Data Processing Addendum

Last updated: 08 November 2021

This Data Processing Addendum applies to individuals and businesses using Maze. This is the current version of these terms, dated 08 November 2021.

Background

This data processing addendum ("DPA") applies as set out in the Agreement.

In the event of any conflict between the Agreement and this DPA, this DPA shall prevail.

1. Definitions

Unless otherwise set out below, each capitalised term in this DPA shall have the meaning set out in the Agreement, and the following words and expressions shall have the following meanings:

"Adequate Country" means: (i) in the context of the EEA, a country or territory outside the EEA; and (ii) in the context of the UK, a country or territory outside the UK, in each case that the Relevant Body has deemed to provide an adequate level of protection for Personal Data pursuant to a decision made in accordance with the GDPR;

"Customer Personal Data" means the personal data described here and any other personal data that Maze Processes on your behalf in connection with your use of the Service;

"Data Protection Laws" means any applicable legislation protecting the fundamental rights and freedoms of persons and their right to privacy with regard to the Processing of Customer Personal Data, including without limitation: (i) the EU GDPR; (ii) the UK GDPR; and (iii) any other applicable data protection law;

"Data Subject Request" means the exercise by a Data Subject of their rights under, and in accordance with, Data Protection Laws in respect of Customer Personal Data;

"European Economic Area" or "EEA" means the Member States of the European Union together with Iceland, Norway, and Liechtenstein;

"GDPR" means, as appropriate and as amended from time to time: (i) the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) ("EU GDPR"); and/or (ii) the EU GDPR as it forms part of UK law by virtue of section 3 of the European Union (Withdrawal) Act 2018 ("UK GDPR");

"Party" means each of you and Maze;

"Restricted Transfer" means the disclosure, grant of access or other transfer of Customer Personal Data from you to Maze: (i) in the context of the EEA, to any country or territory outside the EEA which is not an Adequate Country; and (ii) in the context of the UK, to any country or territory outside the UK which is not an Adequate Country;

"Security Incident" means any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, any of the Customer Personal Data while in the custody of Maze or any Sub-processor;

"Standard Contractual Clauses" or "SCCs" means the EEA SCCs or UK SCCs, as appropriate;

"Sub-processor" means any third party appointed by or on behalf of Maze to Process Customer Personal Data;

"EEA SCCs" means the standard contractual clauses approved by the European Commission pursuant to Commission Implementing Decision (EU) 2021/914 of 4 June 2021;

"Relevant Body" means: (i) in the context of the UK, the UK Information Commissioner's Office; or (ii) in the context of the EEA, the European Commission;

"UK SCCs" means the standard contractual clauses approved by the European Commission pursuant to Commission Implementing Decision (EU) 2010/87; and

"UK" means the United Kingdom.

The terms "Personal Data", "Controller", "Processor", "Data Subject", "Process", "Special Category Personal Data" and "Supervisory Authority" shall have the same meaning as set out in the EU GDPR.

2. Data processing

In respect of Customer Personal Data, the Parties acknowledge that Maze acts as the Processor and you act as the Controller. You instruct Maze to Process Customer Personal Data as necessary to provide the Service to you and to perform its obligations and exercise its rights under the Agreement. Maze may terminate the Agreement in its entirety upon written notice to you with immediate effect if Maze considers (in its reasonable discretion):

2.1.1 that it is unable to adhere to, perform or implement any instructions issued by you due to the technical limitations of its systems, equipment and/or facilities; and/or

2.1.2 that adherence, performance or implementation of any such instructions would require disproportionate effort (whether in terms of time, cost, available technology, manpower or otherwise).

Maze will only Process Customer Personal Data in accordance with:

2.2.1 the Agreement, to the extent necessary to provide the Service to you, and

2.2.2 your written instructions, unless Processing is required by European Union, Member State or domestic UK law to which Maze is subject, in which case Maze shall, to the extent permitted by applicable law, inform you of that legal requirement before Processing Customer Personal Data in that way.

The Agreement (subject to any changes to the Service agreed between the Parties) and this DPA shall be your complete and final instructions to Maze in relation to the processing of Customer Personal Data. Processing outside the scope of this DPA or the Agreement will require prior written agreement between you and Maze on additional instructions for Processing.

Where applicable by virtue of Articles 28(3)(h) of the GDPR, Maze shall immediately notify you in the event that Maze believes your instructions conflict with the requirements of the EU GDPR, UK GDPR or other EU, Member State or other domestic UK law.

Annex 1 sets out certain information regarding Maze's Processing of Customer Personal Data as required by Articles 28(3) of the GDPR.

3. Right to Process

You represent and warrant on an ongoing basis that Maze (and any Sub-processors) are legally permitted to Process the Customer Personal Data as contemplated under the Agreement and Statements of Work, including as follows:

3.1 the Processing of any Customer Personal Data will be consistent with the information communicated to the relevant Data Subjects or as otherwise necessary in accordance with Data Protection Laws; and

3.2 where required by applicable Data Protection Laws, you have a valid legal basis for the Processing by Maze of Customer Personal Data (including any and all instructions issued by you from time to time in respect of such Processing).

4. Sub-processors

You agree that Maze may use the entities listed here, and hereby approve the appointment of those entities, as Sub-processors to Process Customer Personal Data.

You agree that Maze may use Sub-processors to fulfil its contractual obligations under the Agreement. Maze shall notify you from time to time of the identity of any amendments to the Sub-processors it engages, and you may, within fourteen (14) days of receipt of such notice, object (on reasonable grounds) to the proposed appointment. If, within fourteen (14) days of receipt of such notice, you notify Maze in writing of any objection (on reasonable grounds) to the proposed appointment: (i) Maze shall work with you in good faith to make available a commercially reasonable change in the provision of the Service which avoids the use of the proposed Sub-processor; and (ii) where such a change cannot be made within a further fourteen (14) days from Maze's receipt of your objection, notwithstanding anything in the Agreement, Maze may by written notice to you terminate the Agreement with immediate effect either (at its option) in whole or to the extent that it relates to the Service which requires the use of the proposed Sub-processor.

Maze shall be liable for the acts and omissions of all Sub-processors under or in connection with this DPA.

5. Data security, audits and security notifications

5.1 Maze security obligations

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Maze shall, in relation to Customer Personal Data, implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk. Details of Maze's technical and organizational security measures are set out in Annex 2.

Upon your reasonable request, Maze shall make available all information as Maze (acting reasonably) considers appropriate in the circumstances to demonstrate its compliance with this DPA.

5.2 Security Incident notification

If Maze becomes aware of a Security Incident, Maze will:

5.2.1 notify you of the Security Incident without undue delay, providing you with sufficient information to allow you to meet any obligations under Data Protection Laws to inform affected Data Subjects and/or Supervisory Authorities of the Security Incident, and:

5.2.2 provide such reasonable assistance to you as required to allow you to meet any obligations under Data Protection Laws to report the Security Incident to affected Data Subjects and/or the relevant Supervisory Authorities (as may be determined in accordance with the Data Protection Laws).

Maze shall, at your sole cost and expense, co-operate with you and take such reasonable commercial steps as may be directed by you to assist in the investigation, mitigation and remediation of each such Security Incident.

5.3 Security audits

Maze shall perform a self-assessment of its technical and organisational security on a quarterly basis. Maze runs frequent external web vulnerability scans and annual penetration tests against its platform, aiming to proactively and continuously ensure the highest level of security.

5.4 Maze employees and personnel

Maze shall treat Customer Personal Data as your confidential information, and shall ensure that any employees or other personnel who have access to it have agreed to protect the confidentiality and security of Customer Personal Data.

6. Access requests and Data Subject rights

6.1 Data Subject Requests

Save where prohibited by applicable law, Maze shall notify you of any Data Subject Request it receives, and shall not respond to the Data Subject Request unless instructed to do so by you.

Maze shall provide you with the ability to correct, delete, block, access or copy Customer Personal Data in accordance with the functionality of the Service.

6.2 Government disclosure

Maze shall notify you of any request for the disclosure of Customer Personal Data by a governmental or regulatory body or law enforcement authority (including any Supervisory Authority), unless otherwise prohibited by law or a legally binding order of such body or agency.

6.3 Assistance

Where applicable, taking into account the nature of the Processing, and to the extent required under applicable Data Protection Laws, Maze shall, at your sole cost and expense:

6.3.1.1 provide you with such assistance as may be reasonably necessary and technically possible in the circumstances to assist you in fulfilling your obligation to respond to Data Subject Requests, solely to the extent that you are unable to action the Data Subject Request using automated tools made available on the Service; and

6.3.1.2 provide reasonable assistance to you with any data protection impact assessments, and prior consultations with Supervisory Authorities, which you reasonably consider to be required of you by Articles 35 or 36 of the GDPR, in each case solely in relation to the Processing of Customer Personal Data by, and taking into account the nature of the Processing by, and information available to, Maze.

Maze shall make available to you on request such information as Maze (acting reasonably) considers appropriate in the circumstances to demonstrate its compliance with this DPA. In the event that you (acting reasonably and in good faith) are able to provide documentary evidence that the information made available by Maze is not sufficient in the circumstances to demonstrate Maze's compliance with this DPA, Maze shall allow for and contribute to audits, including on-premises inspections, by you or an auditor mandated by you in relation to the Processing of Customer Personal Data by Maze. You shall give Maze reasonable notice of any audit or inspection (which shall in no event be less than fourteen (14) days' notice, unless otherwise required by a Supervisory Authority) and shall use your commercially reasonable efforts (and ensure that each of your mandated auditors uses its commercially reasonable efforts) to avoid causing any damage, injury or disruption to Maze's premises, equipment, personnel, data, and business (including any interference with the confidentiality or security of the data of Maze's other customers or the availability of Maze's services to such other customers) while your personnel and/or your auditor's personnel are on those premises in the course of any on-premises inspection. Maze need not give access to its premises for the purposes of such an audit or inspection:

6.3.2.1 to any individual unless he or she produces reasonable evidence of their identity and authority;

6.3.2.2 to any auditor whom Maze has not given its prior written approval to (not to be unreasonably withheld);

6.3.2.3 unless the auditor enters into a non-disclosure agreement with Maze on terms acceptable to Maze;

6.3.2.4 where, and to the extent that, Maze considers, acting reasonably, that to do so would result in interference with the confidentiality or security of the data of Maze's other customers or the availability of Maze's services to such other customers;

6.3.2.5 outside normal business hours at those premises; or

6.3.2.6 on more than one (1) occasion in any calendar year during the term of the Agreement, except for any additional audits or inspections which you are required to carry out under Data Protection Laws or by a Supervisory Authority, where you have identified the relevant requirement in your notice to Maze of the audit or inspection.

The Parties shall discuss and agree the costs of any inspection or audit to be carried out by you or on your behalf in advance of such inspection or audit and, unless otherwise agreed in writing between the Parties, you shall bear any third party costs in connection with such inspection or audit (other than audits performed by regulatory agencies) and reimburse Maze for all costs incurred by Maze and time spent by Maze (at Maze's then-current professional services rates) in connection with any such inspection or audit.

7. Deletion of Customer Personal Data

7.1 Subject to sections 7.2 and 7.3 below, Maze shall, within 90 (ninety) days of the date of termination of the Agreement:

7.1.1 return a complete copy of all Customer Personal Data by secure file transfer in such a format as notified by you to Maze; and

7.1.2 delete all other copies of Customer Personal Data in Maze's control.

7.2 Subject to section 7.3 below, you may in your absolute discretion notify Maze in writing within 30 (thirty) days of the date of termination of the Agreement to require Maze to delete all copies of Customer Personal Data Processed by Maze. Maze shall, within 90 (ninety) days of the date of termination of the Agreement:

7.2.1 comply with any such written request; and

7.2.2 where this section 7.2 applies, not be required to provide a copy of Customer Personal Data to you.

7.3 Maze may retain Customer Personal Data to the extent required and for such period as required by applicable law, and provided that Maze shall ensure the confidentiality of all such Customer Personal Data and shall ensure that such Customer Personal Data is only Processed as necessary for the purpose(s) specified in the applicable law requiring its storage and for no other purpose.

8. Restricted Transfers

8.1 Subject to sections 8.2, 8.3 and 8.4 below, to the extent that any Processing by either Maze or any Sub-processor of Customer Personal Data involves a Restricted Transfer, the Parties hereby agree to incorporate into this DPA by reference: (i) in the context of a Restricted Transfer originating in the EEA, the EEA SCCs; and (ii) in the context of a Restricted Transfer originating in the UK, the UK SCCs, in each case between:

8.1.1 you – as 'data exporter'; and

8.1.2 Maze or the relevant Sub-processor (as applicable) – as 'data importer'.

8.2 The applicable SCCs shall be deemed to come into effect under section 8.1 automatically upon the commencement of any relevant Restricted Transfer.

8.3 In the context of a Restricted Transfer originating in the EEA:

8.3.1 Clause 7 of the EEA SCCs (which is optional) shall be deemed deleted;

8.3.2 for the purposes of Clause 9 of the EEA SCCs, Option 2 (General Written Authorisation) shall be deemed selected by the Parties, and Maze shall notify you of the addition or replacement of any Sub-processors at least fourteen (14) days in advance;

8.3.3 the optional language at Clause 11 of the EEA SCCs shall be deemed deleted;

8.3.4 for the purposes of Clause 17 of the EEA SCCs, Option 2 shall be deemed selected by the Parties, and the governing law shall be the law of the country where the Restricted Transfer originates;

8.3.5 Annex I of the EEA SCCs shall be populated with the corresponding information set out in the Annex 1 of this DPA; and

8.3.6 Annex II of the EEA SCCs shall be populated by reference to the security measures set out in Annex 2 of this DPA.

8.4 In the context of a Restricted Transfer originating in the UK:

8.4.1 the governing law for the purposes of Clauses 9 and 11(3) of the UK SCCs shall be the law of the country where the Restricted Transfer originates;

8.4.2 Appendix 1 of the UK SCCs shall be populated with the corresponding information set out in the Annex 1 of this DPA; and

8.4.3 Appendix 2 of the UK SCCs shall be populated by reference to the security measures set out in Annex 2 of this DPA.

8.5 In the event of any conflict or inconsistency between this DPA and the applicable SCCs, the terms of the applicable SCCs shall prevail.

Annex 1: Details Of The Processing Of Customer Personal Data

This page includes certain details of the processing of Customer Personal Data: (i) as required by Article 28(3) of the GDPR; and (ii) to populate the appropriate SCCs (where applicable).

Maze's activities:

  • The provision of the Service to you.

Subject matter and duration of the Processing of Customer Personal Data:

  • The Processing of Customer Personal Data in connection with your access to the Service on the terms set out in the Agreement.

Nature and purpose of the Processing of Customer Personal Data:

  • The provision of the Service to you.

Types of Customer Personal Data to be Processed:

  • Any Personal Data uploaded or created on the Service, including name, contact details, profile information, and any Personal Data contained in Customer Content uploaded or created on the Service.
  • No special category of Personal Data.

Categories of Data Subjects to whom the Customer Personal Data relates:

  • Customer, Customer's employees and Customer's testers.

Authorised Sub-processors:

  • Those Sub-processors listed here, and any other Sub-processors approved by you in accordance with this DPA.

Data retention:

  • Maze will delete the Customer Personal Data from its systems on expiry or termination of the Service in accordance with its usual data retention practices, provided always that it complies with the provisions of this DPA.

Competent Supervisory Authority:

  • The Supervisory Authority competent at the location of your main establishment.

Your obligations and rights:

  • The obligations and rights of the Customer are as set out in this DPA.

Annex 2: Technical And Organisational Security Measures

  • Maze maintains internal policies and procedures, or procures that its Sub-processors do so, which are designed to:
    • secure any Personal Data Processed by Maze against accidental or unlawful loss, access or disclosure;
    • identify reasonably foreseeable and internal risks to security and unauthorised access to the Personal Data Processed by Maze; and
    • minimise security risks, including through risk assessment and regular testing.
  • Maze will, and will use reasonable efforts to procure that its Sub-processors will, conduct periodic reviews of the security of their network and the adequacy of their information security program as measured against industry security standards and their policies and procedures.
  • Maze will, and will use reasonable efforts to procure that its Sub-processors will, periodically evaluate the security of their network and associated services to determine whether additional or different security measures are required to respond to new security risks or findings generated by the periodic reviews.
  • Maze will provide its staff with regular training on data security and privacy issues relevant to staff members' job role.