Founder Insights·April 17, 2026

We Rewrote Our Legal Foundation

24TB of pirated content, 19,000 customers, and a V2 coming. Why we rewrote Blue's legal foundation.


In the last few months, there have been three main signals that Blue’s terms and conditions needed to be updated.

  1. We had 24 terabytes of pirated content on our servers.

Over the past few months, we terminated more than 100 accounts for uploading copyrighted material — software, films, music, books — that had no business being on Blue. These terminations were harder than they should have been, because our terms of service didn’t give us clean language to act on.

  2. Blue runs the daily operations of 19,000+ organizations now.

Some of them are healthcare providers. Some are in financial services. Some are enterprises with procurement teams that read our DPA line by line before they’ll sign. The legal docs we started with — written when we were a much smaller, much simpler company — were not going to carry us into the next chapter.

  3. V2 is coming. Our full platform rewrite ships soon.

It didn’t feel right to launch a new product with completely new infrastructure, on top of an old legal foundation.

So over the past few weeks, we rewrote it.

I’ve come to think that legal documents, for a SaaS company, are part of the product.

Not in a compliance-theater way. In the literal sense: what your Terms say changes what you can build, what you can promise, who will buy from you, and what you have to do when things go wrong. The docs are contracts with the real world. Writing them well is engineering with words.

So I treated this rewrite the way I’d treat a significant product release. We started with principles — what do we actually do, and what won’t we do? — mapped the surface area (nine documents, around 2,000 lines of prose), and rebuilt from the ground up.

What changed — the headlines

If you don’t want to read the rest, here’s the short version:

  • Two new documents. An Acceptable Use Policy and a single, unified Sub-Processors page.
  • Terms of Service rewritten. Numbered, modern structure. Clearer language. Explicit AI section. A document hierarchy so conflicts resolve predictably, especially for customers with custom contracts.
  • DPA modernized. Rewritten to contemporary enterprise standard — UK GDPR, Standard Contractual Clauses, UK IDTA, 72-hour breach notification, annual audit rights.
  • Sub-processors centralized. One page. Updated in one place. Clear PHI-authorized subset for healthcare customers.
  • AI scanning, explicit. We’ve clarified our position on using AI to scan content for abuse. We now say what we scan, why, and who makes the final call (a human, always).
  • Retention, unified. On termination, we send a CSV of direct download links for all your files — you have 30 days to pull everything. Data is then deleted from active systems within 90 days, and from backups within 90 days of that. The same numbers appear in every document.
  • “Blue is not a backup service.” Written into the AUP explicitly.

Splitting out the Acceptable Use Policy

The biggest structural change is the new Acceptable Use Policy.

Everything about prohibited content, prohibited uses, storage abuse, and enforcement used to be buried inside the Terms of Service. That made it hard to update, hard for customers to find, and hard to cite when we needed to act on a violation.

The new AUP has its own page and its own lifecycle. It defines what abuse means, what happens when we see it, and — importantly — what happens to your data after. Accounts terminated for hosting pirated content get a seven-day export window for non-infringing data. CSAM (i.e. child sexual abuse material) is a zero-notice, zero-export termination, reported to NCMEC and law enforcement. Everything else has a proportional response and an appeals process with a 30-day human review.

Splitting this out means we can update acceptable-use rules as threats evolve without amending the entire Terms of Service every time.

A real sub-processor list

Our sub-processors used to be mentioned across three different documents, sometimes got out of sync with reality, and had different levels of detail.

Now there’s one page, with a table: who the sub-processor is, what they do, and where the data lives. It’s the canonical list. The DPA points to it. The BAA points to it. If we add or remove a vendor, there’s one file to update.

There’s also a separate PHI-authorized subset — only four vendors are permitted to touch Protected Health Information under our Business Associate Agreement. That used to be implicit. Now it’s explicit.

The DPA, brought forward

Our old Data Processing Agreement was functional but dated. The new one is rebuilt around how enterprise procurement teams actually read these documents in 2026.

Specifically: UK GDPR alongside EU GDPR. Standard Contractual Clauses and the UK IDTA as transfer mechanisms. A real security-incidents section with a 72-hour window for notifying the customer, down from the old 14 days (the customer's own deadline to its supervisory authority under GDPR Article 33 is 72 hours from becoming aware of a breach, so a processor that takes longer than that leaves them no room). An explicit audit clause, satisfiable by a SOC 2 Type II report. Clear sub-processor change procedures — 30 days’ notice, 14 days to object.

None of this is novel. All of it was missing. Enterprise buyers noticed.

AI, written down

Our policy on using AI to scan content for abuse has always been that AI systems flag potential violations. All enforcement decisions are made by humans.

The rewrite clarifies that in three places — the Terms, the Privacy Policy, and the GDPR page. The line we repeat across all three is the same: AI systems flag potential violations. All enforcement decisions are made by humans. That’s how we actually operate, and now it’s what the documents say.

Two other AI points are now explicit. We do not use your content to train AI models. And AI content scanning runs on EU-based endpoints, so your data doesn’t leave the EU for that purpose either.

Onward

Go read the updated Terms of Service, Acceptable Use Policy, Privacy Policy, and Data Processing Agreement. If you’re a healthcare customer, the HIPAA page and Business Associate Agreement have been updated too. If you’re in procurement, the Sub-Processors page is probably what you’re looking for.

V2 ships on top of this foundation. It feels right to build on something solid.