Key Terms
The key legal terms of the DPA are as follows:
Agreement
Reference to sales contract will be set when sending agreement
Approved Subprocessors
https://www.teammaven.io/sub-processors
Provider will store and process Customer Personal Data within the EU/EEA. Any transfers outside the EU/EEA will only occur subject to a valid GDPR transfer mechanism (such as Standard Contractual Clauses).
Provider Security Contact
jp@teammaven.io
Security Policy
Provider will use commercially reasonable efforts to secure the Service from unauthorized access, alteration, or use and other unlawful tampering.
Other Changes to the DPA Standard Terms
Section 7.2(b) of the DPA Standard Terms is amended to read as follows:
“Provider will give Customer the certification of deletion of Personal Data described in Clause 8.1(d) and Clause 8.5 of the EEA SCCs if Customer asks for one.”
Restricted Transfers & Governing Member State
EEA Transfers: Netherlands
UK Transfers: England and Wales
Data Exporter
Name: the Customer
Activities relevant to transfer: See Annex 1(B)
Role: Controller
Data Importer
Name: the Provider
Contact person: JP Olivier, Founder
Address: Boompjes 44, 3011 XB Rotterdam, South Holland, NLD
Activities relevant to transfer: See Annex 1(B)
Role: Processor
Annex I(B) Description of Transfer and Processing Activities
Service
Provision of cloud services for employee recognition, performance reviews and goal setting.
Categories of Data Subjects
Customer's employees
Categories of Personal Data
Name
Contact information such as email, phone number, or address
Employment information such as employee ID or compensation
Professional or biographic information such as resume or CV
Location information
Special Category Data
Is special category data (as defined in Article 9 of the GDPR) Processed?
No
Frequency of Transfer
Continuous
Nature and Purpose of Processing
Receiving data, including collection, accessing, retrieval, recording, and data entry
Holding data, including storage, organization, and structuring
Using data, including analysis, consultation, testing, automated decision making, and profiling
Updating data, including correcting, adaptation, alteration, alignment, and combination
Protecting data, including restricting, encrypting, and security testing
Sharing data, including disclosure, dissemination, allowing access, or otherwise making available
Returning data to the data exporter or data subject
Erasing data, including destruction and deletion
Duration of Processing
Provider will process Customer Personal Data as long as required (i) to conduct the Processing activities instructed in Section 2.2(a)-(d) of the Standard Terms; or (ii) by Applicable Laws.
Annex I(C)
Competent Supervisory Authority
The supervisory authority will be the supervisory authority of the data exporter, as determined in accordance with Clause 13 of the EEA SCCs or the relevant provision of the UK Addendum.
Annex II
Technical and Organizational Security Measures
Pseudonymization and encryption of personal data: TeamMaven encrypts all customer data in transit using TLS 1.3 and encrypts data at rest using Transparent Data Encryption (TDE) via Azure SQL Database with AES-256. Passwords are securely hashed and salted. Data is logically separated per customer using organisation IDs, ensuring strong internal boundaries between tenant data.
Ensuring ongoing confidentiality, integrity, availability, and resilience of processing systems and services: The platform is built on Microsoft Azure’s EU data centres, which provide robust infrastructure-level security and scalability. Access to production systems is limited to authorised personnel. All key platform components are monitored using Azure’s built-in services and logging tools. MFA is available for administrator access, and role-based permissions are used within the application to prevent unauthorised actions.
Ability to restore the availability of and access to the Customer Personal Data in a timely manner following a physical or technical incident: Azure SQL Database performs automated backups of the TeamMaven database. Differential backups run every 12 hours, and point-in-time restore (PITR) is available for up to 35 days. These backups enable timely recovery in the event of a service interruption or data incident.
Regular testing, assessment, and evaluation of the effectiveness of technical and organizational measures used to secure Processing: TeamMaven continuously monitors platform health and error reporting using Azure services and internal alerts. Key workflows and security-relevant changes are thoroughly tested during deployments, and vulnerabilities are promptly addressed as they are identified. While not formally certified, the system is built using modern security standards.
User identification and authorization process and protection: Users authenticate via email and password with Multi-Factor Authentication (MFA) supported across the platform. Passwords are stored as salted hashes. Internal access is restricted by role, and actions are tracked using CreatedBy and ModifiedBy metadata on all core records.
Protecting Customer Personal Data during transmission (in transit): All data is transmitted over secure connections using TLS 1.3. This applies to both user-facing interfaces and internal API communications. Older protocols are disabled to ensure strong encryption standards are enforced.
Protecting Customer Personal Data during storage (at rest): Data is stored in Azure SQL Database with Transparent Data Encryption (TDE) enabled, using AES-256 encryption. Access to stored data is restricted and monitored.
Events logging: Core database entities store CreatedBy and ModifiedBy fields to track changes made to records. Additionally, system errors are logged and routed to internal alerting tools for real-time review and response.
Systems configuration, including default configuration: The platform is hosted using default secure configurations provided by Microsoft Azure, including TDE, secure TLS versions, and network-level access controls. All application-side configurations are reviewed to avoid exposing sensitive defaults.
Ensuring limited data retention: Data is retained for only as long as required by the customer or for operational purposes. Upon request, customer data can be fully deleted or exported. Backups are held for 35 days and automatically purged thereafter.
Ensuring accountability: Access to production systems is limited to authorised personnel. Internal actions are tracked at the entity level, and subprocessors are carefully selected and documented publicly. Customers have full transparency into data handling.
Allowing data portability and erasure: Customers may request the export or deletion of their data at any time. Exports are provided in accessible formats (e.g. CSV, PDF), and deletions are handled within a reasonable timeframe, including removal from backups after the retention window.
1. Processor and Subprocessor Relationships
1.1 Provider as Processor. In situations where Customer is a Controller of the Customer Personal Data, Provider will be deemed a Processor that is Processing Personal Data on behalf of Customer.
1.2 Provider as Subprocessor. In situations where Customer is a Processor of the Customer Personal Data, Provider will be deemed a Subprocessor of the Customer Personal Data.
2. Processing
2.1 Processing Details. Annex I(B) on the Cover Page describes the subject matter, nature, purpose, and duration of this Processing, as well as the Categories of Personal Data collected and Categories of Data Subjects.
2.2 Processing Instructions. Customer instructs Provider to Process Customer Personal Data: (a) to provide and maintain the Service; (b) as may be further specified through Customer’s use of the Service; (c) as documented in the Agreement; and (d) as documented in any other written instructions given by Customer and acknowledged by Provider about Processing Customer Personal Data under this DPA. Provider will abide by these instructions unless prohibited from doing so by Applicable Laws. Provider will immediately inform Customer if it is unable to follow the Processing instructions. Customer has given and will only give instructions that comply with Applicable Laws.
2.3 Processing by Provider. Provider will only Process Customer Personal Data in accordance with this DPA, including the details in the Cover Page. If Provider updates the Service to update existing or include new products, features, or functionality, Provider may change the Categories of Data Subjects, Categories of Personal Data, Special Category Data, Special Category Data Restrictions or Safeguards, Frequency of Transfer, Nature and Purpose of Processing, and Duration of Processing as needed to reflect the updates by notifying Customer of the updates and changes.
2.4 Customer Processing. Where Customer is a Processor and Provider is a Subprocessor, Customer will comply with all Applicable Laws that apply to Customer’s Processing of Customer Personal Data. Customer’s agreement with its Controller will similarly require Customer to comply with all Applicable Laws that apply to Customer as a Processor. In addition, Customer will comply with the Subprocessor requirements in Customer’s agreement with its Controller.
2.5 Consent to Processing. Customer has complied with and will continue to comply with all Applicable Data Protection Laws concerning its provision of Customer Personal Data to Provider and/or the Service, including making all disclosures, obtaining all consents, providing adequate choice, and implementing relevant safeguards required under Applicable Data Protection Laws.
2.6 Subprocessors.
(a) Provider will not provide, transfer, or hand over any Customer Personal Data to a Subprocessor unless Customer has approved the Subprocessor. The current list of Approved Subprocessors includes the identities of the Subprocessors, their country of location, and their anticipated Processing tasks. Provider will inform Customer at least 10 business days in advance and in writing of any intended changes to the Approved Subprocessors, whether by addition or replacement of a Subprocessor, which allows Customer to have enough time to object to the changes before the Provider begins using the new Subprocessor(s). Provider will give Customer the information necessary to allow Customer to exercise its right to object to the change to Approved Subprocessors. Customer has 30 days after notice of a change to the Approved Subprocessors to object, otherwise Customer will be deemed to accept the changes. If Customer objects to the change within 30 days of notice, Customer and Provider will cooperate in good faith to resolve Customer’s objection or concern.
(b) When engaging a Subprocessor, Provider will have a written agreement with the Subprocessor that ensures the Subprocessor only accesses and uses Customer Personal Data (i) to the extent required to perform the obligations subcontracted to it, and (ii) consistent with the terms of the Agreement.
(c) If the GDPR applies to the Processing of Customer Personal Data, (i) the data protection obligations described in this DPA (as referred to in Article 28(3) of the GDPR, if applicable) are also imposed on the Subprocessor, and (ii) Provider’s agreement with the Subprocessor will incorporate these obligations, including details about how Provider and its Subprocessor will coordinate to respond to inquiries or requests about the Processing of Customer Personal Data. In addition, Provider will share, at Customer’s request, a copy of its agreements (including any amendments) with its Subprocessors. To the extent necessary to protect business secrets or other confidential information, including personal data, Provider may redact the text of its agreement with its Subprocessor prior to sharing a copy.
(d) Provider remains fully liable for all obligations subcontracted to its Subprocessors, including the acts and omissions of its Subprocessors in Processing Customer Personal Data. Provider will notify Customer of any failure by its Subprocessors to fulfill a material obligation about Customer Personal Data under the agreement between Provider and the Subprocessor.
3. Restricted Transfers
3.1 Authorization. Customer agrees that Provider may transfer Customer Personal Data outside the EEA, the United Kingdom, or other relevant geographic territory as necessary to provide the Service. If Provider transfers Customer Personal Data to a territory for which the European Commission or other relevant supervisory authority has not issued an adequacy decision, Provider will implement appropriate safeguards for the transfer of Customer Personal Data to that territory consistent with Applicable Data Protection Laws.
3.2 Ex-EEA Transfers. Customer and Provider agree that if the GDPR protects the transfer of Customer Personal Data, the transfer is from Customer from within the EEA to Provider outside of the EEA, and the transfer is not governed by an adequacy decision made by the European Commission, then by entering into this DPA, Customer and Provider are deemed to have signed the EEA SCCs and their Annexes, which are incorporated by reference. Any such transfer is made pursuant to the EEA SCCs, which are completed as follows:
(a) Module Two (Controller to Processor) of the EEA SCCs applies when Customer is a Controller and Provider is Processing Customer Personal Data for Customer as a Processor.
(b) Module Three (Processor to Sub-Processor) of the EEA SCCs applies when Customer is a Processor and Provider is Processing Customer Personal Data on behalf of Customer as a Subprocessor.
(c) For each module, the following applies (when applicable):
(i) The optional docking clause in Clause 7 does not apply;
(ii) In Clause 9, Option 2 (general written authorization) applies, and the minimum time period for prior notice of Subprocessor changes is 10 business days;
(iii) In Clause 11, the optional language does not apply;
(iv) All square brackets in Clause 13 are removed;
(v) In Clause 17 (Option 1), the EEA SCCs will be governed by the laws of the Governing Member State;
(vi) In Clause 18(b), disputes will be resolved in the courts of the Governing Member State; and
(vii) The Cover Page to this DPA contains the information required in Annex I, Annex II, and Annex III of the EEA SCCs.
3.3 Ex-UK Transfers. Customer and Provider agree that if the UK GDPR protects the transfer of Customer Personal Data, the transfer is from Customer from within the United Kingdom to Provider outside of the United Kingdom, and the transfer is not governed by an adequacy decision made by the United Kingdom Secretary of State, then by entering into this DPA, Customer and Provider are deemed to have signed the UK Addendum and its Annexes, which are incorporated by reference. Any such transfer is made pursuant to the UK Addendum, which is completed as follows:
(a) Section 3.2 of this DPA contains the information required in Table 2 of the UK Addendum.
(b) Table 4 of the UK Addendum is modified as follows: Neither party may end the UK Addendum as set out in Section 19 of the UK Addendum; to the extent the ICO issues a revised Approved Addendum under Section 18 of the UK Addendum, the parties will work in good faith to revise this DPA accordingly.
(c) The Cover Page contains the information required by Annex 1A, Annex 1B, Annex II, and Annex III of the UK Addendum.
3.4 Other International Transfers. For Personal Data transfers where Swiss law (and not the law in any EEA member state or the United Kingdom) applies to the international nature of the transfer, references to the GDPR in Clause 4 of the EEA SCCs are, to the extent legally required, amended to refer to the Swiss Federal Data Protection Act or its successor instead, and the concept of supervisory authority will include the Swiss Federal Data Protection and Information Commissioner.
4. Security Incident Response
Upon becoming aware of any Security Incident, Provider will: (a) notify Customer without undue delay when feasible, but no later than 72 hours after becoming aware of the Security Incident; (b) provide timely information about the Security Incident as it becomes known or as is reasonably requested by Customer; and (c) promptly take reasonable steps to contain and investigate the Security Incident. Provider’s notification of or response to a Security Incident as required by this DPA will not be construed as an acknowledgment by Provider of any fault or liability for the Security Incident.
5. Audit & Reports
5.1 Audit Rights. Provider will give Customer all information reasonably necessary to demonstrate its compliance with this DPA and Provider will allow for and contribute to audits, including inspections by Customer, to assess Provider’s compliance with this DPA. However, Provider may restrict access to data or information if Customer’s access to the information would negatively impact Provider’s intellectual property rights, confidentiality obligations, or other obligations under Applicable Laws. Customer acknowledges and agrees that it will only exercise its audit rights under this DPA and any audit rights granted by Applicable Data Protection Laws by instructing Provider to comply with the reporting and due diligence requirements below. Provider will maintain records of its compliance with this DPA for 3 years after the DPA ends.
5.2 Security Reports. Customer acknowledges that Provider is regularly audited against the standards defined in the Security Policy by independent third-party auditors. Upon written request, Provider will give Customer, on a confidential basis, a summary copy of its then-current Report so that Customer can verify Provider’s compliance with the standards defined in the Security Policy.
5.3 Security Due Diligence. In addition to the Report, Provider will respond to reasonable requests for information made by Customer to confirm Provider’s compliance with this DPA, including responses to information security, due diligence, and audit questionnaires, or by giving additional information about its information security program. All such requests must be in writing and made to the Provider Security Contact and may only be made once a year.
6. Coordination & Cooperation
6.1 Response to Inquiries. If Provider receives any inquiry or request from anyone else about the Processing of Customer Personal Data, Provider will notify Customer about the request and Provider will not respond to the request without Customer’s prior consent. Examples of these kinds of inquiries and requests include a judicial or administrative or regulatory agency order about Customer Personal Data where notifying Customer is not prohibited by Applicable Law, or a request from a data subject. If allowed by Applicable Law, Provider will follow Customer’s reasonable instructions about these requests, including providing status updates and other information reasonably requested by Customer. If a data subject makes a valid request under Applicable Data Protection Laws to delete or opt out of Customer’s giving of Customer Personal Data to Provider, Provider will assist Customer in fulfilling the request according to the Applicable Data Protection Law. Provider will cooperate with and provide reasonable assistance to Customer, at Customer’s expense, in any legal response or other procedural action taken by Customer in response to a third-party request about Provider’s Processing of Customer Personal Data under this DPA.
6.2 DPIAs and DTIAs. If required by Applicable Data Protection Laws, Provider will reasonably assist Customer in conducting any mandated data protection impact assessments or data transfer impact assessments and consultations with relevant data protection authorities, taking into consideration the nature of the Processing and Customer Personal Data.
7. Deletion of Customer Personal Data
7.1 Deletion by Customer. Provider will enable Customer to delete Customer Personal Data in a manner consistent with the functionality of the Services. Provider will comply with this instruction as soon as reasonably practicable except where further storage of Customer Personal Data is required by Applicable Law.
7.2 Deletion at DPA Expiration.
(a) After the DPA expires, Provider will return or delete Customer Personal Data at Customer’s instruction unless further storage of Customer Personal Data is required or authorized by Applicable Law. If return or destruction is impracticable or prohibited by Applicable Laws, Provider will make reasonable efforts to prevent additional Processing of Customer Personal Data and will continue to protect the Customer Personal Data remaining in its possession, custody, or control. For example, Applicable Laws may require Provider to continue hosting or Processing Customer Personal Data.
(b) If Customer and Provider have entered the EEA SCCs or the UK Addendum as part of this DPA, Provider will only give Customer the certification of deletion of Personal Data described in Clause 8.1(d) and Clause 8.5 of the EEA SCCs if Customer asks for one.
8. Limitation of Liability
8.1 Liability Caps and Damages Waiver. To the maximum extent permitted under Applicable Data Protection Laws, each party’s total cumulative liability to the other party arising out of or related to this DPA will be subject to the waivers, exclusions, and limitations of liability stated in the Agreement.
8.2 Related-Party Claims. Any claims made against Provider or its Affiliates arising out of or related to this DPA may only be brought by the Customer entity that is a party to the Agreement.
8.3 Exceptions. This DPA does not limit any liability to an individual about the individual’s data protection rights under Applicable Data Protection Laws. In addition, this DPA does not limit any liability between the parties for violations of the EEA SCCs or UK Addendum.
9. Conflicts Between Documents
This DPA forms part of and supplements the Agreement. If there is any inconsistency between this DPA, the Agreement, or any of their parts, the part listed earlier will control over the part listed later for that inconsistency: (1) the EEA SCCs or the UK Addendum, (2) this DPA, and then (3) the Agreement.
10. Term of Agreement
This DPA will start when Provider and Customer agree to a Cover Page for the DPA and sign or electronically accept the Agreement and will continue until the Agreement expires or is terminated. However, Provider and Customer will each remain subject to the obligations in this DPA and Applicable Data Protection Laws until Customer stops transferring Customer Personal Data to Provider and Provider stops Processing Customer Personal Data.
11. Definitions
11.1 “Applicable Laws” means the laws, rules, regulations, court orders, and other binding requirements of a relevant government authority that apply to or govern a party.
11.2 “Applicable Data Protection Laws” means the Applicable Laws that govern how the Service may process or use an individual’s personal information, personal data, personally identifiable information, or other similar term.
11.3 “Controller” will have the meaning(s) given in the Applicable Data Protection Laws for the company that determines the purpose and extent of Processing Personal Data.
11.4 “Cover Page” means a document that is signed or electronically accepted by the parties that incorporates these DPA Standard Terms and identifies Provider, Customer, and the subject matter and details of the data processing.
11.5 “Customer Personal Data” means Personal Data that Customer uploads or provides to Provider as part of the Service and that is governed by this DPA.
11.6 “DPA” means these DPA Standard Terms, the Cover Page between Provider and Customer, and the policies and documents referenced in or attached to the Cover Page.
11.7 “EEA SCCs” means the standard contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the European Council.
11.8 “European Economic Area” or “EEA” means the member states of the European Union, Norway, Iceland, and Liechtenstein.
11.9 “GDPR” means European Union Regulation 2016/679 as implemented by local law in the relevant EEA member nation.
11.10 “Personal Data” will have the meaning(s) given in the Applicable Data Protection Laws for personal information, personal data, or other similar term.
11.11 “Processing” or “Process” will have the meaning(s) given in the Applicable Data Protection Laws for any use of, or performance of a computer operation on, Personal Data, including by automatic methods.
11.12 “Processor” will have the meaning(s) given in the Applicable Data Protection Laws for the company that Processes Personal Data on behalf of the Controller.
11.13 “Report” means audit reports prepared by another company according to the standards defined in the Security Policy on behalf of Provider.
11.14 “Restricted Transfer” means (a) where the GDPR applies, a transfer of personal data from the EEA to a country outside of the EEA which is not subject to an adequacy determination by the European Commission; and (b) where the UK GDPR applies, a transfer of personal data from the United Kingdom to any other country which is not subject to adequacy regulations adopted pursuant to Section 17A of the United Kingdom Data Protection Act 2018.
11.15 “Security Incident” means a Personal Data Breach as defined in Article 4 of the GDPR.
11.16 “Service” means the product and/or services described in the Agreement.
11.17 “Special Category Data” will have the meaning given in Article 9 of the GDPR.
11.18 “Subprocessor” will have the meaning(s) given in the Applicable Data Protection Laws for a company that, with the approval and acceptance of Controller, assists the Processor in Processing Personal Data on behalf of the Controller.
11.19 “UK GDPR” means European Union Regulation 2016/679 as implemented by section 3 of the United Kingdom’s European Union (Withdrawal) Act of 2018 in the United Kingdom.
11.20 “UK Addendum” means the international data transfer addendum to the EEA SCCs issued by the Information Commissioner for Parties making Restricted Transfers under S119A(1) Data Protection Act 2018.