What is Backend as a Service (BaaS)?

Backend as a Service (BaaS) is a cloud service model that provides developers with ready-made backend components like authentication, databases, and APIs, eliminating the need to build and maintain backend infrastructure from scratch. 23blocks offers opinionated, production-ready API blocks that save thousands of development hours.

How is 23blocks different from Firebase or Supabase?

23blocks offers opinionated, production-ready API blocks with built-in business logic, not just infrastructure. Our plug-and-play modules save thousands of development hours with best practices already implemented. Unlike Firebase or Supabase, we focus on providing complete business functionality, not just database and auth primitives.

Can I use 23blocks with any frontend framework?

Yes! 23blocks provides REST APIs that work with any frontend framework including React, Angular, Vue, Next.js, Svelte, and more. Our APIs are framework-agnostic, so you can integrate them into any tech stack.

Is there a free tier for indie developers?

Yes! 23blocks offers a generous free tier to help indie developers and startups get started. You can build and test your application without any upfront costs. We also offer pay-as-you-go pricing that scales with your usage.

How secure is the authentication block?

Our authentication block is built with enterprise-grade security best practices. It includes JWT authentication, OAuth & SSO support, magic link authentication, multi-factor authentication (MFA), session management, and secure password hashing. All data is encrypted in transit and at rest.

What kind of support do you offer?

We provide comprehensive documentation, code examples for popular frameworks, and customer support to help you integrate our API blocks. Our team is committed to helping you succeed with rapid development and deployment.

Data Processing Agreement

Name: 23blocks
Author: 23blocks Inc.

This Data Processing Agreement (the "DPA") is entered into as of May 11, 2026 by and between:

23blocks Inc., a Delaware corporation ("Processor" or "23blocks"), and

[CUSTOMER LEGAL NAME] ("Controller" or "Customer").

This DPA supplements the Terms of Service or Master Services Agreement and any applicable Order Document(s) (collectively, the "Services Agreement").

Recitals

A. Customer is a "Controller" within the meaning of GDPR Article 4(7) with respect to certain personal data of data subjects in the European Economic Area, the United Kingdom, and similar jurisdictions.

B. 23blocks provides Services to Customer that may involve Processing personal data on Customer's behalf. In the course of those Services, 23blocks may be deemed a "Processor" within the meaning of GDPR Article 4(8).

C. The Parties enter into this DPA to comply with GDPR, the UK GDPR, the UK Data Protection Act 2018, and similar data protection laws in jurisdictions where Customer does business or where Customer's data subjects are located ("Data Protection Laws").

NOW, THEREFORE, the Parties agree as follows.

1. Definitions

Capitalized terms not defined here have the meanings given in GDPR. The following terms have the meanings below:

"Personal Data" means personal data as defined in Article 4(1) GDPR, processed by 23blocks on Customer's behalf in connection with the Services.
"Processing" has the meaning given in Article 4(2) GDPR.
"Data Subject" has the meaning given in Article 4(1) GDPR.
"Data Protection Laws" means GDPR, UK GDPR, the UK Data Protection Act 2018, and any other applicable data protection laws.
"Sub-processor" means any Processor engaged by 23blocks to Process Personal Data.
"Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission Decision 2021/914 of 4 June 2021, as amended.

2. Scope and Roles

Customer is the Controller. 23blocks is the Processor. Each Party is responsible for its respective compliance with Data Protection Laws.

3. Subject Matter, Duration, and Categories

Item	Description
Subject matter of Processing	The provision of the Services described in the Services Agreement
Duration	The duration of the Services Agreement, plus any required retention period
Nature and purpose	Processing necessary to provide the Services, including hosting, storage, transmission, and Customer-directed use of the Blocks
Categories of Personal Data	As Customer determines and submits via the Services. Typical categories: name, email, phone, account credentials, profile data, transactional data, and any other data Customer chooses to submit
Categories of Data Subjects	Customer's End Users, employees, customers, contacts, and other individuals about whom Customer submits Personal Data via the Services

4. Customer's Obligations as Controller

Customer represents, warrants, and undertakes that:

(a) Customer has and will maintain a lawful basis for the Processing of Personal Data via the Services for the duration of the Services Agreement.

(b) Customer has informed Data Subjects about the Processing in accordance with Articles 13–14 GDPR.

(d) Customer is solely responsible for the accuracy, quality, and legality of Personal Data and the means by which Customer acquired Personal Data.

(e) Customer will respond to Data Subject requests under Articles 15–22 GDPR; 23blocks's role is limited to providing reasonable assistance per Section 6.

5. 23blocks's Obligations as Processor

5.1 Documented Instructions

23blocks shall Process Personal Data only on documented instructions from Customer, including with regard to transfers of Personal Data to a third country or an international organization, unless required to do so by Data Protection Law. The Services Agreement and any subsequent written instructions from Customer constitute Customer's complete instructions.

5.2 Confidentiality

23blocks shall ensure that persons authorized to Process the Personal Data are subject to confidentiality obligations or are under an appropriate statutory obligation of confidentiality.

5.3 Security

23blocks shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing, as required by Article 32 GDPR. A description of 23blocks's technical and organizational measures is in Annex 1.

5.4 Sub-processors

(a) General authorization. Customer authorizes 23blocks to engage Sub-processors. The current list of Sub-processors is at 23blocks.com/legal/subprocessors.

(b) Notice of changes. 23blocks will notify Customer of any intended addition or replacement of Sub-processors with at least thirty (30) days' notice.

(c) Right to object. Customer may object on reasonable grounds within fourteen (14) days of notice. The Parties will discuss in good faith. If unresolved, Customer's exclusive remedy is to terminate the affected Service Line.

(d) Sub-processor obligations. 23blocks will impose on Sub-processors the same data protection obligations as set out in this DPA, by contract or other legal instrument.

(e) Liability. 23blocks remains liable to Customer for the performance of Sub-processor obligations.

5.5 Assistance with Data Subject Rights

Taking into account the nature of the Processing, 23blocks shall assist Customer by appropriate technical and organizational measures, insofar as possible, in the fulfillment of Customer's obligations to respond to requests for exercising Data Subject rights under Articles 15–22 GDPR. 23blocks's reasonable assistance includes providing standard data export functionality.

5.6 Assistance with Compliance

23blocks shall assist Customer in ensuring compliance with the obligations under Articles 32–36 GDPR (security, breach notification, DPIA, prior consultation), taking into account the nature of the Processing and the information available to 23blocks.

5.7 Personal Data Breach Notification

23blocks shall notify Customer without undue delay, and in no event later than forty-eight (48) hours, after becoming aware of a Personal Data Breach affecting Personal Data Processed under this DPA. 23blocks's notification shall include, to the extent then known:

(a) A description of the nature of the Breach.

(b) The categories and approximate number of Data Subjects concerned.

(d) The likely consequences.

(e) Measures taken or proposed to address the Breach.

5.8 Deletion or Return

At the choice of Customer, upon termination or expiration of the Services Agreement, 23blocks shall delete or return all Personal Data and delete existing copies, unless retention is required by Data Protection Law. 23blocks's standard deletion timeframe is thirty (30) days, consistent with ToS Section 13.3.

5.9 Audit Rights

23blocks shall make available to Customer all information necessary to demonstrate compliance with this DPA and shall allow for and contribute to audits, including inspections, conducted by Customer or another auditor mandated by Customer.

(a) Standard audit. 23blocks's compliance is demonstrated by 23blocks's published security documentation, third-party audit reports (e.g., SOC 2 Type II), and responses to Customer's reasonable security questionnaires. Customer's audit obligations are satisfied by these.

(b) On-site audit. Customer's right to on-site audit is exercisable not more than once per calendar year (except in case of a Personal Data Breach), with at least thirty (30) days' written notice, during 23blocks's regular business hours, by a mutually-agreed independent auditor, at Customer's cost. Customer's auditor shall sign confidentiality and non-disclosure obligations satisfactory to 23blocks before the audit.

6. International Transfers

6.1 EU/EEA to U.S. Transfers

To the extent that 23blocks (a U.S. company) Processes Personal Data of Data Subjects in the European Economic Area, the Parties incorporate by reference Module Two (Controller-to-Processor) of the Standard Contractual Clauses.

For purposes of the SCCs:

Data Exporter: Customer.
Data Importer: 23blocks Inc.
Module: Module Two (Controller-to-Processor) — Customer is the Controller and 23blocks is the Processor.
Clause 7 (Docking Clause): Optional; not used unless an additional party is to be added.
Clause 9 (Sub-processors): Option 2 — General Authorization, with thirty (30) days' notice per Section 5.4(b).
Clause 11 (Redress): Option 1 (no independent dispute resolution body) selected.
Clause 17 (Governing Law): The law of Ireland.
Clause 18 (Choice of Forum): The courts of Ireland.

6.2 UK Transfers

For Personal Data of UK Data Subjects, the Parties incorporate the UK Information Commissioner's Office International Data Transfer Addendum to the SCCs (the "UK IDTA"), with the SCCs above modified by the UK IDTA as appropriate.

6.3 Other International Transfers

Where Personal Data is transferred to other jurisdictions, 23blocks will implement appropriate safeguards consistent with applicable Data Protection Laws.

6.4 Annex 2

Annex 2 to this DPA contains the description of the transfer required by the SCCs.

7. Liability and Indemnification

Each Party's liability under this DPA is subject to the limitation of liability in ToS Section 21, except as required otherwise by GDPR Articles 82–84.

Customer indemnifies 23blocks per ToS Section 22.2 for claims arising out of (a) Customer's failure to maintain a lawful basis for Processing, (b) Customer's failure to inform Data Subjects, (c) Customer's submission of Personal Data outside the categories agreed, or (d) Customer's other failures of Controller obligations under Data Protection Laws.

8. Term and Termination

This DPA is effective on the Effective Date and continues until the earlier of (a) termination of the Services Agreement, or (b) deletion of all Personal Data per Section 5.8.

The provisions of Section 5.7 (Breach Notification — for Breaches discovered before termination), Section 5.8 (Deletion or Return), Section 6 (International Transfers — for residual data), Section 7 (Liability), and Section 9 (Miscellaneous) survive termination.

9. Miscellaneous

9.1 Inconsistencies

In the event of inconsistency between this DPA and the Services Agreement, this DPA controls solely with respect to the Processing of Personal Data. The Services Agreement controls in all other respects.

9.2 Governing Law

This DPA is governed by the laws of the State of Delaware per ToS Section 25.10, except that for matters relating to the SCCs and UK IDTA, the law specified in the SCCs and UK IDTA respectively applies.

9.3 Notices and Counterparts

Notices follow ToS Section 25.8. This DPA may be executed in counterparts, including electronic signature.

9.4 No Third-Party Beneficiaries

This DPA does not create rights in any third party, except as required by Data Protection Laws (e.g., the SCCs' third-party-beneficiary provisions).

10. Acceptance and Signatures

23blocks Inc. (Processor)	[Customer Legal Name] (Controller)
Signature: _______________________	Signature: _______________________
Name: Juan Pelaez	Name: ___________________________
Title: CTO	Title: ___________________________
Date: ____________________________	Date: ____________________________

Annex 1 — Technical and Organizational Measures

23blocks implements the following technical and organizational measures:

A. Pseudonymization and Encryption

Personal Data in transit: TLS 1.2 minimum, TLS 1.3 preferred.
Personal Data at rest: AES-256 (or equivalent) for databases, file storage, and backups.
Where applicable, pseudonymization or tokenization of identifying fields.

B. Confidentiality, Integrity, Availability, and Resilience

IAM with least-privilege principles.
MFA required for administrative access.
Network segmentation between environments.
Regular automated backups with documented retention.
Disaster recovery procedures with documented RTO and RPO.

C. Restoration

Tested restoration procedures from backups.
Multi-AZ or multi-region resilience for production environments (Dedicated Cloud and 7x24 plans).

D. Regular Testing

Vulnerability scanning of infrastructure and applications.
Annual third-party penetration testing.
Annual SOC 2 Type II audit (or equivalent).

E. Personnel

Background checks on personnel with access to Personal Data.
Confidentiality obligations.
Annual security training.

F. Asset Management and Access Control

Inventory of systems Processing Personal Data.
Documented access provisioning and de-provisioning procedures.
Logging of access to Personal Data.

G. Incident Response

Documented incident response procedures.
24/7 on-call rotation for security incidents.
Defined escalation paths for Personal Data Breaches per Section 5.7.

Annex 2 — Description of Transfer (for SCC purposes)

A. List of Parties

Customer (Data Exporter / Controller) and 23blocks Inc. (Data Importer / Processor) per the introductory clauses.

B. Description of Transfer

Categories of Data Subjects: As described in Section 3.
Categories of Personal Data: As described in Section 3.
Sensitive Personal Data: Customer is prohibited from submitting sensitive Personal Data unless covered by the BAA (for PHI) or another specifically agreed addendum.
Frequency of transfer: Continuous, as Customer uses the Services.
Nature of Processing: As necessary for 23blocks to provide the Services.
Purpose of transfer: Provision of the Services.
Duration of Processing: Term of the Services Agreement.

C. Competent Supervisory Authority

The supervisory authority of the EU Member State in which the Customer (Data Exporter) is established, or for UK transfers, the UK Information Commissioner's Office (ICO).