DATA PROCESSING AGREEMENT (DPA)
Effective Date: May 5, 2025
This Data Processing Agreement (“Agreement”) is entered into by and between:
Mazala Global, LLC
(“Mazala,” “Company,” or “Data Controller”)
and any Service Provider, Vendor, Subcontractor, or Client (“Data Processor”) that receives or processes personal information on behalf of Mazala or its U.S.-based operational divisions:
- Mazala Energy – Licensed energy brokerage
- Mazala Logistics – Licensed freight brokerage
- Mazala Insurance – Insurance and surety bond brokerage
1. PURPOSE OF THIS AGREEMENT
This Agreement governs the lawful and secure processing of personal data under relevant U.S. privacy and cybersecurity laws, including but not limited to:
- California Consumer Privacy Act (CCPA/CPRA)
- Gramm-Leach-Bliley Act (GLBA)
- State-level energy and insurance privacy regulations
- Applicable cybersecurity compliance frameworks
2. DEFINITIONS
Personal Information – Any data that identifies or can be reasonably linked to a specific person or business, including contact details, quote data, billing records, or policy submissions.
Data Controller – Mazala Global, LLC and its business divisions, which determine the purpose and method of processing personal data.
Data Processor – Any entity or individual who processes personal information on Mazala’s behalf.
Processing – Any action involving personal data, including collection, access, storage, sharing, transmission, or deletion.
3. ROLES AND OBLIGATIONS
A. Mazala’s Responsibilities (Data Controller):
- Provide personal data solely for specified, lawful purposes
- Maintain a lawful basis for all data collection and sharing
- Respond to regulatory or consumer data rights requests
- Limit data sharing to only what is necessary for the intended service
B. Data Processor’s Responsibilities:
- Process personal data only under written instruction from Mazala
- Maintain strict confidentiality and prevent unauthorized use or disclosure
- Train all personnel involved in handling personal data
- Cooperate with Mazala on audits, compliance reviews, and incident response
4. SUBPROCESSORS
The Data Processor must not engage any subprocessor without prior written approval from Mazala. All approved subprocessors must be contractually bound to the same data protection obligations as outlined herein.
5. SECURITY MEASURES
The Data Processor shall implement robust security protocols including, at a minimum:
- Encryption in transit and at rest using SSL/TLS or equivalent
- Access controls, firewalls, and multi-factor authentication
- Routine vulnerability assessments and software updates
- Secure disposal of data and devices at end-of-life
6. DATA BREACH NOTIFICATION
If a security breach involving Mazala data occurs:
- The Data Processor must notify Mazala within 72 hours
- The notification must include scope, type of data affected, and remediation steps
- Full cooperation is required for internal investigation and legal reporting obligations
7. DATA SUBJECT REQUESTS
If a consumer or third party contacts the Data Processor regarding their data:
- Notify Mazala within 5 business days
- Do not respond directly unless explicitly authorized
- Support Mazala’s compliance efforts related to access, correction, or deletion
8. DATA RETENTION AND DELETION
Upon termination of services or upon request:
- All personal data must be returned or securely deleted
- Exceptions apply only where legally mandated (e.g., insurance policy retention)
- Written confirmation of deletion must be provided upon request
9. INTERNATIONAL DATA TRANSFERS
No international data transfers are permitted unless:
- Mazala provides prior written consent, and
- Transfers are secured through legal safeguards such as Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs), or other approved mechanisms
10. LIABILITY AND INDEMNIFICATION
The Data Processor shall:
- Be fully liable for any violations of this Agreement or applicable laws
- Indemnify Mazala for any breach-related costs, regulatory fines, or claims arising from data mishandling, unauthorized disclosure, or non-compliance
11. TERM AND TERMINATION
- This Agreement remains in effect throughout the duration of the business relationship
- Termination requires 30 days’ written notice from either party
- Sections 8 (Retention & Deletion) and 10 (Liability & Indemnification) survive termination
12. GOVERNING LAW
This Agreement is governed by the laws of the State of Delaware, U.S.A. Any disputes shall be subject to the exclusive jurisdiction of Delaware state or federal courts.
13. CONTACT INFORMATION
For any questions, compliance concerns, or notifications under this Agreement, contact:
Mazala Global, LLC
📧 Email: compliance@mazala.io