Data Processing Agreement
Maya Verdant, LLC · Last updated: March 2026
Data Processing Agreement
Last Updated: March 1, 2026
This Data Processing Agreement ("DPA") forms part of the Maya Terms of Service and Privacy Policy and applies where Maya Verdant, LLC processes personal data subject to the GDPR, UK GDPR, or other applicable data protection laws.
Note for individual consumers: If you are an individual consumer using Maya's personal shopping concierge service, this DPA describes how Maya handles your personal data and the protections in place. The detailed legal mechanics described here primarily govern Maya's relationships with its subprocessors and any future business partners.
1. Definitions
"Personal Data" means any information relating to an identified or identifiable individual, as defined under applicable data protection law (including GDPR Art. 4(1)).
"Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, and deletion.
"Data Controller" means the party that determines the purposes and means of processing Personal Data.
"Data Processor" means the party that processes Personal Data on behalf of the Data Controller.
"Subprocessor" means any third party engaged by Maya to process Personal Data in connection with Maya's services.
"GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council.
2. Roles
Maya as Data Controller: When Maya processes personal data of individual consumers (phone numbers, message content, preferences, device data) to deliver its concierge service, Maya acts as the Data Controller. Your rights as a data subject are described in the Privacy Policy and EU/EEA Additional Terms.
Maya as Data Processor: In future business arrangements where a business partner (e.g., a carrier or retailer) engages Maya to process their customers' data on that partner's behalf, Maya would act as a Data Processor. In those cases, a separate executed DPA will govern the arrangement.
3. Maya's Subprocessors
Maya engages the following categories of subprocessors to process personal data in connection with its services:
| Subprocessor | Category | Purpose | Location |
|---|---|---|---|
| Anthropic, PBC | AI provider | LLM processing of messages | United States |
| OpenAI, LLC | AI provider | Audio transcription (Whisper) | United States |
| Telnyx, LLC | Telecommunications | SMS delivery and routing | United States |
| Vercel, Inc. | Hosting | Website and API hosting | United States / Global CDN |
| Salesforce, Inc. | CRM | Customer data and records | United States |
Maya may update this list as subprocessors change. Material changes to subprocessors will be communicated with reasonable notice via our website or email.
EU/UK Standard Contractual Clauses: Where Maya transfers Personal Data from the EEA or UK to processors or subprocessors in third countries (such as the United States), Maya relies on the EU Standard Contractual Clauses (Commission Decision 2021/914) and the UK International Data Transfer Agreement (IDTA), as applicable, or other transfer mechanisms approved under applicable data protection law.
4. Security Measures
Maya implements and maintains appropriate technical and organizational measures to protect personal data, including:
- Encryption of data in transit (TLS) and at rest
- Access controls and least-privilege principles
- Regular security reviews and vulnerability assessments
- Incident response procedures
- Data minimization — collecting only what is necessary for service delivery
Maya's subprocessors are required to maintain equivalent security standards under contract.
5. Data Retention
Maya retains personal data only as long as necessary for the purposes described in the Privacy Policy. See the Privacy Policy for specific retention periods.
Upon termination of Maya's services (account deletion), Maya will delete or anonymize personal data within 90 days, unless retention is required by law.
6. Data Subject Rights
Maya honors data subject rights requests (access, rectification, erasure, portability, objection) as described in the Privacy Policy. Maya will respond to verified requests within the timeframes required by applicable law (generally 30 days under GDPR).
Where Maya receives a data subject request regarding data it processes as a Data Processor on behalf of a business partner, Maya will promptly forward that request to the relevant Data Controller.
7. Breach Notification
Maya will notify affected parties of confirmed personal data breaches in accordance with applicable law, including:
- GDPR: Supervisory authority notification within 72 hours of becoming aware (Art. 33); individual notification where required (Art. 34)
- UK GDPR: ICO notification within 72 hours
- US state laws: State-specific notification timelines as required
8. B2B Data Processing Arrangements
If you are a business that wishes to engage Maya to process your customers' personal data on your behalf (e.g., as part of a carrier or retailer integration), a separate executed DPA will be required before any such processing begins.
To initiate a DPA for a B2B arrangement, contact [email protected] with a description of the intended data flows, the categories of data subjects, and the processing activities required.
9. Governing Law
This DPA is governed by the laws applicable to the underlying agreement between the parties. For EU/EEA data subjects, the GDPR and applicable EU law apply. For UK data subjects, UK GDPR and the Data Protection Act 2018 apply.
10. Contact
For data processing questions, DPA requests, or subprocessor information:
Email: [email protected] Mail: Maya Verdant, LLC, SJO-560727, #25331 Miami, Florida 33102 USA