Data Processing Addendum
This Data Processing Addendum applies to individuals and businesses using Maze. This is the current version of these terms, dated 25/03/2021
This data processing addendum ("DPA") applies as set out in clause 11 of the Agreement.
In the event of any conflict between the Agreement and this DPA, this DPA shall prevail.
Unless otherwise set out below, each capitalised term in this DPA shall have the meaning set out in the Agreement and the following words and expressions shall have the following meanings:
1. "Adequate Country" means a country or territory outside the EEA that the European Commission has deemed to provide an adequate level of protection for Personal Data pursuant to a decision made in accordance with Article 45(1) of the EU GDPR;
2. "Customer Personal Data" means the personal data described here and any other personal data that Maze processes on your behalf in connection with your use of the Service;
3. "Data Protection Laws" means any applicable legislation protecting the fundamental rights and freedoms of persons and their right to privacy with regard to the Processing of Customer Personal Data, including without limitation the EU General Data Protection Regulation 2016/679 of the European Parliament and of the Council ("EU GDPR"), the EU GDPR as it forms part of United Kingdom ("UK") law by virtue of section 3 of the European Union (Withdrawal) Act 2018, as amended (including by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019) ("UK GDPR"), and any other applicable data protection law, in particular the UK Data Protection Act 2018;
4. "European Economic Area" or "EEA" means the Member States of the European Union together with Iceland, Norway, and Liechtenstein;
5. "Party" means each of you and Maze;
6. "Restricted Country" means a country or territory outside the EEA that is not an Adequate Country;
7. "Restricted Transfer" means: (i) a transfer of Customer Personal Data from you to Maze in a Restricted Country; or (ii) an onward transfer of Customer Personal Data from Maze to a Sub-processor in a Restricted Country, (in each case) where such transfer would be prohibited by Data Protection Laws without a legal basis therefor under Chapter V of the EU GDPR and UK GDPR;
8. "Security Incident" means any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, any of the Customer Personal Data;
9. "Standard Contractual Clauses" means the standard contractual clauses issued by the European Commission (from time to time) for the transfer of Personal Data from Controllers established inside the EEA to Processors established in Restricted Countries; and
10. "Sub-processor" means any third party appointed by or on behalf of Maze to Process Customer Personal Data.
The terms "Personal Data", "Controller", "Processor", "Data Subject", "Process", "Special Category Personal Data" and "Supervisory Authority" shall have the same meaning as set out in the EU GDPR.
Instructions for Data Processing. In respect of Customer Personal Data, the Parties acknowledge that Maze acts as the Processor and you act as the Controller. You instruct Maze to Process Customer Personal Data as necessary to provide the Service to you and to perform its obligations and exercise its rights under the Agreement. Maze may terminate the Agreement in its entirety upon written notice to you with immediate effect if Maze considers (in its reasonable discretion):
1. that it is unable to adhere to, perform or implement any instructions issued by you due to the technical limitations of its systems, equipment and/or facilities; and/or
2. that adherence, performance or implementation of any such instructions would require disproportionate effort (whether in terms of time, cost, available technology, manpower or otherwise).
Maze will only Process Customer Personal Data in accordance with:
1. the Agreement, to the extent necessary to provide the Service to you; and
2. your written instructions, unless Processing is required by European Union, Member State or domestic UK law to which Maze is subject, in which case Maze shall, to the extent permitted by applicable law, inform you of that legal requirement before Processing Customer Personal Data in that way.
The Agreement (subject to any changes to the Service agreed between the Parties) and this DPA shall be your complete and final instructions to Maze in relation to the processing of Customer Personal Data. Processing outside the scope of this DPA or the Agreement will require prior written agreement between you and Maze on additional instructions for Processing.
Where applicable by virtue of Article 28(3)(h) of the EU GDPR and UK GDPR, Maze shall immediately notify you in the event that Maze believes your instructions conflict with the requirements of the EU GDPR, UK GDPR or other EU, Member State or domestic UK law.
Annex 1 sets out certain information regarding Maze's Processing of Customer Personal Data as required by Article 28(3) of the EU GDPR and UK GDPR.
Right to Process. You represent and warrant on an ongoing basis that Maze (and any Sub-processors) are legally permitted to Process the Customer Personal Data as contemplated under the Agreement and Statements of Work, including as follows:
1. the Processing of any Customer Personal Data will be consistent with the information communicated to the relevant Data Subjects or as otherwise necessary in accordance with Data Protection Laws; and
2. where required by applicable Data Protection Laws, you have a valid legal basis for the Processing by Maze of Customer Personal Data (including any and all instructions issued by you from time to time in respect of such Processing).
Transfer of personal data
Authorized Sub-processors. You agree that Maze may use the entities listed here as Sub-processors to Process Customer Personal Data.
You agree that Maze may use Sub-processors to fulfill its contractual obligations under the Agreement. Maze shall notify you from time to time of any changes to the Sub-processors it engages, and you may, within fourteen (14) days of receipt of such notice, object (on reasonable grounds) to the proposed appointment.
Maze shall be liable for the acts and omissions of all Sub-processors under or in connection with this DPA.
Data security, audits and security notifications
Maze Security Obligations. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Maze shall, in relation to Customer Personal Data, implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk. Details of Maze's technical and organizational security measures are set out in Annex 2.
Upon your reasonable request, Maze shall make available all information as Maze (acting reasonably) considers appropriate in the circumstances to demonstrate its compliance with this DPA.
Security Incident Notification. If Maze becomes aware of a Security Incident, Maze will:
1. notify you of the Security Incident without undue delay; and
2. provide such reasonable assistance to you as required to allow you to meet any obligations under Data Protection Laws to report the Security Incident to affected Data Subjects and/or the relevant Supervisory Authority(ies) (as may be determined in accordance with the Data Protection Laws).
Maze shall at your sole cost and expense co-operate with you and take such reasonable commercial steps as may be directed by you to assist in the investigation, mitigation and remediation of each such Security Incident.
Security audit. Maze shall perform a technical and organisational security self-audit on a quarterly basis. Maze runs a security bug bounty program, aiming to proactively and continuously ensure the highest level of security.
Maze Employees and Personnel. Maze shall treat Customer Personal Data as your Confidential Information, and shall ensure that any employees or other personnel have agreed to protect the confidentiality and security of Customer Personal Data.
Access requests and data subject rights
Data Subject Requests. Save as required (or where prohibited) under applicable law, Maze shall notify you of any request received by Maze from a Data Subject in respect of their personal data included in Customer Personal Data, and shall not respond to the Data Subject.
Maze shall provide you with the ability to correct, delete, block, access or copy Customer Personal Data in accordance with the functionality of the Service.
Government Disclosure. Maze shall notify you of any request for the disclosure of Customer Personal Data by a governmental or regulatory body or law enforcement authority (including any Supervisory Authority) unless otherwise prohibited by law or a legally binding order of such body or agency.
Where applicable, taking into account the nature of the Processing, and to the extent required under applicable Data Protection Laws, Maze shall, at your cost:
1. provide you with such assistance as may be reasonably necessary and technically possible in the circumstances, to assist you in fulfilling your obligation to respond to Data Subject Requests; and
2. provide reasonable assistance to you with any data protection impact assessments, and prior consultations with Supervisory Authorities, which you reasonably consider to be required of you by Articles 35 or 36 of the EU GDPR and UK GDPR, in each case solely in relation to the Processing of Customer Personal Data by, and taking into account the nature of the Processing by, and information available to, Maze.
6.2 Maze shall make available to you on request such information as Maze (acting reasonably) considers appropriate in the circumstances to demonstrate its compliance with this DPA. [In the event that you (acting reasonably) are able to provide documentary evidence that the information made available by Maze is not sufficient in the circumstances to demonstrate Maze's compliance with this DPA,] Maze shall allow for and contribute to audits, including on-premise inspections, by you or an auditor mandated by you in relation to the Processing of Customer Personal Data by Maze. You shall give Maze reasonable notice of any audit or inspection (which shall in no event be less than 14 days' notice, unless otherwise required by a Supervisory Authority) and shall use your best efforts (and ensure that each of your mandated auditors uses its best efforts) to avoid causing, and hereby indemnify Maze in respect of, any damage, injury or disruption to Maze's premises, equipment, personnel, data, and business (including any interference with the confidentiality or security of the data of Maze's other customers or the availability of Maze's services to such other customers) while your personnel and/or your auditor's personnel (if applicable) are on those premises in the course of any on-premise inspection. Maze need not give access to its premises for the purposes of such an audit or inspection:
(a) to any individual unless he or she produces reasonable evidence of their identity and authority;
(b) to any auditor whom Maze has not given its prior written approval (not to be unreasonably withheld);
(c) unless the auditor enters into a non-disclosure agreement with Maze on terms acceptable to Maze;
(d) where, and to the extent that, Maze considers, acting reasonably, that to do so would result in interference with the confidentiality or security of the data of Maze's other customers or the availability of Maze's services to such other customers;
(e) outside normal business hours at those premises; or
(f) on more than one occasion in any calendar year during the term of the Agreement, except for any additional audits or inspections which you are required to carry out under Data Protection Laws or by a Supervisory Authority, where you have identified the relevant requirement in your notice to Maze of the audit or inspection.
6.3 The Parties shall discuss and agree the costs of any inspection or audit to be carried out by you or on your behalf in advance of such inspection or audit and, unless otherwise agreed in writing between the Parties, you shall bear any third party costs in connection with such inspection or audit and reimburse Maze for all costs incurred by Maze and time spent by Maze (at Maze's then-current professional services rates) in connection with any such inspection or audit.
Duration and termination
Deletion of data. Subject to sections 7.2 and 7.3 below, Maze shall, within 90 (ninety) days of the date of termination of the Agreement:
1. return a complete copy of all Customer Personal Data by secure file transfer in such a format as notified by you to Maze; and
2. delete all other copies of Customer Personal Data in Maze's control.
Subject to section 7.3 below, you may in your absolute discretion notify Maze in writing within 30 (thirty) days of the date of termination of the Agreement to require Maze to delete all copies of Customer Personal Data Processed by Maze. Maze shall, within 90 (ninety) days of the date of termination of the Agreement:
1. comply with any such written request; and
2. where this section 7.2 applies, Maze shall not be required to provide a copy of Customer Personal Data to you.
Maze and its Sub-processors may retain Customer Personal Data to the extent required and for such period as required by applicable laws and always provided that Maze shall ensure the confidentiality of all such Customer Personal Data and shall ensure that such Customer Personal Data is only Processed as necessary for the purpose(s) specified in the applicable laws requiring its storage and for no other purpose.
8. Restricted Transfers
8.1 Subject to section 8.3, to the extent that any Processing by either Maze or any Sub-processor of Customer Personal Data involves a Restricted Transfer, the Parties agree that:
(a) you – as "data exporter"; and
(b) Maze or the Sub-processor (as applicable) – as "data importer",
shall enter into the Standard Contractual Clauses in respect of that Restricted Transfer and the associated Processing in accordance with section 8.3.
8.2 In respect of any Standard Contractual Clauses entered into pursuant to section 8.1:
(a) Clause 9 of such Standard Contractual Clauses shall be populated as follows:
"The Clauses shall be governed by the law of the Member State in which the data exporter is established."
(b) Clause 11(3) of such Standard Contractual Clauses shall be populated as follows:
"The provisions relating to data protection aspects for sub-processing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the data exporter is established."
(c) Appendix 1 to such Standard Contractual Clauses shall be populated with the corresponding information set out in Annex 1; and
(d) Appendix 2 to such Standard Contractual Clauses shall be populated with the corresponding information set out in Annex 2.
8.3 The Standard Contractual Clauses shall be deemed to come into effect under section 8.1 automatically upon the commencement of the relevant Restricted Transfer provided that section 8.1 shall not apply to a Restricted Transfer unless its effect is to allow the relevant Restricted Transfer and the associated Processing to take place without breach of Data Protection Laws.
Annex 1: Details of the processing of customer personal data
This page includes certain details of the processing of Customer Personal Data as required by Article 28(3) of the EU GDPR and UK GDPR.
Subject matter and duration of the Processing of Customer Personal Data
The Processing of Customer Personal Data in connection with your access to the Service on the terms set out in the Agreement.
The nature and purpose of the Processing of Customer Personal Data
The provision of the Service to you.
The types of Customer Personal Data to be processed
Any Personal Data uploaded or created on the Service, including name, contact details, profile information, and any Personal Data contained in Customer Content uploaded or created on the Service. No special category Personal Data.
The categories of data subject to whom the Customer Personal Data relates
Your obligations and rights
The obligations and rights of the Customer are as set out in this DPA.
Annex 2: Technical and organisational security measures
Maze maintains internal policies and procedures, or procures that its Sub-processors do so, which are designed to:
- secure any Personal Data Processed by Maze against accidental or unlawful loss, access or disclosure;
- identify reasonably foreseeable and internal risks to security and unauthorised access to the Personal Data Processed by Maze;
- minimise security risks, including through risk assessment and regular testing.
Maze will, and will use reasonable efforts to procure that its Sub-processors will, conduct periodic reviews of the security of their network and the adequacy of their information security program as measured against industry security standards and their policies and procedures.
Maze will, and will use reasonable efforts to procure that its Sub-processors will, periodically evaluate the security of their network and associated services to determine whether additional or different security measures are required to respond to new security risks or findings generated by the periodic reviews.
Maze will provide its staff with regular training on data security and privacy issues relevant to staff members' job roles.