Data Processing Agreement (Standard)

Standard DPA for Maelstrom AI B2B customers (Controllers)

Legal Template

Data Processing Agreement (Standard)

Between: [CONTROLLER NAME] (“Controller”) And: Maelstrom AI Pty Ltd ATF Maelstrom AI Holding Trust, trading as Provii (“Processor”)

Effective Date: [DATE] Version: 1.0 Draft (Pending Legal Review)

Recitals

WHEREAS, the Controller operates online services requiring age verification;

WHEREAS, the Processor provides zero knowledge age verification services designed to enable verification with minimal collection of personally identifiable information;

WHEREAS, the parties wish to enter into a data processing relationship compliant with applicable privacy laws including the General Data Protection Regulation (EU) 2016/679 (“GDPR”), the Australian Privacy Act 1988, and other applicable data protection laws;

WHEREAS, this Agreement sets forth the terms under which the Processor will process personal data on behalf of the Controller;

NOW, THEREFORE, in consideration of the mutual covenants contained herein, the parties agree as follows:

1. Definitions

1.1 Key Terms

For purposes of this Agreement:

(a) “Controller” means the entity that determines the purposes and means of processing personal data, as identified in the signature block above.

(b) “Processor” means Maelstrom AI Pty Ltd ATF Maelstrom AI Holding Trust, trading as Provii, which processes personal data on behalf of the Controller.

(c) “Personal Data” means any information relating to an identified or identifiable natural person as defined under applicable Data Protection Laws.

(d) “Data Protection Laws” means all applicable laws and regulations relating to privacy and data protection, including but not limited to:

  • GDPR (General Data Protection Regulation (EU) 2016/679)
  • UK GDPR and Data Protection Act 2018
  • Australian Privacy Act 1988
  • California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA)
  • Canadian Personal Information Protection and Electronic Documents Act (PIPEDA)
  • Any successor or replacement legislation

(e) “Data Subject” means an identified or identifiable natural person whose personal data is processed under this Agreement.

(f) “Sub-Processor” means any third party engaged by the Processor to process personal data on behalf of the Controller.

(g) “Processing” has the meaning given in applicable Data Protection Laws and includes collection, storage, use, disclosure, and deletion of personal data.

(h) “Services” means the age verification services provided by Provii as described in Section 2.

(i) “Service Agreement” means the master services agreement or terms of service between the parties governing the provision of Services.

(j) “Zero knowledge Proof” means a cryptographic method that allows one party to prove to another party that a statement is true without revealing any information beyond the validity of the statement itself.

1.2 Interpretation

References to GDPR articles apply equally to equivalent provisions in other Data Protection Laws. Capitalized terms not defined herein have the meanings assigned in the Service Agreement.

2. Processing Details

2.1 Subject Matter of Processing

The Processor provides zero knowledge age verification services designed to enable the Controller to verify whether end users meet specified age thresholds (e.g., 18 years or older) without the Processor or Controller receiving the user’s actual date of birth or identity information under normal operation.

2.2 Duration of Processing

This Agreement commences on the Effective Date and continues until termination of the Service Agreement or earlier termination of this Agreement in accordance with Section 10.

2.3 Nature and Purpose of Processing

The Processor processes personal data for the following purposes only:

(a) Age Verification: Cryptographic verification of zero knowledge proofs submitted by end users to determine if they meet Controller-specified age thresholds

(b) Anti-Fraud and Security: Detection and prevention of fraudulent verification attempts, abuse, and security threats including rate limiting and replay attack prevention

(c) Service Provision: Technical operation and maintenance of the age verification service including session management and challenge-response verification

(d) Legal Compliance: Compliance with applicable laws and legal obligations

2.4 Categories of Personal Data

Due to Maelstrom AI’s zero knowledge architecture, the Processor processes minimal personal data:

Data CategoryData ElementsRetention PeriodPurpose
Network IdentifiersIP addresses (hashed with SHA-256)90 daysAnti-fraud, rate limiting, abuse detection
Technical MetadataUser-Agent strings, timestamps90 days (anonymised)Security monitoring, service diagnostics
Session IdentifiersChallenge IDs (random UUIDs)5 minutesVerification session management
Cryptographic DataCredential nullifiers (one-way hashes)Checked against ban list onlyReplay prevention

IMPORTANT: The Processor’s architecture is designed so that the following data is not processed by Processor systems:

  • Names, email addresses, physical addresses
  • Dates of birth (transmitted once during credential issuance to compute a cryptographic commitment, then immediately discarded. never stored or logged)
  • Identity documents or government IDs
  • Biometric data
  • Financial information
  • Behavioural data or tracking identifiers

2.5 Categories of Data Subjects

End users of Controller’s services who request age verification, including:

  • Visitors to Controller’s websites or applications
  • Users of Controller’s online services requiring age-gating
  • Individuals of any age (including minors) seeking to verify age eligibility

2.6 Controller and Processor Obligations

The parties acknowledge and agree that:

(a) Controller Obligations:

  • Determines purposes and means of processing personal data
  • Ensures lawful basis for processing under Data Protection Laws
  • Provides privacy notices to data subjects regarding age verification processing
  • Responds to data subject requests (with Processor assistance as provided in Section 6)
  • Ensures compliance with Data Protection Laws for its processing activities

(b) Processor Obligations:

  • Processes personal data only on documented instructions from Controller (Section 3)
  • Implements appropriate technical and organisational security measures (Section 5)
  • Assists Controller with data subject rights requests (Section 6)
  • Notifies Controller of personal data breaches (Section 5.5)
  • Deletes or returns personal data upon termination (Section 10.3)

3. Processor Obligations

3.1 Processing Instructions

(a) The Processor shall process personal data only on documented instructions from the Controller, unless required to process by applicable law (in which case the Processor shall inform the Controller of such legal requirement before processing, unless prohibited by law).

(b) The Controller’s instructions are set forth in:

  • This Agreement (Section 2.3 - Nature and Purpose of Processing)
  • The Service Agreement
  • Additional written instructions provided by Controller through Provii’s API configuration or admin dashboard

(c) If the Processor believes an instruction violates Data Protection Laws, it shall immediately inform the Controller and may suspend processing until the instruction is confirmed or modified.

3.2 Confidentiality

(a) The Processor shall ensure that all personnel authorised to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

(b) The Processor maintains written confidentiality agreements with all employees and contractors who may access personal data.

3.3 Prohibited Processing

The Processor shall NOT:

  • Process personal data for purposes other than those specified in Section 2.3
  • Disclose personal data to third parties except as authorised by this Agreement (Section 4)
  • Transfer personal data outside the territory specified in Section 7 without appropriate safeguards
  • Retain personal data beyond the retention periods specified in Section 2.4 and Section 10.3
  • Use personal data for Processor’s own purposes or to provide services to other clients

3.4 Data Protection Laws Compliance

The Processor shall:

  • Maintain familiarity with applicable Data Protection Laws
  • Implement measures to ensure compliance with Data Protection Laws
  • Notify Controller promptly of any changes in Data Protection Laws that may affect processing
  • Cooperate with Controller to ensure compliance with Data Protection Laws

3.5 Records of Processing Activities

The Processor shall maintain records of processing activities as required by GDPR Article 30(2) and equivalent provisions in other Data Protection Laws, including:

  • Name and contact details of Processor and Controller
  • Categories of processing activities
  • Categories of personal data subjects and personal data
  • Categories of recipients of personal data
  • International data transfers and safeguards
  • Retention periods
  • Security measures

[LEGAL REVIEW REQUIRED: Verify completeness of processor obligations under applicable Data Protection Laws]

4. Sub-Processors

4.1 General Authorisation

(a) The Controller provides general authorisation for the Processor to engage Sub-Processors, subject to the requirements of this Section 4.

(b) The Processor shall impose on Sub-Processors the same data protection obligations as set out in this Agreement, through a written contract.

(c) The Processor remains fully liable to the Controller for the performance of any Sub-Processor’s obligations.

4.2 Current Sub-Processors

The Processor currently engages the following Sub-Processors:

Cloudflare, Inc.

  • Services. Cloud infrastructure, serverless computing platform, DDoS protection, content delivery network
  • Location. United States, European Union, Asia-Pacific (global infrastructure)
  • Data Processed. IP addresses, cryptographic proofs, session identifiers, API request/response data
  • Safeguards. Standard Contractual Clauses (EU Commission Decision 2021/914), ISO 27001 certified, SOC 2 Type II certified

4.3 Sub-Processor Changes

(a) The Processor shall provide the Controller with at least 30 days’ prior written notice of any intended changes concerning the addition or replacement of Sub-Processors.

(b) Notice shall be provided via email to Controller’s designated contact and/or through the Provii admin dashboard.

(c) The Controller may object to a new or replacement Sub-Processor on reasonable grounds relating to data protection within 14 days of receiving notice.

(d) If the Controller objects and the parties cannot resolve the objection within a reasonable time:

  • The Controller may terminate the affected Services without penalty
  • The Processor may choose not to engage the Sub-Processor
  • The parties may negotiate alternative arrangements

4.4 Sub-Processor List

An up-to-date list of Sub-Processors is available at: https://provii.app/legal/sub-processors

[LEGAL REVIEW REQUIRED: Confirm sub-processor notification mechanism meets GDPR Article 28(2) requirements]

5. Security Measures

5.1 Security Obligations

The Processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking into account:

  • The state of the art
  • The costs of implementation
  • The nature, scope, context, and purposes of processing
  • The risk of varying likelihood and severity for the rights and freedoms of data subjects

5.2 Technical Security Measures

The Processor implements the following technical measures:

(a) Encryption:

  • TLS 1.3 encryption for all data in transit
  • AES-256 encryption for data at rest
  • Zero knowledge cryptographic proofs (Groth16 ZK-SNARKs, 128-bit security level)

(b) Access Controls:

  • Role-based access control (RBAC) for administrative functions
  • Multi-factor authentication (MFA) required for production system access
  • API authentication using HMAC-SHA256
  • Principle of least privilege enforced

(c) Pseudonymization:

  • IP addresses hashed with SHA-256 in audit logs
  • Random UUIDs for session identifiers
  • One-way cryptographic nullifiers

(d) Network Security:

  • DDoS protection (Cloudflare)
  • Web Application Firewall (WAF)
  • Rate limiting per-IP and per-client
  • Automated threat detection

(e) Monitoring and Logging:

  • Security event logging with 90-day standard retention (critical security events may be retained up to 365 days)
  • Automated anomaly detection
  • Audit trails for all administrative actions

5.3 Organisational Security Measures

The Processor implements the following organisational measures:

(a) Access Management:

  • Background checks for personnel with access to systems
  • Confidentiality agreements signed by all personnel
  • Annual security awareness training
  • Regular access reviews (quarterly)

(b) Privacy by Design:

  • Zero knowledge architecture minimises PII collection
  • Architecture reviews for new features
  • Privacy impact assessment for material changes

(c) Vendor Management:

  • Security assessment for all Sub-Processors
  • Data Processing Agreements with Sub-Processors
  • Annual vendor security reviews

(d) Incident Response:

  • 24-hour breach detection target
  • Documented incident response procedures
  • Regular tabletop exercises

5.4 ISO 27001 Alignment

The Processor’s Information Security Management System (ISMS) is aligned with ISO 27001:2022 and ISO 27701:2019 standards. The Processor is pursuing formal certification when commercially justified.

5.5 Personal Data Breach Notification

(a) The Processor shall notify the Controller without undue delay after becoming aware of a personal data breach, and in any event within 24 hours of discovery.

(b) The notification shall include, to the extent possible:

  • Description of the nature of the breach
  • Categories and approximate number of data subjects affected
  • Categories and approximate number of personal data records affected
  • Likely consequences of the breach
  • Measures taken or proposed to address the breach and mitigate harm

(c) The Processor shall provide reasonable assistance to the Controller in:

  • Investigating the breach
  • Notifying supervisory authorities (if required within 72 hours under GDPR Article 33)
  • Notifying affected data subjects (if required under GDPR Article 34)

(d) The Processor shall document all personal data breaches and make such documentation available to the Controller and supervisory authorities upon request.

5.6 Security Documentation

Upon reasonable request, the Processor shall provide Controller with documentation demonstrating compliance with this Section 5, which may include:

  • ISO 27001/27701 certification (when obtained)
  • SOC 2 Type II reports (from Cloudflare)
  • Security policy summaries
  • Results of security audits or penetration tests (subject to confidentiality)

[LEGAL REVIEW REQUIRED: Verify security obligations meet GDPR Article 32 requirements and industry standards]

6. Assistance with Data Subject Rights

6.1 General Assistance Obligation

The Processor shall, taking into account the nature of processing, assist the Controller by appropriate technical and organisational measures, insofar as possible, for the fulfillment of the Controller’s obligation to respond to requests for exercising data subject rights under Data Protection Laws.

6.2 Data Subject Rights Under GDPR

The Processor shall assist the Controller in responding to requests to exercise the following rights:

  • Right of access (Article 15)
  • Right to rectification (Article 16)
  • Right to erasure / “right to be forgotten” (Article 17)
  • Right to restriction of processing (Article 18)
  • Right to data portability (Article 20)
  • Right to object (Article 21)

6.3 Zero knowledge Architecture Implications

Due to Maelstrom AI’s zero knowledge architecture:

(a) Limited Data Retrieval: The Processor holds minimal personal data (IP addresses only, hashed). Most data subject access requests will yield minimal information from Processor systems.

(b) User-Controlled Credentials: Age verification credentials are designed to be stored locally in the data subject’s wallet application and are not stored on Processor servers under the standard architecture. Data subjects have direct control over credential deletion and portability.

(c) No Rectification Needed: The Processor does not store dates of birth or identity information requiring rectification. Users update credentials locally in their wallet.

6.4 Request Handling Process

(a) Redirecting Requests: If a data subject submits a request directly to the Processor, the Processor shall redirect the data subject to the Controller and inform the Controller of the request within 2 business days.

(b) Controller Requests: If the Controller forwards a data subject request to the Processor, the Processor shall:

  • Acknowledge receipt within 2 business days
  • Search Processor systems for relevant personal data
  • Provide available data to Controller within 10 business days in machine-readable format (JSON)
  • Confirm data deletion if requested

(c) IP Address Logs: For access requests, the Processor can provide hashed IP address logs associated with verification sessions within the 90-day retention period (if IP can be linked to the data subject).

(d) Erasure Requests: For deletion requests, the Processor shall:

  • Delete IP address logs associated with the data subject (if identifiable) within 5 business days
  • Confirm deletion in writing to Controller
  • Note that most data auto-deletes within 90 days regardless

6.5 No Fee for Standard Assistance

The Processor shall provide assistance with data subject rights requests at no additional charge for up to 10 requests per calendar year. Additional requests may be subject to reasonable fees based on effort required.

[LEGAL REVIEW REQUIRED: Confirm data subject rights assistance meets GDPR Article 28(3)(e) requirements]

7. International Data Transfers

7.1 Transfer Locations

Personal data may be transferred to and processed in the following locations:

  • United States (Cloudflare infrastructure)
  • European Union (Cloudflare infrastructure)
  • Australia (Processor headquarters)
  • Other locations where Cloudflare operates edge infrastructure (300+ global locations)

7.2 Transfer Mechanisms

Where personal data is transferred from the European Economic Area (EEA), United Kingdom, or Switzerland to countries not recognised as providing adequate protection:

(a) Standard Contractual Clauses: The parties shall execute the Standard Contractual Clauses (SCCs) approved by the European Commission (Decision 2021/914, Module 2: Controller-to-Processor), incorporated as Annex A to this Agreement.

(b) UK Addendum: For transfers from the United Kingdom, the parties shall execute the UK International Data Transfer Agreement (UK IDTA) or the UK Addendum to the EU SCCs, as applicable.

(c) Swiss Addendum: For transfers from Switzerland, the parties shall execute appropriate amendments to address Swiss data protection requirements.

7.3 Sub-Processor Transfers

The Processor shall ensure that Sub-Processors (Cloudflare) provide equivalent safeguards for international data transfers through:

  • Cloudflare’s Data Processing Addendum incorporating SCCs
  • ISO 27001 and SOC 2 Type II certifications
  • Supplementary security measures (encryption, pseudonymization, short retention)

7.4 Transfer Impact Assessment

The Processor has completed a Transfer Impact Assessment (TIA) for transfers to the United States via Cloudflare, concluding:

  • Risk Level. Low
  • Reasoning. Minimal personal data transferred (hashed IP addresses only), strong encryption, pseudonymisation, short retention (90 days), no government access concerns
  • Supplementary Measures. IP hashing (SHA-256), AES-256 encryption at rest, TLS 1.3 in transit

7.5 Notification of Legal Requests

If the Processor receives a legally binding request from a government authority for disclosure of personal data transferred under this Agreement, the Processor shall:

  • Notify the Controller immediately (unless prohibited by law)
  • Challenge the request if there are reasonable grounds to do so
  • Seek to redirect the request to the Controller
  • Provide minimum data necessary to comply if disclosure is legally required

7.6 Alternative Transfer Mechanisms

If SCCs are invalidated or become ineffective, the parties shall cooperate to implement alternative lawful transfer mechanisms, which may include:

  • EU-US Data Privacy Framework (if Processor certifies)
  • Binding Corporate Rules
  • Derogations under GDPR Article 49 (if applicable)
  • Localization of data processing within EEA

[LEGAL REVIEW REQUIRED: Verify transfer mechanisms comply with GDPR Chapter V and Schrems II decision]

8. Audits and Inspections

8.1 Audit Rights

The Processor shall make available to the Controller all information necessary to demonstrate compliance with this Agreement and Data Protection Laws, and allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller.

8.2 Audit Process

(a) Notice: The Controller shall provide at least 30 days’ advance written notice of any intended audit.

(b) Frequency: Audits may be conducted no more than once per calendar year, unless:

  • Required by a supervisory authority
  • Following a personal data breach
  • Based on reasonable evidence of non-compliance

(c) Scope: Audits shall be limited to:

  • Compliance with this Agreement
  • Security measures described in Section 5
  • Sub-Processor management (Section 4)
  • Processing activities relevant to Controller’s data

(d) Conduct: Audits shall be conducted:

  • During business hours (Australian Eastern Time)
  • With minimal disruption to Processor’s operations
  • Subject to Processor’s reasonable security and confidentiality requirements
  • By auditors bound by confidentiality obligations

8.3 Documentation Audits

As a less intrusive alternative to on-site audits, the Controller may request documentation audits, whereby the Processor provides:

  • ISO 27001/27701 certification reports (when available)
  • SOC 2 Type II reports (from Cloudflare)
  • Internal security audit results
  • Compliance documentation (ROPA, privacy policies, security policies)

8.4 Third-Party Certifications

The Processor shall pursue and, where held, maintain third-party security certifications and make summaries available to Controller:

  • ISO 27001:2022 certification (aligned with standard, certification planned when commercially justified)
  • ISO 27701:2019 certification (aligned with standard, certification planned when commercially justified)
  • Cloudflare SOC 2 Type II reports (annual)

8.5 Audit Costs

(a) The Controller shall bear the costs of audits, including:

  • Auditor fees
  • Controller personnel time
  • Reasonable Processor cooperation time (up to 16 hours per audit)

(b) If an audit exceeds 16 hours of Processor cooperation time, additional time may be charged at the Processor’s standard professional services rates.

(c) If an audit identifies material non-compliance by the Processor, the Processor shall bear the reasonable costs of remediation audits.

8.6 Supervisory Authority Audits

The Processor shall cooperate with and contribute to audits conducted by supervisory authorities, and shall inform the Controller of such audits upon request (unless prohibited by law).

[LEGAL REVIEW REQUIRED: Confirm audit rights meet GDPR Article 28(3)(h) requirements]

9. Liability and Indemnification

9.1 Processor Liability

(a) The Processor shall be liable for damages caused by processing where it:

  • Has not complied with obligations under Data Protection Laws specifically directed to processors
  • Has acted outside or contrary to lawful instructions of the Controller

(b) The Processor shall not be liable where it proves that it is not in any way responsible for the event giving rise to the damage.

9.2 Limitation of Liability

(a) To the maximum extent permitted by law, the Processor’s total aggregate liability under this Agreement shall not exceed the amounts paid by Controller to Processor in the 12 months preceding the claim.

(b) Nothing in this Agreement excludes, restricts, or modifies any right or remedy, or any guarantee, warranty, or other term or condition, that cannot be excluded under applicable law, including under the Australian Consumer Law (Schedule 2 to the Competition and Consumer Act 2010 (Cth)) and the Privacy Act 1988 (Cth). Subject to that, nothing in this Agreement shall limit liability for:

  • Death or personal injury caused by negligence
  • Fraud or fraudulent misrepresentation
  • Breach of confidentiality obligations
  • Indemnification obligations under Section 9.3

9.3 Indemnification

(a) Processor Indemnity: The Processor shall indemnify and hold harmless the Controller from and against any losses, damages, costs, and expenses (including reasonable legal fees) arising from:

  • Processor’s breach of this Agreement
  • Processor’s violation of Data Protection Laws
  • Claims by data subjects arising from Processor’s processing
  • Personal data breaches caused by Processor’s negligence or failure to implement security measures

(b) Controller Indemnity: The Controller shall indemnify and hold harmless the Processor from and against any losses, damages, costs, and expenses (including reasonable legal fees) arising from:

  • Controller’s unlawful instructions to Processor
  • Controller’s breach of Data Protection Laws
  • Claims that Controller’s services or content violate applicable laws
  • Controller’s failure to provide required notices to data subjects

(c) Indemnification Process: The indemnified party shall:

  • Notify the indemnifying party promptly of any claim
  • Cooperate reasonably with the indemnifying party in the defence
  • Allow the indemnifying party to control the defence (subject to indemnified party’s approval of settlements)

9.4 Regulatory Fines and Penalties

(a) If the Processor is fined or penalized by a supervisory authority due to Controller’s unlawful instructions or Controller’s breach of Data Protection Laws, the Controller shall reimburse such fines and penalties.

(b) If the Controller is fined or penalized by a supervisory authority due to Processor’s breach of this Agreement or Data Protection Laws, the Processor shall reimburse such fines and penalties, subject to the limitation of liability in Section 9.2.

9.5 Insurance

The Processor does not assert any specific insurance coverage in this Agreement. Insurance details are available on request, subject to confirmed coverage at the time of the request.

9.6 Disclaimer of Warranties

To the maximum extent permitted by law, and except as expressly set out in this Agreement, the Processor provides the Services without any warranty, express or implied, including any implied warranty of merchantability, fitness for a particular purpose, or non-infringement. Nothing in this section excludes any guarantee, warranty, or right that cannot be excluded under the Australian Consumer Law or any other applicable mandatory law.

[LEGAL REVIEW REQUIRED: Verify liability provisions comply with GDPR Article 82 and are enforceable under applicable law]

10. Term and Termination

10.1 Term

This Agreement commences on the Effective Date and continues until:

  • Termination of the Service Agreement, or
  • Earlier termination in accordance with this Section 10

10.2 Termination Rights

(a) Termination for Convenience: Either party may terminate this Agreement upon 30 days’ written notice if the Service Agreement is also terminated.

(b) Termination for Breach: Either party may terminate this Agreement immediately upon written notice if:

  • The other party materially breaches this Agreement and fails to cure within 30 days of written notice
  • The other party becomes insolvent or subject to bankruptcy proceedings
  • Continued performance would violate applicable law

(c) Termination for Sub-Processor Objection: The Controller may terminate this Agreement if the parties cannot resolve a Sub-Processor objection under Section 4.3(d).

(d) Termination by Supervisory Authority: This Agreement may be terminated if required by a supervisory authority.

10.3 Data Deletion or Return

(a) Upon termination or expiration of this Agreement, the Processor shall, at the Controller’s election:

  • Delete all personal data processed under this Agreement and existing copies, OR
  • Return all personal data to the Controller in a commonly used machine-readable format (JSON)

(b) The Controller shall notify the Processor of its election within 30 days of termination. If no election is provided, the Processor shall delete all personal data.

(c) Timeline: Data deletion or return shall be completed within 30 days of termination (or Controller’s election).

(d) Certification: The Processor shall provide written certification of deletion or return within 10 days of completion.

(e) Automatic Deletion: Due to Maelstrom AI’s automated retention policies, most personal data (IP addresses) will auto-delete within 90 days of termination regardless of Controller election.

10.4 Retention Exceptions

The Processor may retain personal data to the extent and for such period as required by applicable law, provided that:

  • The Processor ensures confidentiality of retained data
  • The Processor processes retained data only as required by law
  • The Processor deletes retained data when the legal requirement expires

10.5 Survival

The following provisions shall survive termination:

  • Section 3.2 (Confidentiality)
  • Section 5.5 (Breach Notification - for breaches discovered post-termination)
  • Section 9 (Liability and Indemnification)
  • Section 10.4 (Retention Exceptions)
  • Section 11 (General Provisions)

[LEGAL REVIEW REQUIRED: Confirm termination provisions meet GDPR Article 28(3)(g) requirements for data deletion/return]

11. General Provisions

11.1 Entire Agreement

This Agreement, together with the Service Agreement and any annexes or schedules, constitutes the entire agreement between the parties concerning personal data processing and supersedes all prior agreements, whether written or oral.

11.2 Amendment

This Agreement may be amended only by written agreement signed by both parties, except that the Processor may update:

  • Sub-Processor lists (subject to Section 4.3 notification requirements)
  • Security measures (provided they maintain or improve the level of protection)
  • Contact details and addresses

11.3 Governing Law

This Agreement shall be governed by and construed in accordance with:

  • The laws of Victoria, Australia
  • To the extent applicable, the GDPR and other Data Protection Laws

11.4 Dispute Resolution

(a) Negotiation: The parties shall attempt in good faith to resolve any dispute through negotiation between senior executives.

(b) Mediation: If negotiation fails within 30 days, the parties shall attempt mediation before an agreed mediator.

(c) Arbitration/Litigation: If mediation fails, disputes shall be resolved through:

  • Litigation in the courts of Victoria, Australia, and each party irrevocably submits to the exclusive jurisdiction of such courts

(d) Injunctive Relief: Nothing herein shall prevent either party from seeking injunctive relief in any court of competent jurisdiction.

11.5 Supervisory Authority Rights

Data subjects and supervisory authorities are third-party beneficiaries of this Agreement to the extent required by Data Protection Laws, with rights to enforce applicable provisions.

11.6 Conflict

In the event of conflict between this Agreement and the Service Agreement, this Agreement shall prevail with respect to personal data processing.

11.7 Severability

If any provision of this Agreement is held invalid or unenforceable, the remaining provisions shall remain in full force and effect, and the invalid provision shall be replaced with a valid provision that most closely approximates the intent of the original.

11.8 Waiver

No waiver of any provision of this Agreement shall be effective unless in writing and signed by the waiving party. No waiver shall constitute a continuing waiver.

11.9 Assignment

Neither party may assign this Agreement without the prior written consent of the other party, except that either party may assign to a successor in connection with a merger, acquisition, or sale of all or substantially all of its assets, provided the assignee agrees to be bound by this Agreement.

11.10 Notices

All notices under this Agreement shall be in writing and delivered to:

Controller: [Controller Name] [Address] Email: [Email]

Processor: Maelstrom AI Pty Ltd ATF Maelstrom AI Holding Trust (ABN 61 633 823 792) PO Box 169, St Arnaud VIC 3478, Australia Email: privacy@maelstrom.au

11.11 Counterparts

This Agreement may be executed in counterparts, each of which shall be deemed an original and all of which together shall constitute one and the same instrument.

12. Annexes

Annex A: Standard Contractual Clauses (EU Commission Decision 2021/914, Module 2) - See separate document: /trust/legal/dpa-sccs-addendum.md

Annex B: Technical and Organisational Security Measures (Detailed) - Incorporated by reference to Section 5

Annex C: Sub-Processor List - Available at https://provii.app/legal/sub-processors

Signatures

CONTROLLER:

By: __________________________ Name: Title: Date:

PROCESSOR: Maelstrom AI Pty Ltd ATF Maelstrom AI Holding Trust (trading as Provii)

By: __________________________ Name: Title: Chief Technology Officer Date:

Document Information

Document Title: Data Processing Agreement (Standard) Version: 1.0 Draft Status: Pending Legal Review Date: 2026-02-13 Classification: Legal Template Owner: ISMS Owner Next Review: Upon legal counsel review

DISCLAIMER: This is a draft template requiring review by qualified legal counsel before use. It is provided for informational purposes only and does not constitute legal advice. Maelstrom AI recommends that both parties consult with legal counsel before executing this Agreement.

Gap Closure: This document addresses GAP-M007 (Medium severity, High business impact) - “No DPA templates exist for B2B customers”. The identified requirements have been addressed, subject to legal counsel review before execution.

Compliance Mapping (identified requirements addressed, pending legal review):

  • GDPR Article 28 (Processor obligations)
  • GDPR Article 32 (Security of processing)
  • GDPR Article 33 (Breach notification)
  • GDPR Article 46 (International transfers)
  • ISO 27701:2019 (A.7.4.8 - Contracts with processors)

END OF DOCUMENT