This Data Processing Agreement ("DPA") forms part of the Terms of Service between Mazza AI ("Mazza," the "Processor") and the business that uses the Services ("Client," the "Controller"). It governs Mazza's processing of personal data on the Client's behalf and is designed to meet the requirements of the UAE Personal Data Protection Law (Federal Decree-Law No. 45 of 2021) and, where relevant to the Client, Article 28 of the GDPR.
In plain terms: you decide what happens to your customers' data (you are the Controller). Mazza only processes that data to run the Services for you, following your instructions (we are the Processor). This DPA sets out the rules we both follow.
Scope & Roles
You are the Controller of your customers' data; Mazza is your Processor and only acts on your instructions.
This DPA applies to personal data Mazza processes on the Client's behalf in providing the Services ("Client Personal Data"), as described in Annex 1. With respect to Client Personal Data, the Client is the Controller and Mazza is the Processor. Where the Client is itself a processor for another controller, Mazza acts as a sub-processor and the same obligations apply.
Mazza is a separate, independent controller for the limited account and billing data it collects about the Client itself; that processing is governed by our Privacy Policy, not this DPA.
Mazza's Obligations as Processor
We process only on your instructions, keep data confidential, secure it, and help you meet your obligations.
Mazza will:
- Process Client Personal Data only on the Client's documented instructions (including those given through configuration of the Services), and as needed to provide the Services, unless required to do otherwise by law - in which case we will inform the Client where legally permitted.
- Not sell Client Personal Data, and not use it for our own purposes, advertising, or to train AI models.
- Ensure that personnel authorized to process Client Personal Data are bound by confidentiality.
- Implement and maintain the technical and organizational security measures described in Annex 2.
- Assist the Client, taking into account the nature of processing, in responding to data-subject requests and in meeting the Client's obligations around security, breach notification, and impact assessments.
- Engage sub-processors only as set out in section 03.
- Delete or return Client Personal Data as set out in section 09.
- Make available the information reasonably necessary to demonstrate compliance with this DPA.
Sub-processors
You authorize the sub-processors on our list; we tell you before adding new ones.
The Client provides general authorization for Mazza to engage the sub-processors listed at mazzaai.com/subprocessors, each of which provides part of the Services (for example AI, voice, messaging, hosting, authentication, payments, and email). Mazza imposes data-protection obligations on each sub-processor that are no less protective than those in this DPA, and remains responsible for their performance.
Mazza will give the Client reasonable prior notice (for example by updating the Sub-processors page and, where the Client subscribes, by notification) before adding or replacing a sub-processor. If the Client has a reasonable, data-protection-based objection, it may raise it with us; we will work in good faith to address it, and if we cannot, the Client may terminate the affected Services.
International Transfers
Your data is stored in Singapore and processed by providers in the US and globally, under contractual safeguards.
Client Personal Data is hosted primarily in Singapore and is processed by sub-processors located in the United States and globally, as listed on our Sub-processors page. Where personal data is transferred outside the UAE (or, for GDPR-relevant data, outside the EU/EEA), the transfer is made under appropriate safeguards, such as data-processing terms and, where applicable, the EU Standard Contractual Clauses or equivalent contractual protections. The Client, as Controller, is responsible for confirming that it has a valid basis to transfer its customers' data internationally through the Services.
Security Measures
We apply the layered controls described in Annex 2.
Mazza maintains appropriate technical and organizational measures designed to protect Client Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, or damage, as detailed in Annex 2. We may update these measures over time provided the level of protection is not reduced.
Personal Data Breaches
If a breach affects your data, we notify you without undue delay and help you respond.
Mazza will notify the Client without undue delay after becoming aware of a personal-data breach affecting Client Personal Data, and will provide the information reasonably available to help the Client meet its own notification obligations to the UAE Data Office (or other competent authority) and affected individuals. Mazza will take reasonable steps to contain and remediate the breach.
Data Subject Requests
If a customer asks to access or delete their data, you handle the request and we help.
The Services give the Client tools to access, export, correct, and delete Client Personal Data directly, including deletion of a specific customer's records. Where a data subject contacts Mazza directly about Client Personal Data, we will refer them to the Client. Taking into account the nature of the processing, Mazza will assist the Client by appropriate measures in responding to data-subject requests under the PDPL or GDPR.
Audits
You can verify our compliance through information we provide.
Mazza will make available information reasonably necessary to demonstrate compliance with this DPA and, on reasonable prior written notice and subject to confidentiality, will respond to the Client's reasonable audit requests. Audits must not unreasonably disrupt Mazza's operations and are limited to once per year unless required by a supervisory authority or following a breach.
Deletion & Return on Termination
When you leave, we delete your data after a reasonable export window.
On termination of the Services, the Client may export Client Personal Data for a reasonable period. After that, Mazza will delete or anonymize Client Personal Data from its active systems, except where retention is required by law. Data in routine encrypted backups is overwritten on the normal backup cycle. Records deleted within the Services are held in a recoverable trash for 30 days and then permanently purged.
Liability & Order of Precedence
This DPA sits inside the Terms; the Terms' liability cap applies.
This DPA is part of, and subject to, the Terms of Service, including their limitation of liability. If there is a conflict between this DPA and the Terms regarding the processing of Client Personal Data, this DPA controls. If there is a conflict between this DPA and a separate signed data-processing agreement between the parties, the signed agreement controls.
Annex 1 - Details of Processing
Annex 2 - Security Measures
- Encryption of data in transit using TLS.
- Strict multi-tenant isolation enforced at the database level (row-level security keyed to each organization), so one client cannot access another's data.
- Encryption of stored integration credentials and access tokens using authenticated encryption (AES-256-GCM) with key versioning.
- Private media storage served only through short-lived, scoped signed links.
- Signature verification on all inbound webhooks, and authenticated, role-based access to the dashboard and APIs.
- Card data handled entirely by our PCI-compliant payment provider (Stripe); no card numbers stored by Mazza.
- Principle of least privilege for personnel access, confidentiality obligations, and logging of sensitive operations.
- Regular review of access, dependencies, and configuration.
Questions about this DPA? Contact admin@mazzaai.com.