DATA PROCESSING ADDENDUM
ARTICLE 1. RECITALS (WHEREAS CLAUSES)
This Data Processing Addendum (“DPA”) is entered into by and between:
MauTech, a commercial brand owned and operated by Mauseth Technologies ENK, Org. No. 925392243, Solbakken 32D, 6429 Molde, Norway (“Processor”, “Service Provider”, “MauTech”),
and
The entity or individual that has executed or is bound by the MauTech Terms of Service or any related commercial agreement (“Client”, “Controller”, “Business”).
This DPA forms an integral part of, and supplements, the underlying Terms of Service, Privacy Policy, and any other agreement executed between the Parties (collectively, the “Main Agreement”).
WHEREAS, MauTech provides AI-driven automation services, conversational AI (“Axel AI”), voice AI receptionist functionality (“MauTech Voice Assistant”), CRM workflow configuration, review management systems, SMS/email automation, and related software-as-a-service (“Services”);
WHEREAS, in the performance of such Services, MauTech may process Personal Data on behalf of Client, including Personal Data belonging to Client’s customers, leads, or end-users (“End Users”);
WHEREAS, the Parties seek to ensure that such processing complies with applicable data protection and privacy laws, including but not limited to GDPR, UK GDPR, CCPA/CPRA, U.S. privacy concepts, PIPEDA, the Australian Privacy Act, and other global frameworks;
NOW, THEREFORE, the Parties agree as follows.
ARTICLE 2. PURPOSE AND SCOPE OF THIS DPA
2.1 Purpose
This DPA governs MauTech’s Processing of Personal Data on behalf of Client solely for the purpose of delivering the Services described in the Main Agreement. MauTech shall process Personal Data only as documented in this DPA, the Main Agreement, and Client’s written instructions.
2.2 Scope
This DPA applies exclusively to the Processing of Personal Data that MauTech performs as a Processor/Service Provider on behalf of Client. It does not apply to any processing in which MauTech acts as an independent Controller (such as its handling of Client billing or account data).
2.3 In the Event of Conflict
If any provision of this DPA conflicts with the Main Agreement, the terms of this DPA shall control only with respect to the Processing of Personal Data.
ARTICLE 3. DEFINITIONS
For the purposes of this DPA:
3.1 “Applicable Data Protection Laws”
Means all global privacy and data protection legislation applicable to the Processing under this DPA, including but not limited to:
EU GDPR (Regulation (EU) 2016/679)
UK GDPR and Data Protection Act 2018
California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA)
U.S. state-level privacy laws where applicable
PIPEDA (Canada)
Australian Privacy Act 1988 and Australian Privacy Principles (APPs)
LGPD (Brazil)
Any successor or implementing legislation
3.2 “Personal Data” / “Personal Information”
Means any information relating to an identified or identifiable natural person or household, including identifiers, contact details, profile data, activity logs, communications content, AI conversation data, or other data described in the Privacy Policy.
3.3 “Processing”
Means any operation or set of operations performed on Personal Data, whether or not by automated means, including: collection, recording, organization, structuring, storage, alteration, retrieval, transmission, dissemination, restriction, deletion, destruction, or any other usage.
3.4 “Controller” / “Business”
Means the entity that determines the purposes and means of the Processing of Personal Data. For purposes of this DPA, the Client is the Controller and/or Business.
3.5 “Processor” / “Service Provider”
Means the entity that Processes Personal Data on behalf of the Controller/Business. For purposes of this DPA, MauTech is the Processor and/or Service Provider.
3.6 “Sub-Processor”
Means any third party engaged by MauTech to assist in Processing Personal Data on behalf of Client, including infrastructure providers, communication vendors, AI model providers, and CRM platforms.
3.7 “Instructions”
Means the documented, lawful directions issued by Client to MauTech that specify how Personal Data shall be processed.
3.8 “Data Subject”
Means an identified or identifiable natural person to whom the Personal Data relates, including End Users, leads, or customers of the Client.
3.9 “Security Incident”
Means any actual or reasonably suspected breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.
3.10 “International Transfer”
Means any transfer of Personal Data from a jurisdiction where data protection laws restrict outbound transfers (e.g., EU/EEA, UK, certain APAC regions) to a third country such as the United States.
3.11 “CCPA Terms”
Means definitions and obligations derived from CCPA/CPRA, including “Sell,” “Share,” “Service Provider,” “Business Purpose,” and “Personal Information.”
3.12 “EU Standard Contractual Clauses (SCCs)”
Means the EU Commission-adopted clauses governing cross-border Personal Data transfers.
ARTICLE 4. RELATIONSHIP TO THE MAIN AGREEMENT
4.1 This DPA supplements the Main Agreement and is incorporated therein by reference.
4.2 All terms used but not defined in this DPA shall have the meanings assigned in the Main Agreement.
4.3 Except for provisions modified by this DPA, the Main Agreement remains in effect.
4.4 In case of conflict, this DPA controls solely regarding Personal Data processing obligations.
ARTICLE 5. ROLES OF THE PARTIES
5.1 Client as Controller / Business
Client is the entity determining the purposes and means of Processing Personal Data. Client is responsible for:
Ensuring its Processing activities comply with Applicable Data Protection Laws
Providing lawful instructions
Providing all required notices and obtaining all required consents
Ensuring that Personal Data is accurate, relevant, and up to date
Handling Data Subject requests (access, deletion, correction, etc.)
5.2 MauTech as Processor / Service Provider
MauTech:
Acts solely as a Processor under GDPR
Acts solely as a Service Provider under CCPA/CPRA
Does not determine purposes or means of Processing
Shall not “sell” or “share” Personal Information as defined under CPRA
Processes Personal Data only on documented Instructions
Shall not retain, use, or disclose Personal Data for any purpose other than providing the Services
Shall not combine Personal Data across Clients except as permitted by applicable law
5.3 Independence in Other Processing
For certain categories of data (e.g., Client account details, billing, fraud detection), MauTech may act as an independent Controller. Such processing is governed by the Privacy Policy and Main Agreement.
ARTICLE 6. GENERAL OBLIGATIONS & LAWFUL INSTRUCTIONS
6.1 MauTech shall process Personal Data exclusively in accordance with documented, lawful Instructions from Client.
6.2 Client shall not instruct MauTech to perform any Processing that violates Applicable Data Protection Laws.
6.3 MauTech shall:
- Follow only documented Client instructions
- Notify Client if instructions appear unlawful
- Not modify Personal Data except as instructed
- Not use Personal Data for training AI models unless expressly agreed in writing
6.4 Client acknowledges that MauTech relies on Client’s representations regarding the lawfulness of Processing.
ARTICLE 7. OVERVIEW OF PROCESSING
MauTech Processes Personal Data strictly for the following purposes:
- To provide AI automation, conversational agents, voice assistants, and related Services
- To deliver CRM workflows, review filtering, SMS/email automation, and appointment booking
- To support system integrity, performance, troubleshooting, analytics, and security
- To comply with legal obligations or respond to lawful requests
. As otherwise permitted by this DPA and the Main Agreement
No Personal Data is processed beyond these purposes.
ARTICLE 8. SUBJECT MATTER, NATURE, AND PURPOSE OF PROCESSING
8.1 Subject Matter
The subject matter of Processing under this DPA concerns the handling, storage, transmission, transformation, automated processing, and management of Personal Data provided or made accessible by Client or its End Users through the Services.
8.2 Nature of Processing
The Processing operations performed by MauTech include, without limitation:
- Collection and receipt of Personal Data through web forms, chat interfaces, SMS, telephony, email, API connections, and voice interactions;
- Automated decision-making, including AI-generated estimates, appointment routing, and conversational output;
- Storage, structuring, and organization of Personal Data within GoHighLevel subaccounts;
- Transmission of Personal Data to and from Sub-Processors such as Twilio, Mailgun, and OpenAI;
- Use of Personal Data for CRM workflows, review requests, lead nurturing, scheduling, and service coordination;
- Logging, monitoring, troubleshooting, and correction of system-level issues;
- Export, deletion, and retrieval of Personal Data upon Client request;
- Other Processing strictly necessary to perform the Services under the Main Agreement.
8.3 Purpose of Processing
Processing is conducted solely for the following purposes:
- To enable the functionalities of Axel AI (chat, SMS, knowledge-base responses, estimate generation);
- To enable the functionalities of MauTech Voice Assistant (inbound call reception, appointment booking, intent recognition);
- To provide CRM workflows, review management, and communication automation;
- To maintain and improve security, integrity, and performance of the Services;
- To comply with legal obligations applicable to MauTech;
- For internal administrative and billing operations relating solely to the Client;
- For no other purpose unless expressly authorized in writing by Client.
8.4 Duration of Processing
Processing continues for the duration of the Main Agreement or until Client’s instructions dictate deletion or return of Personal Data, subject to survival clauses concerning legal obligations, fraud prevention, and dispute resolution.
ARTICLE 9. CATEGORIES OF PERSONAL DATA PROCESSED
MauTech may process the following categories of Personal Data on behalf of Client. These categories reflect global privacy frameworks (GDPR Art. 4, CPRA §1798.140, and similar standards):
9.1 Identifiers
- Name
- Phone number
- Email address
- IP address
- Device identifiers
- Caller ID and telephony metadata
9.2 Contact and Profile Information
- End User contact details
- Business contact details of Client personnel
- Address (if provided)
- Customer preferences and service interests
9.3 Commercial Information
- Appointment requests
- Services booked or requested
- CRM tags
- Lead scores
- Transaction or quote history
- Product/service interest data
9.4 Internet and Device Activity
- Device and browser information
- Log files and session identifiers
- Behavioral events
- Approximate geolocation (IP-based)
- Interaction with landing pages, funnels, and chat/SMS workflows
9.5 Communications Content
- SMS message content
- AI chat logs
- Email routing metadata (via Mailgun/Twilio SendGrid equivalent)
- Voice interaction metadata
- Transcribed content (where applicable and lawful)
9.6 Sensitive Data
MauTech does not intentionally collect sensitive data as defined under GDPR Art. 9 or CPRA. If Client uploads such data, Client remains solely responsible for obtaining explicit consent and lawful basis.
9.7 Derived / Automated Data
- Lead qualification scores
- AI-generated estimates or automated responses
- Routing decisions
- System-generated metadata
ARTICLE 10. CATEGORIES OF DATA SUBJECTS
MauTech Processes Personal Data relating to:
10.1 End Users, including:
- Consumers interacting with Client’s business
- Leads submitting service inquiries
- Individuals engaging through chat, SMS, or voice AI
- Customers responding to review requests
- Website visitors using Service interfaces
10.2 Client Personnel, including:
- Authorized staff using the MauTech platform
- Administrators managing GHL subaccounts
- Representatives communicating with MauTech for support
10.3 MauTech does not knowingly collect data from minors under 13 or under applicable local age thresholds.
ARTICLE 11. DESCRIPTION OF SERVICES & PROCESSING OPERATIONS
11.1 AI Chat and SMS Automation (Axel AI)
Processing includes:
- Intent detection
- FAQ-style responses
- Parsing service requests
- Scheduling through GHL calendars
- Providing general non-binding estimates
- Logging interactions for Client review
- Routing data to CRM pipelines
11.2 Voice AI Receptionist
Processing includes:
- Call intake
- Voice-to-text processing
- AI-generated responses
- Appointment scheduling
- Metadata storage
- Call context routing
11.3 CRM, Workflow Automation, Review Management
Processing includes:
- Lead capture and organization
- Trigger-based automations
- Review request distribution and filtering
- Tagging and categorization
- Status updates and pipeline transitions
11.4 Data Storage & Infrastructure-Level Processing
Processing includes:
- Encryption
- Cross-border transmission
- Backup and redundancy
- Logging and system monitoring
11.5 Analytics & Troubleshooting
Processing includes:
- Performance metrics
- Error debugging
- Abuse detection
- QoS improvement
All Processing remains strictly limited to these functions unless modified via Client instructions.
ARTICLE 12. AUTOMATED DECISION-MAKING
12.1 MauTech performs certain automated Processing operations on behalf of Client, including:
- Generating automated responses based on prompts configured by Client
- Producing general price estimates based on Client-provided rules
- Routing leads to appropriate service categories
- Automatically booking appointments
- Segmenting or tagging leads for follow-up workflows
12.2 MauTech does not make legally binding decisions or professional determinations on behalf of Client or End Users.
12.3 Client assumes responsibility for reviewing, validating, and supervising any automated or AI-assisted Processing.
ARTICLE 13. CONFIDENTIALITY OBLIGATIONS
13.1 MauTech shall ensure that all personnel authorized to process Personal Data:
- Are bound by contractual confidentiality obligations
- Have received appropriate training
- Access Personal Data only as required to fulfill the Services
13.2 MauTech shall not disclose or permit disclosure of Personal Data to unauthorized third parties.
13.3 Client remains responsible for confidentiality obligations of its own personnel.
ARTICLE 14. TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES (TOMs)
MauTech shall implement and maintain industry-appropriate administrative, physical, and technical safeguards, including:
- Access controls and role-based authorization
- Multi-factor authentication where applicable
- Encryption in transit and at rest (where supported by Third-Party Platforms)
- Regular monitoring and logging
- Intrusion detection and anomaly monitoring
- Secure development protocols
- Vendor security evaluations
- Data minimization
- Network segmentation
- Backup and resilience mechanisms
- Disaster recovery capabilities
- Least-privilege access principles
- Secure API communication channels
- Regular review and testing of TOMs
14.2 MauTech may update TOMs from time to time to enhance security, provided security is not materially reduced.
14.3 MauTech shall maintain policies governing security, incident response, and vendor management.
ARTICLE 15. NO GUARANTEE OF ABSOLUTE SECURITY
15.1 While MauTech maintains commercially reasonable safeguards consistent with industry standards, no method of electronic storage or transmission is guaranteed to be 100% secure.
15.2 Client acknowledges and agrees:
It must independently secure its own systems, credentials, and GHL subaccounts
MauTech is not responsible for breaches caused by Client misconfiguration, credential theft, social engineering, or external compromise of Client-controlled assets
15.3 MauTech expressly disclaims all warranties, express or implied, regarding perfect or infallible security.
ARTICLE 16. APPROVED SUB-PROCESSORS
16.1 Authorization of Sub-Processors
Client hereby provides a general written authorization for MauTech to engage Sub-Processors for the purpose of fulfilling the Services. A “Sub-Processor” is any third party engaged by MauTech to process Personal Data on behalf of Client.
16.2 Current Authorized Sub-Processors
As of the Effective Date, Client expressly authorizes the engagement of the following Sub-Processors:
Core Infrastructure & CRM
- GoHighLevel (GHL) – CRM, automation, pipelines, contact management, user authentication, funnel hosting, tagging, workflow execution, appointment scheduling, and data storage.
Communication Vendors
- Twilio Inc. – SMS/MMS routing, telephony, VoIP routing, call metadata handling, and related communication infrastructure.
- Mailgun Technologies, Inc. – Email routing, metadata handling, deliverability, and related email services.
AI / LLM Providers
- OpenAI, L.L.C. – Natural language generation, classification, intent recognition, and conversational processing of End User inputs; limited submission of message snippets, tokens, or structured data as required for model execution.
Payment Processing
Stripe, Inc. – Payment processing, subscription handling, billing metadata storage, PCI-compliant transaction services.
Analytics, Tracking & Optimization
(Used if Client enables these features on funnels or hosted pages.)
- Google LLC – Analytics, performance measurement, optional tracking.
- Meta Platforms, Inc. – Optional tracking, analytics, and marketing integrations when enabled by Client.
Infrastructure Providers (as applicable)
Cloud hosting, CDN, or security vendors used by GHL, Twilio, Mailgun, or OpenAI, which may include AWS, Cloudflare, or equivalent enterprise-grade platforms.
16.3 Sub-Processor Agreements
MauTech shall:
- Execute written agreements with Sub-Processors imposing obligations no less protective than this DPA;
- Ensure Sub-Processors implement appropriate technical and organizational safeguards;
- Remain responsible for Sub-Processor performance.
16.4 Updates to Sub-Processor List
MauTech may add, replace, or remove Sub-Processors by providing reasonable notice to Client. Continued use of the Services after notice constitutes authorization.
16.5 Client Right to Object
Client may object to a new Sub-Processor only if Client reasonably demonstrates that the Sub-Processor materially increases risk to Personal Data. MauTech may, at its discretion:
- Provide an alternative means of Processing;
- Allow Client to disable impacted features; or
- Allow Client to terminate the affected portion of the Services.
No refunds are provided for Sub-Processor objections.
ARTICLE 17. INTERNATIONAL TRANSFERS
17.1 General Authorization
Client authorizes MauTech and its Sub-Processors to transfer, store, and process Personal Data in:
- The United States of America
- Norway
- Any jurisdiction where a Sub-Processor maintains operations
to the extent necessary to provide the Services.
17.2 Transfers Subject to GDPR
For transfers from the EU/EEA governed by Chapter V of GDPR:
- The Parties agree to rely on the EU Standard Contractual Clauses (SCCs), Module 2 (Controller → Processor) as a transfer mechanism.
- Where required, the UK Addendum or future UK-specific SCCs apply to UK-originating transfers.
- For Swiss-originating transfers, the Swiss-specific SCC adaptations apply.
17.3 Supplementary Measures & Transfer Impact Assessments (TIAs)
Where required, MauTech shall implement additional safeguards such as:
- Encryption in transit
- Organizational controls
- Vendor due diligence
- Data minimization practices
Client acknowledges that MauTech performs TIAs for its core Sub-Processors and maintains documentation of such assessments.
17.4 Client Responsibilities
Client acknowledges responsibility for:
- Ensuring lawful international transfer mechanisms apply to data it uploads or processes with MauTech
- Notifying End Users of international transfers via its privacy notice
17.5 Conflict Handling
In the event of a direct conflict between this DPA and SCCs/UK Addendum, the SCCs and applicable modules prevail for affected data.
ARTICLE 18. COMPLIANCE WITH DATA PROTECTION LAWS
18.1 Compliance Generally
MauTech shall comply with all Applicable Data Protection Laws in relation to its Processing of Personal Data as Processor, including GDPR, CPRA, PIPEDA, Australian APPs, and other global standards.
18.2 Compliance Assistance
MauTech shall, upon written request and to the extent reasonably required:
- Assist Client with demonstrating compliance
- Provide information necessary for security assessments
- Assist with data protection impact assessments (DPIAs)
- Assist with consultations with supervisory authorities
- Assist with CCPA/CPRA consumer rights fulfillment
18.3 Limitations of Assistance
All assistance:
- Shall not require disclosure of proprietary information
- Shall not impose disproportionate burden on MauTech
- May incur reasonable fees depending on scope
18.4 Instructions Must Be Lawful
Client warrants that all instructions issued to MauTech:
- Comply with all applicable laws
- Have a valid lawful basis under GDPR (where applicable)
- Do not require MauTech to process Special Category Data unless explicitly agreed
ARTICLE 19. DATA BREACH / SECURITY INCIDENT PROCEDURES
19.1 Notification of Security Incident
MauTech shall notify Client without undue delay after becoming aware of a Security Incident affecting Personal Data processed on behalf of Client.
19.2 Content of Notification
Such notice shall include, to the extent known:
- A description of the nature of the Security Incident
- Categories and approximate volume of affected Personal Data
- Likely consequences of the Security Incident
- Measures taken or proposed by MauTech to mitigate adverse effects
- Points of contact for further information
19.3 72-Hour GDPR Rule
Where GDPR applies, MauTech shall provide information in time for Client to meet its own supervisory authority notification obligations under Article 33.
19.4 Exclusions
Security Incidents do not include:
- Failed login attempts
- Pings, scans, or unsuccessful cyber attempts
- Incidents caused by Client’s actions, omissions, or misconfigurations
- Breaches of devices, accounts, or networks controlled by Client
19.5 Cooperation
MauTech shall:
- Cooperate in the investigation of the Security Incident
- Mitigate its effects
- Prevent recurrence
- Provide reasonable support for Client’s regulatory obligations
19.6 Liability for Data Breach
MauTech is not responsible for:
- Breaches resulting from Client systems, credentials, or devices
- Breaches caused by Client uploading unlawful or unauthorized content
- Breaches resulting from Third-Party Platforms beyond MauTech’s reasonable control
ARTICLE 20. DPIAS, AUDITS & INSPECTIONS
20.1 Data Protection Impact Assessments (DPIAs)
Upon request, MauTech shall provide Client with documentation necessary for conducting DPIAs relating to the Processing of Personal Data, provided such assistance does not:
- Require disclosure of proprietary information
- Impair security
- Create undue burden
20.2 Audit Rights
Subject to advance written notice (minimum 30 days), Client may conduct an audit once per 12-month period, limited to:
- Reviewing documentation demonstrating compliance
- Reviewing high-level security policies
- Reviewing Sub-Processor lists
MauTech may satisfy audit requirements through third-party certifications, SOC reports, or equivalent documentation.
20.3 Limitations on Audit Rights
Audits shall:
- Occur during normal business hours
- Not interrupt business operations
- Not require access to systems shared with other Clients
- Not expose proprietary code, models, or internal security mechanisms
- Be performed under confidentiality agreements
- Be conducted at Client’s expense
20.4 Refusal Right
MauTech may refuse an audit request that is:
- Excessive
- Duplicative
- Intrusive
- Poses a security risk
- Violates other clients’ confidentiality
ARTICLE 21. DATA SUBJECT RIGHTS (DSAR SUPPORT)
21.1 Assistance with Data Subject Requests
To the extent Client cannot independently access or retrieve Personal Data within the Services, MauTech shall, upon written request, provide reasonable assistance to enable Client to respond to:
- Right of access
- Right of erasure (“right to be forgotten”)
- Right of rectification
- Right of data portability
- Right to restrict processing
- Right to object (GDPR Art. 21)
- CCPA/CPRA rights to know, delete, and correct
21.2 Scope of Assistance
MauTech assists only as Processor. Client is solely responsible for:
- Verifying the identity of Data Subjects
- Evaluating the legal basis for each request
- Determining whether a request is lawful or exempt
- Communicating responses to Data Subjects
21.3 Timing
MauTech shall respond to Client’s DSAR-related assistance requests without undue delay, taking into account the nature and complexity of the request.
21.4 Limitations
MauTech shall not be required to:
- Provide access to proprietary systems or data
- Modify Client’s own misuse or unlawful data collection practices
- Provide more assistance than reasonably required under Applicable Data Protection Laws
21.5 Fees for Excessive Requests
If Client requests assistance that is:
- Excessive,
- Repetitive,
- Outside normal operational scope, or
- Requires disproportionate resources,
MauTech may charge reasonable fees.
ARTICLE 22. CCPA/CPRA SERVICE PROVIDER OBLIGATIONS
22.1 MauTech as Service Provider
For Personal Information governed by the California CCPA/CPRA, the Parties acknowledge:
- Client is the Business
- MauTech is the Service Provider
22.2 Prohibited Uses
MauTech shall not:
- Sell Personal Information
- Share Personal Information for cross-context behavioral advertising
- Retain, use, or disclose Personal Information for any purpose other than providing the Services
- Combine Client data with other Clients’ data except as permitted under CPRA §1798.140(ag)
22.3 Permitted Uses
MauTech may:
- Process Personal Information for the Business Purpose of providing Services;
- Retain and use Personal Information internally for security, debugging, or service integrity;
- Retain minimal metadata for legal compliance and fraud prevention.
22.4 Verification & Deletion Requests
MauTech shall support Client in responding to CCPA deletion, access, and correction requests, but the responsibility for verification lies exclusively with Client.
22.5 CPRA Contract Requirements
This DPA satisfies CPRA’s mandatory contractual requirements, including:
- Prohibition on selling
- Prohibition on unauthorized retention
- Prohibition on secondary use
- Requirement to comply with all applicable privacy laws
- Requirement to notify Client of subcontractor changes
ARTICLE 23. RETURN & DELETION OF DATA
23.1 Upon Termination
Upon termination of the Main Agreement, or upon Client’s written request, MauTech shall:
- Return Client Personal Data to Client in a commonly used format OR
- Delete Client Personal Data from systems under MauTech’s control
- Ensure deletion by Sub-Processors where feasible
23.2 Exclusions
The following may be retained:
- Backup archives retained for security or business continuity
- Data required to comply with legal obligations
- Data necessary to prevent fraud, abuse, or misuse
- Transaction or billing history required for accounting compliance
23.3 Timing of Deletion
Deletion shall occur within commercially reasonable timeframes, taking into account:
- Backup rotation policies
- System integrity requirements
- Operational constraints of Sub-Processors
23.4 Certification
Upon written request, MauTech shall certify that deletion has been completed, to the extent feasible.
ARTICLE 24. TERMINATION OF THIS DPA
24.1 Termination with Main Agreement
This DPA automatically terminates when the Main Agreement is terminated or expires.
24.2 Survival
The following provisions survive termination:
- Confidentiality
- Security Obligations
- International Transfers
- Sub-Processor obligations
- Data return/deletion requirements
- Liability & indemnification
- Governing law and arbitration
24.3 Effect of Termination
Upon termination, all Processing performed by MauTech on behalf of Client shall cease except to the extent required for:
- Legal obligations
- Data integrity preservation
- Fraud prevention
- Resolution of disputes
ARTICLE 25. LIABILITY AND INDEMNIFICATION
25.1 Limitation of Liability
MauTech’s liability arising from or relating to this DPA shall be subject to the limitation of liability clauses set forth in the Main Agreement and Terms of Service, including but not limited to:
- Caps on direct damages
- Exclusion of consequential or punitive damages
- Exclusion of liability for Third-Party Platform failures
25.2 Processor Liability
MauTech shall be liable only for:
- Processing activities where MauTech failed to follow lawful Client instructions
- Proven breach of MauTech’s direct obligations under this DPA
25.3 Client Indemnification
Client shall indemnify, defend, and hold MauTech harmless from all losses, claims, damages, costs, fines, or liabilities arising out of:
- Client’s unlawful Processing of Personal Data
- Client’s failure to obtain required consents
- Client’s violations of Applicable Data Protection Laws
- Instructions issued to MauTech that violate applicable law
- Client’s misuse of the Services
- Claims by Data Subjects arising from Client’s operations
25.4 Shared Liability Principle
Where liability cannot be clearly attributed between the Parties:
- Liability shall be apportioned based on degree of responsibility
MauTech shall not be liable for acts or omissions of Third-Party Platforms beyond its reasonable control
ARTICLE 26. CONFLICT & PRECEDENCE
26.1 Hierarchy of Documents
In the event of any conflict:
- SCCs / UK Addendum
- This DPA
- Terms of Service
- Main Agreement
- Privacy Policy
- Any other intra-party document
26.2 Interpretation
All terms shall be interpreted to afford maximum compliance with Applicable Data Protection Laws.
ARTICLE 27. GOVERNING LAW
27.1 Texas Law
This DPA, and any dispute arising from it, shall be governed by the laws of the State of Texas, without regard to conflicts of law principles.
27.2 No Other Jurisdiction Applies
GDPR, CPRA, and other laws apply only with respect to compliance obligations, not contract governance.
ARTICLE 28. ARBITRATION & DISPUTE RESOLUTION
28.1 Binding Arbitration
All disputes arising from or relating to this DPA shall be resolved exclusively via binding arbitration as outlined in the Main Agreement’s Arbitration Clause.
28.2 No Class Actions
Parties expressly waive:
- Class actions
- Class arbitration
- Representative or collective actions
28.3 Venue
Arbitration shall occur in Texas unless otherwise mutually agreed.
ARTICLE 29. MISCELLANEOUS PROVISIONS
29.1 No Third-Party Beneficiaries
This DPA creates no rights for any third party.
29.2 Assignment
Neither Party may assign rights under this DPA without written consent, except MauTech may assign to:
- Affiliates
- Successors
- Entities acquiring control of MauTech’s assets
29.3 Amendments
Any modification must be in writing and signed by both Parties unless otherwise permitted by Applicable Data Protection Laws.
29.4 Severability
If any provision is held invalid, the remaining provisions continue in full force.
29.5 Counterparts
This DPA may be executed electronically and in counterparts.
ARTICLE 30. CONTACT INFORMATION
For all privacy, compliance, and data protection matters, the Parties may contact:
MauTech
Operated by Mauseth Technologies ENK
Org. No: 925392243
Address: Solbakken 32D, 6429 Molde, Norway
Support Email: [email protected]
Legal Email: [email protected]
ARTICLE 31. EXECUTION
By using the Services or executing the Main Agreement, Client and MauTech agree to the terms of this Data Processing Addendum.
Electronic acceptance, continued use of the Services, or execution of any related Agreement constitutes full legal acceptance of this DPA.