Data Processing Addendum
Last updated: 11 October 2024
Table of Contents
- Background
- 1. Definitions
- 2. Data processing
- 3. Right to Process
- 4. Sub-processors
- 5. Data security, audits and security notifications
- 6. Access requests and Data Subject rights
- 7. Deletion of Customer Personal Data
- 8. Restricted Transfers
- ANNEX 1: DETAILS OF THE PROCESSING OF CUSTOMER PERSONAL DATA
- ANNEX 2: TECHNICAL AND ORGANISATIONAL SECURITY MEASURES
- ANNEX 3: POPULATION OF SCCs
This Data Processing Addendum applies to individuals and businesses using Maze. This is the current version of these terms, dated 11 October 2024.
Background
This data processing addendum ("DPA") applies as set out in the Agreement.
In the event of any conflict between the Agreement and this DPA, this DPA shall prevail.
1. Definitions
Unless otherwise set out below, each capitalised term in this DPA shall have the meaning set out in the Agreement, and the following words and expressions shall have the following meanings:
"Customer Personal Data" means the Personal Data described here and any other Personal Data that Maze Processes on your behalf in connection with your use of the Services;
"Data Protection Laws" means any applicable legislation protecting the fundamental rights and freedoms of persons and their right to privacy with regard to the Processing of Customer Personal Data, including without limitation: (i) the EU GDPR; (ii) the UK GDPR; and (iii) any other applicable data protection law;
"Data Subject Request" means the exercise by a Data Subject of their rights under, and in accordance with, Data Protection Laws in respect of Customer Personal Data;
"European Economic Area" or "EEA" means the Member States of the European Union together with Iceland, Norway, and Liechtenstein;
"GDPR" means, as appropriate and as amended from time to time: (i) the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) ("EU GDPR"); and/or (ii) the EU GDPR as it forms part of UK law by virtue of section 3 of the European Union (Withdrawal) Act 2018 ("UK GDPR"); and/or (iii) any legislation, and/or regulation implementing or made pursuant to them or which amends, replaces, re-enacts or consolidates any of them;
"Party" means each of you and Maze;
"Relevant Body" means: (i) in the context of the UK, the Information Commissioner's Office (ICO); and (ii) in the context of the EEA, the European Commission;
"Restricted Country" means: (i) in the context of the UK, a country or territory outside the UK; and (ii) in the context of the EEA, a country or territory outside the EEA, in each case that the Relevant Body has not deemed to provide an adequate level of protection for Personal Data pursuant to a decision made in accordance with Article 45(1) of the GDPR;
"Restricted Transfer" means the disclosure, grant of access or other transfer of Customer Personal Data to any person located in: (i) in the context of the EEA, a Restricted Country outside the EEA (an "EEA Restricted Transfer"); and/or (ii) in the context of the UK, a Restricted Country outside the UK (a "UK Restricted Transfer");
"Security Incident" means any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, any of the Customer Personal Data while in the custody of Maze or any Sub-processor;
"Standard Contractual Clauses" or "SCCs" means the standard contractual clauses approved by the European Commission pursuant to Implementing Decision (EU) 2021/914;
"Sub-processor" means any third party appointed by or on behalf of Maze to Process Customer Personal Data;
"UK" means the United Kingdom; and
"UK Transfer Addendum" means the template Addendum B.1.0 issued by the UK Information Commissioner's Office (ICO) and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of the Mandatory Clauses included in Part 2 thereof (the "Mandatory Clauses").
The terms "Personal Data", "Controller", "Processor", "Data Subject", "Process", "Special Category Personal Data" and "Supervisory Authority" shall have the same meaning as set out in the EU GDPR.
2. Data processing
2.1 In respect of Customer Personal Data, the Parties acknowledge that Maze acts as the Processor and you act as the Controller. You instruct Maze to Process Customer Personal Data as necessary to provide the Services to you and to perform its obligations and exercise its rights under the Agreement. Maze may terminate the Agreement in its entirety upon written notice to you with immediate effect if Maze considers (in its reasonable discretion):
2.1.1 that it is unable to adhere to, perform or implement any instructions issued by you due to the technical limitations of its systems, equipment and/or facilities; and/or
2.1.2 that adherence, performance or implementation of any such instructions would require disproportionate effort (whether in terms of time, cost, available technology, manpower or otherwise).
2.2 Maze will only Process Customer Personal Data in accordance with:
2.2.1 the Agreement, to the extent necessary to provide the Services to you, and
2.2.2 your written instructions, unless Processing is required by European Union, Member State or domestic UK law to which Maze is subject, in which case Maze shall, to the extent permitted by applicable law, inform you of that legal requirement before Processing Customer Personal Data in that way.
2.3 The Agreement (subject to any changes to the Services agreed between the Parties) and this DPA shall be your complete and final instructions to Maze in relation to the processing of Customer Personal Data. Processing outside the scope of this DPA or the Agreement will require prior written agreement between you and Maze on additional instructions for Processing.
2.4 Where applicable by virtue of Article 28(3)(h) of the GDPR, Maze shall immediately notify you in the event that Maze believes your instructions conflict with the requirements of the EU GDPR, UK GDPR or other EU, Member State or other domestic UK law.
2.5 Annex 1 sets out certain information regarding Maze's Processing of Customer Personal Data as required by Article 28(3) of the GDPR.
3. Right to Process
You represent and warrant on an ongoing basis that Maze (and any Sub-processors) are legally permitted to Process the Customer Personal Data as contemplated under the Agreement and Statements of Work, including as follows:
3.1 the Processing of any Customer Personal Data will be consistent with the information communicated to the relevant Data Subjects or as otherwise necessary in accordance with Data Protection Laws; and
3.2 where required by applicable Data Protection Laws, you have a valid legal basis for the Processing by Maze of Customer Personal Data (including any and all instructions issued by you from time to time in respect of such Processing).
4. Sub-processors
You agree that Maze may use the entities listed here, and hereby approve the appointment of those entities, as Sub-processors to Process Customer Personal Data.
You agree that Maze may use Sub-processors to fulfil its contractual obligations under the Agreement. Maze shall notify you from time to time of the identity of any new or replacement Sub-processors it engages, and you may, within fourteen (14) days of receipt of such notice, object (on reasonable grounds) to the proposed appointment. If, within fourteen (14) days of receipt of such notice, you notify Maze in writing of any objection (on reasonable grounds) to the proposed appointment: (i) Maze shall work with you in good faith to make available a commercially reasonable change in the provision of the Services which avoids the use of the proposed Sub-processor; and (ii) where such a change cannot be made within a further fourteen (14) days from Maze's receipt of your objection, notwithstanding anything in the Agreement, Maze may by written notice to you terminate the Agreement with immediate effect either (at its option) in whole or to the extent that it relates to the Services which require the use of the proposed Sub-processor.
Sub-processor notifications are handled via https://compliance.maze.co/updates. We encourage our customers to subscribe for real-time notice of changes.
Maze shall be liable for the acts and omissions of all Sub-processors under or in connection with this DPA.
5. Data security, audits and security notifications
5.1 Maze security obligations
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Maze shall, in relation to Customer Personal Data, implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk. Details of Maze's technical and organizational security measures are set out in Annex 2. You acknowledge and agree that you have reviewed the security measures listed in Annex 2 and satisfied yourself that they are sufficient for your purposes.
Upon your reasonable request, Maze shall make available all information as Maze (acting reasonably) considers appropriate in the circumstances to demonstrate its compliance with this DPA.
5.2 Security Incident notification
If Maze becomes aware of a Security Incident, Maze will:
5.2.1 notify you of the Security Incident without undue delay, providing you with sufficient information to allow you to meet any obligations under Data Protection Laws to inform affected Data Subjects and/or Supervisory Authorities of the Security Incident; and
5.2.2 provide such reasonable assistance to you as required to allow you to meet any obligations under Data Protection Laws to report the Security Incident to affected Data Subjects and/or the relevant Supervisory Authorities (as may be determined in accordance with the Data Protection Laws).
Maze shall, at your sole cost and expense, co-operate with you and take such reasonable commercial steps as may be directed by you to assist in the investigation, mitigation and remediation of each such Security Incident.
5.3 Security audits
Maze shall perform a self-assessment audit of its technical and organisational security measures on a quarterly basis. Maze also runs frequent external web vulnerability scans and annual penetration tests against its platform, with the aim of proactively and continuously maintaining a high level of security.
5.4 Maze employees and personnel
Maze shall treat Customer Personal Data as your confidential information, and shall ensure that any employees or other personnel who have access to it have agreed to protect the confidentiality and security of Customer Personal Data.
6. Access requests and Data Subject rights
6.1 Data Subject Requests
Save where prohibited by applicable law, Maze shall notify you of any Data Subject Request it receives, and shall not respond to the Data Subject Request unless instructed to do so by you.
Maze shall provide you with the ability to correct, delete, block, access or copy Customer Personal Data in accordance with the functionality of the Services.
6.2 Government disclosure
Maze shall notify you of any request for the disclosure of Customer Personal Data by a governmental or regulatory body or law enforcement authority (including any Supervisory Authority), unless otherwise prohibited by law or a legally binding order of such body or agency.
6.3 Assistance and audits
6.3.1 Where applicable, taking into account the nature of the Processing, and to the extent required under applicable Data Protection Laws, Maze shall, at your sole cost and expense:
6.3.1.1 provide you with such assistance as may be reasonably necessary and technically possible in the circumstances to assist you in fulfilling your obligation to respond to Data Subject Requests, solely to the extent that you are unable to action the Data Subject Request using automated tools made available on the Services; and
6.3.1.2 provide reasonable assistance to you with any data protection impact assessments, and prior consultations with Supervisory Authorities, which you reasonably consider to be required of you by Articles 35 or 36 of the GDPR, in each case solely in relation to the Processing of Customer Personal Data by, and taking into account the nature of the Processing by, and information available to, Maze.
6.3.2 Maze shall make available to you on request such information as Maze (acting reasonably) considers appropriate in the circumstances to demonstrate its compliance with this DPA. In the event that you (acting reasonably and in good faith) are able to provide documentary evidence that the information made available by Maze is not sufficient in the circumstances to demonstrate Maze's compliance with this DPA, Maze shall allow for and contribute to audits, including on premise inspections, by you or an auditor mandated by you in relation to the Processing of Customer Personal Data by Maze. You shall give Maze reasonable notice of any audit or inspection (which shall in no event be less than fourteen (14) days' notice, unless otherwise required by a Supervisory Authority) and shall use your commercially reasonable efforts (and ensure that each of your mandated auditors uses its commercially reasonable efforts) to avoid causing, any damage, injury or disruption to Maze's premises, equipment, personnel, data, and business (including any interference with the confidentiality or security of the data of Maze's other customers or the availability of Maze's services to such other customers) while your personnel and/or your auditor's personnel are on those premises in the course of any on premise inspection. Maze need not give access to its premises for the purposes of such an audit or inspection:
6.3.2.1 to any individual unless he or she produces reasonable evidence of their identity and authority;
6.3.2.2 to any auditor whom Maze has not given its prior written approval to (not to be unreasonably withheld);
6.3.2.3 unless the auditor enters into a non-disclosure agreement with Maze on terms acceptable to Maze;
6.3.2.4 where, and to the extent that, Maze considers, acting reasonably, that to do so would result in interference with the confidentiality or security of the data of Maze's other customers or the availability of Maze's services to such other customers;
6.3.2.5 outside normal business hours at those premises; or
6.3.2.6 on more than one (1) occasion in any calendar year during the term of the Agreement, except for any additional audits or inspections which you are required to carry out under Data Protection Laws or by a Supervisory Authority, where you have identified the relevant requirement in your notice to Maze of the audit or inspection.
6.3.3 The Parties shall discuss and agree the costs of any inspection or audit to be carried out by you or on your behalf in advance of such inspection or audit and, unless otherwise agreed in writing between the Parties, you shall bear any third party costs in connection with such inspection or audit (other than audits performed by regulatory agencies) and reimburse Maze for all costs incurred by Maze and time spent by Maze (at Maze's then-current professional services rates) in connection with any such inspection or audit.
7. Deletion of Customer Personal Data
7.1 Subject to sections 7.2 and 7.3 below, Maze shall, within 90 (ninety) days of the date of termination of the Agreement:
7.1.1 return a complete copy of all Customer Personal Data by secure file transfer in such a format as notified by you to Maze; and
7.1.2 delete all other copies of Customer Personal Data in Maze's control.
7.2 Subject to section 7.3 below, you may in your absolute discretion notify Maze in writing within 30 (thirty) days of the date of termination of the Agreement to require Maze to delete all copies of Customer Personal Data Processed by Maze. Maze shall, within 90 (ninety) days of the date of termination of the Agreement:
7.2.1 comply with any such written request; and
7.2.2 where this section 7.2 applies, not be required to provide a copy of Customer Personal Data to you.
7.3 Maze may retain Customer Personal Data to the extent required and for such period as required by applicable law, and provided that Maze shall ensure the confidentiality of all such Customer Personal Data and shall ensure that such Customer Personal Data is only Processed as necessary for the purpose(s) specified in the applicable law requiring its storage and for no other purpose.
8. Restricted Transfers
8.1 You acknowledge and agree that Maze may store and Process Customer Personal Data outside of the EEA or the UK. The Parties agree that, to the extent you transfer Customer Personal Data to Maze in a Restricted Country, this shall result in a Restricted Transfer. To allow such Restricted Transfer to take place without breach of applicable Data Protection Laws, the Parties agree as follows:
8.1.1. in the event of an EEA Restricted Transfer, the Parties shall comply with their respective obligations set out in the SCCs, which are hereby deemed to be: (i) populated in accordance with Part 1 of Annex 3; and (ii) entered into by the Parties and incorporated by reference into this DPA; and
8.1.2. in the event of a UK Restricted Transfer, the Parties shall comply with their respective obligations set out in the SCCs, which are hereby deemed to be: (i) varied to address the requirements of the UK GDPR in accordance with UK Transfer Addendum; (ii) populated in accordance with Part 2 of Annex 3; and (iii) entered into by the Parties and incorporated by reference into this DPA.
8.2 In the event of any conflict between the terms of this DPA and the terms of the applicable SCCs, the terms of the applicable SCCs shall prevail to the extent of such conflict.
8.3 If required by any Supervisory Authority or the mandatory laws or regulatory procedures of any jurisdiction in relation to an EEA Restricted Transfer and/or UK Restricted Transfer, the Parties shall execute or re-execute the applicable SCCs as separate documents setting out the proposed transfers of Customer Personal Data in such manner as may be required.
ANNEX 1: DETAILS OF THE PROCESSING OF CUSTOMER PERSONAL DATA
This page includes certain details of the processing of Customer Personal Data: (i) as required by Article 28(3) of the GDPR; and (ii) to populate the appropriate SCCs (where applicable).
Maze's activities
- The provision of the Services to you.
Subject matter and duration of the Processing of Customer Personal Data:
- The Processing of Customer Personal Data in connection with your access to the Services on the terms set out in the Agreement.
Nature and purpose of the Processing of Customer Personal Data:
- The provision of the Services to you.
Types of Customer Personal Data to be Processed:
- Full name;
- Unique identifier;
- Email address;
- Profile information;
- Video footage captured using the ‘Clips’ and ‘Live Website Testing’ features;
- Screen recordings captured using the ‘Clips’ and ‘Live Website Testing’ features; and
- Any other Personal Data contained in Customer Content uploaded or created on the Services.
Categories of Data Subjects to whom the Customer Personal Data relates:
- Customer, Customer's employees and Customer's participants.
Authorised Sub-processors:
- Those Sub-processors listed here, and any other Sub-processors approved by you in accordance with this DPA.
Data retention:
- Maze will delete the Customer Personal Data from its systems on expiry or termination of the Services in accordance with its usual data retention practices, provided always that it complies with the provisions of this DPA.
Competent Supervisory Authority:
- The Supervisory Authority competent at the location of your main establishment.
Your obligations and rights:
- The obligations and rights of the Customer are as set out in this DPA.
ANNEX 2: TECHNICAL AND ORGANISATIONAL SECURITY MEASURES
Maze agrees to implement and maintain the following security measures:
- Organizational management and dedicated staff responsible for the development, implementation and maintenance of Maze’s information security program.
- Audit and risk assessment procedures for the purposes of periodic review and assessment of risks to Maze’s organization, monitoring and maintaining compliance with Maze’s policies and procedures, and reporting the condition of its information security and compliance to internal senior management.
- Data security controls which may include at a minimum logical segregation of data, restricted (e.g., role-based) access and monitoring, and utilization of commercially available and industry standard encryption technologies for Customer Personal Data.
- Logical access controls designed to manage electronic access to data and system functionality based on authority levels and job functions.
- Password controls designed to manage and control password strength, expiration and usage.
- System audit or event logging and related monitoring procedures to proactively record user access and system activity.
- Physical and environmental security of data centers, server room facilities and other areas containing Customer Personal Data designed to protect information assets from unauthorized physical access or damage.
- Operational procedures and controls to provide for configuration, monitoring and maintenance of technology and information systems, including secure disposal of systems and media to render all information or data contained therein as undecipherable or unrecoverable prior to final disposal or release from Maze’s possession.
- Change management procedures and tracking mechanisms designed to test, approve, and monitor all material changes to Maze’s technology and information assets.
- Incident management procedures designed to allow Maze to investigate, respond to, mitigate, and notify of events related to Maze’s technology and information assets.
- Network security controls and procedures for network services and components.
- Vulnerability assessment and threat protection technologies and scheduled monitoring procedures designed to identify, assess, mitigate, and protect against identified security threats, viruses, and other malicious code.
- Business resiliency/continuity and disaster recovery procedures designed to maintain service and/or recovery from foreseeable emergency situations or disaster.
Please see https://compliance.maze.co/ for more information and to obtain our SOC 2 Type II report, as updated from time to time.
ANNEX 3: POPULATION OF SCCs
Notes:
- In the context of any EEA Restricted Transfer, the SCCs populated in accordance with Part 1 of this Annex 3 are incorporated by reference into and form an effective part of the DPA.
- In the context of any UK Restricted Transfer, the SCCs as varied by the UK Transfer Addendum and populated in accordance with Part 2 of this Annex 3 are incorporated by reference into and form an effective part of the DPA.
PART 1: EEA RESTRICTED TRANSFERS
1. SIGNATURE OF THE SCCs
Where the SCCs apply in accordance with section 8 of this DPA, each of the Parties is hereby deemed to have signed the SCCs at the relevant signature block in Annex I to the Appendix to the SCCs.
2. MODULE
Module Two of the SCCs shall apply to any EEA Restricted Transfer.
3. POPULATION OF THE BODY OF THE SCCs
3.1.1 The SCCs shall be populated as follows:
- The optional "Docking Clause" in Clause 7 is not used and the body of that Clause 7 is left intentionally blank.
- In Clause 9, OPTION 2: GENERAL WRITTEN AUTHORISATION applies, and the minimum time period for advance notice of the addition or replacement of Sub-processors shall be the advance notice period set out in section 4 of this DPA.
- In Clause 11, the optional language is not used and is deleted.
- In Clause 13, all square brackets are removed and all text therein is retained.
- In Clause 17, OPTION 1 applies, and the Parties agree that the SCCs shall be governed by the law of Ireland in relation to any EEA Restricted Transfer.
- For the purposes of Clause 18, the Parties agree that any dispute arising from the SCCs in relation to any EEA Restricted Transfer shall be resolved by the courts of Ireland, and Clause 18(b) is populated accordingly.
4. POPULATION OF ANNEXES TO THE SCCs
4.1.1 Annex I to the Appendix to the SCCs is populated with the corresponding information detailed in Annex 1 to this DPA, with you being "data exporter" and Maze being "data importer".
4.1.2 Part C of Annex I to the Appendix to the SCCs is populated as below:
The competent Supervisory Authority shall be determined as follows:
- Where you are established in an EU Member State: the competent Supervisory Authority shall be the Supervisory Authority of that EU Member State in which you are established.
- Where you are not established in an EU Member State, Article 3(2) of the GDPR applies and you have appointed an EU representative under Article 27 of the GDPR: the competent Supervisory Authority shall be the Supervisory Authority of the EU Member State in which your EU representative relevant to the processing hereunder is based (from time-to-time).
- Where you are not established in an EU Member State, Article 3(2) of the GDPR applies, and you have not appointed an EU representative under Article 27 of the GDPR: the competent Supervisory Authority shall be the Supervisory Authority of the EU Member State notified in writing to Maze's contact point, which must be an EU Member State in which the Data Subjects whose Personal Data is transferred under these Clauses in relation to the offering of goods or services to them, or whose behaviour is monitored, are located.
4.1.3 Annex II to the Appendix to the SCCs is populated by reference to Annex 2 to this DPA.
PART 2: UK RESTRICTED TRANSFERS
Where relevant in accordance with section 8 of this DPA, the SCCs also apply in the context of UK Restricted Transfers as varied by the UK Transfer Addendum in the manner described below:
(a) Part 1 of the UK Transfer Addendum. As permitted by Section 17 of the UK Transfer Addendum, the Parties agree that:
- Tables 1, 2 and 3 of Part 1 of the UK Transfer Addendum are deemed populated with the corresponding details set out in Annex 1 to this DPA and the foregoing provisions of Part 1 of this Annex 3 (subject to the variations effected by the Mandatory Clauses described in (b) below); and
- Table 4 of Part 1 of the UK Transfer Addendum is completed by the box labelled "Data Importer" being deemed to have been ticked.
(b) Part 2 of the UK Transfer Addendum. The Parties agree to be bound by the Mandatory Clauses of the UK Transfer Addendum.
In relation to any UK Restricted Transfer to which they apply, where the context permits and requires, any reference in the DPA to the SCCs shall be read as a reference to those SCCs as varied in the manner set out in this Part 2.