What the DPA covers
- Roles. Customer is the controller. MAIA is the processor. Subprocessors act under MAIA's instruction.
- Subject matter and duration. Processing is limited to what's required to deliver the service in the order form, for the duration of the contract plus a defined post-term retention window.
- Categories of data and data subjects. Documented per integration. Defaults err to the minimum necessary.
- International transfers. Standard Contractual Clauses (Module 2 + Module 3 where applicable), the UK IDTA, and supplementary measures (encryption in transit and at rest, access controls, audit logging).
- Security. Article 32 GDPR-aligned controls, enumerated as a technical and organizational measures (TOMs) annex.
- Breach notification. Without undue delay and no later than seventy-two hours after MAIA becomes aware of a personal data breach.
- Subprocessor management. Public list at /subprocessors. Material changes announced with at least thirty days' notice. Right to object.
- Data subject requests. MAIA assists controllers in responding to access, deletion, portability, and objection requests.
- Audit rights. Annual third-party audit reports (SOC 2 once issued) shared under NDA. On-site audit available with reasonable notice.
- Deletion and return. On termination, return or delete Customer Data within thirty days, subject to legal retention requirements.
How to get a signed copy
Email legal@maiaintelligence.io with your company name, jurisdiction, and the order form or pilot statement of work the DPA will attach to. We will return a countersigned copy within three business days, faster if you have a hard deadline. We accept redlines and respond on the same timeline.
Public-sector notes
- Canadian federal and provincial customers: we execute the federal SACC PSPC privacy clauses and provincial equivalents on request.
- US state and federal customers: we negotiate jurisdiction-specific data residency and FedRAMP-equivalent control mappings as part of the order form.
- EU and UK: we default to SCCs (Module 2/3) and the UK IDTA, with a documented Transfer Impact Assessment available on request.
