Data processing addendum

This page summarises our standard Data Processing Addendum (DPA). The signed DPA forms part of the master subscription agreement and takes precedence over this summary.

Roles

Customer is controller; Maaya is processor. Where we process data for our own operational purposes (for example, billing), we are an independent controller for that limited scope.

Categories of data and data subjects

• Data subjects: customer users, end-customers, employees (e.g. in HR modules), suppliers.
• Data categories: identity, contact, business, financial, HR, IoT/operational telemetry depending on modules in use.

Security measures

Maaya maintains the technical and organisational measures described in the Trust Center, including encryption in transit and at rest, RBAC, audit logging, backup, and recovery.

Subprocessors

A current list is maintained in an appendix. Updates are communicated per the DPA terms with a right to object for material changes.

International transfers

Where transfers occur, we rely on appropriate safeguards including EU Standard Contractual Clauses and, where applicable, supplementary measures.

Sub-processing and audits

Customers may audit Maaya's controls once per year on reasonable notice. Audit reports (SOC 2 once available) may be shared under NDA to reduce the need for direct audits.

Contact

To request the executable DPA, email legal@maayasoft.in.