Data Processing Agreement (Enterprise)

Enterprise DPA for Maelstrom AI large B2B customers with enhanced commitments


Between: [CONTROLLER NAME] (“Controller”)
And: Maelstrom AI Pty Ltd ATF Maelstrom AI Holding Trust, trading as Provii (“Processor”)

Effective Date: [DATE]
Version: 1.0 Draft (Pending Legal Review)
Agreement Type: Enterprise


Recitals

WHEREAS, the Controller operates large-scale online services requiring age verification for substantial user volumes;

WHEREAS, the Processor provides zero-knowledge age verification services with enterprise-grade security, compliance, and support commitments;

WHEREAS, the parties wish to enter into a data processing relationship with enhanced security controls and audit rights, compliant with applicable privacy laws including the General Data Protection Regulation (EU) 2016/679 (“GDPR”), the Australian Privacy Act 1988, and other applicable data protection laws;

WHEREAS, this Enterprise Agreement provides additional protections, transparency, and service commitments beyond the Standard DPA;

NOW, THEREFORE, in consideration of the mutual covenants contained herein, the parties agree as follows:


1. Definitions

1.1 Key Terms

For purposes of this Agreement:

(a) “Controller” means the entity that determines the purposes and means of processing personal data, as identified in the signature block above.

(b) “Processor” means Maelstrom AI Pty Ltd ATF Maelstrom AI Holding Trust, trading as Provii, which processes personal data on behalf of the Controller.

(c) “Personal Data” means any information relating to an identified or identifiable natural person as defined under applicable Data Protection Laws.

(d) “Data Protection Laws” means all applicable laws and regulations relating to privacy and data protection, including but not limited to:

  • GDPR (General Data Protection Regulation (EU) 2016/679)
  • UK GDPR and Data Protection Act 2018
  • Australian Privacy Act 1988
  • California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA)
  • Canadian Personal Information Protection and Electronic Documents Act (PIPEDA)
  • Any successor or replacement legislation

(e) “Data Subject” means an identified or identifiable natural person whose personal data is processed under this Agreement.

(f) “Sub-Processor” means any third party engaged by the Processor to process personal data on behalf of the Controller.

(g) “Processing” has the meaning given in applicable Data Protection Laws and includes collection, storage, use, disclosure, and deletion of personal data.

(h) “Services” means the age verification services provided by Provii as described in Section 2.

(i) “Service Agreement” means the master enterprise services agreement between the parties governing the provision of Services.

(j) “Zero-Knowledge Proof” means a cryptographic method that allows one party to prove to another party that a statement is true without revealing any information beyond the validity of the statement itself.

(k) “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.

(l) “Supervisory Authority” means an independent public authority established by a Member State of the EU/EEA or other jurisdiction to monitor the application of Data Protection Laws.

(m) “Business Day” means a day other than Saturday, Sunday, or a public holiday in [SPECIFY JURISDICTION].

(n) “Response Timeline” means the DSAR response timeline set out in Section 6.6. No contractual uptime or service availability SLA is provided.

1.2 Interpretation

References to GDPR articles apply equally to equivalent provisions in other Data Protection Laws. Capitalized terms not defined herein have the meanings assigned in the Service Agreement.


2. Processing Details

2.1 Subject Matter of Processing

The Processor provides enterprise-grade zero-knowledge age verification services that enable the Controller to verify whether end users meet specified age thresholds (e.g., 18 years or older) without the Processor or Controller receiving the user’s actual date of birth or identity information.

2.2 Duration of Processing

This Agreement commences on the Effective Date and continues until termination of the Service Agreement or earlier termination of this Agreement in accordance with Section 11.

2.3 Nature and Purpose of Processing

The Processor processes personal data for the following purposes only:

(a) Age Verification: Cryptographic verification of zero-knowledge proofs submitted by end users to determine whether they meet Controller-specified age thresholds (e.g., 13+, 16+, 18+, 21+, custom thresholds)

(b) Anti-Fraud and Security: Detection and prevention of fraudulent verification attempts, abuse, credential forgery, and security threats including:

  • Rate limiting and DDoS mitigation
  • Replay attack prevention
  • Anomalous pattern detection
  • Credential ban list management

(c) Service Provision: Technical operation and maintenance of the age verification service including:

  • Session management and challenge-response verification
  • API request routing and load balancing
  • Performance monitoring and optimisation
  • Incident detection and response

(d) Legal Compliance: Compliance with applicable laws, regulatory requirements, and legal obligations including:

  • Responding to lawful requests from authorities
  • Audit and compliance reporting
  • Regulatory investigation cooperation

(e) Service Improvement: Aggregated, anonymized analytics to improve service performance, security, and reliability (no individual-level analytics or profiling)

2.4 Categories of Personal Data

Due to Provii’s zero-knowledge architecture, the Processor processes minimal personal data. For each data category the table lists the data elements, retention period, purpose, and security controls:

Network Identifiers

  • Data Elements. IP addresses (hashed with SHA-256)
  • Retention Period. 90 days
  • Purpose. Anti-fraud, rate limiting, abuse detection
  • Security Controls. Pseudonymisation, encryption at rest, access logging

Technical Metadata

  • Data Elements. User-Agent strings, HTTP headers, timestamps
  • Retention Period. 90 days (anonymised)
  • Purpose. Security monitoring, service diagnostics
  • Security Controls. Aggregation, sanitisation, encrypted storage

Session Identifiers

  • Data Elements. Challenge IDs (random UUIDs), PKCE verifiers
  • Retention Period. 5 minutes (active session state); 90 days (audit log entries)
  • Purpose. Verification session management, replay prevention
  • Security Controls. Automatic expiry, encryption, secure deletion

Cryptographic Data

  • Data Elements. Credential nullifiers (one-way hashes), proof data
  • Retention Period. Retained on the ban list for the operational lifetime of the associated issuer key or until key rotation removes the associated credential epoch, whichever is earlier; reviewed at each key rotation (legal basis: legitimate interests in fraud and replay prevention)
  • Purpose. Replay prevention, fraud detection
  • Security Controls. One-way hashing (cannot be reversed to PII), encrypted storage

Architectural Design Note: The Processor’s zero knowledge architecture is designed so that the following data is not persistently stored by Processor systems:

  • Names, email addresses, physical addresses, phone numbers
  • Dates of birth (transmitted once during credential issuance to compute a cryptographic commitment, then immediately discarded - never stored or logged)
  • Identity documents, government IDs, passport numbers, driver’s licenses
  • Biometric data (facial recognition, fingerprints, iris scans)
  • Financial information (credit cards, bank accounts)
  • Behavioural data (browsing history, location tracking, cross-site tracking)
  • Persistent user identifiers across verifications (each verification is unlinkable)

2.5 Categories of Data Subjects

End users of Controller’s services who request age verification, including:

  • Visitors to Controller’s websites or applications (global user base)
  • Users of Controller’s online services requiring age-gating
  • Individuals of any age (including minors) seeking to verify age eligibility
  • High-volume user bases (enterprise scale)

Estimated Volume: [SPECIFY: e.g., “Up to 10 million verifications per month”]

2.6 Controller and Processor Obligations

The parties acknowledge and agree that:

(a) Controller Obligations:

  • Determines purposes and means of processing personal data
  • Ensures lawful basis for processing under Data Protection Laws
  • Conducts Data Protection Impact Assessments (DPIAs) as required
  • Provides clear privacy notices to data subjects regarding age verification processing
  • Responds to data subject requests (with Processor assistance as provided in Section 6)
  • Ensures compliance with Data Protection Laws for its processing activities
  • Maintains records of processing activities (ROPA) as required by GDPR Article 30(1)

(b) Processor Obligations:

  • Processes personal data only on documented instructions from Controller (Section 3)
  • Implements appropriate technical and organisational security measures (Section 5)
  • Maintains ISO 27001:2022 and ISO 27701:2019 aligned ISMS
  • Assists Controller with data subject rights requests within SLA timelines (Section 6)
  • Notifies Controller of personal data breaches within 4 hours (Section 5.6)
  • Deletes or returns personal data upon termination (Section 11.3)
  • Maintains records of processing activities (Section 3.6)
  • Provides enhanced reporting and transparency (Section 12)

3. Processor Obligations

3.1 Processing Instructions

(a) The Processor shall process personal data only on documented instructions from the Controller, unless required to process by applicable law (in which case the Processor shall inform the Controller of such legal requirement before processing, unless prohibited by law).

(b) The Controller’s instructions are set forth in:

  • This Agreement (Section 2.3 - Nature and Purpose of Processing)
  • The Service Agreement
  • Written instructions provided by Controller’s designated administrators through:
      • Provii Enterprise Admin Dashboard
      • API configuration parameters
      • Written email instructions to privacy@maelstrom.au or designated account manager

(c) If the Processor believes an instruction violates Data Protection Laws, it shall immediately inform the Controller and suspend processing until the instruction is confirmed or modified (within 24 hours).

(d) Change Control: Material changes to processing instructions shall be documented in a change request form and approved by both parties’ designated representatives.

3.2 Confidentiality

(a) The Processor shall ensure that all personnel authorised to process personal data:

  • Have committed themselves to confidentiality through written agreements
  • Are subject to appropriate statutory obligations of confidentiality
  • Receive annual data protection training
  • Undergo background checks (for personnel with access to production systems)

(b) The Processor maintains written confidentiality agreements with all employees and contractors who may access personal data or systems processing personal data.

(c) The Processor shall maintain a register of personnel with access to Controller’s personal data, available upon request.

3.3 Prohibited Processing

The Processor shall NOT:

  • Process personal data for purposes other than those specified in Section 2.3
  • Disclose personal data to third parties except as authorised by this Agreement (Section 4)
  • Transfer personal data outside approved territories (Section 7) without appropriate safeguards
  • Retain personal data beyond the retention periods specified in Section 2.4 and Section 11.3
  • Use personal data for Processor’s own purposes, marketing, or to provide services to other clients
  • Combine personal data from multiple Controllers to create user profiles
  • Engage in any form of cross-site tracking or behavioural profiling
  • Sell, rent, or otherwise monetize personal data

3.4 Data Protection Laws Compliance

The Processor shall:

  • Maintain familiarity with applicable Data Protection Laws affecting Controller’s business
  • Implement measures to ensure compliance with Data Protection Laws
  • Monitor regulatory developments and guidance from supervisory authorities
  • Notify Controller promptly (within 5 Business Days) of any changes in Data Protection Laws that may affect processing
  • Provide reasonable assistance to Controller in assessing new legal requirements
  • Maintain alignment with ISO 27701:2019 Privacy Information Management standards (certification pursued when commercially justified)
  • Cooperate with Controller to ensure joint compliance with Data Protection Laws

3.5 Records of Processing Activities

The Processor shall maintain records of processing activities as required by GDPR Article 30(2) and equivalent provisions in other Data Protection Laws, including:

(a) Mandatory ROPA Elements:

  • Name and contact details of Processor, Controller, and Data Protection Officer (if applicable)
  • Categories of processing activities carried out on behalf of each Controller
  • Categories of personal data subjects and personal data processed
  • Categories of recipients of personal data (including Sub-Processors)
  • International data transfers and safeguards (SCCs, adequacy decisions)
  • General description of technical and organisational security measures
  • Data retention periods and deletion procedures

(b) Enterprise Enhancements:

  • Processing volume metrics (number of verifications per month)
  • Data subject rights request statistics
  • Security incident log and breach history
  • Sub-Processor change log
  • Audit history (internal and external)

(c) Availability: ROPA records shall be made available to:

  • Controller upon request (within 5 Business Days)
  • Supervisory authorities upon lawful request
  • External auditors during compliance audits

[LEGAL REVIEW REQUIRED: Verify completeness of processor obligations under applicable Data Protection Laws and enterprise customer expectations]


4. Sub-Processors

4.1 General Authorisation

(a) The Controller provides general authorisation for the Processor to engage Sub-Processors, subject to the strict requirements of this Section 4.

(b) The Processor shall impose on Sub-Processors the same data protection obligations as set out in this Agreement, through a written contract meeting GDPR Article 28(3) requirements.

(c) The Processor remains fully liable to the Controller for the performance of any Sub-Processor’s obligations.

4.2 Current Sub-Processors

The Processor currently engages the following Sub-Processors:

Cloudflare, Inc.

  • Services. Cloud infrastructure, serverless computing platform (Workers, KV, Durable Objects, R2), DDoS protection, content delivery network, Web Application Firewall
  • Location. United States (primary), European Union, Asia-Pacific, 300+ global edge locations
  • Data Processed. IP addresses (hashed), cryptographic proofs, session identifiers, API request/response data, audit logs
  • Safeguards:
      • Standard Contractual Clauses (EU Commission Decision 2021/914, Module 2)
      • ISO 27001:2013 certified
      • SOC 2 Type II certified
      • PCI DSS Level 1 Service Provider
      • C5 (Cloud Computing Compliance Controls Catalogue - Germany)
      • Data Processing Addendum executed (2024)
  • Security Controls. AES-256 encryption at rest, TLS 1.3 in transit, DDoS protection, WAF, SOC monitoring
  • Data Residency. Cloudflare processes data at edge locations globally; Maelstrom AI does not currently offer region-restricted processing
  • Contract. Cloudflare DPA available at https://www.cloudflare.com/cloudflare-customer-dpa/

4.3 Sub-Processor Approval Process (Enhanced)

(a) Prior Notice: The Processor shall provide the Controller with at least 60 days’ prior written notice of any intended changes concerning the addition or replacement of Sub-Processors (vs. 30 days in Standard DPA).

(b) Notice Method: Notice shall be provided via:

  • Email to Controller’s designated privacy/compliance contact
  • In-app notification in Provii Enterprise Admin Dashboard
  • Update to public Sub-Processor list at https://provii.app/legal/sub-processors

(c) Information Provided: Notice shall include:

  • Sub-Processor name, address, and contact details
  • Services to be provided
  • Location(s) where data will be processed
  • Categories of personal data to be processed
  • Transfer safeguards (SCCs, certifications, security controls)
  • Justification for engaging the Sub-Processor
  • Alternatives considered (if any)

(d) Objection Rights: The Controller may object to a new or replacement Sub-Processor on reasonable grounds relating to data protection within 30 days of receiving notice (vs. 14 days in Standard DPA).

(e) Reasonable Grounds for Objection include:

  • Sub-Processor lacks adequate security certifications (ISO 27001, SOC 2)
  • Sub-Processor located in jurisdiction with inadequate data protection laws
  • Sub-Processor has history of data breaches or security incidents
  • Sub-Processor’s processing activities conflict with Controller’s legal obligations
  • Controller’s legal counsel or compliance team raises substantiated concerns

(f) Resolution Process: If the Controller objects:

  • The parties shall meet within 10 Business Days to discuss the objection
  • The Processor shall provide additional information and safeguards to address concerns
  • If the parties cannot resolve the objection within 30 days:
      • The Controller may terminate the affected Services without penalty (with 90 days’ notice to allow migration)
      • The Processor may choose not to engage the Sub-Processor
      • The parties may negotiate alternative Sub-Processors or technical solutions

4.4 Sub-Processor Requirements

The Processor shall only engage Sub-Processors that:

  • Are bound by written contracts imposing GDPR Article 28(3) equivalent obligations
  • Maintain ISO 27001 or equivalent security certifications
  • Provide Standard Contractual Clauses for international transfers (if applicable)
  • Undergo annual security assessments by the Processor
  • Have no history of material data breaches in the past 3 years
  • Agree to breach notification obligations (within 24 hours to Processor)
  • Provide audit rights to Processor (and indirectly to Controller)

4.5 Sub-Processor List and Monitoring

(a) Current List: An up-to-date list of Sub-Processors is available at: https://provii.app/legal/sub-processors

(b) Change Notifications: The Controller may subscribe to email notifications of Sub-Processor changes via the Enterprise Admin Dashboard.

(c) Annual Review: The Processor shall conduct annual security reviews of all Sub-Processors and provide summary reports to Controller upon request.

4.6 Sub-Processor List

The Processor currently uses the Sub-Processors listed in Section 4.2 and will notify the Controller before engaging additional Sub-Processors per the approval process in Section 4.3.

[LEGAL REVIEW REQUIRED: Confirm sub-processor provisions exceed GDPR Article 28(2) requirements and provide enterprise-appropriate protections]


5. Security Measures

5.1 Security Obligations

The Processor shall implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking into account:

  • The state of the art in cybersecurity and cryptography
  • The costs of implementation
  • The nature, scope, context, and purposes of processing
  • The risk of varying likelihood and severity for the rights and freedoms of data subjects
  • Industry best practices and standards (ISO 27001, NIST, OWASP)

5.2 Technical Security Measures (Enhanced)

The Processor implements the following technical measures:

(a) Encryption:

  • In Transit. TLS 1.3 (minimum) for all data transmission, with Perfect Forward Secrecy (PFS)
  • At Rest. AES-256 encryption for all data stored in databases, object storage, and backups
  • Cryptographic Proofs. Groth16 ZK-SNARKs with 128-bit security level (BLS12-381 elliptic curve)
  • Key Management. Cloudflare Workers Secrets for cryptographic key storage

(b) Access Controls:

  • Authentication:
      • Multi-factor authentication (MFA) required for all administrative access
      • Hardware security keys (e.g., YubiKey) required for production system access
      • API authentication using HMAC-SHA256 with API key rotation every 90 days
  • Authorisation:
      • Role-based access control (RBAC) with granular permissions (viewer, admin, super_admin roles)
      • Principle of least privilege enforced (documented in access control matrix)
      • Just-in-time (JIT) access provisioning for privileged operations
  • Access Reviews. Quarterly access reviews with documentation provided to Controller upon request
  • Segregation of Duties. No single individual has complete access to all systems

(c) Pseudonymization and Data Minimization:

  • IP addresses hashed with SHA-256 before storage in audit logs
  • Random UUIDs (version 4) for session identifiers
  • One-way cryptographic nullifiers (cannot be reversed to reveal personal data)
  • No persistent user identifiers across verification sessions
  • Zero-knowledge architecture is designed to avoid collection of PII

(d) Network Security:

  • DDoS Protection. Cloudflare Enterprise DDoS mitigation (300+ Tbps capacity)
  • Web Application Firewall (WAF). OWASP Top 10 protection, custom rule sets
  • Rate Limiting. Per-IP (configurable), per-API-key, and global rate limits
  • Threat Detection. Cloudflare WAF and rate limiting provide automated threat detection

(e) Monitoring and Logging:

  • Security Event Logging. Logging with 90-day retention for standard events; critical security events retained up to 365 days
  • Anomaly Detection. Automated detection of unusual patterns (rate limit violations, authentication failures, proof forgeries)
  • Audit Trails. Audit logs for all administrative actions

(f) Vulnerability Management:

  • Automated Scanning. Daily vulnerability scans (cargo audit, npm audit, Dependabot)
  • Penetration Testing. Annual third-party penetration testing (report summary provided to Controller)
  • Vulnerability Disclosure. Responsible disclosure programme (security@maelstrom.au)
  • Patch Management. Critical vulnerabilities patched within 48 hours, high severity within 7 days

5.3 Organisational Security Measures (Enhanced)

The Processor implements the following organisational measures:

(a) Access Management:

  • Background Checks. Criminal background checks for all personnel with access to production systems
  • Confidentiality Agreements. Signed confidentiality and non-disclosure agreements for all employees and contractors
  • Security Awareness Training. Annual security and data protection training for all staff (completion tracked)
  • Privacy Training. Specialized training for personnel handling data subject requests or security incidents
  • Access Termination. Immediate access revocation upon personnel termination (documented process)

(b) Privacy by Design and Default:

  • Architecture Reviews. Privacy impact assessment for all new features and material changes
  • Zero-Knowledge First. Architectural principle to avoid collecting PII wherever possible
  • Data Minimization. Default configuration collects minimum data necessary
  • Security-First Development. Secure coding practices, threat modeling, security testing integrated into SDLC

(c) Vendor Management:

  • Security Assessments. Documented security assessment for all critical vendors and Sub-Processors
  • Data Processing Agreements. DPAs with all Sub-Processors meeting GDPR Article 28(3) requirements
  • Annual Reviews. Annual vendor security and compliance reviews
  • Continuous Monitoring. Monitoring of vendor security advisories and incident notifications

(d) Incident Response:

  • On-Call Coverage. Best-efforts on-call incident response; no contractual 24/7 SLA is guaranteed
  • Detection Target. 24-hour breach detection target (enhanced monitoring reduces typical detection time)
  • Response Plan. Documented incident response playbooks for common scenarios (breach, DDoS, API abuse)
  • Tabletop Exercises. Quarterly incident response drills and tabletop exercises
  • Post-Incident Reviews. Lessons learned documentation after each incident

(e) Business Continuity and Disaster Recovery:

  • Backup Frequency. Daily automated backups with 90-day retention (configurable)
  • Backup Encryption. AES-256 encrypted backups stored in geographically separate locations
  • Recovery Time Objective (RTO). 4 hours for critical systems
  • Recovery Point Objective (RPO). 24 hours maximum data loss
  • Disaster Recovery Testing. Annual disaster recovery drills with documented results

5.4 Certifications and Compliance Standards

(a) Current Certifications:

  • ISO 27001:2022 aligned (certification planned when commercially justified)
  • ISO 27701:2019 aligned (certification planned when commercially justified)
  • OWASP ASVS 5.0.0 Level 3 self-assessed (provii-verifier)

(b) Sub-Processor Certifications (Cloudflare):

  • ISO 27001:2013 certified
  • SOC 2 Type II certified (reports available upon request)
  • PCI DSS Level 1 Service Provider
  • C5 (Germany Cloud Computing Compliance)

(c) Compliance Frameworks:

  • GDPR (EU General Data Protection Regulation)
  • CCPA/CPRA (California privacy laws)
  • Australian Privacy Principles (Privacy Act 1988)
  • PIPEDA (Canada)
  • NIST Cybersecurity Framework aligned

5.5 Security Documentation and Evidence

Upon reasonable request (maximum once per quarter), the Processor shall provide Controller with:

  • ISO 27001/27701 Certification Reports. Certification certificates and summary audit reports (when obtained)
  • SOC 2 Type II Reports. Cloudflare SOC 2 reports (subject to Cloudflare’s standard NDA)
  • Security Policy Summaries. Information Security Policy, Incident Response Policy, Access Control Policy summaries
  • Penetration Test Results. Executive summaries of annual penetration tests (full reports subject to security review)
  • Vulnerability Scan Reports. Summary of vulnerability management activities
  • Compliance Attestations. Written attestations of compliance with this Section 5

5.6 Personal Data Breach Notification (Enhanced SLA)

(a) Initial Notification - 4 Hours: The Processor shall notify the Controller within 4 hours (vs. 24 hours in Standard DPA) after becoming aware of a personal data breach affecting Controller’s data.

(b) Notification Method:

  • Critical Breaches. Phone call to designated emergency contact + email to privacy and security contacts
  • High/Medium Breaches. Email to designated contacts
  • Low Breaches. Email notification + in-app dashboard alert

(c) Initial Notification Contents (within 4 hours):

  • Description of the nature of the breach (what happened)
  • Approximate time of breach discovery
  • Immediate actions taken to contain the breach
  • Processor’s designated incident response contact
  • Estimated severity level (Critical / High / Medium / Low)

(d) Detailed Notification - 24 Hours: Within 24 hours of initial notification, the Processor shall provide:

  • Categories and approximate number of data subjects affected
  • Categories and approximate number of personal data records affected
  • Likely consequences of the breach
  • Measures taken or proposed to address the breach and mitigate harm
  • Recommendations for Controller’s response actions
  • Root cause analysis (preliminary)

(e) Final Report - 10 Business Days: Within 10 Business Days, the Processor shall provide:

  • Final root cause analysis
  • Complete timeline of events
  • Full assessment of impact
  • Remediation actions completed
  • Preventive measures implemented to avoid recurrence
  • Lessons learned and security improvements

(f) Assistance with Regulatory Notifications:

  • The Processor shall provide reasonable assistance to the Controller in:
      • Assessing whether the breach requires notification to supervisory authorities (GDPR Article 33 - 72 hours)
      • Assessing whether the breach requires notification to affected data subjects (GDPR Article 34)
      • Preparing breach notification letters or reports
      • Responding to supervisory authority inquiries
  • Dedicated support during breach response (prioritised above other support requests)

(g) Breach Documentation: The Processor shall document all personal data breaches (even those not requiring notification) and make such documentation available to the Controller and supervisory authorities upon request.

5.7 No Material Security Degradation

The Processor shall not materially degrade the security measures described in this Section 5 without:

  • Providing 60 days’ advance notice to Controller
  • Demonstrating that alternative measures provide equivalent or better protection
  • Obtaining Controller’s written consent (not to be unreasonably withheld)

[LEGAL REVIEW REQUIRED: Verify security obligations exceed GDPR Article 32 requirements and meet enterprise security standards]


6. Assistance with Data Subject Rights

6.1 General Assistance Obligation

The Processor shall, taking into account the nature of processing, assist the Controller by appropriate technical and organisational measures, insofar as possible, for the fulfillment of the Controller’s obligation to respond to requests for exercising data subject rights under Data Protection Laws.

6.2 Data Subject Rights Under GDPR

The Processor shall assist the Controller in responding to requests to exercise the following rights:

  • Right of access (Article 15)
  • Right to rectification (Article 16)
  • Right to erasure / “right to be forgotten” (Article 17)
  • Right to restriction of processing (Article 18)
  • Right to data portability (Article 20)
  • Right to object (Article 21)
  • Rights related to automated decision-making and profiling (Article 22) - N/A for Provii

6.3 Zero-Knowledge Architecture Implications

Due to Provii’s zero-knowledge architecture:

(a) Limited Data Retrieval: The Processor holds minimal personal data (hashed IP addresses only). Most data subject access requests (DSARs) will yield minimal information from Processor systems.

(b) User-Controlled Credentials: Age verification credentials are stored locally in the data subject’s wallet application, not on Processor servers. Data subjects have direct control over credential deletion and portability.

(c) No Rectification Needed: The Processor does not store dates of birth or identity information requiring rectification. Users update credentials locally in their wallet application.

(d) Transparency Advantage: The Processor can confirm to data subjects that their date of birth is processed only ephemerally during credential issuance and immediately discarded, and is not stored, logged, or retained on Provii servers by design. Name and identity information are not processed at all.

6.4 Request Handling Process (Enhanced)

(a) Redirecting Requests: If a data subject submits a request directly to the Processor:

  • The Processor shall redirect the data subject to the Controller
  • The Processor shall inform the Controller of the request within 1 Business Day (vs. 2 in Standard DPA)
  • The Processor shall provide Controller with data subject’s contact information (if provided)

(b) Controller Requests: If the Controller forwards a data subject request to the Processor:

  • Acknowledgment. Within 1 Business Day (vs. 2 in Standard DPA)
  • Data Retrieval. Search Processor systems for relevant personal data
  • Response. Provide available data to Controller within 5 Business Days (vs. 10 in Standard DPA) in machine-readable format (JSON, CSV, or Controller-specified format)
  • Deletion Confirmation. Confirm data deletion within 2 Business Days (vs. 5 in Standard DPA)

(c) IP Address Logs: For access requests:

  • The Processor can provide hashed IP address logs associated with verification sessions within the 90-day retention period (if IP can be linked to the data subject)
  • Controller must provide sufficient information to identify the data subject’s sessions (e.g., verification timestamps, API key used, approximate IP address)
  • Response format: JSON export with fields: {timestamp, hashed_ip, api_key_id, verification_result, challenge_id}

(d) Erasure Requests: For deletion requests:

  • The Processor shall delete IP address logs associated with the data subject (if identifiable) within 2 Business Days
  • The Processor shall confirm deletion in writing to Controller with deletion certificate
  • Note. Most data auto-deletes within 90 days regardless of deletion request

(e) Portability Requests: For data portability:

  • The Processor shall provide data in Controller-specified machine-readable format (JSON, CSV, XML)
  • Data export shall include all personal data processed within the retention period
  • Export provided via secure download link or API (Controller’s choice)

(f) Restriction Requests: For restriction of processing:

  • The Processor shall mark the data subject’s records as “restricted” in systems
  • Processing shall be limited to storage only (no active processing except with data subject consent or for legal compliance)
  • Restriction shall be lifted only upon Controller’s instruction

6.5 Dedicated DSAR Support

(a) Designated Contact: The Processor shall provide DSAR support via:

(b) Prioritisation: DSARs from Controller shall be prioritised above standard support requests.

6.6 Service Level Agreement (SLA) for DSAR Assistance

The Processor commits to the following SLAs:

Request Type            Acknowledgment    Response / Action                                Format
Access Request          1 Business Day    5 Business Days                                  JSON, CSV, or specified
Deletion Request        1 Business Day    2 Business Days                                  Deletion certificate
Portability Request     1 Business Day    5 Business Days                                  JSON, CSV, XML, or specified
Restriction Request     1 Business Day    3 Business Days                                  Confirmation email
Rectification Request   1 Business Day    N/A (not applicable to Provii’s architecture)    -
Objection Request       1 Business Day    3 Business Days                                  Confirmation email

SLA Exceptions: SLAs may be extended in cases of:

  • Force majeure events (natural disasters, wars, etc.)
  • Extremely complex requests requiring manual investigation
  • Requests requiring legal review (e.g., conflicting legal obligations)
  • Controller-caused delays (e.g., insufficient information provided)

In such cases, the Processor shall notify Controller of the delay and provide regular status updates.

6.8 No Fee for Standard Assistance

The Processor shall provide assistance with data subject rights requests at no additional charge for:

  • Up to 100 requests per calendar year (vs. 10 in Standard DPA)
  • Standard SLA timelines
  • Standard formats (JSON, CSV)

Additional requests or expedited services may be subject to reasonable fees based on effort required (fee schedule provided in Service Agreement).

6.9 Training and Cooperation

The Processor shall:

  • Provide training to Controller’s privacy team on Provii’s DSAR process (annual session)
  • Cooperate with Controller to streamline DSAR handling
  • Recommend improvements to DSAR processes based on experience
  • Participate in Controller’s DSAR drills or exercises upon request

[LEGAL REVIEW REQUIRED: Confirm data subject rights assistance exceeds GDPR Article 28(3)(e) requirements and meets enterprise customer expectations]


7. Data Protection Impact Assessment (DPIA) Assistance

7.1 DPIA Assistance Obligation

The Processor shall provide reasonable assistance to the Controller in ensuring compliance with GDPR Articles 35 and 36 (Data Protection Impact Assessment and prior consultation with supervisory authority), taking into account the nature of processing and information available to the Processor.

7.2 Information Provided for DPIA

Upon Controller’s request, the Processor shall provide:

(a) Processing Details:

  • Systematic description of processing operations (documented in this Agreement Section 2)
  • Purposes of processing
  • Assessment of necessity and proportionality of processing

(b) Risk Assessment:

  • Risks to data subjects’ rights and freedoms
  • Processor’s risk assessment for Provii services (from ISMS risk register)
  • Privacy architecture documentation demonstrating minimal risk (zero knowledge design)

(c) Security Measures:

  • Technical and organisational measures (Section 5)
  • ISO 27001/27701 certification reports (when available)
  • Security architecture documentation

(d) Sub-Processor Information:

  • List of Sub-Processors (Section 4)
  • Sub-Processor security assessments
  • Data transfer safeguards (Section 7)

(e) Compliance Evidence:

  • GDPR compliance statement
  • Records of Processing Activities (ROPA)
  • Privacy policies and procedures

7.3 Prior Consultation Assistance

If Controller determines that prior consultation with a supervisory authority is required (GDPR Article 36), the Processor shall:

  • Provide necessary information and documentation
  • Respond to supervisory authority questions (coordinated with Controller)
  • Implement any measures required by supervisory authority (at Processor’s expense if due to Processor’s non-compliance)

[LEGAL REVIEW REQUIRED: Confirm DPIA assistance meets GDPR Article 28(3)(f) requirements]


8. International Data Transfers

8.1 Transfer Locations

Personal data may be transferred to and processed in the following locations:

  • United States. Cloudflare infrastructure (San Francisco, CA headquarters and US data centres)
  • European Union. Cloudflare infrastructure (Ireland, Germany, France, Netherlands, other EU member states)
  • United Kingdom. Cloudflare infrastructure (London)
  • Australia. Processor registered address (PO Box 169, St Arnaud VIC 3478)
  • Asia-Pacific. Cloudflare infrastructure (Singapore, Japan, Australia, Hong Kong, India)
  • Other Locations. Cloudflare operates 300+ edge locations globally

8.2 Transfer Mechanisms

Where personal data is transferred from the European Economic Area (EEA), United Kingdom, or Switzerland to countries not recognised as providing adequate protection under GDPR Article 45:

(a) Standard Contractual Clauses (Primary Mechanism):

  • The parties shall execute the Standard Contractual Clauses (SCCs) approved by the European Commission (Decision 2021/914, Module 2: Controller-to-Processor)
  • SCCs are incorporated as Annex A to this Agreement and form an integral part of this DPA
  • Annexes to SCCs include:
      • Annex I. List of parties, description of transfer, competent supervisory authority
      • Annex II. Technical and organisational measures (reference to Section 5)
      • Annex III. List of Sub-Processors (reference to Section 4)

(b) UK International Data Transfer Agreement (UK Addendum):

  • For transfers from the United Kingdom, the parties shall execute the UK International Data Transfer Agreement (UK IDTA) or the UK Addendum to the EU SCCs, as applicable
  • UK Addendum executed as Annex B to this Agreement

(c) Swiss Data Protection Requirements:

  • For transfers from Switzerland, the parties shall execute appropriate amendments to address Swiss Federal Act on Data Protection (FADP) requirements
  • Swiss amendments executed as Annex C to this Agreement

(d) Alternative Mechanisms:

  • EU-US Data Privacy Framework. If applicable and Controller consents
  • Derogations (GDPR Article 49). For specific situations with Controller’s explicit consent

8.4 Sub-Processor Transfers

The Processor shall ensure that Sub-Processors (Cloudflare) provide equivalent safeguards for international data transfers through:

(a) Cloudflare Data Processing Addendum:

(b) Cloudflare Certifications:

  • ISO 27001:2013 certified (global operations)
  • SOC 2 Type II certified (annual reports available)
  • PCI DSS Level 1 Service Provider
  • C5 attestation (Germany Cloud Computing Compliance Controls Catalogue)
  • EU-US Data Privacy Framework participant (verification at dataprivacyframework.gov)

(c) Supplementary Security Measures (beyond SCCs):

  • Encryption. AES-256 at rest, TLS 1.3 in transit (cryptographic keys held by Processor, not Cloudflare)
  • Pseudonymization. IP addresses hashed before storage (SHA-256, irreversible)
  • Data Minimization. Only minimal operational data transferred (no PII by design)
  • Short Retention. 90-day maximum retention for IP logs (auto-deletion)
  • Access Controls. Cloudflare personnel access restricted (logged and monitored)

8.5 Transfer Impact Assessment (TIA)

(a) Completed TIA: The Processor has completed a Transfer Impact Assessment for transfers to the United States via Cloudflare infrastructure, as required by the Schrems II decision (CJEU Case C-311/18).

(b) TIA Conclusions:

  • Risk Level. Low
  • Reasoning:
      • Minimal personal data transferred (hashed IP addresses only, no other PII)
      • Strong encryption in transit (TLS 1.3) and at rest (AES-256)
      • Pseudonymization reduces identifiability (SHA-256 hashing)
      • Short retention period (90 days) minimises exposure window
      • No government surveillance interest (age verification data has no intelligence value)
      • Cloudflare has legal and technical safeguards against government access
      • SCCs provide contractual protections
  • Supplementary Measures. Implemented as described in Section 8.4(c)
  • Assessment. SCCs provide adequate safeguards given minimal data transfer and strong supplementary measures

(c) TIA Documentation: Full Transfer Impact Assessment available to Controller upon request (summary provided in Annex D to this Agreement).

8.6 Government Access Requests

(a) Notification Obligation: If the Processor or Sub-Processor receives a legally binding request from a government authority for disclosure of personal data transferred under this Agreement, the Processor shall:

  • Notify the Controller immediately (within 24 hours) unless prohibited by law
  • Provide details of the request (requesting authority, legal basis, scope)
  • Seek to redirect the request to the Controller (as the Controller is responsible for responding to lawful requests)
  • Challenge the request if there are reasonable grounds to do so (e.g., overly broad, lacks legal basis)
  • Provide only the minimum data necessary to comply if disclosure is legally unavoidable

(b) Transparency Report: The Processor shall publish an annual transparency report disclosing:

  • Number of government requests received (if any)
  • Number of requests challenged
  • Number of requests where data was disclosed
  • Number of requests redirected to Controllers
  • Aggregate statistics (no Controller-specific information unless legally required)

8.7 Alternative Transfer Mechanisms (Future-Proofing)

If SCCs are invalidated, deemed ineffective, or Controller requires alternative mechanisms, the parties shall cooperate in good faith to implement alternative lawful transfer mechanisms, which may include:

(a) Data Localization: Configure Processor systems to process Controller’s data solely within EEA/UK/approved jurisdictions (subject to feasibility and additional fees)

(b) EU-US Data Privacy Framework: If Processor certifies to the DPF and Controller consents

(c) Binding Corporate Rules: If Processor implements BCRs approved by supervisory authorities

(d) Adequacy Decisions: Rely on new adequacy decisions issued by the European Commission (e.g., if US receives adequacy decision)

(e) Derogations (GDPR Article 49): For specific situations where derogations apply (e.g., explicit data subject consent, necessary for contract performance)

8.8 Controller Consent for Transfers

By executing this Agreement, the Controller consents to international data transfers as described in this Section 8, subject to:

  • Execution of SCCs (Annex A) and applicable addenda (Annexes B, C)
  • Processor’s implementation of supplementary security measures (Section 8.4(c))
  • Processor’s compliance with notification obligations (Section 8.6(a))

[LEGAL REVIEW REQUIRED: Verify transfer mechanisms comply with GDPR Chapter V, Schrems II decision, and emerging guidance from supervisory authorities]


9. Audits and Inspections

9.1 Audit Rights (Enhanced)

The Processor shall make available to the Controller all information necessary to demonstrate compliance with this Agreement and Data Protection Laws, and allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller.

9.2 Audit Process

(a) Notice: The Controller shall provide at least 20 Business Days’ advance written notice of any intended audit (vs. 30 days in Standard DPA).

(b) Frequency:

  • Scheduled Audits. Up to two (2) audits per calendar year at no charge (vs. one in Standard DPA)
  • Additional Audits. Permitted without restriction in the following cases:
      • Required by a supervisory authority
      • Following a personal data breach affecting Controller’s data
      • Based on reasonable evidence of Processor’s non-compliance with this Agreement
      • Requested by Controller’s external auditors or regulators

(c) Scope: Audits may cover:

  • Compliance with this Agreement (all sections)
  • Security measures described in Section 5
  • Sub-Processor management (Section 4)
  • Processing activities relevant to Controller’s data
  • Records of Processing Activities (ROPA)
  • Incident response and breach notification procedures
  • Data subject rights handling (DSAR processes)
  • International transfer safeguards (Section 8)

(d) Conduct: Audits shall be conducted:

  • During Processor’s business hours (9:00 AM - 5:00 PM Australian Eastern Time, Monday-Friday)
  • With minimal disruption to Processor’s operations (Processor may request rescheduling of activities that would cause material disruption)
  • Subject to Processor’s reasonable security and confidentiality requirements (e.g., no photography of infrastructure, auditor NDAs)
  • By auditors bound by confidentiality obligations (auditors must sign Processor’s standard NDA)
  • In accordance with Processor’s site security policies (badge requirements, escort requirements)

(e) Remote Audits: Controller may conduct remote audits via:

  • Documentation review (Processor provides documents electronically)
  • Video conference interviews with Processor personnel
  • Screen sharing sessions demonstrating system controls

9.3 Documentation Audits (Preferred Method)

As a less intrusive and more efficient alternative to on-site audits, the Controller may request documentation audits, whereby the Processor provides:

(a) Compliance Documentation:

  • ISO 27001:2022 certification reports (when available)
  • ISO 27701:2019 certification reports (when available)
  • Internal security audit results (summary or full report at Processor’s discretion)
  • Compliance attestations (signed by ISMS Owner or designated officer)
  • Records of Processing Activities (ROPA) - see Section 3.5

(b) Security Documentation:

  • Information Security Policy (public version)
  • Incident Response Policy summary
  • Business Continuity and Disaster Recovery Plan summary
  • Access Control Policy summary
  • Encryption and Key Management procedures summary

(c) Third-Party Reports:

  • Cloudflare SOC 2 Type II reports (annual, subject to Cloudflare’s standard NDA)
  • Penetration test results (executive summary; full report subject to Processor’s approval)
  • Vulnerability scan reports (summary of findings and remediation)

(d) Operational Metrics:

  • Uptime statistics (availability metrics)
  • Security incident log (sanitized to protect confidentiality)
  • Data subject rights request statistics (number, types, response times)
  • Sub-Processor changes log

9.4 Third-Party Certifications and Reports

(a) The Processor shall make available the following compliance documentation upon request:

  • ISO 27001:2022. ISMS aligned with standard (certification planned when commercially justified); alignment documentation available upon request
  • ISO 27701:2019. PIMS aligned with standard (certification planned when commercially justified); alignment documentation available upon request
  • SOC 2 Type II (supplier-held, via Cloudflare): Service Organisation Control report covering security, availability, confidentiality (annual)

(b) Sharing Process:

  • Controller requests certification reports via email to privacy@maelstrom.au
  • Processor provides reports within 10 Business Days
  • SOC 2 reports subject to Cloudflare’s standard NDA (Processor facilitates access)
  • ISO certification reports provided as PDF (summary or full report)

9.5 Audit Costs

(a) Controller Costs: The Controller shall bear the following costs:

  • Auditor fees and expenses
  • Controller personnel time and travel
  • Reasonable Processor cooperation time up to 40 hours per audit (vs. 16 in Standard DPA)

(b) Processor Billable Time: If an audit exceeds 40 hours of Processor cooperation time:

  • Additional time charged at Processor’s standard professional services rates: [SPECIFY RATE]
  • Processor shall provide advance notice if audit is approaching the 40-hour limit
  • Controller may elect to continue audit (and pay additional fees) or conclude audit

(c) Remediation Audits: If an audit identifies material non-compliance by the Processor:

  • Processor shall bear the reasonable costs of follow-up remediation audits
  • Processor shall reimburse Controller for reasonable audit costs incurred
  • “Material non-compliance” means violations that pose significant risk to data subjects or violate legal requirements

(d) No-Charge Documentation Audits: Documentation audits (Section 9.3) are provided at no charge up to four (4) times per calendar year.

9.6 Supervisory Authority Audits

(a) The Processor shall cooperate with and contribute to audits conducted by supervisory authorities (data protection authorities, regulators).

(b) The Processor shall inform the Controller of supervisory authority audits:

  • Within 5 Business Days of receiving notice of the audit (unless prohibited by law)
  • Providing Controller with scope and expected timeline of the audit
  • Sharing audit outcomes and any remediation requirements (unless prohibited by law)

(c) If a supervisory authority audit results in findings or required corrective actions, the Processor shall:

  • Notify Controller within 5 Business Days of receiving findings
  • Provide Controller with summary of findings and required corrective actions
  • Implement corrective actions within supervisory authority’s timeline
  • Provide Controller with evidence of corrective action completion

9.7 Audit Rights for Data Subjects

Upon request from a data subject (coordinated through Controller), the Processor shall provide reasonable evidence of compliance with data protection obligations, which may include:

  • Confirmation that Processor’s architecture is designed not to store data subject’s PII (architectural design note)
  • Summary of security measures protecting data subject’s data
  • Confirmation of data deletion (if applicable)

9.8 Audit Report and Findings

(a) Following an audit, the Controller or auditor shall provide the Processor with:

  • Audit report (draft for Processor review before finalization)
  • Findings (categorised by severity: Critical, High, Medium, Low)
  • Recommended corrective actions

(b) The Processor shall:

  • Review audit report for factual accuracy (Processor may request corrections)
  • Respond to findings within 15 Business Days
  • Develop corrective action plan for identified issues
  • Implement corrective actions within agreed timelines (Critical: 30 days; High: 60 days; Medium: 90 days; Low: best effort)
  • Provide evidence of corrective action completion to Controller

[LEGAL REVIEW REQUIRED: Confirm audit rights exceed GDPR Article 28(3)(h) requirements and provide enterprise-appropriate transparency]


10. Liability and Indemnification

10.1 Processor Liability

(a) The Processor shall be liable for damages caused by processing where it:

  • Has not complied with obligations under Data Protection Laws specifically directed to processors (GDPR Article 28)
  • Has acted outside or contrary to lawful instructions of the Controller
  • Has failed to implement security measures as specified in Section 5
  • Has engaged Sub-Processors in violation of Section 4
  • Has transferred data internationally without adequate safeguards (Section 8)

(b) The Processor shall not be liable where it proves that it is not in any way responsible for the event giving rise to the damage.

(c) GDPR Article 82 Compliance: In accordance with GDPR Article 82:

  • Data subjects may claim compensation for material or non-material damage from Controller or Processor
  • Controller or Processor liable for damage is exempt from liability if it proves it is not responsible
  • Where multiple parties are liable, each shall be held liable for the entire damage (joint and several liability)
  • Processor may be held directly liable by data subjects for violations of processor-specific obligations

10.2 Limitation of Liability

(a) Subject to Section 10.2(b) and to the maximum extent permitted by applicable law, the Processor’s total aggregate liability under this Agreement shall not exceed the amount specified in the executed Service Agreement as the liability cap. Where no cap is specified, liability is limited to the amount paid by the Controller to the Processor in the twelve (12) months immediately preceding the event giving rise to the claim.

(b) Non-Excludable Liabilities: Nothing in this Agreement excludes or limits liability to the extent that applicable law prohibits such exclusion or limitation, including rights under the Australian Consumer Law (Schedule 2 to the Competition and Consumer Act 2010 (Cth)) and the Privacy Act 1988 (Cth). Subject to the foregoing, no other liabilities are excluded or extended beyond what the law requires.

(c) Types of Damages:

  • Covered. Direct damages, regulatory fines (see Section 10.4), data subject compensation
  • Excluded. Indirect, incidental, consequential, special, or punitive damages; lost profits; lost revenue; lost data (except personal data breach); loss of reputation

10.3 Indemnification

(a) Processor Indemnity: Subject to Section 10.2 and to the maximum extent permitted by applicable law, the Processor shall indemnify, defend, and hold harmless the Controller from and against losses, damages, costs, liabilities, and expenses (including reasonable legal costs) arising from:

  • Processor’s breach of this Agreement
  • Processor’s violation of Data Protection Laws
  • Claims by data subjects arising from Processor’s unlawful processing
  • Personal data breaches caused by Processor’s negligence or failure to implement security measures (Section 5)
  • Processor’s failure to notify Controller of personal data breaches within required timelines (Section 5.6)
  • Sub-Processor’s violations (Processor remains liable for Sub-Processor acts)
  • Processor’s violation of international transfer requirements (Section 8)
  • Processor’s unauthorized processing outside Controller’s instructions

(b) Controller Indemnity: Subject to the maximum extent permitted by applicable law, the Controller shall indemnify, defend, and hold harmless the Processor from and against losses, damages, costs, liabilities, and expenses (including reasonable legal costs) arising from:

  • Controller’s unlawful instructions to Processor (despite Processor’s notification under Section 3.1(c))
  • Controller’s breach of Data Protection Laws unrelated to Processor’s processing
  • Claims that Controller’s services, content, or business model violate applicable laws
  • Controller’s failure to provide required privacy notices to data subjects
  • Controller’s failure to obtain required consents from data subjects
  • Controller’s failure to respond to data subject rights requests (where Processor has provided required assistance)
  • Claims arising from Controller’s use of data provided by Processor in response to DSARs

(c) Indemnification Process:

  • Prompt Notice. The indemnified party shall notify the indemnifying party promptly (within 10 Business Days) upon becoming aware of any claim
  • Cooperation. The indemnified party shall cooperate reasonably with the indemnifying party in the defence, including providing relevant documents and information
  • Control of Defence. The indemnifying party shall control the defence and settlement of the claim, provided that:
      • The indemnified party may participate in the defence with its own counsel (at its own expense)
      • The indemnifying party shall not settle any claim without the indemnified party’s prior written consent (not to be unreasonably withheld) if settlement would:
          • Impose obligations on the indemnified party
          • Admit fault or liability on behalf of the indemnified party
          • Require the indemnified party to cease any business activities
  • Mitigation. The indemnified party shall take reasonable steps to mitigate damages

10.4 Regulatory Fines and Penalties

(a) Processor-Caused Fines: If the Controller is fined or penalized by a supervisory authority due to Processor’s breach of this Agreement or Data Protection Laws:

  • Processor shall reimburse Controller for such fines and penalties (subject to the liability cap in Section 10.2(a) and non-excludable rights under Section 10.2(b))
  • Processor shall reimburse Controller for reasonable legal fees incurred in responding to the supervisory authority
  • Processor shall cooperate with Controller to challenge or appeal the fine (if appropriate)

(b) Controller-Caused Fines: If the Processor is fined or penalized by a supervisory authority due to Controller’s unlawful instructions or Controller’s breach of Data Protection Laws:

  • Controller shall reimburse Processor for such fines and penalties
  • Controller shall reimburse Processor for reasonable legal fees incurred in responding to the supervisory authority

(c) Joint Liability: If a fine is imposed due to joint conduct of both parties:

  • Each party shall bear the portion of the fine attributable to its own conduct
  • If proportions cannot be determined, the fine shall be split equally
  • The parties shall cooperate in good faith to allocate responsibility fairly

(d) Supervisory Authority Appeals: The parties shall consult before appealing any supervisory authority decision to ensure a coordinated approach.

10.5 Data Subject Compensation

(a) If a data subject successfully claims compensation for material or non-material damage under GDPR Article 82:

  • The party found liable shall compensate the data subject
  • If both parties are found liable (joint and several liability), the paying party may seek contribution from the other party based on responsibility for the damage
  • The parties shall cooperate to defend against data subject claims and minimise liability

(b) Notice Requirement: Each party shall promptly notify the other of any data subject claim (within 10 Business Days of becoming aware).

10.6 Insurance

The Processor does not assert specific insurance coverage or minimum cover amounts. Insurance details are available on request, subject to confirmed coverage at the relevant time. No representation is made that any particular coverage is or will be in place.

10.7 Disclaimer of Warranties

To the maximum extent permitted by applicable law, the Processor provides the Services and performs its obligations under this Agreement without warranty of any kind, express or implied, including any implied warranty of merchantability, fitness for a particular purpose, or non-infringement. Nothing in this clause excludes or limits any right the Controller may have under the Australian Consumer Law or the Privacy Act 1988 (Cth) that cannot be excluded or limited by law.

10.8 Survival of Liability

Liability and indemnification obligations shall survive termination of this Agreement for:

  • Claims arising from processing conducted during the term of this Agreement
  • Statute of limitations period under applicable law (typically 3-6 years)

[LEGAL REVIEW REQUIRED: Verify liability provisions comply with GDPR Article 82, are enforceable under applicable law, and meet enterprise customer expectations. Confirm insurance requirements are reasonable and obtainable.]


11. Term and Termination

11.1 Term

This Agreement commences on the Effective Date and continues until:

  • Termination of the Service Agreement, or
  • Earlier termination in accordance with this Section 11

11.2 Termination Rights

(a) Termination for Convenience:

  • Either party may terminate this Agreement upon 90 days’ written notice (vs. 30 in Standard DPA) if the Service Agreement is also terminated
  • Early termination fee may apply if terminated before minimum commitment period (as specified in Service Agreement)

(b) Termination for Breach:

  • Either party may terminate this Agreement upon 30 days’ written notice if the other party materially breaches this Agreement and fails to cure within 30 days of written notice
  • Immediate termination without cure period for:
      • Material security breach affecting Controller’s data
      • Repeated breaches of the same or similar obligations
      • Breach that cannot be cured
      • Insolvency or bankruptcy proceedings

(c) Termination for Sub-Processor Objection:

  • The Controller may terminate this Agreement if the parties cannot resolve a Sub-Processor objection under Section 4.3(f)
  • Termination effective 90 days after notice to allow Controller to migrate to an alternative solution
  • No early termination fee applies for Sub-Processor objection terminations

(d) Termination by Supervisory Authority:

  • This Agreement may be terminated immediately if required by a supervisory authority
  • Each party shall cooperate to minimise impact of required termination

(e) Termination for Legal Prohibition:

  • Either party may terminate immediately if continued performance would violate applicable law
  • Terminating party shall provide evidence of legal prohibition to the other party

11.3 Data Deletion or Return (Enhanced)

(a) Controller Election: Upon termination or expiration of this Agreement, the Controller shall elect (in writing) within 30 days of termination:

  • Option 1: Delete all personal data processed under this Agreement and existing copies, OR
  • Option 2: Return all personal data to the Controller in a commonly used machine-readable format (JSON, CSV, or Controller-specified format)

(b) Default: If no election is provided within 30 days, the Processor shall delete all personal data.

(c) Timeline:

  • Data deletion or return shall be completed within 30 days of termination (or Controller’s election, whichever is later)
  • Expedited deletion/return available upon request (within 10 Business Days)

(d) Return Process (if Controller elects Option 2):

  • Format. JSON, CSV, XML, or other machine-readable format specified by Controller
  • Delivery Method:
      • Secure download link (encrypted, password-protected)
      • API export (Controller retrieves via API)
      • Encrypted file transfer
  • Contents. All personal data categories listed in Section 2.4 within retention period
  • Structure. Structured data export with documentation of fields and formats
  • Encryption. All returned data encrypted in transit and at rest (until Controller confirms receipt)

(e) Deletion Process (if Controller elects Option 1 or by default):

  • Secure Deletion. Processor shall delete data in accordance with industry best practices:
      • Cryptographic erasure (delete encryption keys)
      • Overwriting of storage media (for non-encrypted data)
      • Physical destruction of backup media (if containing personal data)
  • Deletion Certificate. Processor shall provide written certification of deletion within 10 days of completion, including:
      • Confirmation that all personal data has been deleted
      • List of systems from which data was deleted
      • Date and method of deletion
      • Statement signed by ISMS Owner or designated officer

(f) Automatic Deletion: Due to Maelstrom AI’s automated retention policies:

  • IP addresses auto-delete after 90 days (Cloudflare Workers Logs shipped to Grafana Loki, 90-day Loki tenant retention)
  • Challenge records auto-delete after 5 minutes
  • Most personal data will be automatically deleted within 90 days of termination regardless of Controller election

(g) Verification: Controller may request verification of deletion through:

  • Audit (within 90 days of termination)
  • Attestation from Processor’s external auditor
  • Technical demonstration of deletion (screen sharing, logs)

11.4 Retention Exceptions

(a) The Processor may retain personal data to the extent and for such period as required by applicable law, provided that:

  • The Processor ensures confidentiality of retained data (encryption, access controls)
  • The Processor processes retained data only as required by law (no other use)
  • The Processor deletes retained data when the legal requirement expires
  • The Processor notifies Controller of legal retention requirements (specifying data retained, legal basis, expected retention period)

(b) Examples of Legal Retention Requirements:

  • Tax and accounting records: 7 years (Australian law)
  • Litigation hold: Duration of legal proceedings
  • Regulatory investigation: Duration of investigation
  • Supervisory authority order: As specified in order

(c) Backup Retention: Personal data in backups shall be deleted in accordance with Processor’s backup retention policy (90 days maximum) or when backups are next rotated/purged.

11.5 Transition Assistance

(a) Upon termination, the Processor shall provide reasonable transition assistance to the Controller for up to 90 days following termination, including:

  • Answering questions about data export format
  • Providing documentation of Processor’s system architecture (to aid migration)
  • Coordinating data return or deletion
  • Providing support for Controller’s migration to alternative solution

(b) Transition Assistance Fees:

  • Reasonable transition assistance included at no additional charge

11.6 Post-Termination Obligations

Following termination, the following obligations survive:

(a) Confidentiality (Section 3.2): Indefinitely

(b) Data Deletion/Return (Section 11.3): Until completion

(c) Personal Data Breach Notification (Section 5.6): For breaches discovered within 90 days post-termination that occurred during the term

(d) Liability and Indemnification (Section 10): For the applicable statute of limitations period

(e) Retention Exceptions (Section 11.4): Until legal retention requirements expire

(f) Audit Rights (Section 9): For 12 months post-termination (to verify deletion or return)

(g) General Provisions (Section 12): As specified in Section 12

11.7 Suspension of Services

(a) The Processor may suspend Services (without terminating this Agreement) if:

  • Controller fails to pay undisputed fees within 30 days of due date (after 10-day written notice)
  • Controller’s use of Services violates applicable law (after notice and opportunity to cure, unless immediate suspension required by law)
  • Controller’s use of Services poses security risk to Processor or other customers (after notice, unless immediate suspension required for security)

(b) Notice: Processor shall provide at least 10 days’ advance notice of suspension (except for security or legal emergencies requiring immediate suspension)

(c) Reinstatement: Services shall be reinstated within 48 hours of Controller curing the issue (e.g., paying overdue fees)

(d) No Liability: Processor shall not be liable for damages resulting from suspension if suspension was justified under this Section 11.7

[LEGAL REVIEW REQUIRED: Verify termination provisions meet GDPR Article 28(3)(g) requirements for data deletion/return and are reasonable for enterprise customers]


12. Enhanced Transparency and Reporting

12.1 Reporting

Upon Controller’s request, the Processor shall provide:

(a) Annual Compliance Summary:

  • ISO 27001/27701 certification status
  • Sub-Processor changes
  • Summary of security enhancements

12.2 Security Incident Reporting

(a) All Security Incidents: The Processor shall notify Controller of security incidents affecting Controller’s data within the following timelines:

  • Critical Incidents (personal data breach): 4 hours (Section 5.6)
  • High Incidents (potential breach, not confirmed): 24 hours
  • Medium Incidents (security event with no data exposure): 72 hours
  • Low Incidents (security event with no impact): Monthly summary report

(b) Incident Report Contents:

  • Incident description and timeline
  • Affected systems and data
  • Impact assessment
  • Root cause analysis (preliminary for initial report, final for follow-up)
  • Remediation actions taken
  • Preventive measures implemented

12.3 Service Performance Reporting

(a) Performance Reporting: The Processor shall provide monthly performance reports showing:

  • API uptime percentage (best-efforts availability; no contractual uptime SLA is provided)
  • Average API response time (best-efforts target)
  • DSAR response time compliance (Section 6.6 timelines)
  • Security incident response time compliance (Section 5.6 timelines)

12.4 Regulatory Change Notifications

The Processor shall notify Controller of significant regulatory or legal developments affecting Services:

  • New Data Protection Laws or amendments
  • Supervisory authority guidance or enforcement actions
  • Court decisions affecting data transfers (e.g., Schrems-type decisions)
  • New security standards or requirements
  • Changes to Sub-Processor legal obligations

Notification Timeline: Within 15 Business Days of Processor becoming aware of the development

12.5 Documentation Access

Upon request, the Processor shall provide Controller with access to:

  • Current Sub-Processor list
  • Compliance documentation (ISO alignment status, policies)
  • Security incident reports (Controller-specific)

12.6 Annual Compliance Meeting

The Processor shall offer an annual compliance review meeting with Controller, including:

  • Review of compliance posture and any gaps
  • Discussion of regulatory developments
  • Roadmap for security and privacy enhancements
  • Q&A with Processor’s ISMS Owner, Security Lead, or Privacy Officer
  • Opportunity to provide feedback on Services

[LEGAL REVIEW REQUIRED: Confirm reporting obligations are feasible and meet enterprise transparency expectations]


13. General Provisions

13.1 Entire Agreement

This Agreement, together with the Service Agreement and any annexes or schedules, constitutes the entire agreement between the parties concerning personal data processing and supersedes all prior agreements, whether written or oral.

Order of Precedence: In the event of conflict:

  1. This Data Processing Agreement (Enterprise)
  2. Annexes to this DPA (SCCs, UK Addendum, etc.)
  3. Service Agreement

13.2 Amendment

(a) This Agreement may be amended only by written agreement signed by both parties’ authorised representatives.

(b) Exception - Processor Unilateral Updates: The Processor may update the following without Controller consent (subject to notification requirements):

  • Sub-Processor lists (subject to Section 4.3 notification and objection rights)
  • Security measures (provided they maintain or improve the level of protection; Controller notified 30 days in advance)
  • Contact details and addresses (Controller notified promptly)
  • Legal and regulatory references (to reflect new laws or successor legislation)

(c) Material Changes: Material changes to processing activities, data categories, or Sub-Processors require Controller’s prior written consent (not to be unreasonably withheld).

13.3 Governing Law

(a) This Agreement shall be governed by and construed in accordance with the laws of:

  • Victoria, Australia (unless otherwise agreed in the executed agreement)

(b) Data Protection Laws: To the extent applicable, this Agreement shall be subject to:

  • GDPR and Member State implementing legislation
  • UK GDPR and Data Protection Act 2018
  • Australian Privacy Act 1988
  • Other applicable Data Protection Laws

(c) Conflict of Laws: The United Nations Convention on Contracts for the International Sale of Goods shall not apply to this Agreement.

13.4 Dispute Resolution

(a) Negotiation: The parties shall attempt in good faith to resolve any dispute arising out of or relating to this Agreement through negotiation between senior executives (e.g., Controller’s Chief Privacy Officer and Processor’s ISMS Owner) within 30 days.

(b) Mediation: If negotiation fails, the parties shall attempt mediation before a mutually agreed mediator or mediation service (e.g., JAMS, AAA, CEDR) within 60 days.

(c) Litigation: Disputes not resolved through negotiation or mediation shall be resolved through litigation in the courts of Victoria, Australia, and each party irrevocably submits to the exclusive jurisdiction of such courts.

(d) Injunctive Relief: Nothing herein shall prevent either party from seeking injunctive relief or other equitable remedies in any court of competent jurisdiction to:

  • Prevent personal data breaches
  • Enforce confidentiality obligations
  • Prevent irreparable harm
  • Preserve the status quo pending arbitration or litigation

(e) Data Subject Rights: Data subjects may enforce their rights under this Agreement in accordance with applicable Data Protection Laws (GDPR Article 79 - right to an effective judicial remedy against a controller or processor).

13.5 Supervisory Authority Rights and Data Subject Rights

(a) Third-Party Beneficiaries: Data subjects and supervisory authorities are intended third-party beneficiaries of this Agreement to the extent required by Data Protection Laws, with rights to enforce:

  • Provisions relating to data subject rights (Section 6)
  • Security obligations (Section 5)
  • Personal data breach notification (Section 5.6)
  • International transfer safeguards (Section 8, SCCs)
  • Other provisions conferring rights on data subjects or supervisory authorities

(b) Direct Enforcement: Data subjects may enforce their rights directly against the Processor as provided by GDPR Article 82 and equivalent provisions in other Data Protection Laws.

13.6 Conflict

In the event of conflict between:

  • This Agreement and the Service Agreement: This Agreement prevails with respect to personal data processing
  • This Agreement and SCCs (Annexes): SCCs prevail with respect to international data transfers
  • Different language versions: English language version prevails

13.7 Severability

If any provision of this Agreement is held invalid, illegal, or unenforceable:

  • The remaining provisions shall remain in full force and effect
  • The invalid provision shall be replaced with a valid provision that most closely approximates the intent and economic effect of the original provision
  • If replacement is not possible and the invalid provision is essential to this Agreement, the parties shall negotiate in good faith to replace the invalid provision

13.8 Waiver

(a) No waiver of any provision of this Agreement shall be effective unless in writing and signed by the waiving party.

(b) No waiver shall constitute a continuing waiver or a waiver of any other provision.

(c) Failure to enforce any provision shall not constitute a waiver of the right to enforce such provision in the future.

13.9 Assignment

(a) General Rule: Neither party may assign, transfer, or delegate this Agreement or any rights or obligations hereunder without the prior written consent of the other party (consent not to be unreasonably withheld).

(b) Permitted Assignments: Either party may assign this Agreement without consent:

  • To a successor in connection with a merger, acquisition, reorganization, or sale of all or substantially all of its assets, provided that:
      • The assignee agrees in writing to be bound by this Agreement
      • The assignee has substantially equivalent financial resources and capabilities
      • The assigning party provides 30 days’ advance notice to the other party
  • To an affiliate controlled by, controlling, or under common control with the assigning party, provided the assigning party remains liable for the affiliate’s performance

(c) Effect of Assignment: Any attempted assignment in violation of this Section 13.9 shall be void.

13.10 Notices

(a) All notices under this Agreement shall be in writing and delivered to the addresses below:

Controller:
[Controller Name]
[Address]
Attention: [Privacy Officer / Legal / Compliance]
Email: [Email]

Processor:
Maelstrom AI Pty Ltd ATF Maelstrom AI Holding Trust (trading as Provii)
PO Box 169, St Arnaud VIC 3478, Australia
Attention: ISMS Owner
Email: privacy@maelstrom.au
Copy: legal@provii.app

(b) Delivery Methods (notices deemed received):

  • Email: Upon confirmation of receipt (if sent during business hours) or next business day (if sent outside business hours)
  • Certified mail / registered post: 5 Business Days after mailing
  • Courier / hand delivery: Upon delivery

(c) Emergency Notices: For urgent matters (personal data breaches, security incidents), notices may be provided by:

  • Phone call to designated emergency contact
  • Followed by written confirmation via email within 4 hours

(d) Update of Contact Information: Each party shall notify the other promptly (within 10 Business Days) of any changes to notice contact information.

13.11 Counterparts and Electronic Signatures

(a) This Agreement may be executed in counterparts, each of which shall be deemed an original and all of which together shall constitute one and the same instrument.

(b) Electronic signatures (including DocuSign, Adobe Sign, or similar) shall be valid and binding to the same extent as handwritten signatures.

(c) Delivery of executed signature pages by email (PDF) or electronic signature platform shall constitute valid delivery.

13.12 Language

(a) This Agreement is executed in the English language.

(b) If this Agreement is translated into any other language, the English language version shall prevail in the event of any conflict or ambiguity.

13.13 Force Majeure

Neither party shall be liable for failure or delay in performance of its obligations under this Agreement (other than payment obligations) to the extent caused by events beyond its reasonable control, including:

  • Acts of God (earthquakes, floods, pandemics)
  • War, terrorism, civil unrest
  • Government actions (embargoes, sanctions)
  • Utility failures, internet outages (beyond Processor’s network)
  • Labor disputes (strikes, lockouts)

Mitigation: The affected party shall use commercially reasonable efforts to mitigate the effects of the force majeure event.

Termination: If force majeure continues for more than 90 days, either party may terminate this Agreement upon written notice without liability.

13.14 Publicity and References

(a) Press Releases: Neither party shall issue press releases or public announcements concerning this Agreement without the other party’s prior written consent.

(b) Customer References: The Processor shall not identify the Controller as a customer without the Controller’s prior written consent.

(c) Confidential Relationship: The parties agree to keep the existence and terms of this Agreement confidential, except as required by law or for disclosure to:

  • Professional advisors (lawyers, accountants)
  • Actual or potential investors or acquirers (under NDA)
  • Supervisory authorities or regulators (upon request)

13.15 Independent Contractors

The parties are independent contractors. This Agreement does not create a partnership, joint venture, agency, or employment relationship. Neither party has authority to bind the other or to make commitments on the other’s behalf.

[LEGAL REVIEW REQUIRED: Verify general provisions are appropriate for target markets, comply with applicable law, and reflect standard enterprise contract terms]


14. Annexes

Annex A: Standard Contractual Clauses (EU Commission Decision 2021/914, Module 2: Controller-to-Processor)

Annex B: UK International Data Transfer Agreement (UK Addendum to EU SCCs)

  • Applicable for transfers from United Kingdom
  • To be executed upon Controller’s request if processing data of UK data subjects

Annex C: Swiss Data Protection Addendum

  • Applicable for transfers from Switzerland
  • To be executed upon Controller’s request if processing data of Swiss data subjects

Annex D: Transfer Impact Assessment Summary

  • Summary of Processor’s Transfer Impact Assessment for transfers to United States via Cloudflare
  • Available upon Controller’s request

Signatures

CONTROLLER:

By: ________________________________
Name:
Title:
Date:

PROCESSOR: Maelstrom AI Pty Ltd ATF Maelstrom AI Holding Trust (trading as Provii)

By: ________________________________
Name:
Title: Chief Technology Officer
Date:


Document Information

Document Title: Data Processing Agreement (Enterprise)
Version: 1.0 Draft
Status: Pending Legal Review
Date: 2026-02-13
Classification: Legal Template
Owner: ISMS Owner
Next Review: Upon legal counsel review

Differences from Standard DPA:

  • Enhanced audit rights (2 audits/year vs. 1, 40 hours cooperation vs. 16)
  • Enhanced DSAR SLAs (1 BD acknowledgment vs. 2 BD, 5 BD response vs. 10 BD)
  • Enhanced breach notification (4 hours vs. 24 hours for initial notification)
  • Enhanced Sub-Processor approval process (60 days notice vs. 30, detailed information requirements)
  • Custom security controls option (Annex E)
  • Transparency reporting (Section 12)
  • Insurance details available on request, subject to confirmed coverage
  • Longer termination notice (90 days vs. 30 days for convenience termination)
  • DSAR support for up to 100 requests/year (vs. 10 in Standard)
  • Dedicated account management and support

Target Customers: Large enterprises with significant compliance requirements, high user volumes, or enhanced security needs

DISCLAIMER: This is a draft template requiring review by qualified legal counsel before use. It is provided for informational purposes only and does not constitute legal advice. Both parties should consult with legal counsel, compliance officers, and privacy professionals before executing this Agreement.

Gap Closure: This document addresses GAP-M007 (Medium severity, High business impact) - “No DPA templates exist for B2B customers” with enhanced enterprise-grade provisions.

Compliance Mapping:

  • GDPR Article 28 (Processor obligations) — the identified requirements have been addressed
  • GDPR Article 32 (Security of processing) — the identified requirements have been addressed
  • GDPR Article 33 (Breach notification) — the identified requirements have been addressed (4-hour internal target vs. 72-hour legal notification deadline)
  • GDPR Article 46 (International transfers - SCCs) — the identified requirements have been addressed
  • ISO 27701:2019 (A.7.4.8 - Contracts with processors) — the identified requirements have been addressed

END OF DOCUMENT