Skip to main content

Data Processing Agreement

Effective date: May 2, 2026

Between: Customer (the “Controller”) and Mazurka Labs LLC, a New York limited liability company (“WaiverDrop” or the “Processor”; “WaiverDrop” is a product brand of Mazurka Labs LLC).

This Data Processing Agreement (“DPA”) supplements, and forms part of, the WaiverDrop Terms of Service or other agreement between the parties under which WaiverDrop provides the Service (“Principal Agreement”). This DPA applies to the Processing of Customer Personal Data by WaiverDrop on behalf of Customer.

In the event of any conflict between this DPA and the Principal Agreement, this DPA prevails with respect to Customer Personal Data.

1. Definitions

Terms not defined here have the meanings given in the Principal Agreement or in applicable Data Protection Laws.

  • “Customer Personal Data” means Personal Data Processed by WaiverDrop on behalf of Customer under the Principal Agreement, as described in Annex I.
  • “Data Protection Laws” means all laws and regulations applicable to the Processing of Personal Data, including the EU General Data Protection Regulation 2016/679 (“GDPR”), the UK GDPR and Data Protection Act 2018, the Swiss Federal Act on Data Protection (“FADP”), the California Consumer Privacy Act as amended by the California Privacy Rights Act (“CCPA/CPRA”), and other U.S. state privacy laws as they become applicable.
  • “Personal Data”, “Processing”, “Controller”, “Processor”, “Data Subject”, and “Supervisory Authority” have the meanings given in the GDPR. “Sell”, “Share”, “Service Provider”, and “Sensitive Personal Information” have the meanings given in the CCPA/CPRA.
  • “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data.
  • “Restricted Transfer” means a transfer of Customer Personal Data from the EEA, UK, or Switzerland to a jurisdiction not deemed adequate under applicable Data Protection Laws.
  • “SCCs” means the Standard Contractual Clauses adopted by European Commission Decision 2021/914, Module Two (controller to processor).
  • “Sub-processor” means any third party engaged by WaiverDrop to Process Customer Personal Data.
  • “UK Addendum” means the International Data Transfer Addendum to the SCCs issued by the UK Information Commissioner’s Office.

2. Scope and Roles

2.1 Roles. Customer is the Controller and WaiverDrop is the Processor of Customer Personal Data. Where Customer itself acts as a processor for another controller, the parties agree that WaiverDrop shall be a sub-processor, and Customer is responsible for obtaining any necessary authorizations from its controller.

2.2 CCPA/CPRA Status. With respect to Customer Personal Data subject to the CCPA/CPRA, WaiverDrop is a Service Provider and will Process Customer Personal Data only for the Business Purposes described in Annex I and the Principal Agreement. WaiverDrop will not:

(a) Sell or Share Customer Personal Data;
(b) retain, use, or disclose Customer Personal Data outside the direct business relationship with Customer;
(c) retain, use, or disclose Customer Personal Data for any purpose other than the Business Purpose, except as permitted by CCPA/CPRA; or
(d) combine Customer Personal Data with personal information WaiverDrop receives from or on behalf of any other person, except as permitted by CCPA/CPRA regulations.

WaiverDrop will notify Customer if it determines it can no longer meet its obligations under CCPA/CPRA.

3. Processing of Customer Personal Data

3.1 Documented Instructions. WaiverDrop will Process Customer Personal Data only on documented instructions from Customer, including with regard to Restricted Transfers. The Principal Agreement, this DPA, and Customer’s use and configuration of the Service are Customer’s documented instructions. WaiverDrop will notify Customer if, in its opinion, an instruction infringes Data Protection Laws.

3.2 Details of Processing. The subject matter, duration, nature, purpose, categories of Data Subjects, and categories of Personal Data are set out in Annex I.

3.3 Compliance with Laws. Each party will comply with its obligations under applicable Data Protection Laws.

4. Customer Obligations

4.1 Lawful Basis and Notice. Customer is responsible for establishing a lawful basis for its collection and use of Customer Personal Data, providing all legally required notices to Data Subjects, and obtaining all legally required consents.

4.2 Accuracy. Customer is responsible for the accuracy, quality, and legality of Customer Personal Data and the means by which it was acquired.

4.3 Minors. Where Customer configures Waivers for minors, Customer warrants that it will obtain any legally required parent or guardian consent and will collect the minimum Personal Data necessary.

4.4 Retention Instructions. Customer acknowledges that WaiverDrop’s default retention period for Waiver Records is described in the Principal Agreement and Section 8 of the Privacy Policy (currently up to seven (7) years following the end of the 30-day post-termination export window). Customer is responsible for determining whether this default meets Customer’s legal obligations for Waiver Records, including any extended retention required for minor Signers (where applicable statutes of limitations may toll until the minor reaches the age of majority plus the applicable limitations period) and any industry-specific record-keeping obligations. Where Customer’s legal obligations require a longer retention period than the default, Customer will either (a) export and independently retain Waiver Records, or (b) contact WaiverDrop to discuss available retention options.

5. WaiverDrop Obligations as Processor

WaiverDrop will:

(a) Process Customer Personal Data only as described in Section 3.1;
(b) ensure persons authorized to Process Customer Personal Data are bound by confidentiality obligations;
(c) implement the technical and organizational measures described in Annex II;
(d) engage Sub-processors only on the terms in Section 8;
(e) assist Customer, taking into account the nature of Processing and the information available to WaiverDrop, in fulfilling its obligations to respond to Data Subject requests, to notify Personal Data Breaches, to conduct data protection impact assessments, and to consult with Supervisory Authorities;
(f) at Customer’s choice, return or delete Customer Personal Data as set out in Section 13; and
(g) make available information reasonably necessary to demonstrate compliance with this DPA.

6. Technical and Organizational Measures

WaiverDrop will implement and maintain the technical and organizational measures set out in Annex II to ensure a level of security appropriate to the risk. WaiverDrop may update these measures from time to time provided the overall level of protection is not materially diminished.

7. Personnel

WaiverDrop will ensure that personnel authorized to Process Customer Personal Data are informed of the confidential nature of Customer Personal Data, are bound by written confidentiality obligations or statutory duties of confidence, receive training appropriate to their role, and access Customer Personal Data only on a need-to-know basis.

8. Sub-processors

8.1 General Authorization. Customer grants WaiverDrop general authorization to engage Sub-processors, subject to this Section 8.

8.2 Current Sub-processors. WaiverDrop maintains a list of current Sub-processors at waiverdrop.com/subprocessors, including those identified in Annex III. Customer acknowledges and approves the Sub-processors listed in Annex III as of the Effective Date.

8.3 New Sub-processors. WaiverDrop will provide at least 14 days’ prior notice of any intended addition or replacement of a Sub-processor by updating the list and providing notice via email to the account’s designated privacy or billing contact (where Customer has subscribed to such notifications) or via in-product notice. Customer may object in writing within 10 days on reasonable data-protection grounds. If Customer objects, the parties will work together in good faith to find a mutually acceptable resolution; if none can be reached within 30 days, Customer may terminate the affected portion of the Service as its sole and exclusive remedy, with a pro-rata refund of pre-paid unused Fees.

8.4 Sub-processor Obligations. WaiverDrop will impose on each Sub-processor data protection obligations no less protective than those in this DPA, and WaiverDrop remains liable to Customer for the acts and omissions of its Sub-processors that cause WaiverDrop to breach this DPA.

9. Data Subject Requests

9.1 Assistance. Taking into account the nature of Processing, WaiverDrop will assist Customer by appropriate technical and organizational measures, insofar as possible, to respond to Data Subject requests to exercise rights under applicable Data Protection Laws (including rights of access, rectification, erasure, restriction, portability, objection, and, where applicable, opt-out of sale or sharing).

9.2 Forwarding. If WaiverDrop receives a request directly from a Data Subject whose Personal Data was submitted through a Customer’s Waiver, WaiverDrop will promptly inform the Data Subject that the request should be directed to the Customer and will, where practicable, forward the request to Customer.

9.3 Costs. WaiverDrop will provide the assistance required by this Section 9 at no additional cost where such assistance consists of making available standard Service functionality. For additional or bespoke assistance, WaiverDrop may charge reasonable time-and-materials fees.

10. Personal Data Breach Notification

10.1 Notification. WaiverDrop will notify Customer of a Personal Data Breach affecting Customer Personal Data without undue delay after confirming the Breach, in a manner and timeframe consistent with its obligations as a processor under applicable Data Protection Laws (including Article 33(2) of the GDPR for processor-to-controller notifications) and taking into account the information reasonably available to WaiverDrop at the time. WaiverDrop will provide Customer with such information as is reasonably available and necessary for Customer to meet its own notification obligations to supervisory authorities and Data Subjects.

10.2 Content of Notification. To the extent information is available, the notice will include:

(a) the nature of the Personal Data Breach, including the categories and approximate number of Data Subjects and records affected;
(b) the likely consequences of the Breach;
(c) the measures taken or proposed to address the Breach and mitigate adverse effects; and
(d) the contact details of a WaiverDrop point of contact.

WaiverDrop will provide updates as additional information becomes available.

10.3 Not an Admission. A notification under this Section 10 is not an acknowledgment of fault or liability.

11. Data Protection Impact Assessments and Prior Consultation

WaiverDrop will provide reasonable assistance to Customer in conducting data protection impact assessments and in consulting with Supervisory Authorities, taking into account the nature of Processing and the information available to WaiverDrop. Additional or bespoke assistance may be charged at reasonable time-and-materials rates.

12. International Data Transfers

12.1 Service Hosted in the United States. Customer acknowledges that WaiverDrop Processes Customer Personal Data in the United States and that certain Sub-processors may Process Customer Personal Data in other jurisdictions (see Annex III).

12.2 EU/EEA Transfers. To the extent Customer Personal Data originates in the EEA and is transferred to WaiverDrop in a country not covered by an adequacy decision, the SCCs are incorporated by reference into this DPA and apply as follows:

(a) Module Two (controller to processor) applies;
(b) in Clause 7 (docking clause), the optional language applies;
(c) in Clause 9 (sub-processors), Option 2 (general authorization) applies with the notice period in Section 8.3;
(d) in Clause 11 (redress), the optional language does not apply;
(e) in Clause 17 (governing law), the parties agree the law of Ireland governs;
(f) in Clause 18 (forum), the parties agree the courts of Ireland have jurisdiction;
(g) the relevant Supervisory Authority is the Irish Data Protection Commission, except where a different Member State’s Supervisory Authority is mandatory under applicable law based on the data exporter’s establishment;
(h) Annexes I, II, and III to this DPA populate Annexes I, II, and III of the SCCs.

12.3 UK Transfers. For transfers subject to the UK GDPR, the UK Addendum is incorporated by reference and populated by reference to the SCCs and the Annexes to this DPA. Where the UK Addendum and the SCCs conflict, the UK Addendum prevails.

12.4 Swiss Transfers. For transfers subject to the Swiss FADP, the SCCs apply with references to the GDPR interpreted as references to the FADP, and the Swiss Federal Data Protection and Information Commissioner acts as the Supervisory Authority.

12.5 Alternative Mechanisms. If the SCCs or UK Addendum are invalidated or replaced, the parties will work in good faith to adopt an alternative lawful transfer mechanism.

13. Return or Deletion of Customer Personal Data

13.1 Post-Termination — Default Rule. Upon termination or expiration of the Principal Agreement, at Customer’s choice, WaiverDrop will return or delete Customer Personal Data within thirty (30) days, except as set out in Section 13.2 and Section 13.3.

13.2 Waiver Records — Elected Retention. Customer acknowledges that a core feature of the Service is the long-term custody of signed waiver records so that Customer can produce them in legal proceedings where required. By selecting, configuring, and using the Service, Customer elects and instructs WaiverDrop to retain Waiver Records (signed waiver PDFs, signature images, and associated Signer data and metadata captured as part of the signing process) for the default period set out in the Principal Agreement and the Privacy Policy (currently up to seven (7) years following the end of the 30-day post-termination export window).

This election is Customer’s documented instruction to WaiverDrop as Processor. Customer may at any time vary or revoke this election by providing written instruction to WaiverDrop to delete Waiver Records earlier or to transfer them to Customer; any such change is subject to Customer’s own legal retention obligations.

For the avoidance of doubt, the Article 28(3)(g) return-or-deletion “choice of the controller” is exercised by Customer as follows: (i) for Account Holder Data, Customer’s default choice is deletion after thirty (30) days (Section 13.1); (ii) for Waiver Records, Customer’s default choice is the elected retention above, which Customer may modify in writing.

13.3 Legally Required Retention and Backups. The following data may be retained notwithstanding Sections 13.1 and 13.2:

(a) Customer Personal Data that WaiverDrop is required to retain by applicable law, which will continue to be protected in accordance with this DPA; and
(b) Customer Personal Data in backup media, which may persist for up to thirty (30) days after deletion from production systems before being overwritten in the ordinary course of operations.

13.4 Export. During the 30-day post-termination period, Customer may export Customer Personal Data using standard Service functionality (such as CSV and PDF exports).

13.5 Certification. Upon Customer’s written request, WaiverDrop will certify in writing that it has complied with this Section 13.

14. Audits and Information Rights

14.1 Records. WaiverDrop will maintain records of Processing activities carried out on behalf of Customer as required by applicable Data Protection Laws.

14.2 Audits. WaiverDrop will make available to Customer all information reasonably necessary to demonstrate compliance with this DPA. Customer may satisfy its audit rights by:

(a) receiving a copy of WaiverDrop’s most recent third-party security assessment, where available; and
(b) submitting a reasonable written questionnaire annually (or more frequently if Customer reasonably believes a material breach has occurred), to which WaiverDrop will respond within a reasonable time.

14.3 On-Site Audits. On-site audits are not generally permitted except where required by a Supervisory Authority or where Customer reasonably believes, based on a concrete event, that a material breach of this DPA has occurred and remains unremedied. Any on-site audit will be conducted during business hours, with at least 30 days’ prior notice, at Customer’s cost, under strict confidentiality obligations, and limited in scope to matters directly relevant to the concern.

15. Liability

The liability of each party under or in connection with this DPA is subject to the limitations and exclusions set out in the Principal Agreement. Where the Principal Agreement’s liability cap applies, it applies to aggregate liability under both the Principal Agreement and this DPA combined, not separately.

16. Changes to this DPA

WaiverDrop may update this DPA from time to time with at least 30 days’ prior notice. If an update is required to comply with Data Protection Laws or to reflect new transfer mechanisms, it will take effect on the date required by law or the transfer mechanism.

17. General

17.1 Precedence. This DPA supplements the Principal Agreement. In the event of conflict regarding Customer Personal Data, this DPA prevails.

17.2 Severability. If any provision of this DPA is held invalid or unenforceable, the remainder remains in full force.

17.3 Governing Law. This DPA is governed by the law stated in the Principal Agreement, except that the SCCs are governed as stated in Section 12.2(e) and the UK Addendum is governed by the laws of England and Wales.

17.4 Counter-signature. Signature of this DPA is not required for it to take effect where it is incorporated into the Principal Agreement by reference. Customer may request a counter-signed copy by emailing [email protected].

Annex I — Details of Processing

A. List of Parties.

  • Data Exporter / Controller: Customer (the entity that has entered into the Principal Agreement), acting as controller of the Customer Personal Data Processed through the Service.
  • Data Importer / Processor: Mazurka Labs LLC, a New York limited liability company, at its then-current registered agent address in New York; contact: [email protected].

B. Categories of Data Subjects.

  • Signers (end users who sign Waivers through the Service), including adult Signers and, where the Waiver involves a minor, the signing parent or guardian.
  • Minors on whose behalf a Waiver is signed (information submitted by the signing guardian).
  • Customer’s Authorized Users (only to the extent their information is included in audit logs, signatures on internally deployed Waivers, or similar).

C. Categories of Personal Data. As configured by Customer in its Waiver templates and Service settings. Typical categories include:

  • Identification data: full name, email address, phone number.
  • Demographic data: date of birth (including minor’s DOB where applicable).
  • Relationship data: guardian name, relationship to minor, emergency contact name and phone.
  • Signature data: drawn signature image, IP address, timestamp, browser user agent, device information.
  • Optional data: photograph captured at signing, custom fields configured by Customer.
  • Waiver content: the text of the Waiver presented to and accepted by the Signer, and the PDF record.

D. Sensitive Data; Special Categories. Customer configures its own Waivers and may, depending on its use case, collect information that could constitute special-category or sensitive Personal Data (for example, health information for a physical activity waiver). Customer is solely responsible for obtaining any explicit consent or other lawful basis required for such Processing and for configuring the Waiver to minimize collection of such data.

E. Nature and Purpose of Processing. Provision of a digital waiver creation, signing, and management platform, including storing, displaying, transmitting, indexing, searching, exporting, backing up, and generating PDF records of Waivers and signature metadata on behalf of Customer; communicating signature confirmations to Signers at Customer’s direction; and providing customer support.

F. Frequency of Transfer. Continuous during the term of the Principal Agreement.

G. Duration of Processing. For the term of the Principal Agreement, plus the retention period set out in Section 13 and the Privacy Policy.

H. Subject Matter and Duration of Sub-processor Processing. As set out in Annex III.

Annex II — Technical and Organizational Measures

WaiverDrop implements the following technical and organizational measures, appropriate to the risks presented by the Processing and the nature of the Customer Personal Data involved. WaiverDrop may update these measures from time to time; the overall level of security will not be materially diminished.

These measures reflect WaiverDrop’s current operating posture as a small, focused team running on managed infrastructure (Hetzner Cloud and Cloudflare).

1. Encryption.

  • TLS 1.3 (or the then-current minimum supported by Cloudflare) for all HTTP traffic to the Service, with TLS termination at the Cloudflare edge.
  • Encryption at rest for object storage holding signature images, generated PDF waiver records, and optional Signer photographs (Cloudflare R2, AES-256 server-side encryption by Cloudflare default).
  • The application database (SQLite) persists to attached block storage on the Kubernetes cluster hosted on Hetzner Cloud; the database is continuously replicated to Cloudflare R2 using Litestream, so that at-rest copies of the database are held in R2’s encrypted object storage.

2. Access Control.

  • Access to production systems, the application database, and object storage is limited to authorized personnel on a need-to-know, least-privilege basis. At current stage the authorized set is the founder.
  • Multi-factor authentication is enabled on administrative accounts with access to production infrastructure and third-party Sub-processor consoles (Cloudflare, Hetzner, Stripe, Resend, domain registrar, source control).
  • Application-level authentication uses modern password-hashing for Customer accounts.

3. Network and Infrastructure Security.

  • Segregation between production and non-production environments.
  • Network controls (Kubernetes ingress rules, Cloudflare edge controls) restricting access to production resources.
  • Container images and operating system dependencies are patched on an ongoing basis; security-critical updates are prioritized.
  • DDoS protection, WAF, and bot mitigation at the Cloudflare edge.

4. Application Security.

  • Secure-development practices appropriate to a small engineering team, including attention to the OWASP Top 10 class of web vulnerabilities.
  • Dependency management via Go modules; Go toolchain updates applied on an ongoing basis.
  • Application-layer rate limiting for sensitive endpoints; additional DDoS and WAF protections at the Cloudflare edge.
  • Error monitoring via a self-hosted application error-tracking instance (GlitchTip) running on the Service’s own infrastructure; error reports are not shared with any third-party error-tracking vendor.

5. Operational Security.

  • Continuous application monitoring and alerting via self-hosted infrastructure (GlitchTip) and log aggregation.
  • Written incident response and breach-notification procedures that inform response and Customer notification when an incident is identified.

6. Physical Security.

  • The application, attached block storage for the SQLite database, and the Kubernetes cluster are hosted on Hetzner Cloud infrastructure in Hetzner’s United States data center. Hetzner operates its data centers under its published security and compliance program (ISO/IEC 27001 certified), including controlled physical access, environmental controls, and monitoring.
  • Signature images, generated PDF waiver records, optional Signer photographs, and continuously replicated copies of the application database are stored in Cloudflare R2 object storage, operated by Cloudflare under its published security and compliance program.
  • Public traffic reaches the Service through Cloudflare edge infrastructure (CDN, DDoS protection, WAF, TLS termination).
  • Customer Personal Data is not stored on personnel endpoints in the ordinary course.

7. Resilience and Backup.

  • The application database is continuously replicated from production to Cloudflare R2 via Litestream, providing near-real-time off-site replication and point-in-time recovery capability for the application database.
  • R2 object storage (signatures, PDFs, photographs) is durably stored by Cloudflare under its published durability commitments.

8. Data Minimization and Retention.

  • Customer configures the fields collected from Signers via its Waiver templates; WaiverDrop does not require the collection of fields beyond those necessary to provide the Service.
  • Retention of Customer Personal Data follows the Privacy Policy and the Principal Agreement.
  • Deletion or anonymization on expiry of the applicable retention period.

9. Sub-processor and Vendor Management.

  • Security and privacy review before engaging a new Sub-processor.
  • Data-protection terms with each Sub-processor no less protective than those in this DPA.
  • Sub-processor list maintained at waiverdrop.com/subprocessors.

10. Incident Response.

  • Documented procedures for detecting, triaging, and responding to security incidents.
  • Notification to Customer as set out in Section 10 of this DPA.
  • Post-incident review and remediation tracking.

Annex III — List of Sub-processors

As of the Effective Date, WaiverDrop engages the following Sub-processors to Process Customer Personal Data:

  • Hetzner (Hetzner Online GmbH, Germany) — processing location: United States (Hetzner US data center). Purpose: application hosting, relational database, encrypted backups; also hosts WaiverDrop’s self-hosted analytics (GoatCounter) and error tracking (GlitchTip). Categories: Account Holder data (name, email, password hash, billing metadata); Signer data stored in the application database (name, email, phone, DOB, emergency contact, custom fields, IP, user agent, timestamp); application and audit logs.
  • Cloudflare (Cloudflare, Inc., United States) — processing location: global edge network, US control plane, R2 object storage. Purpose: (a) CDN, DDoS protection, WAF, DNS, TLS termination, and bot mitigation for all HTTP traffic; (b) R2 object storage for signature images, generated PDF waiver records, and optional Signer photographs. Categories: network-layer metadata (IP, user agent, request headers) transiting the edge; at rest in R2: signature images, PDF waiver records, and Signer photographs where the Customer has enabled photo capture.
  • Stripe (Stripe, Inc., United States) — processing location: United States. Purpose: payment processing for Customer subscription billing. Categories: Account Holder billing contact and last 4 of card; Stripe independently handles full card data as a PCI DSS Level 1 service provider.
  • Resend (Resend, Inc., United States) — processing location: United States. Purpose: transactional email delivery (waiver confirmations, password resets, billing receipts). Categories: recipient email address, email subject, and email body contents.

Self-hosted tools (not Sub-processors). The following tools run on WaiverDrop’s own Hetzner infrastructure and do not transmit Customer Personal Data to a third-party vendor:

  • GoatCounter — privacy-friendly product analytics (no tracking cookies, no fingerprinting).
  • GlitchTip — application error monitoring (Sentry-compatible).

Enterprise-specific. Where an Enterprise Customer enables SSO or SAML, the Customer’s own identity provider is not a Sub-processor of WaiverDrop — it is a third party selected by the Customer.

An up-to-date list is maintained at waiverdrop.com/subprocessors.