Annex II — Data Processing Agreement (Customers outside EEA)

Annex II (EU)

Data Processing Agreement

For Customers established outside the European Economic Area

Last update: 05/18/2026 

This Annex II (EU) (Data Processing Agreement, the "DPA") forms part of the Software as a Service Agreement (the "SSA") between Maestra B.V. ("Provider" or "data importer") and the Customer identified in the Engagement Letter ("Customer" or "data exporter"). This DPA applies whenever Customer is established outside the European Economic Area (EEA) and the GDPR is applicable to the Processing of Personal Data through the Services by reason of the targeting or monitoring criteria set forth in Article 3 of the GDPR.

Capitalized terms not defined in this DPA have the meanings given in the SSA. Where the terms used in this DPA are defined in the GDPR, those terms shall have the same meaning as in the GDPR.

1. Incorporation of the Standard Contractual Clauses

1.1. The Parties incorporate by reference into this DPA the Standard Contractual Clauses adopted by the European Commission pursuant to Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (the "SCCs"). The SCCs as incorporated into this DPA shall be deemed executed between the Parties as of the Effective Date of the SSA. The authoritative text of the SCCs is available at:

https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj

1.2. The Parties acknowledge that the SCCs constitute appropriate safeguards within the meaning of Article 46(2)(c) of the GDPR for the transfer of Personal Data to a third country.

1.3. If there is any discrepancy between any copy of the SCCs and the authoritative text published by the European Commission, the authoritative text shall prevail.

1.4. Provider shall not modify the SCCs. The Parties may add information to the Appendix tables set forth in this DPA, and may add other clauses or additional safeguards in this DPA or in the SSA, provided that they do not contradict, directly or indirectly, the SCCs or prejudice the fundamental rights or freedoms of data subjects.

2. Module and Option Selections

The Parties select the following modules and options under the SCCs:

(a) Module: Module Two (Controller to Processor) applies. Customer acts as the controller; Provider acts as the processor.

(b) Clause 7 (Docking Clause): the optional Docking Clause does NOT apply. Additional parties may not accede to these Clauses without the written consent of both Parties.

(c) Clause 9 (Sub-processors): the Parties select Option 2 — General Written Authorisation. Provider shall give notice of any intended changes to its sub-processor list at least thirty (30) calendar days in advance; provided that, where Provider needs to add or replace a sub-processor on shorter notice due to (i) the sub-processor’s insolvency, (ii) a material security incident affecting the sub-processor, (iii) the sub-processor’s material breach of its data protection obligations, or (iv) any other circumstance requiring immediate action to protect the security or integrity of the Services or the Personal Data, Provider may make such addition or replacement on as much advance notice as is reasonably practicable (and in any event with not less than five (5) working days’ notice where reasonably possible), with prompt notice to Customer of the circumstances justifying the shortened notice period.

(d) Clause 11 (Redress): the optional independent dispute resolution language does NOT apply. The standard redress mechanisms set forth in Clause 11 apply without modification.

(e) Clause 17 (Governing Law): the Parties select the law of the Kingdom of the Netherlands as the governing law of the SCCs, consistent with Section 16.13 of the SSA.

(f) Clause 18(b) (Choice of Forum and Jurisdiction): the Parties select the competent courts of Amsterdam, the Netherlands, as the courts having jurisdiction over disputes arising from the SCCs, consistent with Section 16.13 of the SSA, and without prejudice to the data subject’s right to bring proceedings in the Member State of his or her habitual residence.

3. Future Updates to the SCCs

3.1. If the European Commission adopts a successor decision that materially amends, replaces, or repeals the SCCs, or if a competent supervisory authority issues binding guidance that materially affects the operation of the SCCs as incorporated in this DPA, the Parties shall negotiate in good faith any amendments to this DPA required to implement such successor decision or guidance.

3.2. If the Parties do not reach mutual agreement on the required amendments within sixty (60) days from the date the successor decision or guidance enters into force, either Party may terminate the SSA in respect of the Processing of Personal Data under this DPA upon thirty (30) days’ written notice to the other Party. Customer shall pay all Fees accrued through the effective date of such termination, and Provider shall refund any Fees prepaid for periods after that date on a pro rata basis.

4. Relationship to the SSA

4.1. This DPA forms part of the SSA. In the event of any conflict between this DPA and the body of the SSA on the subject matter of data protection or Personal Data Processing, this DPA (including the SCCs incorporated by reference) shall prevail in accordance with Section 16.7 of the SSA.

4.2. The limitations of liability set forth in Section 13 of the SSA shall apply to the Parties’ liability as between themselves under this DPA, to the maximum extent permitted by the SCCs and applicable Law. For the avoidance of doubt: (a) the liability of either Party to a data subject for material or non-material damages under Article 82 of the GDPR or under the SCCs is governed exclusively by the GDPR and the SCCs and cannot be limited by this Section 4.2 as between the Parties and the data subject; and (b) the SCCs themselves continue to operate as drafted notwithstanding any limitation in the SSA.

4.3. The Processing of Resultant Data is not Processing on behalf of the Customer under this DPA. Resultant Data is governed exclusively by Section 10.1 of the SSA, and Provider may retain and use Resultant Data indefinitely in accordance with that Section.

Appendix to the SCCs

The following Appendix forms part of the SCCs incorporated by reference into this DPA and completes the Annexes referred to in the SCCs.

Annex I.A — List of Parties

Data Exporter

Name: Customer, as identified in the Engagement Letter.

Address: as set forth in the Engagement Letter.

Contact person’s name, position and contact details: as set forth in the Engagement Letter.

Activities relevant to the data transferred under the SCCs: the Processing activities described in Annex I.B.

Role: controller.

Data Importer

Name: Maestra B.V.

Address: as set forth in the Engagement Letter.

Contact person’s name, position and contact details: Data Privacy Manager, dpo@maestra.io.

Activities relevant to the data transferred under the SCCs: provision of the Maestra Service, a software platform for marketing automation distributed as Software-as-a-Service, in the course of which Maestra B.V. Processes certain Personal Data as a processor on behalf of the Customer.

Role: processor.

Annex I.B — Description of the Transfer

Categories of Data Subjects

The Personal Data transferred relates to the following categories of data subjects:

  • End Customers of the Customer (natural persons receiving marketing communications from the Customer through the Services), including potential, current, and former End Customers;

  • Anonymous visitors to the Customer’s websites or applications whose browsing behavior is tracked through the Services;

  • Customer’s Authorized Users (the Customer’s employees, contractors, or agents who use the Services on the Customer’s behalf).

Categories of Personal Data

The Personal Data transferred concerns the following categories of data:

  • Identification data: Maestra ID, name, surname, login, internal ID;

  • Contact data: email address, phone number, postal address, city, region, postal index;

  • Demographic data: gender, date of birth, age;

  • Online identifiers: IP address, web ID, app ID, device UUID, browser type and version, operating system, type of device and display resolution, geolocation data (country or town);

  • Behavioural data: pages opened, buttons clicked, products viewed, product categories viewed, order history, order amount, items in shopping bag, time spent on website, history of website visits, traffic source, UTM tags, URL from which a lead was obtained, history of interaction with newsletters and products;

  • Marketing data: segment membership, subscription status (per channel), behavioral triggers, response to campaigns, message open rate, click rate, unsubscriptions, conversions, revenue attribution;

  • Loyalty programme data: loyalty card activation, bonus point accruals and redemptions, loyalty programme membership status;

  • Authentication and access data: login, password (hashed), access level, two-factor authentication settings;

  • Any other Personal Data submitted by the Customer through the Services in the form of extra fields, custom attributes, or comments.

Sensitive Data

The Parties do not intend for the Customer to transfer "sensitive data" (within the meaning of Clause 8.7 of the SCCs) through the Services. Customer shall not upload or otherwise provide to the Services any Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offences, unless the Parties have agreed in writing on additional safeguards.

Frequency of the Transfer

The Personal Data is transferred on a continuous basis throughout the Term of the SSA.

Nature of the Processing

The Processing operations include: collection, recording, organisation, structuring, storage, retrieval, consultation, analysis (including for the generation of analytics and recommendations), profiling and segmentation, use for the purpose of sending electronic marketing communications via the channels selected by the Customer (email, SMS, mobile push, web push, on-site personalisation), transmission to communication channel providers, restriction, erasure, and destruction.

Purpose of the Processing

The Personal Data is Processed for the purpose of providing the Services to the Customer in accordance with the SSA, including: creating End Customer profiles in the CDP; segmenting End Customers; building automated communication workflows; sending marketing communications across the channels selected by the Customer; generating personalised product recommendations; performing website and in-app personalisation; integrating with the Customer’s advertising tools (where elected by the Customer); managing loyalty programmes; and generating analytics and reports for the Customer.

Duration of the Processing

The Personal Data is Processed for the duration of the SSA. Following termination or expiration of the SSA, the Personal Data is deleted within thirty (30) days, plus a further period of up to six (6) months thereafter during which the data remains in backups before being removed. Resultant Data is retained by Provider indefinitely in accordance with Section 10.1 of the SSA.

Sub-processors

For the purpose of providing the Services, Provider engages the sub-processors listed in Annex III to this DPA. Provider shall give notice of any intended changes to that list in accordance with Clause 9(a) of the SCCs and Section 2(c) of this DPA.

Annex I.C — Competent Supervisory Authority

The competent supervisory authority for the data exporter, in accordance with Clause 13 of the SCCs, is determined as follows:

(a) Where the data exporter is established in an EEA Member State, the competent supervisory authority is the supervisory authority of that Member State;

(b) Where the data exporter is not established in an EEA Member State but has appointed a representative in an EEA Member State pursuant to Article 27 of the GDPR, the competent supervisory authority is the supervisory authority of the Member State in which the representative is established;

(c) Where the data exporter is not established in an EEA Member State and has not appointed an Article 27 representative, the competent supervisory authority is the Autoriteit Persoonsgegevens (the Dutch Data Protection Authority), with the following contact details:

Autoriteit Persoonsgegevens

Postbus 93374

2509 AJ DEN HAAG

Telephone: (+31) (0)70 – 888 85 00

Website: https://autoriteitpersoonsgegevens.nl/en

Annex II — Technical and Organisational Measures

The technical and organisational measures implemented by the data importer (Maestra B.V.) to ensure the security of the Personal Data, including measures to protect against a personal data breach, are described in Exhibit C (EU) (Information Security Policy) to the SSA, which is incorporated into this Annex II by reference. The measures cover, at a minimum, the following categories:

  • Access control policy and role-based access management (RBAC); differentiation of access rights; logging of administrative access; ability of the Customer to configure access masking for Maestra B.V. employees;

  • Authentication controls: two-factor authentication, protection against brute-force attacks (account lockout after 5 failed login attempts), Customer-configurable password expiration, session tokens, and signed-link authentication where applicable;

  • Network security: network segmentation, VLAN-level Access Control Lists, enterprise-grade firewalls, blocking of unused ports, external web application vulnerability scanning;

  • Encryption: data in transit is encrypted using industry-standard transport-layer protocols; data at rest is encrypted, with the encryption type configurable by the Customer in its account;

  • Data masking: Personal Data may be masked in the product interface for Maestra B.V. employees and for designated Customer employees as configured by the Customer;

  • Logging and monitoring: comprehensive audit logs of user and administrator activity; the Customer can view actions of Provider support employees in its action log; centralised security log collection;

  • Personnel security: signed non-disclosure agreements with employees and counterparties; documented onboarding and offboarding procedures; mandatory information security training; formalised list of positions authorised to Process Personal Data;

  • Physical security: CCTV at office entrances; equipment sited per manufacturer security recommendations; clean desk, clean screen, and lock screen policies;

  • Backup and recovery: daily data backups; off-site backup storage; backups of deleted data retained for six (6) months;

  • Incident management: documented information security incident log; established processes for breach notification consistent with Clause 8.6(c) of the SCCs and Articles 33 and 34 of the GDPR;

  • Audit and certification: SOC 2 Type II certification (further detailed in Exhibit C (EU)); annual information security risk analysis; annual external information security audits;

  • Data subject rights support: technical capability for the Customer to set retention periods, mask Personal Data in employee accounts, and respond to data subject requests through the Service interface.

For the avoidance of doubt, the measures described in this Annex II apply in addition to, and not in lieu of, any further measures required under the SCCs or under the GDPR.

Annex III — List of Sub-processors

The data importer engages sub-processors in connection with the Services. The sub-processors are organised into two categories: Core sub-processors, which are engaged for every Customer, and Module-specific sub-processors, which are engaged only when the Customer activates the relevant module. The Customer has the right to enable or disable each module at any time, in which case the corresponding Module-specific sub-processors will (or will cease to) be engaged accordingly.

Core sub-processors (engaged for every Customer)

Sub-processor: Amazon Web Services EMEA SARL

Location: European Economic Area (EEA).

Purpose of Processing: cloud infrastructure hosting of the Services and storage of Personal Data.

Categories of Personal Data: all categories of Personal Data Processed through the Services.

Sub-processor: Microsoft Corporation (Azure)

Location: European Economic Area (EEA).

Purpose of Processing: cloud infrastructure hosting of the Services and storage of Personal Data.

Categories of Personal Data: all categories of Personal Data Processed through the Services.

Sub-processor: Leaseweb Deutschland GmbH

Location: Germany (EEA).

Purpose of Processing: data centre and dedicated server hosting.

Categories of Personal Data: all categories of Personal Data Processed through the Services.

Sub-processor: Google LLC

Location: United States. Transfers covered by standard contractual clauses pursuant to Commission Implementing Decision (EU) 2021/914.

Purpose of Processing: mobile push notification delivery via Firebase Cloud Messaging (Android); web push notification delivery.

Categories of Personal Data: push notification tokens, sender IDs, device identifiers, content of push messages.

Sub-processor: Apple Inc.

Location: United States. Transfers covered by standard contractual clauses pursuant to Commission Implementing Decision (EU) 2021/914.

Purpose of Processing: mobile push notification delivery via Apple Push Notification Service (APNs) to iOS devices.

Categories of Personal Data: push notification tokens, content of push messages.

Module-specific sub-processors (engaged only when Customer activates the relevant module)

Sub-processor: Albato Limited

Module triggering engagement: Ad Optimization.

Location: European Economic Area (EEA). Albato hosts Personal Data with Amazon Web Services. The onward transfer from Albato to Amazon Web Services in the United States is covered by standard contractual clauses adopted by the European Commission pursuant to Commission Implementing Decision (EU) 2021/914 between Albato and Amazon Web Services. Albato is contractually required under its agreement with the data importer to maintain such Chapter V safeguards for any onward transfer of Personal Data to a third country.

Purpose of Processing: integration with the Customer’s advertising tools (e.g. Facebook Pixel) and collection of contacts from lead forms.

Categories of Personal Data: email, phone number, name, surname, gender, date of birth, region, city, postal index, segment, Customer database extracts (where elected by the Customer).

Sub-processor: Huawei Technologies Co. Ltd.

Module triggering engagement: Mobile App SDK / Huawei.

Location: People’s Republic of China. No adequacy decision under Article 45 of the GDPR. Huawei is contractually required under its agreement with the data importer to implement appropriate transfer safeguards under Chapter V of the GDPR. The Customer is responsible for providing the corresponding Article 13 / Article 14 information notices to its End Customers prior to enabling the Huawei push channel.

Purpose of Processing: mobile push notification delivery via Huawei Push Kit to Huawei devices.

Categories of Personal Data: push notification tokens, device identifiers, content of push messages.

For each sub-processor located outside the European Economic Area, the data importer maintains an appropriate transfer mechanism under Chapter V of the GDPR (in particular, standard contractual clauses or equivalent safeguards), and requires each such sub-processor to implement equivalent safeguards for any onward transfer of Personal Data to a third country.

Provider may update this Annex III from time to time in accordance with Clause 9(a) of the SCCs and Section 2(c) of this DPA. The Customer may object to any addition or replacement of a sub-processor during the applicable notice period.

— End of Annex II (EU) —