Data Processing Addendum
Effective Date: November 26, 2025
Version: 1.0
Last Updated: November 26, 2025
⚠️ Legal Disclaimer
This Data Processing Addendum (DPA) has been prepared for general informational purposes and does not constitute legal advice. This document should be reviewed by qualified legal counsel before implementation or execution. Mavaro Systems LLC makes no warranties regarding the legal sufficiency of this template for your specific use case.
This DPA is effective only when executed by both parties through a written agreement or through acceptance of terms during service activation.
1. Introduction and Scope
This Data Processing Addendum ("DPA") forms part of the Master Service Agreement, Terms of Service, or other written or electronic agreement between Mavaro Systems LLC ("Processor") and the customer ("Controller") (collectively, the "Agreement").
This DPA applies to the processing of Personal Data (as defined below) by Processor on behalf of Controller in connection with the Services provided under the Agreement.
2. Definitions
"Personal Data" means any information relating to an identified or identifiable natural person as defined in applicable Data Protection Laws.
"Data Protection Laws" means all applicable laws and regulations regarding data protection and privacy, including but not limited to:
- European Union General Data Protection Regulation (GDPR)
- California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA)
- Other federal, state, and international privacy laws
"Data Subject" means the identified or identifiable natural person to whom Personal Data relates.
"Standard Contractual Clauses" (SCCs) means the European Commission decision on standard contractual clauses for international transfers of personal data.
"Supervisory Authority" means an independent public authority established by a Member State pursuant to Article 51 of the GDPR.
3. Roles of the Parties
3.1 Processor and Controller Roles
- Controller: Controller determines the purposes and means of processing Personal Data
- Processor: Processor processes Personal Data on behalf of Controller in accordance with Controller's documented instructions
3.2 Nature of Processing
- Subject Matter: The processing of Personal Data through the provision of cloud-based software services
- Duration: The duration of the Agreement plus the period from termination until deletion or return of Personal Data
- Nature and Purpose: Provision of software services, technical support, and related professional services
- Categories of Personal Data: As specified in the Agreement and Appendix A
- Categories of Data Subjects: As specified in the Agreement and Appendix A
4. Lawful Basis for Processing
Processor's processing of Personal Data shall be based on Controller's documented lawful basis for processing, which may include:
- Consent: Where Controller has obtained valid consent from Data Subjects
- Contract Performance: Processing necessary for performance of a contract with Data Subjects
- Legal Obligation: Processing necessary for compliance with legal obligations
- Legitimate Interests: Processing necessary for legitimate interests pursued by Controller
Controller represents and warrants that it has established a lawful basis for processing Personal Data and will maintain appropriate documentation of such basis.
5. Processor Obligations
5.1 Processing Instructions
Processor shall:
- Process Personal Data only on documented instructions from Controller
- Immediately inform Controller if instructions violate applicable Data Protection Laws
- Maintain records of processing activities as required by Article 30 of the GDPR
5.2 Confidentiality
Processor shall ensure that persons authorized to process Personal Data:
- Are bound by confidentiality obligations
- Have received appropriate training on data protection requirements
- Have undergone background checks where legally permitted
5.3 Security Measures
Processor shall implement and maintain appropriate technical and organizational security measures including:
- Encryption of Personal Data in transit and at rest
- Access controls and authentication mechanisms
- Regular security assessments and vulnerability testing
- Incident detection and response procedures
5.4 Data Breach Notification
Processor shall notify Controller without undue delay and in any event within 72 hours of becoming aware of a Personal Data Breach, providing:
- Description of the nature of the breach
- Categories and approximate numbers of affected records
- Likely consequences of the breach
- Measures taken or proposed to address the breach
5.5 Data Subject Rights Assistance
Processor shall assist Controller in responding to Data Subject requests for exercising their rights under Data Protection Laws, including:
- Access to Personal Data
- Rectification of inaccurate data
- Erasure of Personal Data
- Restriction of processing
- Data portability
- Objection to processing
5.6 International Data Transfers
Where Personal Data is transferred outside the European Economic Area (EEA) or other restricted transfer jurisdictions:
- Processor shall ensure appropriate safeguards are in place
- Standard Contractual Clauses (SCCs) or other approved transfer mechanisms shall be implemented
- Controller and Processor shall cooperate to ensure compliance with transfer restrictions
6. Subprocessor Commitments
6.1 Authorization
Controller authorizes Processor to engage subprocessors for the processing of Personal Data, subject to:
- Due diligence assessment of subprocessor's data protection capabilities
- Execution of data processing agreements containing equivalent data protection obligations
- Ongoing monitoring of subprocessor compliance
6.2 Subprocessor List
A current list of subprocessors is maintained and available at: Subprocessors List
6.3 Notification and Objection Rights
- Processor shall notify Controller at least 30 days before engaging any new subprocessor
- Controller may object to the engagement of a subprocessor on reasonable grounds
- Processor shall provide alternative solutions where objections cannot be resolved
6.4 Subprocessor Liability
Processor shall remain fully liable to Controller for the subprocessor's performance of its data processing obligations.
7. Audit and Assurance Rights
7.1 Audit Rights
Controller may audit Processor's and subprocessors' compliance with this DPA:
- Upon reasonable notice (minimum 30 days)
- During normal business hours
- No more than once per year unless legally required or a breach has occurred
- At Controller's expense, unless material non-compliance is found
7.2 Certification and Documentation
Processor shall provide upon request:
- SOC 2 Type II or equivalent security certifications
- ISO 27001 certification or equivalent
- Penetration testing reports and vulnerability assessments
- Evidence of compliance with industry standards (NIST, CIS Controls)
7.3 Information Rights
Processor shall make available to Controller all information necessary to demonstrate compliance with this DPA.
8. Data Return and Deletion
8.1 Deletion Obligations
Upon termination of the Agreement or Controller's written request, Processor shall:
- Delete all Personal Data within 30 days of termination
- Provide confirmation of deletion within 45 days
- Delete all copies of Personal Data from backup systems within 90 days
8.2 Return Procedures
At Controller's option, Processor shall:
- Return Personal Data in a commonly used electronic format
- Provide secure data transfer procedures
- Ensure data integrity during transfer process
8.3 Legal Hold Exception
Processor may retain Personal Data where required by law, provided:
- Retention is limited to legally required purposes
- Data is segregated and access is restricted
- Processor notifies Controller of legal hold requirements
9. Security Measures Summary
Processor implements the following security measures:
9.1 Technical Safeguards
- Encryption: AES-256 encryption for data at rest, TLS 1.3 for data in transit
- Access Control: Multi-factor authentication, role-based access controls, principle of least privilege
- Network Security: Firewalls, intrusion detection systems, network segmentation
- Application Security: Secure coding practices, regular vulnerability assessments, penetration testing
9.2 Organizational Safeguards
- Personnel Security: Background checks, confidentiality agreements, security awareness training
- Physical Security: Controlled access facilities, environmental safeguards, secure equipment disposal
- Incident Response: 24/7 monitoring, incident response procedures, breach notification protocols
- Business Continuity: Disaster recovery plans, backup procedures, continuity testing
9.3 Compliance Monitoring
- Regular security assessments and audits
- Continuous monitoring and threat detection
- Compliance with applicable security frameworks
- Regular review and update of security measures
10. Liability and Indemnification
10.1 Processor Liability
Processor's liability arising from this DPA shall be subject to the limitations and exclusions of liability set forth in the Agreement.
10.2 Indemnification
Processor shall indemnify and hold harmless Controller from claims arising from:
- Processor's breach of this DPA
- Processor's failure to implement appropriate security measures
- Processor's negligent or intentional processing of Personal Data
11. Term and Termination
11.1 Effective Period
This DPA shall remain in effect for the duration of the Agreement or until all Personal Data is returned or deleted.
11.2 Survival
The provisions of this DPA shall survive termination of the Agreement to the extent necessary for the continued protection of Personal Data.
12. Governing Law and Jurisdiction
This DPA shall be governed by and construed in accordance with the laws specified in the Agreement, without regard to conflict of laws principles.
13. Entire Agreement
This DPA constitutes the entire agreement between the parties concerning the processing of Personal Data and supersedes all prior discussions, representations, or agreements relating to such processing.
Appendix A: Processing Details
Categories of Personal Data
- Contact Information (names, email addresses, phone numbers)
- Account Information (usernames, profile data)
- Usage Data (service interaction logs, analytics data)
- Technical Data (IP addresses, device information, cookies)
- Business Information (company data, job titles, business addresses)
Categories of Data Subjects
- Customer employees and users
- Business contacts and prospects
- End users of customer applications
- Customer representatives and agents
Retention Periods
- Active Service Period: Throughout the term of service
- Post-Termination: 30 days for deletion, 90 days for backup systems
- Legal Compliance: As required by applicable law
Document Control:
- Prepared by: Legal and Compliance Team
- Reviewed by: External Legal Counsel [Required]
- Approved by: Chief Executive Officer
- Next Review Date: November 26, 2026
- Classification: Confidential - Legal Document
This document contains confidential and proprietary information. Distribution is restricted to authorized personnel only.