Legal · Data Processing AddendumEffective 2026-04-27

Data Processing Addendum.

How MAIA processes customer data on your behalf. The DPA governs MAIA's role as a processor of personal data on behalf of customer controllers. It supplements your MSA.

What the DPA covers

  • Roles. Customer is the controller. MAIA is the processor. Subprocessors act under MAIA's instruction.
  • Subject matter and duration. Processing is limited to what's required to deliver the service in the order form, for the duration of the contract plus a defined post-term retention window.
  • Categories of data and data subjects. Documented per integration. Defaults err to the minimum necessary.
  • International transfers. Standard Contractual Clauses (Module 2 + Module 3 where applicable), the UK IDTA, and supplementary measures (encryption in transit and at rest, access controls, audit logging).
  • Security. Article 32 GDPR-aligned controls, enumerated as a technical and organizational measures (TOMs) annex.
  • Breach notification. Without undue delay and no later than seventy-two hours after MAIA becomes aware of a personal data breach.
  • Subprocessor management. Public list at /subprocessors. Material changes announced with at least thirty days notice. Right to object.
  • Data subject requests. MAIA assists controllers in responding to access, deletion, portability, and objection requests.
  • Audit rights. Annual third-party audit reports (SOC 2 once issued) shared under NDA. On-site audit available with reasonable notice.
  • Deletion and return. On termination, return or delete Customer Data within thirty days, subject to legal retention requirements.

How to get a signed copy

Email legal@maiaintelligence.io with your company name, jurisdiction, and the order form or pilot statement of work the DPA will attach to. We will return a counter-signed copy within three business days, faster if you have a hard deadline. We accept redlines and respond on the same timeline.

Public-sector notes

  • Canadian federal and provincial customers, we execute the federal SACC PSPC privacy clauses and provincial equivalents on request.
  • US state and federal customers, we negotiate jurisdiction-specific data residency and FedRAMP-equivalent control mappings as part of the order form.
  • EU and UK, default to SCCs (Module 2/3) and the UK IDTA, with a documented Transfer Impact Assessment available on request.

Related documents

Questions? Email legal@maiaintelligence.io.