
• cross-border transfers (regions listed)

APP 6 — Use & Disclosure

Used only for the primary purpose or as permitted by law.

APP 7 — Direct Marketing

No direct marketing without consent.

APP 8 — Cross-Border Disclosure

Reasonable steps taken to ensure overseas recipients handle data appropriately.

APP 11 — Security

Technical and organisational measures used, including TEE-based confidential compute.

APP 12–13 — Access & Correction

Users may request access or correction by contacting BlueNexus.

---

ANNEX D — U.S. State Privacy Laws

1. Rights Provided

Residents may exercise rights to:

• access
• correction
• deletion
• portability
• opt out of targeted advertising / sales / profiling

BlueNexus does not engage in targeted advertising or selling without explicit user consent.

2. Sensitive Data

If developers route sensitive data, they must obtain affirmative consent.

3. Appeals

Denied requests may be appealed within the statutory timeframe.

4. Processor Duties

Where BlueNexus acts as Processor:

• follow controller instructions
• implement safeguards
• permit audits
• disclose subprocessors

---

ANNEX E — International Data Transfers

1. Regions of Processing

Processing may occur in:

• Australia
• United States
• European Union
• United Kingdom
• Regions selected by users or developers

BlueNexus does not process or store data in geographic regions other than those explicitly selected or authorised.

2. Transfer Safeguards

Where required:

• SCCs (Modules 2 & 3)
• UK Addendum
• Encryption at rest, in transit, and in use
• TEE-based confidential compute to minimise transfer risk
• Zero-access data architecture
• Transfer risk assessments (TRAs / TIAs) where applicable

3. Data Localisation Support

If specific customers require data residency restrictions, BlueNexus can restrict regions at the customer's direction (subject to availability).

---

ANNEX F — Subprocessor Annex

BlueNexus uses the following categories of subprocessors:

1. Infrastructure & Compute Providers

• Cloud hosting
• Confidential compute / enclave providers
• Load balancing and routing

2. Authentication & Security Providers

• Identity verification
• Fraud prevention
• Abuse detection

3. Observability & Monitoring

• System availability monitoring
• Performance monitoring
• Security event logging

4. Payments

• Payment gateways
• Subscription management tools

5. Communications

• Email delivery
• Customer messaging tools

A public list of subprocessors is available at bluenexus.ai.

Enterprise customers will receive prior notice of material changes in accordance with the DPA.

---

ANNEX G — HIPAA Disclaimer

Some developers or enterprise customers may route health or medical information through the Services.

The Platform is designed to support HIPAA-compliant deployments. However, BlueNexus does not act as a Business Associate under HIPAA unless a separate, written Business Associate Agreement (BAA) is agreed.

By default, the Services are not provided on a HIPAA-compliant basis unless explicitly agreed in writing.

Developers and customers are responsible for obtaining any required consents, authorisations, or approvals regarding health-related data processed using the Services.

---

ANNEX H — Definitions & Roles

"Personal Information" / "Personal Data": Information relating to an identified or identifiable individual.

"Developer" / "Controller": Entity determining the purpose and means of data processing.

"Processor": Entity processing personal information on behalf of a Controller.

"Sovereign Account / User-Controlled Account": Non-custodial account where the user controls access keys, encryption keys and permissions.

"Confidential Compute / TEE": Hardware-backed secure environment providing encrypted-in-use processing.

"Subprocessor": Third party engaged by BlueNexus to support service functionality.

---

ANNEX I — Technical Architecture Overview

This section provides a high-level technical overview of the Platform for compliance teams, auditors, and enterprise customers.

1. Confidential Compute (Trusted Execution Environments — TEEs)

The Platform supports processing within Trusted Execution Environments, which provide:

• Encrypted-in-use processing — data decrypted only within CPU/GPU-level secure enclaves
• Hardware-backed isolation — OS, hypervisor, and operator isolation
• Remote attestation — verifying enclave integrity
• Tamper resistance — detection of attempts to inspect or alter enclave memory

BlueNexus cannot view, modify, or extract data processed inside TEEs.

2. Encrypted Storage & Routing Layers

All data handled by the Services is protected with:

• encryption in transit (TLS)
• encryption at rest
• encryption-in-use (for enclave-supported workloads)

Routing metadata may be collected to maintain availability, performance and security, but decrypted content is never logged.

3. Machine Identity & Attestation

The Platform uses:

• hardware-attested identities
• verified compute nodes
• isolated hardware-backed workloads
• region-bound execution constraints

These controls restrict workloads to authorised environments only.

4. Zero-Access Operational Model

The technical architecture is designed to ensure BlueNexus cannot access decrypted user or developer content through:

• restricted operator privileges
• isolated runtime environments
• strict RBAC on system metadata
• no access to decrypted TEEs
• no logging of decrypted data

This model supports compliance with GDPR recommendations on supplementary measures, including EDPB Recommendations 01/2020.

5. Supported Processing Modes

Developers and enterprise customers may be able to choose:

• TEE mode
• Non-TEE mode
• Developer-hosted or hybrid compute
• Region-specific routing

Details vary by product configuration and customer contract.

---

Jurisdiction / Governing Law Disclaimer

This Enterprise Privacy and Compliance Framework and the Global Privacy Policy do not establish governing law, forum, or venue for disputes.

Jurisdiction, venue, and dispute resolution procedures are governed solely by the Enterprise Agreement, Terms of Service, or other applicable contractual documents between the parties.