
Data Processing Agreement

Last updated: 1 April 2026

This Data Processing Agreement ("DPA") forms part of and is incorporated into the Terms of Service between Maturo Ltd ("Processor") and you ("Controller"). It applies when Maturo processes personal data on your behalf in the course of providing the Service.

1. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person, as defined in UK GDPR / EU GDPR.
  • "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, and deletion.
  • "Controller" means you, the customer who determines the purposes and means of Processing.
  • "Processor" means Maturo Ltd, which Processes Personal Data on behalf of the Controller.
  • "Sub-processor" means a third party engaged by the Processor to assist in Processing Personal Data. See our Subprocessor List.
  • "Data Subject" means the individual whose Personal Data is Processed.
  • "Supervisory Authority" means the UK Information Commissioner's Office (ICO) or the relevant EU data protection authority.

2. Scope & Roles

When you use Maturo to build and host applications, we process two categories of data:

  • Platform data — your account information, project configuration, and usage data. Maturo acts as the Controller for this data, governed by our Privacy Policy.
  • Customer application data — personal data of your end users stored in the database and services we provision on your behalf. Maturo acts as the Processor for this data, governed by this DPA.

3. Processing Details

  Subject matter:      Provision and management of cloud-hosted web applications
  Duration:            For the term of the agreement plus any retention period required by law
  Nature & purpose:    Infrastructure provisioning, code generation, database hosting, authentication, payment processing, email delivery, analytics, and support ticketing
  Categories of data:  End-user account data (names, emails, roles), authentication records, payment information, application-specific data as determined by the Controller
  Data subjects:       End users of the Controller's application

4. Processor Obligations

Maturo shall:

  • Process Personal Data only on documented instructions from the Controller, unless required to do so by applicable law
  • Ensure that persons authorised to process Personal Data are bound by confidentiality obligations
  • Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:
    • AES-256 encryption of stored credentials and API keys
    • TLS encryption for all data in transit
    • Role-based access control with audit logging
    • Regular security patching and dependency monitoring
    • Network-level isolation of customer databases
  • Not engage a sub-processor without prior written authorisation from the Controller (see Section 6)
  • Assist the Controller in fulfilling its obligations regarding Data Subject rights (access, rectification, erasure, portability, restriction, objection)
  • Assist the Controller in ensuring compliance with obligations relating to security, breach notification, impact assessments, and prior consultation
  • At the choice of the Controller, delete or return all Personal Data upon termination of the agreement, and delete existing copies unless retention is required by law
  • Make available all information necessary to demonstrate compliance and allow for audits

5. Data Breach Notification

In the event of a Personal Data breach, Maturo shall:

  • Notify the Controller without undue delay, and in any case within 72 hours of becoming aware of the breach
  • Provide sufficient information to enable the Controller to meet its own notification obligations to the Supervisory Authority and affected Data Subjects
  • Cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the breach

Breach notifications will be sent to the email address associated with the Controller's Maturo account.

6. Sub-processors

The Controller authorises the engagement of the sub-processors listed on our Subprocessor List. Maturo shall:

  • Notify the Controller at least 30 days before adding or replacing a sub-processor
  • Impose data protection obligations on each sub-processor that are no less protective than those in this DPA
  • Remain fully liable to the Controller for the performance of each sub-processor's obligations

If the Controller objects to a new sub-processor within 30 days of notification, the Controller may terminate the affected service without penalty.

7. International Data Transfers

Where Personal Data is transferred outside the UK or EEA, Maturo shall ensure appropriate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission and/or the UK ICO
  • Adequacy decisions where applicable
  • Supplementary measures as recommended by the EDPB where necessary

The Controller may choose an Azure region within the EU (e.g. West Europe) to keep application data within the EEA. Platform data may be processed in the US by sub-processors listed on the Subprocessor List.

8. Data Subject Rights

Maturo shall assist the Controller in responding to requests from Data Subjects exercising their rights under the GDPR. This includes:

  • Providing tools to export end-user data from the provisioned database
  • Providing tools to delete end-user data (project teardown deletes all application data and infrastructure)
  • Cooperating with reasonable requests for data access, rectification, or restriction

9. Audit Rights

The Controller has the right to audit Maturo's compliance with this DPA, subject to:

  • Reasonable prior written notice (at least 30 days)
  • Audits being conducted during normal business hours
  • The Controller bearing the costs of the audit
  • Confidentiality obligations regarding any proprietary information disclosed during the audit

Maturo may satisfy audit requests by providing relevant third-party certifications, audit reports, or other documentation demonstrating compliance.

10. Data Retention & Deletion

Upon termination or expiry of the agreement:

  • Maturo will delete all Customer Application Data within 30 days, unless the Controller requests a return of data
  • Project teardown removes: Azure resources (database, hosting, storage), Auth0 organisation, GitHub repository, Stripe connected account, and all related database records
  • Backup retention follows the configured Azure PostgreSQL policy (default: 7-day point-in-time recovery)
  • Logs are retained for 30 days in Azure Monitor and 90 days in Sentry, after which they are automatically purged

11. Liability

Each party's liability under this DPA is subject to the limitations set out in the Terms of Service.

12. Governing Law

This DPA is governed by the laws of England and Wales. Any disputes shall be subject to the exclusive jurisdiction of the courts of England and Wales.

13. Contact

For questions about this DPA or to exercise your rights, contact privacy@maturo.ai.

© 2026 Maturo Ltd. All rights reserved.