Effective Date: August 15, 2025
This Data Processing Agreement (“DPA”) forms part of the Walkmaze Inc. Terms of Service, or other written or electronic agreement (the “Agreement”) between Walkmaze Inc. (“Walkmaze”, “Provider”, or “Data Importer”) and the Customer (“Customer”, “Controller” or “Data Exporter”).
This DPA reflects the parties’ agreement on the processing of Personal Data in accordance with:
The EU General Data Protection Regulation (GDPR);
The UK Data Protection Act 2018 and UK GDPR;
The California Consumer Privacy Act (CCPA/CPRA); and
Other applicable worldwide data protection laws.
This DPA incorporates by reference Walkmaze’s Privacy Policy (available at walkmaze.com/privacy-policy) and applies where Walkmaze processes Personal Data on behalf of the Customer in connection with the Agreement.
Customer means the entity that has entered into the Agreement with Walkmaze and that determines the purposes and means of processing Personal Data (as a Controller), or processes Personal Data on behalf of a Controller (as a Processor).
Walkmaze / Provider means Walkmaze Inc., which may act as a Processor or as a Controller as described in this DPA and its Schedules.
Personal Data, Controller, Processor, Data Subject, Processing, Supervisory Authority shall have the meanings given in the GDPR.
Standard Contractual Clauses (SCCs) means the clauses adopted by the European Commission implementing Article 46(2)(c) GDPR.
International Data Transfer Agreement (IDTA) means the template issued by the UK Information Commissioner under s119A(1) of the Data Protection Act 2018.
Subprocessor means any third-party Processor engaged by Walkmaze to assist with providing the Services.
2. Purpose And Scope
2.1 Walkmaze, as Processor, shall process Personal Data on behalf of the Customer (Controller) solely for the purpose of providing services under the Walkmaze Terms & Conditions.
2.2 The types of Personal Data and categories of data subjects are described in Schedule 1.
3. Compliance With Laws
3.1 Both Parties shall comply with all applicable data protection laws, including GDPR, UK GDPR, CCPA/CPRA, and other worldwide laws.
3.2 Walkmaze shall process Personal Data only in accordance with the Customer’s documented instructions.
4. Standard Contractual Clauses (SCCs)
4.1 The Parties agree to incorporate the European Commission’s SCCs (Controller-to-Processor) as set forth in Schedules 2–3.
4.2 The SCCs shall apply to any transfers of Personal Data from the European Economic Area (EEA) to third countries.
5. Subprocessors
5.1 Walkmaze may engage Subprocessors for specific processing activities.
5.2 A current list of Subprocessors is maintained and available upon request.
5.3 Subprocessors shall be bound by equivalent obligations as this DPA.
6. Data Subject Rights
6.1 Walkmaze shall assist the Customer in responding to requests from Data Subjects under applicable laws.
6.2 Walkmaze shall promptly notify the Customer of any such requests.
7. Security Measures
7.1 Walkmaze shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.
7.2 These measures are described in Schedule 4 (TOMs).
8. Data Breach Notification
8.1 Walkmaze shall notify the Customer without undue delay in the event of a Personal Data breach.
8.2 Walkmaze shall provide sufficient information to enable compliance with notification obligations.
9. Data Retention And Deletion
9.1 Upon termination of services, Walkmaze shall delete or return all Personal Data per the Customer’s instructions.
9.2 Personal Data shall only be retained as required by law.
10. Audit Rights
10.1 Customer may audit Walkmaze’s compliance with this DPA.
10.2 Audits shall occur during business hours with reasonable notice.
11. Incorporation Of Privacy Policy
11.1 Walkmaze’s Privacy Policy, available at walkmaze.com/privacy-policy, is incorporated herein.
11.2 It sets out Walkmaze’s general data handling practices.
12.1 Transfers outside the EEA, UK, or Switzerland shall rely on:
EU SCCs (Modules 1–4 as applicable);
UK IDTA (Schedule 5);
Swiss Addendum to SCCs (if applicable). 12.2 Transfers to the United States shall comply with CCPA/CPRA and equivalent safeguards.
13. Terms and Termination
13.1 This DPA remains in effect for the term of the Agreement.
13.2 Either Party may terminate if the other materially breaches and fails to cure within 30
14. Governing Law
This DPA is governed by the laws of Delaware, USA, except as otherwise required by mandatory data protection law.
15. Liability And Indemnity
15.1 Each Party is responsible for breaches of its own obligations.
15.2 Walkmaze’s liability is limited per the Agreement.
Schedules
Schedule 1 – Description of Processing and Subprocessors
Walkmaze processes Personal Data relating to:
End users of the Customer’s applications;
Employees, contractors, or personnel of the Customer;
Any individuals whose Personal Data is submitted by the Customer.
Categories of Personal Data may include:
Contact information (names, emails, phone numbers);
Account data (usernames, billing details, login credentials);
Technical data (IP addresses, browser/device identifiers, logs);
Other data the Customer submits.
Walkmaze does not intentionally collect sensitive categories of Personal Data unless expressly agreed.
Purpose of Processing: To provide, maintain, secure, support, and improve the Walkmaze services, including hosting, routing, monitoring, customer support, fraud prevention, and compliance.
Retention: Data is retained only for the Agreement duration unless otherwise required by law.
Subprocessors: Walkmaze may engage approved Subprocessors, bound by equivalent data protection obligations. A current list is available at [insert link].
Schedule 2 – Controller-to-Controller International Transfers
Walkmaze processes Personal Data relating to:
Retention: Walkmaze retains Controller data only as long as necessary under its Privacy Policy.
EU SCCs (Module 1) apply with:
Clause 17: Dutch law applies.
Clause 18: Courts of the Netherlands.
Supervisory Authority: Dutch DPA.
Exporter = Customer, Importer = Walkmaze.
Swiss and UK Addenda apply mutatis mutandis.
Schedule 3 – Controller-to-Processor / Processor-to-Processor Transfers
Applies when Customer is Controller and Walkmaze is Processor.
EU SCCs (Module 2 or 3) apply.
Clause 9(a): 30-day Subprocessor notice.
Supervisory Authority: Member State of Customer.
Exporter = Customer, Importer = Walkmaze.
Schedule 4 – Technical and Organizational Measures (TOMs)
Walkmaze applies:
Encryption (TLS 1.2+, AES-256 at rest).
Multi-region hosting, redundancy, DR.
Role-based access, MFA, least privilege.
Logging & monitoring of security events.
SOC 2 / ISO 27001 compliance.
Physical security in data centers.
Incident response and remediation.
Schedule 5 – UK IDTA Addendum
Incorporates the UK International Data Transfer Agreement (A1.0, 21 March 2022).
Exporter = Customer (UK), Importer = Walkmaze.
References Schedules 1–4 for required “Table” information.
Prevails over EU SCCs where conflict arises for UK transfers.
Schedule 6 – U.S. Data Protection Addendum
Applies to processing of U.S. residents’ data (CCPA/CPRA and other state laws).
Exporter = “Business”, Importer = “Service Provider/Processor.”
Walkmaze shall not “sell” or “share” Personal Data.
Walkmaze shall assist with consumer rights requests.
Walkmaze shall maintain security measures consistent with NIST/ISO.
Subprocessors bound by equivalent obligations.
