Data Processing Addendum

This Data Processing Addendum (“DPA”) forms part of and is incorporated into the Agreement between Maven AGI Inc. (“Vendor”) and any company using their products (“Customer”) (together, the “Parties”). This DPA sets forth Customer’s instructions for the processing of Personal Data in connection with the Services and the rights and obligations of both Parties. Except as expressly set forth in this DPA, the Agreement shall remain unmodified and in full force and effect. In the event of any conflicts between this DPA and the Agreement, this DPA will govern to the extent of the conflict.

1. Definitions. For the purposes of this DPA, the following terms shall have the meanings set out below. Capitalized terms used but not defined in this DPA shall have the meanings given in the Agreement. All other terms in this DPA not otherwise defined in the Agreement shall have the corresponding meanings given to them in Privacy Laws.

Controller to Processor Clauses” means (a) in respect of transfers of Personal Data subject to the GDPR, the standard contractual clauses for the transfer of Personal Data to third countries set out in Commission Decision 2021/914 of 4 June 2021, specifically including Module 2 (Controller to Processor) (“EU SCCs”); and (b) in respect of transfers of Personal Data subject to the UK GDPR, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (version B.1.0) issued by the UK Information Commissioner (“UK Addendum”), in each case as amended, updated or replaced from time to time. 

EU/UK Privacy Laws” means: (a) the General Data Protection Regulation 2016/679 (the “GDPR”); (b) the Privacy and Electronic Communications Directive 2002/58/EC; (c) the UK Data Protection Act 2018, the UK General Data Protection Regulation as defined by the UK Data Protection Act 2018 as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (together with the UK Data Protection Act 2018, the “UK GDPR”), and the Privacy and Electronic Communications Regulations 2003; and (d) any relevant law, directive, order, rule, regulation or other binding instrument which implements any of the above, in each case, as applicable and in force from time to time, and as amended, consolidated, re-enacted or replaced from time to time. 

Personal Data” means any information Vendor processes on behalf of Customer to provide the Services that is defined as “personal data” or “personal information” under any Privacy Law.

Privacy Laws” means, as applicable, EU/UK Privacy Laws, US Privacy Laws and any similar law of any other jurisdiction which relates to data protection, privacy or the use of Personal Data, in each case, as applicable and in force from time to time, and as amended, consolidated, re-enacted or replaced from time to time. 

Processor to Processor Clauses” means (a) in respect of transfers of Personal Data subject to the GDPR, the standard contractual clauses for the transfer of personal data to third countries set out in Commission Decision 2021/914 of 4 June 2021, specifically including Module 3 (Processor to Processor); and (b) in respect of transfers of Personal Data subject to the UK GDPR, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (version B.1.0) issued by the UK Information Commissioner, in each case as amended, updated or replaced from time to time.

Third Country” means any country or territory outside of the scope of the data protection laws of the European Economic Area or the UK, as relevant, excluding countries or territories approved as providing adequate protection for Personal Data by the relevant competent authority from time to time. 

US Privacy Laws” means, as applicable, the California Consumer Privacy Act, as amended by the California Privacy Rights Act, and any similar law of any other state which relates to data protection, privacy or the use of Personal Data.

2. Amendments. The Parties agree to negotiate in good faith modifications to this DPA if changes are required for Vendor to continue to process the Personal Data as contemplated by the Agreement or this DPA in compliance with Privacy Laws, or to address the legal interpretation of the Privacy Laws.

3. Roles of the Parties. The Parties acknowledge that for purposes of Privacy Laws, Customer is the “service recipient,” “controller,” “business,” or any similar term provided under Privacy Laws, and Vendor is the “service provider,” “processor,” “contractor,” or any similar term provided under Privacy Laws. 

4. Details of Processing. The Parties agree that the details of processing are as described in Annex 1.

5. Customer Obligations. Customer shall comply with all Privacy Laws in providing Personal Data to Vendor in connection with the Services. Customer represents and warrants that: (a) the Privacy Laws applicable to Customer do not prevent Vendor from fulfilling the instructions received from Customer and performing Vendor’s obligations under this DPA; (b) all Personal Data was collected and at all times processed and maintained by or on behalf of Customer in compliance with all Privacy Laws, including with respect to any obligations to provide notice to and/or obtain consent from individuals; and (c) Customer has a lawful basis for disclosing the Personal Data to Vendor and enabling Vendor to process the Personal Data as set out in this DPA. Customer shall notify Vendor without undue delay if Customer makes a determination that the processing of Personal Data under the Agreement does not or will not comply with Privacy Laws, in which case, Vendor shall not be required to continue processing such Personal Data. 

6. Processing of Personal Data.

a. Vendor shall only process Personal Data (i) on behalf of Customer for the limited and specific purpose of performing the Services as further described in Annex 1, and in accordance with and for the purposes set out in the documented instructions from Customer from time to time, and (ii) at all times in compliance with Privacy Laws and the terms of the Agreement, unless required to process such Personal Data by applicable law to which Vendor is subject; 

b. Vendor shall notify Customer without undue delay if it makes a determination that it can no longer meet its obligations under applicable Privacy Laws or cannot comply with any instruction from Customer with respect to the use of Personal Data;

c. to the extent required by Privacy Laws, and upon reasonable written notice that Customer reasonably believes Vendor is using Personal Data in violation of Privacy Laws or this DPA, Vendor shall grant Customer the right to take reasonable and appropriate steps to help ensure that Vendor uses the Personal Data in a manner consistent with Customer’s obligations under Privacy Laws, and stop and remediate any unauthorized use of the Personal Data; and

d. Vendor shall require that each employee or other person processing Personal Data is subject to an appropriate duty of confidentiality with respect to such Personal Data in accordance with the provisions of this Agreement.

7. Prohibitions. To the extent required by applicable Privacy Laws, Vendor is prohibited from:

a. selling the Personal Data; 

b. sharing the Personal Data for cross-context behavioral advertising purposes; 

c. retaining, using, or disclosing the Personal Data for any purpose other than for the specific purpose of performing the Services; 

d. retaining, using, or disclosing the Personal Data outside of the direct business relationship between Vendor and Customer; and 

e. combining the Personal Data received from, or on behalf of, Customer with any Personal Data that may be collected from Vendor’s separate interactions with the individual(s) to whom the Personal Data relates or from any other sources, except to perform a business purpose or as otherwise permitted by Privacy Laws.

8. Use of Subcontractors. To the extent Vendor engages any subcontractors to process Personal Data on its behalf:

a. Customer hereby grants Vendor general written authorization to engage the subcontractors set out in Annex 2, subject to the requirements of this Section 8.

b. If Vendor appoints a new subcontractor or intends to make any changes concerning the addition or replacement of any subcontractor, it shall provide Customer with 20 business days’ prior written notice by posting updates [here], during which Customer can object to the appointment or replacement on reasonable and documented grounds related to the confidentiality or security of Personal Data or the subcontractor’s compliance with Privacy  Laws (and if Customer does not so object, Vendor may proceed with the appointment or replacement).

c. Vendor shall engage subcontractors only pursuant to a written agreement that contains obligations on the subcontractor which are no less onerous on the relevant subcontractor than the obligations on Vendor under this DPA.

9. Assistance. To the extent required by Privacy Laws, and taking into account the nature of the processing, Vendor shall, in relation to the processing of Personal Data and to enable Customer to comply with its obligations which arise as a result thereof, provide reasonable assistance to Customer, through appropriate technical and organizational measures, in

a. responding to requests from individuals pursuant to their rights under Privacy Laws, including by providing, deleting or correcting the relevant Personal Data, or by enabling Customer to do the same, insofar as this is possible; 

b. implementing reasonable security procedures and practices appropriate to the nature of the Personal Data to protect the Personal Data from unauthorized or illegal access, destruction, use, modification, or disclosure; 

c. notifying relevant competent authorities and/or affected individuals of Personal Data breaches;

d. conducting data protection impact assessments and, if required, prior consultation with relevant competent authorities; and 

e. entering into this DPA.

10. Security Measures. Vendor shall, taking into account the state-of-the-art, the costs of implementation and the nature, scope, context and purpose of the processing, implement, and ensure that its authorized personnel comply with, appropriate technical and organizational measures designed to provide a level of security appropriate to the risk, as set out in Annex 3, or otherwise agreed and documented between Customer and Vendor from time to time. To the extent required by Privacy Laws, Vendor shall without undue delay notify Customer in writing of any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data, with further information about the breach provided in phases as more details become available.

11. Access and Audits. Upon reasonable request of Customer, Vendor shall make available to Customer such information in its possession as is reasonably necessary to demonstrate Vendor’s compliance with its obligations under this DPA, and allow for and contribute to audits, including inspections, conducted by Customer or another auditor mandated by Customer and reasonably accepted by Vendor. Customer shall be permitted to conduct such an assessment no more than once every 12 months, upon 30 days’ advance written notice to Vendor, and only after the Parties come to agreement on the scope of the audit and the auditor is bound by a duty of confidentiality. As an alternative to an audit performed by or at the direction of Customer, to the extent permitted by Privacy Laws, Vendor may arrange for a qualified and independent auditor to conduct, at Vendor’s expense, an assessment of Vendor’s policies and technical and organizational measures in support of its obligations under Privacy Laws using an appropriate and accepted control standard or framework and assessment procedure for such assessment, and will provide a report of such assessment to Customer upon reasonable request. Notwithstanding the foregoing, in no event shall Vendor be required to give Customer access to information, facilities or systems to the extent doing so would cause Vendor to be in violation of confidentiality obligations owed to other customers or its legal obligations.

12. Deletion of Personal Data.  At Customer’s written direction, Vendor shall delete or return all Personal Data to Customer as requested at the end of the provision of the Services, unless retention of the Personal Data is required by law. 

13. Data Transfers. To the extent Vendor processes Personal Data subject to EU/UK Privacy Laws in a Third Country, and it is acting as data importer, Vendor shall comply with the data importer’s obligations and Customer shall comply with the data exporter’s obligations set out in the Controller to Processor Clauses, which are hereby incorporated into and form part of this DPA, and:

a. for the purposes of Annex I or Part 1 (as relevant) of such Controller to Processor Clauses, Customer is a controller and Vendor is a processor, and the parties, contact person’s details and processing details set out in the Agreement, this DPA and Annex 1 shall apply and the Start Date is the effective date of the Agreement, and the signature(s) (in any form) given in connection with the execution of this Agreement by a party and the dates of such signature(s) shall apply as the dated signature required from that party;

b. if applicable, for the purposes of Part 1 of the UK Addendum, the relevant Addendum EU SCCs (as such term is defined in the UK Addendum) are the EU SCCs as incorporated into this DPA by virtue of this Section 13;

c. for the purposes of Annex II or Part 1 (as relevant) of such Controller to Processor Clauses, the technical and organizational security measures, and the technical and organizational measures taken by Vendor to assist Customer, as each are set out in Annex 3, shall apply; and 

d. if applicable, for the purposes of Annex III or Part 1 (as relevant) of such Controller to Processor Clauses, the list of authorized sub-contractors set out in Schedule 4 (Authorized Sub-contractors) shall apply; and

e. if applicable, for the purposes of: (i) Clause 9, Option 2 (“General written authorization”) is deemed to be selected and the notice period specified in Section 8 shall apply; (ii) Clause 11(a), the optional wording in relation to independent dispute resolution is deemed to be omitted; (iii) Clause 13 and Annex I.C, the competent supervisory authority shall be [ ⬤ ]; (iv) Clauses 17 and 18, Option 1 is deemed to be selected and the governing law and the competent courts shall be The Republic of Ireland[ ⬤ ]; (vi) Part 1, Vendor as importer may terminate the UK Addendum pursuant to Section 19 of such UK Addendum.

Customer acknowledges and agrees that Vendor may appoint an affiliate or third-party subcontractor to process the Personal Data in a Third Country, in which case, Vendor shall execute the Processor to Processor Clauses with any relevant subcontractor (including affiliates) it appoints on behalf of Customer.

ANNEX 1

Details of Processing

Nature of the processing

  • Access, use, disclosure, storage, deletion and/ or other processing of Personal Data by Vendor in connection with providing Vendor’s software application product to Customer as set out in the Agreement.  

Purpose(s) of the processing

  • Providing the services by Vendor to Customer as set out in the Agreement

Categories of individuals whose Personal Data is processed

  • Customer personnel, including employees, agents, consultants, and independent contractors

Categories of Personal Data processed

  • Customer and employee contact data – ID, name, email
  • Device data – Internet Protocol (IP) address, browser technology 
  • Log data - contains device data and usage patterns

Types of Personal Data subject to the processing that are considered “sensitive” or “special category” under Privacy Laws

Customer, and/or its personnel shall not provide any sensitive or special category data under this Agreement

Frequency (e.g. one-off or continuous) and duration of the processing

Relevant Personal Data is processed on a continuous basis, for the duration of the term of the Agreement and any post-termination retention period as set out in the Agreement

The subject matter, nature and duration of processing carried out by any sub-processors authorized pursuant to Section 8 

As set out in this Annex 1 and in Annex 2

ANNEX 2

Authorized Sub-Processors

Name of Sub-Processor
Type of Service
Location of Processing Activity
Azure
Cloud Service Provider
USA
Auth0
Identity and SSO
USA
Amplitude
Product Usage Data
USA

ANNEX 3

Security Measures

Maven | Data, Privacy, and Security

At Maven, we prioritize enterprise-grade security as an essential component of our mission to provide exceptional service to our clients. We are committed to safeguarding the privacy, security, and integrity of user data throughout our platform.

 Sensitive Data

Sensitive Data refers to any information that can be used to identify an individual, either directly or indirectly, by combining it with other relevant data. Examples of Sensitive Data include social tax identifiers, credit card numbers, debit card numbers, banking details, passport numbers, drivers license numbers, ip addresses and phone numbers.

 To protect our users' privacy, Maven implements the following measures:

  1. Sensitive Data Scrubbing at Point of Ingestion: Maven diligently scrubs all Sensitive Data during the creation of the Knowledge Graph and prior to sending any information to external APIs, such as Azure. This process ensures that users' sensitive information remains secure and is not inadvertently disclosed to third parties.
  2. No External Model Training: Maven does not use user data for the purpose of training, retraining, or improving the Foundation models or APIs utilized within our platform. This policy ensures that our users' private information remains secure and is not exploited for purposes beyond the scope of the services we provide.
  3. Data Retention and Deletion: Maven adheres to strict data retention policies, ensuring that users' personal data is stored only for as long as necessary to fulfill the purposes for which it was collected. Upon request or when data is no longer required, we promptly delete it from our systems in accordance with legal and regulatory requirements.
  4. Continuous Monitoring and Improvement: Maven continuously monitors its data privacy and security policies, implementing improvements and updates as needed to ensure the highest level of protection for our users' data. We strive to stay at the forefront of industry best practices and evolving legal requirements to maintain the trust and confidence of our clients.

 By implementing these measures, Maven is dedicated to upholding the highest standards of data privacy and security, enabling our users to benefit from our services with