Data Processing Agreement
Maya Verdant, LLC · Last updated: March 2026
Maya Data Processing Agreement
Last Updated: May 21, 2026
Who this document is for
- Business customers (“Customer”) — If you enter a written or order-form agreement with Maya Verdant, LLC to use Maya’s platform or services to process personal data about your customers, employees, or other individuals, this Data Processing Agreement (“DPA”) is incorporated into that agreement (the “Agreement”).
- Individual consumers — If you text or chat with Maya as a household member, Maya is generally the data controller. Your relationship is governed by the Privacy Policy and Terms of Service, not this B2B DPA.
Incorporation. This DPA is part of the Agreement. If there is a conflict between the Agreement and this DPA regarding the processing of Customer Personal Data (defined below), this DPA controls to the extent of the conflict.
Updates. We may update this DPA as laws and our services evolve. Material changes to subprocessors are handled in Section 5. Archived versions may be published at maya.markets/legal.
Defined terms not defined here have the meaning in the Agreement.
Table of contents
- Definitions
- Customer responsibilities
- Maya obligations as processor
- Data subject requests
- Sub-processors
- Data transfers
- Demonstration of compliance
- Additional provisions for European data
- Additional provisions for California personal information
- Optional partner data (controller-to-controller)
- Transfer mechanisms (SCCs and UK Addendum)
- General provisions
- Parties
- Annex 1 — Details of processing (Maya as processor)
- Annex 2 — Security measures
- Annex 3 — Sub-processor categories
1. Definitions
“Agreement” means the contract between Customer and Maya governing the Services, including order forms, statements of work, and the Maya Terms of Service where applicable by reference.
“California Personal Information” means Customer Personal Data subject to the California Consumer Privacy Act, as amended by the CPRA (“CCPA”).
“Customer Personal Data” means personal data contained in Customer Data that Maya processes on behalf of Customer in connection with the Services. Customer Data includes data Customer or its users submit to the Services (e.g., via messaging channels, APIs, or dashboards).
“Customer Personal Data Breach” means a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data processed by Maya or its Sub-processors in connection with the Services. Unsuccessful attempts (e.g., failed logins, port scans, denial-of-service) are not Customer Personal Data Breaches.
“Data Protection Laws” means all privacy and data protection laws applicable to the processing of personal data under the Agreement, including GDPR, UK GDPR, Swiss FADP, CCPA/CPRA, and other U.S. state privacy laws, as amended.
“Data Subject” means the identified or identifiable individual to whom personal data relates.
“Data Subject Request” means a request from a Data Subject to exercise rights under Data Protection Laws (access, deletion, correction, portability, restriction, objection, etc.).
“Controller,” “Processor,” “Processing,” “Personal Data,” “Supervisory Authority” have the meanings in applicable Data Protection Laws.
“Customer Instructions” means documented instructions Customer issues to Maya regarding Processing of Customer Personal Data, including via the Agreement, this DPA, configuration of the Services, and documented support tickets.
“Europe” means the European Union, the European Economic Area, the United Kingdom, and Switzerland, as applicable.
“European Data” means Customer Personal Data subject to European Data Protection Laws.
“European Data Protection Laws” means GDPR, UK GDPR, Swiss FADP, ePrivacy rules where applicable, and national implementations.
“Instructions” means Customer Instructions.
“Permitted Affiliates” means Customer’s affiliates permitted to use the Services under the Agreement that are not separate signatories but remain subject to Customer’s control and this DPA.
“Restricted Transfer” means a transfer of Personal Data from Europe to a country not recognized as providing adequate protection under European Data Protection Laws.
“Services” means Maya’s household buying assistant platform, messaging orchestration, automation, analytics, and related professional services described in the Agreement.
“Standard Contractual Clauses” or “SCCs” means the standard contractual clauses annexed to European Commission Decision (EU) 2021/914 (4 June 2021), as amended or replaced.
“Sub-processor” means a third party engaged by Maya or its affiliates to process Customer Personal Data on Maya’s behalf in connection with the Services (excluding Maya employees and contractors under confidentiality duties).
“UK Addendum” means the UK Information Commissioner’s International Data Transfer Addendum (version B1.0 or successor) to the SCCs.
2. Customer responsibilities
2.1 Compliance with laws
Customer is responsible for compliance with Data Protection Laws as they apply to Customer in connection with Customer’s collection and use of Customer Personal Data, including:
- Lawful basis — establishing and documenting a lawful basis (or valid consent) for collection and Processing;
- Transparency — providing notices to Data Subjects that accurately describe Processing, including Maya as a processor and categories of Sub-processors;
- Rights — honoring Data Subject rights unless Maya assists under Section 4;
- Quality and legality — accuracy, quality, and legality of Customer Personal Data and means of collection;
- Instructions — ensuring Customer Instructions comply with Data Protection Laws;
- Messaging and marketing — compliance with TCPA, CAN-SPAM, and similar rules for SMS/email/voice, including opt-in, opt-out, and content rules;
- Sensitive data — not submitting special-category or sensitive personal data through the Services unless the Agreement expressly permits it and appropriate safeguards are in place.
Customer will notify Maya without undue delay if Customer cannot meet these obligations.
2.2 Customer Instructions
The Agreement (including this DPA) and Customer’s use of the Services in accordance with the Agreement constitute Customer’s complete initial Instructions to Maya. Customer may provide additional Instructions consistent with the Agreement and the nature of the Services. Maya is not required to follow Instructions that violate Data Protection Laws.
2.3 Security (Customer systems)
Customer is responsible for securing its accounts, API keys, integrations, and environments. Customer determines whether Maya’s security measures (Annex 2) meet Customer’s regulatory obligations.
2.4 Prohibited data
Customer will not submit:
- Data relating to children under 13 (or higher age where required);
- Data Customer is not authorized to share;
- Malicious code or unlawful content;
- Biometric identifiers for voice cloning unless a separate written addendum and consent program is executed.
3. Maya obligations as processor
3.1 Processing scope
Maya will process Customer Personal Data only:
- to provide and secure the Services;
- as described in Annex 1;
- in accordance with Customer Instructions; and
- as required by applicable law (in which case Maya will inform Customer unless prohibited).
Maya will not:
- Sell or Share (CCPA meanings) Customer Personal Data;
- use Customer Personal Data for third-party advertising;
- use Customer Personal Data to train general-purpose AI models for the benefit of third parties or for unrelated products, except as required to provide the Services under Instructions or as anonymized/aggregated data that cannot identify Data Subjects.
Inference providers. Where automation or AI Sub-processors process message or media content, Maya contractually requires they process content only to deliver the Services and not use Customer Personal Data to train their foundation models, except where Customer provides separate explicit written consent for a specified purpose.
3.2 Conflicting law
If Maya believes an Instruction violates Data Protection Laws, Maya will notify Customer and may suspend affected Processing until lawful Instructions are agreed.
3.3 Security
Maya will implement appropriate technical and organizational measures as described in Annex 2. Maya may update measures provided the overall protection level is not materially degraded.
3.4 Confidentiality
Maya ensures personnel authorized to process Customer Personal Data are bound by confidentiality obligations.
3.5 Customer Personal Data Breaches
Maya will notify Customer without undue delay and, where feasible, within seventy-two (72) hours after Maya becomes aware of a confirmed Customer Personal Data Breach. Notice will include, as available: nature of the breach, categories and approximate volume of data, likely consequences, and measures taken or proposed. Maya will provide reasonable assistance for Customer’s regulatory or Data Subject notifications when required by law.
3.6 Deletion or return
Upon termination or expiration of the Services (or upon Customer’s written request), Maya will delete or return Customer Personal Data per the Agreement and Annex 1, except where retention is required by law or permitted for encrypted backups isolated from production. Backup deletion follows Maya’s documented retention schedule (target within ninety (90) days after production deletion unless law requires longer).
Maya will provide reasonable export assistance during the term if the Services support export.
4. Data subject requests
The Services may include controls for access, correction, deletion, or restriction. Where Customer cannot address a Data Subject Request through the Services, Maya will provide reasonable assistance on Customer’s written request, at Customer’s expense for material effort, within applicable legal timeframes.
If a Data Subject contacts Maya directly about Customer Personal Data, Maya will direct the individual to Customer unless law requires otherwise. Customer is responsible for substantive responses.
5. Sub-processors
5.1 Authorization
Customer authorizes Maya to engage Sub-processors listed in Annex 3 (by category) and to replace or add Sub-processors consistent with this Section.
5.2 Notice and objection
Maya will provide at least thirty (30) days’ prior notice of a new Sub-processor or material change to an existing Sub-processor’s role by:
- email to Customer’s designated privacy/security contact; or
- notice in the Services or a secure customer portal; or
- updating the named list provided under Section 5.3.
Customer may object on reasonable grounds relating to data protection within thirty (30) days of notice. Parties will discuss in good faith. If unresolved, Maya may (i) not use the Sub-processor for Customer’s data, or (ii) allow Customer to suspend or terminate affected Services without penalty for the affected portion (fees already paid are not refunded unless the Agreement says otherwise).
5.3 Named list (confidential)
Maya does not publish vendor or model names on public marketing pages. Customer may request the current named Sub-processor list (including country and processing purpose) at [email protected] or [email protected]. Maya will respond within thirty (30) days or sooner where required by law.
Material changes remain subject to Section 5.2.
5.4 Sub-processor obligations
Maya imposes data protection terms on Sub-processors providing no less protection than this DPA for Customer Personal Data, to the extent applicable. Maya remains liable for Sub-processor performance of Maya’s obligations under this DPA.
6. Data transfers
Customer acknowledges Maya and Sub-processors may process Customer Personal Data in the United States and other countries where they operate. Maya will ensure transfers comply with Data Protection Laws, including Section 11 for Restricted Transfers.
7. Demonstration of compliance
Upon written request, Maya will make available information reasonably necessary to demonstrate compliance with this DPA, such as security overview materials, summaries of assessments, or responses to reasonable questionnaires.
Audits. Customer may conduct audits required by Data Protection Laws by:
- reviewing materials Maya provides under this Section; and/or
- requesting one remote audit per twelve (12) months on thirty (30) days’ notice, during business hours, subject to confidentiality and scope limits that avoid disruption or exposure of other customers’ data.
Customer bears its own audit costs unless audit reveals material non-compliance attributable to Maya.
8. Additional provisions for European data
8.1 Scope
This Section applies to European Data Maya processes as Processor on Customer’s behalf.
8.2 Roles
Customer is the Controller (or Processor on behalf of another Controller). Maya is the Processor.
8.3 Instructions and DPIAs
Maya will inform Customer if Maya believes an Instruction infringes European Data Protection Laws. Maya will provide reasonable assistance with data protection impact assessments and supervisory authority consultations where required and where Maya has relevant information.
8.4 Restricted transfers
Maya will not transfer European Data to countries without adequate protection unless Section 11 safeguards are in place.
9. Additional provisions for California personal information
9.1 Scope
Applies to California Personal Information Maya processes as a Service Provider for Customer.
9.2 Service Provider certification
Maya certifies it will process California Personal Information only for the business purposes in the Agreement and this DPA, and will not:
- Sell or Share California Personal Information;
- process outside the direct business relationship except as required by law;
- combine California Personal Information with personal information Maya receives from other sources for unrelated purposes, except as permitted for Service Providers under the CCPA.
9.3 Notice of inability to comply
Maya will notify Customer if Maya determines it can no longer meet Service Provider obligations.
9.4 No consideration for disclosure
Disclosure of California Personal Information by Customer to Maya does not constitute sale or consideration for sharing under the CCPA.
10. Optional partner data (controller-to-controller)
10.1 Scope
This Section applies only if the Agreement includes a Partner Integration under which each party independently determines purposes for Partner Data (defined in the Agreement).
10.2 Independent controllers
Each party is an independent Controller of Partner Data it collects. Nothing here restricts either party from processing data it lawfully obtained outside the other party’s Services.
10.3 Cooperation
Each party will comply with Data Protection Laws for Partner Data it shares. Data Subject requests relating solely to the other party’s data will be redirected to that party, with reasonable cooperation.
11. Transfer mechanisms
Where a Restricted Transfer requires safeguards, the parties agree:
11.1 Standard Contractual Clauses (EU)
The SCCs are incorporated by reference. For Customer Personal Data:
| SCC element | Selection |
|---|---|
| Module | Module Two (Controller to Processor) where Customer is Controller; Module Three (Processor to Processor) where Customer is Processor |
| Clause 7 (docking) | Applicable |
| Clause 9 (Sub-processors) | Option 2 — general authorization with Section 5 notice and objection |
| Clause 11 (redress) | Optional language not adopted |
| Clause 17 (governing law) | Republic of Ireland, unless Jurisdiction Specific Terms in the Agreement specify another EU Member State |
| Clause 18 (forum) | Courts of the Member State in Clause 17 |
| Annexes | Completed from Annex 1–3 of this DPA |
11.2 UK Addendum
For UK GDPR, the SCCs apply as modified by the UK Addendum; Tables 1–3 completed from this DPA’s Annexes; Table 4: neither party is UK Controller for Module One purposes under partner Section 10 unless Agreement states otherwise.
11.3 Switzerland
For Swiss law, SCCs apply with modifications: references to GDPR read as Swiss FADP; supervisory authority is the Swiss FDPIC; governing forum Switzerland where required.
11.4 Sub-processor transparency (Clause 9)
Maya fulfills Clause 9(c) obligations through Section 5. Maya will use reasonable efforts to make Sub-processor audit rights available or provide information Maya lawfully can.
11.5 Precedence and inability to comply
If SCCs conflict with this DPA, SCCs prevail for Restricted Transfers. If Maya cannot comply with SCCs, Maya will notify Customer; parties will cooperate on supplementary measures or suspension/termination of affected transfers as permitted by the Agreement.
11.6 Alternative mechanisms
If a new approved transfer tool replaces SCCs for a jurisdiction, parties may adopt it by written agreement.
Full SCC text: European Commission SCCs (2021/914)
12. General provisions
12.1 Order of precedence
Agreement → this DPA → SCCs (for Restricted Transfers) → Annexes.
12.2 Amendments
Maya may update this DPA as permitted in the Agreement. Material adverse changes to Sub-processors follow Section 5.
12.3 Severability
Invalid provisions are severed; remainder remains effective.
12.4 Liability
Liability arising from this DPA is subject to the Agreement’s limitation of liability, except that limits do not apply where prohibited for data protection claims under applicable law.
12.5 Governing law
As stated in the Agreement’s jurisdiction terms, unless Data Protection Laws require otherwise.
13. Parties
13.1 Maya entity
Maya Verdant, LLC
30 N Gould St, Ste R, Sheridan, Wyoming 82801 USA
[email protected] · [email protected]
13.2 Permitted affiliates (Customer)
Customer enters this DPA for itself and Permitted Affiliates. Customer’s contracting entity coordinates Instructions and notices. Remedies are pursued by the contracting entity on behalf of Affiliates unless the Agreement says otherwise.
13.3 Execution
For signed B2B deals, this DPA is effective when the Agreement is executed. Counterparts and electronic signatures are permitted.
Annex 1 — Details of processing (Maya as processor)
A. List of parties
Data exporter (Controller):
Customer — name, address, and contact details as in the Agreement or Order Form.
Role: Controller (or Processor acting on behalf of another Controller).
Activities: Submission of Customer Personal Data through the Services.
Data importer (Processor):
Maya Verdant, LLC — address above.
Contact: [email protected] (DPO/privacy inquiries).
Role: Processor.
Activities: Providing the Services under the Agreement.
B. Description of transfer
| Item | Details |
|---|---|
| Categories of Data Subjects | Customer’s end users, members, prospects, employees, contractors, and other individuals whose data Customer submits, as determined by Customer |
| Categories of Personal Data | Identifiers (phone, email, name); message content; device and plan attributes; shopping preferences; transaction and referral status; technical logs (IP, timestamps); audio/media Customer submits for transcription or voice features; other data Customer configures |
| Sensitive data | Not intended unless expressly agreed in writing with additional safeguards |
| Frequency | Continuous during the term |
| Nature of processing | Collection, storage, organization, retrieval, inference/automation, transmission (SMS/MMS/voice/chat), deletion, security monitoring |
| Purpose | Provide household buying assistant Services: messaging, recommendations, orchestration, analytics, fraud prevention, support |
| Retention | Per Agreement and Section 3.6; message-class data typically up to 24 months unless Customer requests earlier deletion or law requires longer |
Annex 2 — Security measures
Maya maintains measures appropriate to risk, including:
- Access control — role-based access, least privilege, authentication for administrative systems
- Encryption — TLS for data in transit; encryption at rest for production data stores where supported
- Network security — segmentation, monitoring, vulnerability management
- Secure development — change control, code review practices for production systems
- Vendor management — Sub-processor security review and contractual security terms
- Incident response — documented procedures for security events and Customer Personal Data Breaches
- Business continuity — backups and recovery procedures for critical systems
- Personnel — confidentiality obligations and security awareness for staff with data access
Details may be summarized in a security overview provided on request to [email protected]. Maya may update measures without materially reducing overall protection.
Annex 3 — Sub-processor categories
Maya uses Sub-processors in these categories (named entities available on request — Section 5.3):
| Category | Typical purpose | Typical locations |
|---|---|---|
| Cloud infrastructure and hosting | Applications, APIs, websites, storage | United States; global CDN |
| Messaging and telecommunications | SMS, MMS, voice delivery and related metadata | United States |
| Automation, inference, and speech | Message understanding, generation, synthetic voice, related media processing | United States; other countries as needed for service delivery |
| CRM and business records | Account, service, and operational records | United States |
| Analytics, monitoring, and security | Operations, fraud detection, reliability | United States; aggregated global |
| Payment and billing | Invoicing and payment processing for Maya services | United States |
Material changes to Sub-processors in these categories are subject to Section 5.2 (30-day notice and objection).
Named Sub-processor list: email [email protected] with subject “Sub-processor list request.”