Data Processing Agreement (DPA)

Effective Date: May 5, 2025

This Data Processing Agreement (“Agreement”) is entered into by and between:

Mazala Global, LLC
(“Company,” “Mazala,” or “Data Controller”)

and any Service Provider, Vendor, Subcontractor, or Client (“Data Processor”) that receives or processes personal information on behalf of Mazala or its business units: Mazala Energy, Mazala Logistics, and Mazala Insurance.

1. Purpose of this Agreement

This Agreement governs the processing of personal information in connection with services provided by the Data Processor on behalf of Mazala and ensures compliance with applicable U.S. laws, including the California Consumer Privacy Act (CCPA/CPRA)Gramm-Leach-Bliley Act (GLBA) for insurance, and general data protection standards.

2. Definitions

  • Personal Information: Any data that identifies, relates to, describes, or could reasonably be linked to an individual or business contact (e.g., name, contact details, utility usage, shipment details, insurance application data).
  • Data Controller: Mazala Global, LLC and its DBAs, determining the purposes and means of data processing.
  • Data Processor: A vendor, partner, or contractor processing personal data on behalf of Mazala.
  • Processing: Any operation performed on personal data, whether by automated means or not (e.g., collection, storage, use, transfer, deletion).

3. Roles and Obligations

a. Mazala’s Responsibilities (Data Controller):

  • Provide personal data only as necessary for contracted services.
  • Ensure a lawful basis for data processing under applicable law.
  • Respond to individual rights requests, such as access, correction, or deletion.

b. Data Processor’s Responsibilities:

  • Process personal information only on documented instructions from Mazala.
  • Implement appropriate technical and organizational measures to protect data.
  • Refrain from selling or sharing personal information or using it for any other purpose.
  • Ensure that personnel with access to data are trained and bound by confidentiality.
  • Cooperate with audits and provide information necessary to demonstrate compliance.

4. Subprocessors

Data Processor shall not engage any third-party subprocessor without prior written authorization from Mazala. Any approved subprocessor must be subject to similar data protection obligations under a written contract.

5. Security Measures

The Data Processor shall implement and maintain administrative, technical, and physical safeguards, including but not limited to:

  • Encryption of data in transit and at rest
  • Access controls and multi-factor authentication
  • Regular vulnerability assessments and system updates
  • Secure data storage and secure disposal protocols

6. Data Breach Notification

In the event of a data breach involving personal information processed on behalf of Mazala, the Data Processor must:

  • Notify Mazala without undue delay (and no later than 72 hours)
  • Provide full details of the breach, including scope, risk assessment, and corrective actions
  • Cooperate fully with Mazala’s mitigation and notification efforts to regulators or affected parties

7. Data Subject Requests

If the Data Processor receives a request (e.g., access, deletion, opt-out) from a consumer or business user regarding their personal data, it must:

  • Notify Mazala within 5 business days
  • Not respond directly unless authorized in writing
  • Assist Mazala in fulfilling its obligations under privacy laws

8. Retention and Deletion

Upon termination of the business relationship or service contract, the Data Processor shall:

  • Return or securely delete all personal information, unless required to retain it under applicable law
  • Certify the destruction or de-identification of all data upon Mazala’s written request

9. International Data Transfers

The Data Processor must not transfer personal data outside the United States unless:

  • Specifically authorized in writing
  • Appropriate safeguards are in place (e.g., standard contractual clauses or similar frameworks)

10. Liability and Indemnification

The Data Processor shall indemnify Mazala against any claims, fines, or damages resulting from its breach of this Agreement or applicable privacy laws, including unauthorized disclosures, failures to secure data, or unlawful processing.

11. Term and Termination

This Agreement shall remain in effect for the duration of the service relationship. Either party may terminate with 30 days’ written notice. Upon termination, all personal data must be returned or destroyed in accordance with Section 8.

12. Governing Law

This Agreement shall be governed by and construed in accordance with the laws of the State of Delaware, without regard to conflict of law principles. Any disputes shall be resolved in Delaware courts.

13. Contact Information

For all privacy and compliance matters:

Mazala Global, LLC
Email: compliance@mazala.io

Scroll to Top