Data Processing Agreement
Last updated: April 7, 2026
1. Introduction & Scope
This Data Processing Agreement ("DPA") forms an integral part of the Terms of Service (the "Agreement") between Maazi ("Processor", "we", "us"), and the customer entity that has agreed to the Terms of Service ("Controller", "you", "your").
This DPA applies to all personal data that the Processor processes on behalf of the Controller in connection with the provision of the Maazi hiring platform (the "Service"). It sets out the parties' obligations regarding data protection in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and the UK GDPR as retained in UK law.
This DPA becomes effective when the Controller begins using the Service and remains in effect for the duration of the Agreement. By using the Service, the Controller confirms acceptance of this DPA.
2. Definitions
In this DPA, the following terms have the meanings set out below. Where not defined here, terms have the meaning given to them in the GDPR or the Agreement.
- Personal Data means any information relating to an identified or identifiable natural person, as defined in Article 4(1) of the GDPR.
- Processing means any operation or set of operations performed on personal data, whether or not by automated means, including collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction, as defined in Article 4(2) of the GDPR.
- Data Subject means the identified or identifiable natural person to whom the personal data relates, as defined in Article 4(1) of the GDPR.
- Controller means the natural or legal person that determines the purposes and means of the processing of personal data, as defined in Article 4(7) of the GDPR. In this DPA, the Controller is the customer entity.
- Processor means the natural or legal person that processes personal data on behalf of the Controller, as defined in Article 4(8) of the GDPR. In this DPA, the Processor is Maazi Ltd.
- Subprocessor means any third party engaged by the Processor to process personal data on behalf of the Controller.
- Data Breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed, as defined in Article 4(12) of the GDPR.
3. Roles & Responsibilities
The Controller determines the purposes and means of processing personal data. The Controller is responsible for ensuring that it has a lawful basis for providing personal data to the Processor, and for maintaining compliance with applicable data protection laws in relation to its own processing activities.
The Processor shall process personal data only on documented instructions from the Controller, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by applicable law. In such a case, the Processor shall inform the Controller of that legal requirement before processing, unless the law prohibits such information on important grounds of public interest.
The Processor shall immediately inform the Controller if, in the Processor's opinion, an instruction from the Controller infringes the GDPR, the UK GDPR, or any other applicable data protection provisions.
4. Data Processing Details
The following table summarises the nature, purpose, and scope of the data processing carried out by the Processor on behalf of the Controller.
| Purpose of Processing | Providing the Maazi hiring platform service, including candidate screening, AI-assisted scoring and summaries, interview scheduling, email notifications, and collaboration tools for the Controller's hiring team. |
| Categories of Data Subjects | Candidates (job applicants who apply to the Controller's roles) and Users (hiring managers, team members, and collaborators invited by the Controller). |
| Types of Personal Data | Candidates: name, email address, LinkedIn URL, resume/CV, screening responses (text, video, code, and file submissions), AI-generated scores and summaries, interview scheduling data, and consent records. Users: name, email address, and company affiliation. |
| Duration of Processing | For the term of the Agreement plus the data retention period of 6 months after role closure or filling, unless the Controller requests earlier deletion or applicable law requires longer retention. |
5. Processor Obligations
The Processor shall:
- Process personal data only on documented instructions from the Controller, as set out in this DPA and the Agreement, unless required to do so by applicable law.
- Ensure that all personnel authorised to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- Implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as described in Section 6.
- Assist the Controller, taking into account the nature of the processing, by appropriate technical and organisational measures, insofar as this is possible, in fulfilling the Controller's obligation to respond to requests for exercising the data subject's rights under Chapter III of the GDPR.
- Assist the Controller in ensuring compliance with the obligations under Articles 32 to 36 of the GDPR, taking into account the nature of processing and the information available to the Processor. This includes assistance with Data Protection Impact Assessments (DPIAs) where required.
- At the choice of the Controller, delete or return all personal data to the Controller after the end of the provision of the Service, and delete existing copies unless applicable law requires storage of the personal data.
- Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.
6. Security Measures
The Processor implements and maintains the following technical and organisational security measures to protect personal data against unauthorised or unlawful processing and against accidental loss, destruction, or damage:
- Encryption in transit: All data transmitted between clients and servers is encrypted using TLS 1.2 or higher.
- Encryption at rest: All stored data, including database records and uploaded files, is encrypted at rest using AES-256 or equivalent encryption provided by the infrastructure provider.
- Authentication: User authentication is managed through Clerk, an industry-standard authentication provider, with support for multi-factor authentication and secure session management.
- Database security: Database access is managed via connection pooling with no persistent connections (NullPool configuration), reducing the attack surface for database-level exploits.
- Role-based access control: Users are granted access to data and functionality based on their assigned roles within their organisation. Team members can only access roles and candidates within their own company.
- API rate limiting: API endpoints are protected by rate limiting to prevent abuse and brute-force attacks.
- Candidate access via cryptographic tokens: Candidates access their screening journeys and interviews via unique, cryptographically generated tokens rather than account credentials, limiting the scope of data exposure.
- Dependency management: Dependencies are regularly updated to address known security vulnerabilities.
- Error monitoring: Application errors are monitored in real time via Sentry, enabling rapid detection and response to potential security incidents. Sentry is configured to exclude personally identifiable information from error reports.
- Infrastructure: The backend is hosted on Render and the frontend on Vercel, both of which are SOC 2 compliant providers with their own rigorous security programmes.
- File storage: Uploaded files (resumes, video recordings, and other candidate submissions) are stored in Supabase Storage. Access to stored files is controlled via signed URLs with time-limited validity, preventing unauthorised access.
7. Subprocessors
The Controller grants the Processor general written authorisation to engage subprocessors to carry out specific processing activities on behalf of the Controller. The Processor currently uses the following subprocessors:
| Subprocessor | Purpose | Location |
|---|---|---|
| Anthropic | AI scoring, journey generation, chat | US |
| Supabase | Database, file storage | US |
| Clerk | Authentication | US |
| Paddle | Billing and payments | UK |
| Resend | Transactional email | US |
| Deepgram | Video transcription | US |
| Vercel | Frontend hosting | US / EU |
| Render | Backend hosting | US |
| Sentry | Error monitoring | US |
| Upstash | Redis job queue | US |
The Processor shall notify the Controller of any intended changes concerning the addition or replacement of subprocessors, giving the Controller at least 30 days' prior written notice. The Controller may object to the appointment or replacement of a subprocessor within 14 days of receiving notice. If the Controller's objection cannot be reasonably resolved, the Controller may terminate the Agreement with respect to the Service.
The Processor shall ensure that each subprocessor is bound by data protection obligations no less onerous than those set out in this DPA. The Processor remains fully liable to the Controller for the performance of each subprocessor's obligations.
8. Data Subject Rights
The Processor shall assist the Controller in responding to requests from data subjects exercising their rights under the GDPR, including:
- Right of access (Article 15)
- Right to rectification (Article 16)
- Right to erasure (Article 17)
- Right to restriction of processing (Article 18)
- Right to data portability (Article 20)
- Right to object (Article 21)
If the Processor receives a request directly from a data subject relating to the Controller's data, the Processor shall promptly notify the Controller and shall not respond to the request unless instructed to do so by the Controller or required to do so by applicable law.
9. Data Breach Notification
The Processor shall notify the Controller without undue delay, and in any event within 72 hours, after becoming aware of a personal data breach affecting the Controller's data.
The notification shall include, to the extent reasonably available:
- A description of the nature of the breach, including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned.
- The name and contact details of the Processor's data protection contact point from which further information can be obtained.
- A description of the likely consequences of the breach.
- A description of the measures taken or proposed to be taken by the Processor to address the breach, including, where appropriate, measures to mitigate its possible adverse effects.
The Processor shall cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the breach.
10. International Data Transfers
Personal data may be processed in the United States and the European Union. Where the Processor or its subprocessors transfer personal data outside the European Economic Area (EEA) or the United Kingdom, the Processor shall ensure that appropriate safeguards are in place in accordance with Chapter V of the GDPR.
For transfers to countries that have not received an adequacy decision from the European Commission, the Processor relies on Standard Contractual Clauses (SCCs) as adopted by the European Commission (Commission Implementing Decision (EU) 2021/914) and, for UK transfers, the International Data Transfer Agreement or UK Addendum to the EU SCCs as approved by the UK Information Commissioner's Office.
Where required, the Processor shall implement supplementary measures to ensure that the level of protection afforded to personal data is not undermined by the transfer.
11. Audit Rights
The Controller, or a third-party auditor appointed by the Controller, may audit the Processor's compliance with this DPA. The Controller shall provide the Processor with at least 30 days' written notice of any audit.
The Processor shall cooperate with the audit and provide reasonable access to relevant records, systems, and facilities. Audits shall be conducted during normal business hours and carried out in a manner that minimises disruption to the Processor's operations.
The Controller shall bear the cost of any audit, unless the audit reveals material non-compliance by the Processor with this DPA, in which case the Processor shall bear the reasonable costs of the audit.
12. Data Return & Deletion
Upon termination of the Agreement, the Processor shall, at the Controller's written instruction, either delete or return all personal data processed on behalf of the Controller within 30 days. The Controller may request a data export in a commonly used, machine-readable format before termination.
The Processor may retain personal data to the extent required by applicable law, provided that the Processor ensures the confidentiality of such data and processes it only for the purposes required by law.
Any personal data held in backup systems shall be deleted within 90 days of termination of the Agreement. The Processor shall certify the deletion of personal data in writing upon the Controller's request.
13. Term & Termination
This DPA shall remain in effect for the duration of the Agreement. The provisions of this DPA that by their nature should survive termination (including, without limitation, obligations regarding data protection, confidentiality, data return, and deletion) shall survive the termination or expiry of the Agreement.
This DPA shall automatically terminate when all personal data processed under it has been deleted or returned to the Controller in accordance with Section 12.
14. Governing Law
This DPA shall be governed by and construed in accordance with the laws of England and Wales, without regard to its conflict of law provisions. The courts of England and Wales shall have exclusive jurisdiction over any disputes arising out of or in connection with this DPA.
For Controllers established in the European Union, the GDPR applies as the overriding data protection framework. In the event of any conflict between this DPA and the GDPR, the GDPR shall prevail.
15. Contact
For questions about this Data Processing Agreement or to exercise any rights or obligations described herein, please contact our Data Protection team:
Email: hello@maazi.io