This Data Processing Addendum (“DPA”) forms part of the agreement between the Client and Maveon AI and governs the processing of personal data by Maveon on behalf of the Client in connection with the Maveon Service. This DPA is incorporated by reference into the Maveon Terms of Service. By using the Service, the Client agrees to the terms of this DPA.
For the purposes of this DPA, the following definitions apply:
2.1 The parties acknowledge and agree that:
2.2 Nothing in this DPA is intended to characterize Maveon as a controller in respect of End User Personal Data. Where Maveon processes data for its own purposes (such as platform security, fraud detection, and service improvement using only aggregated or anonymized data), it does so as an independent controller.
| Element | Details |
|---|---|
| Subject matter | Operation of AI-powered conversational agents on behalf of the Client |
| Duration | For the term of the Client’s subscription plus the data retention period set out in the Privacy Policy |
| Nature of processing | Collection, storage, transmission to AI model providers, display to Client, and deletion of End User Personal Data |
| Purpose of processing | Providing conversational AI responses to end users on the Client’s behalf; storing conversation logs for Client review |
| Categories of data subjects | End users of the Client’s website or application who interact with the Chatbot |
| Categories of personal data | Names (if provided), email addresses (if provided), conversation content (questions and responses), IP addresses (depending on configuration), and any other personal data submitted by end users through the Chatbot interface |
| Special categories of data | Not processed by default. Clients must not configure Chatbots to solicit special category data (health, biometric, religious, etc.) without specific written agreement and enhanced safeguards. |
4.1 Maveon shall:
5.1 The Client grants Maveon general written authorization to engage Sub-processors for the purposes of providing the Service. Maveon’s current Sub-processors for End User Personal Data processing are:
| Sub-processor | Location | Purpose |
|---|---|---|
| Anthropic PBC | United States | AI language model inference (Claude) |
| OpenAI, LLC | United States | AI language model inference (optional) |
| Google LLC | United States | AI model inference and cloud infrastructure (optional) |
| Railway Corp. | United States | Cloud hosting and database infrastructure |
5.2 Maveon will notify the Client of any intended addition or replacement of Sub-processors by updating this DPA with at least 14 days’ notice. If the Client objects on reasonable data protection grounds to a new Sub-processor, it may terminate the relevant Service upon written notice.
5.3 Maveon imposes data protection obligations on Sub-processors by contract, requiring them to implement appropriate technical and organizational measures and process personal data only as necessary to perform their services.
6.1 Maveon implements the following technical and organizational measures to protect End User Personal Data against unauthorized access, loss, or disclosure:
6.2 The Client is responsible for implementing appropriate security measures on their end, including securing API credentials, embedding code, and access to the Maveon dashboard.
7.1 Upon becoming aware of a Security Incident affecting End User Personal Data, Maveon will without undue delay and in any event within 72 hours notify the Client by email to the registered account address.
7.2 The notification will include, to the extent available: (a) the nature of the Security Incident; (b) the categories and approximate number of data subjects affected; (c) the categories and approximate volume of personal data records affected; (d) likely consequences; and (e) measures taken or proposed to address the incident.
7.3 The Client is responsible for determining whether the Security Incident requires notification to data protection authorities or affected data subjects under Applicable Data Protection Law and for making any such notifications.
8.1 End User Personal Data processed through the Service may be transferred to and processed in the United States and other jurisdictions where Maveon’s Sub-processors operate.
8.2 For transfers of personal data of individuals in the EEA or UK to Maveon or its Sub-processors in non-adequate third countries, the parties agree that the Standard Contractual Clauses adopted by the European Commission (as updated from time to time) are incorporated by reference into this DPA and shall apply to such transfers. The Client acts as “data exporter” and Maveon as “data importer” for the purposes of those clauses.
8.3 For transfers subject to PIPEDA from Canada, the Client consents to the cross-border transfer of personal data as described in Maveon’s Privacy Policy.
9.1 The Client represents, warrants, and undertakes that:
10.1 This DPA is effective for as long as Maveon processes End User Personal Data on behalf of the Client and terminates automatically upon the expiry or termination of the Client’s subscription.
10.2 Upon termination, Maveon will, at the Client’s election, either delete or return End User Personal Data within 30 days, unless applicable law requires longer retention.