This Data Processing Addendum (this “DPA”) supplements and forms part of the Master Services Agreement (the “MSA”) between Mataki Labs LLC, a Wyoming limited liability company (“Mataki” or “Processor”), and the entity identified as Customer in the MSA (“Customer” or “Controller”). Capitalized terms not defined herein have the meanings set forth in the MSA.
This DPA applies to the extent that Mataki processes Personal Data on behalf of Customer in connection with the Services. In the event of a conflict between this DPA and the MSA, this DPA will prevail with respect to the processing of Personal Data.
1. Definitions
1.1 “Applicable Data Protection Law” means all laws and regulations applicable to the processing of Personal Data under this DPA, including: (a) the General Data Protection Regulation (EU) 2016/679 (“GDPR”); (b) the UK General Data Protection Regulation as tailored by the Data Protection Act 2018 (“UK GDPR”); (c) the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., as amended by the California Privacy Rights Act (“CPRA”) (collectively, “CCPA”); (d) the Swiss Federal Act on Data Protection (“FADP”); and (e) any other applicable data protection or privacy law in any jurisdiction where Customer or its end users are located, including the New Zealand Privacy Act 2020, the Australian Privacy Act 1988, Brazil’s Lei Geral de Proteção de Dados (“LGPD”), Canada’s Personal Information Protection and Electronic Documents Act (“PIPEDA”), and South Africa’s Protection of Personal Information Act (“POPIA”).
1.2 “Data Subject” means the identified or identifiable natural person to whom Personal Data relates.
1.3 “Personal Data” means any information relating to a Data Subject that is processed by Mataki on behalf of Customer in connection with the Services. For purposes of this DPA, Personal Data includes “personal data” as defined in the GDPR, “personal information” as defined in the CCPA, and equivalent terms under other Applicable Data Protection Laws.
1.4 “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed by Mataki under this DPA.
1.5 “Processing” (and its cognates, including “process” and “processed”) means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.
1.6 “Standard Contractual Clauses” or “SCCs” means: (a) for transfers from the European Economic Area (“EEA”), the standard contractual clauses approved by European Commission Implementing Decision (EU) 2021/914; (b) for transfers from the United Kingdom, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner’s Office (“UK Addendum”); and (c) for transfers from Switzerland, the EU SCCs as amended to comply with the FADP.
1.7 “Sub-processor” means any third party engaged by Mataki (or by another Sub-processor of Mataki) to process Personal Data on behalf of Customer in connection with the Services.
1.8 “Supervisory Authority” means an independent public authority established by an EU Member State pursuant to Article 51 of the GDPR, the UK Information Commissioner’s Office, the Swiss Federal Data Protection and Information Commissioner, or any analogous authority under other Applicable Data Protection Laws.
2. Roles and Scope of Processing
2.1 Roles. With respect to the processing of Personal Data under this DPA: (a) Customer is the Controller (or, where Customer acts as a processor on behalf of its own customers, Customer is the disclosing processor); and (b) Mataki is the Processor (or sub-processor, as applicable). Each Party will comply with its obligations under Applicable Data Protection Law in its respective role.
2.2 Scope of Processing. Mataki will process Personal Data solely on behalf of and in accordance with Customer’s documented instructions, as set forth in this DPA, the MSA, and the applicable Service Orders. Customer instructs Mataki to process Personal Data to the extent necessary to provide the Services in accordance with the MSA. Additional instructions must be agreed upon in writing and may be subject to additional fees.
2.3 Details of Processing. The details of the processing activities are described in Annex 1 to this DPA and, where applicable, in the Data Processing section of the applicable Service Order. Together, these documents specify: (a) the subject matter and duration of processing; (b) the nature and purpose of processing; (c) the types of Personal Data processed; and (d) the categories of Data Subjects. To the extent a Service Order includes Customer-specific processing details, such details supplement and, where inconsistent, supersede the general descriptions in Annex 1 with respect to the Services ordered under that Service Order.
2.4 Compliance. Each Party will comply with its respective obligations under Applicable Data Protection Law. Customer is responsible for: (a) determining the lawful basis for processing Personal Data; (b) providing all required notices to Data Subjects; (c) obtaining all necessary consents, authorizations, and permissions; and (d) ensuring that Customer’s instructions to Mataki comply with Applicable Data Protection Law. Mataki will promptly notify Customer if, in Mataki’s reasonable opinion, an instruction from Customer violates Applicable Data Protection Law.
3. Processor Obligations
3.1 Documented Instructions. Mataki will process Personal Data only on the documented instructions of Customer, including with respect to transfers of Personal Data outside the EEA, UK, or Switzerland, unless required to do so by applicable law. In such case, Mataki will inform Customer of such legal requirement before processing, unless prohibited by law from doing so.
3.2 Confidentiality. Mataki will ensure that all personnel authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. Mataki will ensure that access to Personal Data is limited to those personnel who require such access to perform the Services.
3.3 Security Measures. Mataki will implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk of processing, as described in Annex 2 to this DPA. Such measures include, as appropriate: (a) the pseudonymization and encryption of Personal Data; (b) the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services; (c) the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and (d) a process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
3.4 Assistance with Data Subject Rights. Taking into account the nature of the processing, Mataki will assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of Customer’s obligation to respond to requests from Data Subjects exercising their rights under Applicable Data Protection Law (including rights of access, rectification, erasure, restriction, portability, and objection). If Mataki receives a request directly from a Data Subject, Mataki will promptly redirect the Data Subject to Customer and notify Customer of the request, unless otherwise required by applicable law.
3.5 Assistance with Compliance. Taking into account the nature of processing and the information available to Mataki, Mataki will provide reasonable assistance to Customer in ensuring compliance with Customer’s obligations under Articles 32 through 36 of the GDPR (and equivalent obligations under other Applicable Data Protection Laws), including with respect to: (a) security of processing; (b) notification of Personal Data Breaches to Supervisory Authorities and Data Subjects; (c) data protection impact assessments; and (d) prior consultation with Supervisory Authorities. Mataki may charge a reasonable fee for any assistance that is not required by Applicable Data Protection Law or that goes beyond the scope of the Services.
3.6 Data Protection Officer. To the extent required by Applicable Data Protection Law, Mataki has appointed a Data Protection Officer who can be contacted at: privacy@mataki.dev (or such other address as Mataki may communicate to Customer from time to time).
4. Sub-Processors
4.1 General Authorization. Customer provides Mataki with a general written authorization to engage Sub-processors to process Personal Data on behalf of Customer in connection with the Services, subject to the requirements of this Section 4.
4.2 Current Sub-processors. The list of Mataki’s current Sub-processors is available at https://mataki.dev/legal/sub-processors (the “Sub-processor List”). Customer acknowledges and approves the Sub-processors listed as of the Effective Date of this DPA.
4.3 Notification of Changes. Mataki will notify Customer at least thirty (30) days prior to engaging any new Sub-processor or replacing an existing Sub-processor (“Sub-processor Change”). Notification will be provided via: (a) email to the contact address specified in the applicable Service Order; and (b) update to the Sub-processor List. The notification will include the name of the Sub-processor, its role, the nature of the processing, and the location of processing.
4.4 Objection Right. If Customer has a reasonable, good-faith objection to a Sub-processor Change based on data protection grounds, Customer will notify Mataki in writing within fifteen (15) days of receiving notification of the Sub-processor Change, specifying the basis for the objection. The Parties will work together in good faith to find a mutually acceptable resolution, which may include: (a) Mataki providing an alternative Sub-processor or making reasonable changes to the Services to avoid the use of the objected-to Sub-processor; or (b) Customer terminating the affected Service Order(s) without penalty, with a pro rata refund of any prepaid Fees for the unused portion of the Subscription Term. If the Parties are unable to reach a resolution within thirty (30) days of Customer’s objection, Customer may terminate the affected Service Order(s) as set forth in clause (b) above.
4.5 Sub-processor Obligations. Mataki will: (a) enter into a written agreement with each Sub-processor imposing data protection obligations no less protective than those set forth in this DPA; (b) remain fully responsible and liable for the acts and omissions of its Sub-processors to the same extent Mataki would be liable if performing the processing directly; and (c) conduct appropriate due diligence on each Sub-processor’s ability to meet its data protection obligations prior to engagement.
5. International Data Transfers
5.1 Transfer Mechanisms. To the extent that the processing of Personal Data involves a transfer of Personal Data from the EEA, UK, or Switzerland to a country that has not been recognized as providing an adequate level of data protection, Mataki will ensure that an appropriate transfer mechanism is in place, including: (a) the Standard Contractual Clauses, as set forth in Section 5.2; (b) binding corporate rules approved by a Supervisory Authority; (c) an adequacy decision by the European Commission, the UK Secretary of State, or the Swiss Federal Council; or (d) any other lawful transfer mechanism under Applicable Data Protection Law.
5.2 Standard Contractual Clauses. The Parties agree that the Standard Contractual Clauses (EU SCCs, Module Two: Controller to Processor) are hereby incorporated into this DPA by reference and apply to transfers of Personal Data from the EEA to Mataki in a country without an adequacy decision. For purposes of the SCCs:
(a) Customer is the “data exporter” and Mataki is the “data importer”;
(b) Clause 7 (Docking clause): The optional docking clause is included;
(c) Clause 9(a) (Use of sub-processors): Option 2 (General written authorization) applies, and the time period for prior notice of Sub-processor Changes is thirty (30) days as specified in Section 4.3;
(d) Clause 11 (Redress): The optional language regarding independent dispute resolution is not included;
(e) Clause 13(a) (Supervision): The Supervisory Authority of the EU Member State in which the data exporter is established, or where the data exporter is not established in the EU, the Supervisory Authority of the EU Member State in which the data exporter’s EU representative is established, will act as the competent Supervisory Authority. If Customer is not established in the EU and has no EU representative, the Irish Data Protection Commission will act as the competent Supervisory Authority;
(f) Clause 17 (Governing law): Option 1 applies, and the governing law is the law of Ireland;
(g) Clause 18(b) (Choice of forum and jurisdiction): Disputes will be resolved before the courts of Ireland;
(h) Annex I of the SCCs is deemed completed with the information in Annex 1 of this DPA, as supplemented by the Data Processing section of the applicable Service Order;
(i) Annex II of the SCCs is deemed completed with the information in Annex 2 of this DPA; and
(j) Annex III of the SCCs is deemed completed with the information in the Sub-processor List.
5.3 UK Transfers. For transfers of Personal Data from the United Kingdom, the UK Addendum to the EU SCCs is hereby incorporated into this DPA. In the event of any conflict between the UK Addendum and the EU SCCs, the UK Addendum will prevail with respect to UK transfers.
5.4 Swiss Transfers. For transfers of Personal Data from Switzerland, the EU SCCs apply with the following modifications: (a) references to “Member State” include Switzerland; (b) the competent Supervisory Authority is the Swiss Federal Data Protection and Information Commissioner; (c) the governing law is Swiss law; and (d) the term “personal data” includes data about legal entities, to the extent required by the FADP.
5.5 Transfer Impact Assessment. Before relying on the Standard Contractual Clauses for any transfer, Mataki conducts a transfer impact assessment considering: (a) the laws and practices of the destination country; (b) the supplementary measures implemented by Mataki; and (c) the nature, scope, context, and purposes of the transfer. Mataki will provide a summary of this assessment to Customer upon reasonable request.
6. Personal Data Breach
6.1 Notification. Mataki will notify Customer without undue delay and in any event within seventy-two (72) hours of becoming aware of a Personal Data Breach. Notification will be provided to the contact address specified in the applicable Service Order (and, if no contact is specified, to the primary contact email).
6.2 Notification Content. The notification will include, to the extent reasonably available at the time:
(a) a description of the nature of the Personal Data Breach, including the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned;
(b) the name and contact details of Mataki’s point of contact from whom further information can be obtained;
(c) a description of the likely consequences of the Personal Data Breach; and
(d) a description of the measures taken or proposed to be taken by Mataki to address the Personal Data Breach, including measures to mitigate its possible adverse effects.
6.3 Cooperation. Mataki will: (a) promptly investigate the Personal Data Breach and take reasonable steps to contain, remediate, and mitigate its effects; (b) provide Customer with timely updates as additional information becomes available; (c) provide reasonable cooperation and assistance to Customer in connection with Customer’s obligations to notify Supervisory Authorities and Data Subjects under Applicable Data Protection Law; and (d) preserve evidence related to the Personal Data Breach.
6.4 Record of Breaches. Mataki will maintain a record of all Personal Data Breaches, including the facts relating to the breach, its effects, and the remedial actions taken. Such record will be made available to Customer upon request.
6.5 No Assessment of Risk. Mataki’s obligation to notify Customer of a Personal Data Breach is not conditioned on Mataki’s assessment of the risk to Data Subjects. The determination of whether a Personal Data Breach requires notification to Supervisory Authorities or Data Subjects is solely Customer’s responsibility.
7. Audits and Inspections
7.1 Audit Rights. Mataki will make available to Customer all information reasonably necessary to demonstrate compliance with this DPA and Applicable Data Protection Law, and will allow for and contribute to audits, including inspections, conducted by Customer or a third-party auditor mandated by Customer, subject to the requirements of this Section 7.
7.2 Audit Procedure. Customer will: (a) provide Mataki with at least thirty (30) days’ prior written notice of any audit; (b) conduct audits during normal business hours and in a manner that does not unreasonably disrupt Mataki’s operations; (c) ensure that any third-party auditor is bound by confidentiality obligations no less protective than those contained in the MSA; and (d) limit audits to no more than one (1) per twelve (12) month period, unless a Personal Data Breach has occurred or a Supervisory Authority requires an additional audit.
7.3 Third-Party Certifications. To the extent Mataki maintains current SOC 2 Type II, ISO 27001, or equivalent third-party certifications or audit reports, Mataki may satisfy its obligations under Section 7.1 by providing Customer with copies of such reports or certifications (subject to confidentiality obligations) in lieu of an on-site audit, unless Customer has reasonable grounds to believe that such reports are insufficient to demonstrate compliance.
7.4 Audit Costs. Each Party will bear its own costs in connection with any audit. If an audit reveals a material breach of this DPA by Mataki, Mataki will bear the reasonable costs of the audit and will promptly remediate the identified issues at its own expense.
7.5 SOC 2 Type II Report. To the extent Mataki maintains a current SOC 2 Type II report covering the Services, Mataki will: (a) provide a copy of the report to Customer within thirty (30) days of Customer’s written request and annually thereafter, subject to the confidentiality obligations of the MSA; and (b) use commercially reasonable efforts to maintain a current SOC 2 Type II report throughout the term of the MSA and any active Service Orders. If Mataki does not currently maintain a SOC 2 Type II report, Mataki will disclose this to Customer upon request and will provide its current security documentation, including a summary of its security posture and the measures described in Annex 2, as an interim alternative. Any timeline commitments for obtaining an initial SOC 2 Type II report, and any associated audit rights or termination rights in the event such report is not obtained, will be documented in a separate Addendum or Service Order between the Parties.
8. Data Return and Deletion
8.1 Upon Termination. Upon termination or expiration of the MSA or the applicable Service Order, Mataki will, at Customer’s election (communicated in writing within thirty (30) days of termination or expiration): (a) return all Personal Data to Customer in a standard, machine-readable format; or (b) delete all Personal Data from its systems and certify such deletion in writing. If Customer does not make an election within the thirty (30) day period, Mataki will delete the Personal Data.
8.2 Retention Exceptions. Mataki may retain Personal Data to the extent and for the period required by applicable law, regulation, or legal process. Any retained Personal Data will continue to be subject to the protections of this DPA and will be processed only for the purpose for which it was retained. Mataki will notify Customer of any such retention requirement (unless prohibited by law).
8.3 Backup Systems. Personal Data contained in automated backup systems will be deleted in accordance with Mataki’s standard backup rotation schedule, which will not exceed ninety (90) days from the date of deletion from primary systems. During the retention period, backup data will be protected in accordance with the security measures set forth in Annex 2 and will not be actively processed.
9. CCPA-Specific Provisions
The following provisions apply to the extent that the CCPA applies to Customer’s processing of Personal Data and Mataki processes such data as a “service provider” (as defined in the CCPA) on behalf of Customer:
9.1 Service Provider Status. Mataki is a “service provider” as defined in the CCPA. Mataki will process Personal Data only for the business purposes specified in this DPA, the MSA, and the applicable Service Orders, and will not: (a) sell or share (as those terms are defined in the CCPA) Personal Data; (b) retain, use, or disclose Personal Data for any purpose other than the business purposes specified herein, including any commercial purpose other than providing the Services; or (c) retain, use, or disclose Personal Data outside the direct business relationship between Mataki and Customer.
9.2 Notification of Inability to Comply. Mataki will notify Customer if it determines that it can no longer meet its obligations under the CCPA. Upon receiving such notification, Customer may take reasonable and appropriate steps to stop and remediate unauthorized use of Personal Data.
9.3 Combination of Personal Data. Mataki will not combine Personal Data received from or on behalf of Customer with Personal Data received from or on behalf of any other person or entity, or collected from Mataki’s own interactions with Data Subjects, except to the extent permitted by the CCPA for service providers.
9.4 CCPA Certification. Mataki certifies that it understands and will comply with the restrictions set forth in this Section 9.
10. General
10.1 Order of Precedence. In the event of any conflict or inconsistency between this DPA and the MSA, this DPA will prevail with respect to the processing of Personal Data. In the event of any conflict between this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses will prevail.
10.2 Liability. Each Party’s liability under this DPA is subject to the limitations of liability set forth in the MSA, except that the limitations of liability in the MSA do not apply to, and will not limit: (a) either Party’s liability to Data Subjects under the Standard Contractual Clauses; or (b) either Party’s obligations to pay fines, penalties, or compensation ordered by a Supervisory Authority or court of competent jurisdiction.
10.3 Amendments to Applicable Law. The Parties acknowledge that Applicable Data Protection Law may be amended from time to time. If amendments to Applicable Data Protection Law require changes to this DPA, the Parties will negotiate in good faith to amend this DPA to ensure continued compliance. In the interim, Mataki will comply with the amended law to the extent applicable to its processing activities.
10.4 Term. This DPA will remain in effect for the duration of the MSA and any Service Orders, and will automatically terminate when Mataki ceases to process Personal Data on behalf of Customer, subject to Section 8 (Data Return and Deletion).
10.5 Severability. If any provision of this DPA is held to be invalid or unenforceable, the remaining provisions will continue in full force and effect. The Parties will negotiate in good faith to replace the invalid or unenforceable provision with a valid and enforceable provision that achieves the original intent.
Annex 1: Details of Processing
A. List of Parties
| Role | Details |
|---|---|
| Data Exporter (Controller) | Customer, as identified in the MSA. |
| Contact | As specified in the applicable Service Order. |
| Activities | Use of Mataki’s cloud-based software services. |
| Role | Controller (or processor acting on behalf of its own controllers). |
| Data Importer (Processor) | Mataki Labs LLC |
| Address | Wyoming, United States |
| Contact | privacy@mataki.dev |
| Activities | Provision of cloud-based software services as described in the MSA and applicable Service Orders. |
| Role | Processor (or sub-processor, as applicable). |
B. Description of Processing
| Field | Details |
|---|---|
| Subject Matter | Processing of Personal Data by Mataki to provide the Services to Customer under the MSA and applicable Service Orders. |
| Duration | For the term of the MSA and applicable Service Orders, plus any period required for data return or deletion under Section 8 of the DPA. |
| Nature of Processing | Collection, storage, organization, retrieval, use, disclosure by transmission, and deletion of Personal Data as necessary to provide the Services, including hosting, computing, API processing, data analytics, notification delivery, and customer support. |
| Purpose of Processing | To provide, maintain, improve, and support the Services as described in the MSA and applicable Service Orders. |
| Types of Personal Data | Depending on the Services and Customer’s use thereof, Personal Data may include: names, email addresses, IP addresses, device identifiers, user agents, session identifiers, authentication credentials (hashed), usage data, content submitted by Data Subjects, and any other Personal Data submitted to the Services by or on behalf of Customer. |
| Categories of Data Subjects | Customer’s employees, contractors, agents, end users, customers, and any other individuals whose Personal Data is submitted to the Services by or on behalf of Customer. |
| Sensitive Data | The Services are not designed to process special categories of data (as defined in Article 9 of the GDPR) or sensitive personal information (as defined in the CCPA). Customer will confirm in the Data Processing section (Section 7.3) of each Service Order whether sensitive data will be submitted. If sensitive data processing is required, the applicable Service Order must expressly provide for such processing and document appropriate additional safeguards. |
| Frequency of Transfer | Continuous, for the duration of the Services. |
| Retention Period | As specified in the MSA, applicable Service Order, or as otherwise agreed between the Parties. Following termination, as specified in Section 8 of the DPA. |
Annex 2: Technical and Organizational Security Measures
1. Encryption
- Personal Data is encrypted in transit using TLS 1.2 or higher for all communications between Customer and the Services.
- Personal Data is encrypted at rest using AES-256 encryption (or equivalent) for all data stored in production databases, file storage, and backup systems.
- Encryption keys are managed using a dedicated key management service with automatic rotation and access controls.
2. Access Controls
- Access to Personal Data is restricted to authorized personnel on a need-to-know basis.
- Multi-factor authentication (MFA) is required for all administrative access to production systems.
- Role-based access control (RBAC) is implemented across all systems that process Personal Data.
- Access rights are reviewed at least quarterly and promptly revoked upon personnel departure or role change.
- Privileged access is logged and monitored.
3. Network Security
- Production systems are hosted in Google Cloud Platform data centers with physical security controls.
- Network segmentation separates production environments from development and corporate environments.
- Firewall rules restrict inbound and outbound traffic to authorized protocols and endpoints.
- Intrusion detection and prevention systems (IDS/IPS) monitor network traffic for suspicious activity.
- DDoS mitigation is implemented at the network edge.
4. Application Security
- Secure software development lifecycle (SDLC) practices are followed, including code review, static analysis, and dependency scanning.
- Vulnerability scanning is performed regularly on production systems.
- Penetration testing is conducted at least annually by a qualified third party.
- Security patches are applied in accordance with a risk-based patching schedule.
5. Data Isolation
- Customer Data is logically isolated from other customers’ data in multi-tenant environments.
- Tenant-level access controls prevent cross-tenant data access.
- Testing and development environments do not use production Personal Data.
6. Business Continuity and Disaster Recovery
- Production data is backed up regularly with geographically distributed replicas.
- Recovery procedures are documented and tested at least annually.
- Recovery time objectives (RTO) and recovery point objectives (RPO) are defined and documented.
7. Incident Response
- A documented incident response plan is maintained and tested at least annually.
- An incident response team is designated with defined roles and escalation procedures.
- Security incidents are logged, investigated, and remediated in accordance with the incident response plan.
- Post-incident reviews are conducted to identify root causes and implement preventive measures.
8. Personnel Security
- Background checks are conducted on personnel with access to Personal Data, to the extent permitted by applicable law.
- Personnel receive security awareness training upon hire and at least annually thereafter.
- Personnel are bound by confidentiality obligations.
9. Vendor Management
- Sub-processors and third-party vendors with access to Personal Data are subject to security assessments prior to engagement.
- Contracts with Sub-processors include data protection obligations no less protective than those in this DPA.
- Sub-processor compliance is monitored on an ongoing basis.
10. Logging and Monitoring
- Access to Personal Data is logged, including the identity of the accessor, timestamp, and nature of access.
- Logs are retained for a minimum of twelve (12) months and protected against tampering.
- Automated monitoring alerts are configured for anomalous access patterns and security events.