Data Processing Agreement (DPA)
Effective Date: May 5, 2025
This Data Processing Agreement (“Agreement”) is entered into by and between:
Mazala Global, LLC
(“Company,” “Mazala,” or “Data Controller”)
and any Service Provider, Vendor, Subcontractor, or Client (“Data Processor”) that receives or processes personal information on behalf of Mazala or its business divisions, including but not limited to: Mazala Energy, Mazala Logistics, and Mazala Insurance (which includes bonding services).
1. Purpose of this Agreement
This Agreement governs the processing of personal information by the Data Processor in connection with services performed on behalf of Mazala. It is designed to ensure compliance with all applicable U.S. data privacy laws, including:
- The California Consumer Privacy Act (CCPA/CPRA)
- The Gramm-Leach-Bliley Act (GLBA) for financial and insurance services
- General industry standards and best practices related to data security and consumer rights
2. Definitions
- Personal Information: Any data that identifies, relates to, describes, or could reasonably be linked to a specific individual or business contact (e.g., name, contact information, energy usage, shipment details, insurance or bonding applications).
- Data Controller: Mazala Global, LLC and its DBAs, which determine the purposes and means of processing personal data.
- Data Processor: Any vendor, service provider, or contractor that processes personal data on behalf of Mazala.
- Processing: Any operation performed on personal data, including but not limited to collection, storage, transmission, access, analysis, and deletion.
3. Roles and Obligations
a. Mazala’s Responsibilities (Data Controller):
- Provide personal data only to the extent necessary for contracted services
- Ensure that data processing has a lawful basis under applicable laws
- Respond to privacy-related rights requests (e.g., access, deletion, correction)
b. Data Processor’s Responsibilities:
- Process personal information only on documented instructions from Mazala
- Maintain appropriate technical and organizational safeguards
- Not sell, share, or use the data for any purpose other than contracted services
- Ensure that personnel with access to personal data are trained and bound by confidentiality
- Cooperate with audits or information requests as needed to demonstrate compliance
4. Subprocessors
The Data Processor may not engage any third-party subprocessors without prior written approval from Mazala. Any approved subprocessors must be contractually bound to data protection terms that are at least as protective as this Agreement.
5. Security Measures
The Data Processor shall implement and maintain safeguards that include:
- Encryption of personal data in transit and at rest
- Secure user access controls and multi-factor authentication
- Regular updates, patching, and vulnerability assessments
- Physical and digital security of data storage and transmission systems
- Secure disposal of data and hardware in accordance with industry standards
6. Data Breach Notification
In the event of a security incident or data breach, the Data Processor must:
- Notify Mazala without undue delay, and in any case within 72 hours of discovery
- Provide details on the nature, scope, and mitigation steps of the breach
- Fully cooperate with Mazala in responding to the breach, including communications with regulators and affected individuals
7. Data Subject Requests
If the Data Processor receives a request from an individual or business user (e.g., request for deletion, access, or correction of personal data), it must:
- Notify Mazala within 5 business days
- Not respond directly without Mazala’s written consent
- Assist Mazala in fulfilling its obligations under CCPA/CPRA, GLBA, or other applicable laws
8. Retention and Deletion
Upon contract termination or service completion:
- The Data Processor shall return or securely delete all personal information unless required to retain it by law
- Upon request, the Data Processor shall provide written certification of deletion or de-identification of all retained data
9. International Data Transfers
The Data Processor shall not transfer personal information outside of the United States unless:
- Explicitly authorized in writing by Mazala
- Adequate legal safeguards (e.g., Standard Contractual Clauses) are in place
10. Liability and Indemnification
The Data Processor shall:
- Be fully liable for any unauthorized disclosure, data misuse, or regulatory noncompliance
- Indemnify and hold harmless Mazala Global, LLC for any damages, fines, or liabilities resulting from breach of this Agreement or applicable privacy laws
11. Term and Termination
This Agreement remains in effect throughout the duration of the service relationship between the parties. Either party may terminate this Agreement with 30 days’ written notice. Upon termination, all provisions related to data retention, security, and liability shall survive as required.
12. Governing Law
This Agreement shall be governed by and construed in accordance with the laws of the State of Delaware, U.S.A., without regard to conflict of law rules. Any disputes arising under this Agreement shall be resolved in the courts of Delaware.
13. Contact Information
For questions, complaints, or data protection inquiries, please contact:
Mazala Global, LLC
Email: compliance@mazala-insurance.com