DATA PROCESSING AGREEMENT (DPA)
Effective Date: May 5, 2025
This Data Processing Agreement (“Agreement”) is entered into by and between:
Mazala Group, represented by:
- Mazala Global, LLC (a Delaware limited liability company, USA), and
- Mazala Limited (a private company limited by shares, incorporated in Hong Kong SAR)
(collectively referred to as “Mazala,” “Company,” or “Data Controller”),
and any Service Provider, Vendor, Subcontractor, or Client (“Data Processor”) that receives or processes personal information on behalf of Mazala or its operational divisions:
- Mazala Energy (energy brokerage)
- Mazala Logistics (freight and logistics brokerage)
- Mazala Insurance & Bonds (commercial insurance and surety bond services)
- Mazala Travel (tourism services and bookings)
- Mazala Cloud (domain registration, hosting, SSL, DNS, and digital infrastructure)
1. PURPOSE OF THIS AGREEMENT
This Agreement governs how personal data is processed and handled to ensure compliance with applicable global and regional data protection laws, including but not limited to:
- California Consumer Privacy Act (CCPA/CPRA)
- Gramm-Leach-Bliley Act (GLBA)
- Applicable U.S. state-level privacy and insurance/energy laws
- Hong Kong Personal Data (Privacy) Ordinance (PDPO)
- EU GDPR (for cross-border integrations with registrars or cloud partners)
2. DEFINITIONS
- Personal Information: Any data that identifies or could reasonably be linked to an individual or entity (e.g., contact details, billing records, utility usage, shipment info, WHOIS data, travel records, or account activity).
- Data Controller: Mazala Group, which determines the purposes and means of personal data processing.
- Data Processor: Any third party acting on behalf of Mazala to process personal information.
- Processing: Includes collection, storage, access, transmission, usage, modification, or deletion of personal data.
3. ROLES AND OBLIGATIONS
A. MAZALA (DATA CONTROLLER) SHALL:
- Provide personal data only where necessary and lawful
- Maintain a legal basis for processing, including consumer consent where applicable
- Handle and respond to data subject requests, legal inquiries, and regulatory notices
B. DATA PROCESSOR SHALL:
- Process personal data only on written instruction from Mazala
- Maintain confidentiality and appropriate security measures
- Avoid resale, repurposing, or disclosure of data without express authorization
- Ensure all personnel handling data are trained and authorized
- Support audits, due diligence, and compliance verification
4. SUBPROCESSORS
The Data Processor may only engage subprocessors with prior written consent from Mazala. All subprocessors must sign legally binding agreements that impose data protection obligations equivalent to this Agreement.
5. SECURITY MEASURES
The Data Processor agrees to apply technical and organizational measures such as:
- TLS/SSL encryption during data transmission
- Encryption of data at rest where applicable
- Firewalls, intrusion detection, access controls, and MFA
- Timely updates and patching of vulnerabilities
- Secure destruction of storage devices and documents
6. DATA BREACH NOTIFICATION
In the event of a confirmed or suspected data breach, the Data Processor must:
- Notify Mazala within 72 hours
- Share incident details, scope, affected records, and remediation steps
- Cooperate fully with investigations, compliance filings, and user notifications
7. DATA SUBJECT RIGHTS
If a Data Processor receives any data subject request (e.g., access, deletion, opt-out), it must:
- Notify Mazala within 5 business days
- Take no direct action unless authorized in writing
- Assist in fulfilling requests as required by applicable law
8. RETENTION AND DELETION
Upon termination of the business relationship:
- All personal data must be either returned to Mazala or securely deleted
- Any retained data (e.g., per domain registry, energy/bonding regulation) must be justified under applicable retention laws
- A deletion confirmation may be required in writing
9. INTERNATIONAL DATA TRANSFERS
Cross-border transfers of personal data (especially involving domain registries, cloud/CDN providers, or third-party logistics) are prohibited unless:
- Explicit written approval is obtained from Mazala
- Transfers comply with Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs), or local legal transfer frameworks (e.g., HK PDPO, EU GDPR, U.S. adequacy mechanisms)
10. LIABILITY AND INDEMNIFICATION
The Data Processor agrees to:
- Accept responsibility for any breach of this Agreement or relevant laws
- Indemnify Mazala for any damages, fines, or liabilities caused by unauthorized disclosure, breach, negligence, or non-compliance
11. TERM AND TERMINATION
- This Agreement remains in force for the full duration of the business relationship
- Either party may terminate with 30 days’ written notice
- Sections 8 (Retention and Deletion) and 10 (Indemnification) shall survive termination
12. GOVERNING LAW
This Agreement shall be governed by:
- The laws of the State of Delaware, USA, for matters related to Mazala Global, LLC
- The laws of Hong Kong SAR, for matters related to Mazala Limited
Jurisdiction shall align with the contracting party and relevant data controller entity.
13. CONTACT INFORMATION
For questions, data access requests, or compliance matters:
Mazala Group
📧 Email: compliance@mazalagroup.com