
Maira Data Processing Addendum

Document Name: Maira Data Processing Addendum
Document Code: DPA
Version: v2026-04-28

This Data Processing Addendum (this Addendum) forms part of and is incorporated into the Master Services Agreement, Order Form, or other written agreement (the Agreement) between RealLM REALTY Inc. (Maira) and the customer identified in the Agreement (Customer).

This Addendum applies only to the extent Maira Processes Personal Data on behalf of Customer in connection with the Services. If and to the extent there is any conflict between this Addendum and the Agreement with respect to the Processing of Personal Data, this Addendum controls.

1. Definitions

Capitalized terms not defined in this Addendum have the meanings given in the Agreement.

Applicable Data Protection Law means all laws and regulations applicable to the Processing of Personal Data under the Agreement, including, where applicable, the GDPR, UK GDPR, Swiss FADP, the CCPA, and other applicable U.S. state privacy laws, in each case as amended from time to time.

CCPA means the California Consumer Privacy Act of 2018, as amended, including by the California Privacy Rights Act, and its implementing regulations.

Controller, Processor, Business, Service Provider, Contractor, Consumer, Data Subject, Personal Data, Personal Information, Process or Processing, and Sell, Share, and Sensitive Personal Information have the meanings given in Applicable Data Protection Law.

Customer Personal Data means Personal Data processed by Maira on behalf of Customer in connection with the Services.

Data Incident means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data processed by Maira, excluding unsuccessful attempts or activities that do not compromise the security of Customer Personal Data, including unsuccessful pings, port scans, denial-of-service attempts, or other unsuccessful network attacks.

Subprocessor means any third party authorized by Maira or a Maira Affiliate to Process Customer Personal Data in connection with the Services.

Standard Contractual Clauses or SCCs means, as applicable, Module Two (Controller to Processor) or Module Three (Processor to Processor) of the standard contractual clauses approved by the European Commission in Implementing Decision (EU) 2021/914, as may be updated, replaced, or superseded.

2. Roles and Scope

The parties acknowledge and agree that, with respect to Customer Personal Data processed under this Addendum, Customer acts as a Controller or Processor, as applicable, and Maira acts as a Processor or subprocessor, as applicable. This Addendum does not apply to processing for which Maira acts as a Controller, including processing of business contact details, account information, billing data, service procurement data, and Usage Data processed for Maira's own business operations, security, accounting, product administration, and legal compliance.

This Addendum applies only to Processing performed by Maira on behalf of Customer in connection with the Services described in the Agreement.

3. Customer Instructions

Maira will Process Customer Personal Data only on documented instructions from Customer, including as set forth in the Agreement, this Addendum, and Customer's configuration and use of the Services, unless otherwise required by applicable law. If Maira is required by applicable law to Process Customer Personal Data for any other purpose, Maira will, unless prohibited by law, inform Customer of that legal requirement before the Processing.

Customer instructs Maira to Process Customer Personal Data as necessary to provide, secure, support, maintain, and improve the Services, to perform the Agreement, to prevent fraud or misuse, to comply with applicable law, and as further documented in this Addendum and the Agreement.

Customer is solely responsible for the accuracy, quality, and legality of Customer Personal Data and the means by which Customer acquired Customer Personal Data.

4. Confidentiality of Processing Personnel

Maira will ensure that persons authorized to Process Customer Personal Data are subject to appropriate confidentiality obligations, whether contractual or statutory, and receive access only to the extent necessary to perform their duties.

5. Security of Processing

Maira will implement and maintain appropriate technical and organizational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, taking into account the nature of the Processing, the state of the art, implementation costs, and the risks presented by the Processing.

The technical and organizational measures implemented by Maira as of the effective date of this Addendum are described in Schedule 1. Maira may update or modify those measures from time to time, provided that Maira does not materially reduce the overall security of the Services.

6. Data Incidents

Maira will notify Customer without undue delay after becoming aware of a Data Incident. To the extent reasonably available, such notice will describe the nature of the Data Incident, the categories of affected data, the likely consequences, and the measures taken or proposed to address the Data Incident.

Maira will take reasonable steps to contain, investigate, mitigate, and remediate each Data Incident and will provide Customer with reasonably requested information about the Data Incident to the extent necessary for Customer to meet its obligations under Applicable Data Protection Law.

Maira's notification of or response to a Data Incident will not be construed as an admission of fault or liability.

7. Assistance with Data Subject Requests and Compliance

Taking into account the nature of the Processing, Maira will provide Customer with reasonable assistance to enable Customer to respond to requests from Data Subjects to exercise their rights under Applicable Data Protection Law, insofar as Customer cannot access or address such requests through the Services.

Taking into account the nature of the Processing and the information available to Maira, Maira will provide reasonable assistance to Customer with data protection impact assessments, risk assessments, consultations with supervisory authorities, and other similar obligations under Applicable Data Protection Law, in each case solely to the extent required by law and related to Maira's Processing of Customer Personal Data under this Addendum.

To the extent permitted by law, Customer will reimburse Maira for reasonable costs incurred in providing assistance under this Section to the extent such assistance exceeds Maira's standard obligations in connection with the Services.

8. Subprocessors

Customer generally authorizes Maira to engage Subprocessors in connection with the Services. Maira will ensure that each Subprocessor is bound by written obligations that require data protection protections no less protective than those set out in this Addendum, to the extent applicable to the Subprocessor's Processing.

Maira remains responsible for the acts and omissions of its Subprocessors to the same extent Maira would be responsible if performing the relevant services directly, subject to the limitations of liability in the Agreement and this Addendum.

The Subprocessors authorized as of the effective date of this Addendum are listed in Schedule 2.

Maira will provide notice of a new Subprocessor by updating its published subprocessor schedule or by other reasonable written notice. If Applicable Data Protection Law requires an objection right, Customer may object in writing to a new Subprocessor on reasonable data protection grounds within ten (10) days after notice. The parties will work in good faith to resolve the objection. If the parties cannot resolve the objection within a reasonable period, Maira may, at its option, provide the affected functionality without the objected-to Subprocessor, recommend a commercially reasonable change in Customer's configuration or use of the Services, or terminate the affected portion of the Services without liability other than refunding any prepaid fees for the terminated unused portion of the applicable Subscription Term.

9. International Data Transfers

Customer authorizes Maira and its Subprocessors to Process Customer Personal Data in the United States and in other jurisdictions in which Maira, its Affiliates, or its Subprocessors maintain operations, subject to this Section.

If Customer Personal Data subject to the GDPR, UK GDPR, or Swiss FADP is transferred to a jurisdiction that does not provide an adequate level of protection under Applicable Data Protection Law, the SCCs are incorporated by reference into this Addendum and apply as follows:

| Transfer Scenario | Applicable SCC Module |
| --- | --- |
| Customer is a Controller and Maira is a Processor | Module Two |
| Customer is a Processor and Maira is a subprocessor | Module Three |

For UK transfers, the SCCs are deemed supplemented by the UK International Data Transfer Addendum issued by the UK Information Commissioner's Office, as may be updated or replaced. For Swiss transfers, references to the GDPR include the Swiss FADP to the extent required, references to Member State law refer to Swiss law where applicable, and the competent authority and courts will be interpreted accordingly.

The SCCs will be completed as stated in Schedule 3.

10. Audits and Demonstration of Compliance

Maira will make available to Customer, upon reasonable written request, information reasonably necessary to demonstrate Maira's compliance with this Addendum. Maira may satisfy this obligation by providing then-current audit summaries, certifications, independent third-party assessments, security questionnaires, or similar materials.

If Applicable Data Protection Law requires an audit right beyond the information described above, Customer may, no more than once annually and at Customer's expense, conduct or appoint an independent auditor bound by confidentiality obligations to conduct a limited audit of Maira's relevant policies, procedures, and records, provided that: (a) Customer provides reasonable prior written notice; (b) the audit occurs during normal business hours; (c) the audit does not unreasonably interfere with Maira's business operations or compromise the security, confidentiality, or privacy of other customers or Maira systems; and (d) Customer first reasonably uses materials already made available by Maira to avoid unnecessary duplication. Nothing in this Section requires Maira to disclose trade secrets, penetration test results, source code, vulnerability details that could reasonably compromise security, or information restricted by law or third-party obligations.

11. Return and Deletion

Upon expiration or termination of the Agreement, Maira will delete or return Customer Personal Data in accordance with the Agreement and Customer's instructions, unless applicable law requires retention. Customer acknowledges that Maira may retain Customer Personal Data to the extent required for backup, archival, legal hold, accounting, fraud prevention, or legal compliance purposes, provided that any retained data remains protected under this Addendum and is not further processed except as required or permitted by applicable law.

12. CCPA and U.S. State Privacy Terms

To the extent the CCPA or similar U.S. state privacy laws apply to Customer Personal Data, the parties agree that Maira is acting as a Service Provider or Contractor, as applicable, with respect to the relevant Customer Personal Data.

Maira will not: (a) Sell or Share Customer Personal Data; (b) retain, use, or disclose Customer Personal Data for any purpose other than for the specific business purposes set out in the Agreement and this Addendum, including retaining, using, or disclosing Customer Personal Data for a commercial purpose other than providing the Services; (c) retain, use, or disclose Customer Personal Data outside of the direct business relationship between the parties, except as permitted by the CCPA; or (d) combine Customer Personal Data with personal information that Maira receives from another source except as permitted by the CCPA.

Maira certifies that it understands the restrictions in this Section and will comply with them.

Customer may take reasonable and appropriate steps to help ensure that Maira uses Customer Personal Data in a manner consistent with Customer's obligations under the CCPA. Maira will notify Customer if Maira determines that it can no longer meet its obligations under this Section.

13. Liability

Except where prohibited by Applicable Data Protection Law, the liability of each party arising out of or relating to this Addendum will be subject to the exclusions, limitations, and caps of liability set forth in the Agreement. Nothing in this Addendum limits either party's liability to the extent such limitation is prohibited by Applicable Data Protection Law or by the SCCs.

14. Processing Details

The details of the Processing carried out under this Addendum are set out in Schedule 4.

Schedule 1 – Technical and Organizational Measures

| Category | Measures |
| --- | --- |
| Governance and access management | Role-based access practices; authentication through session controls, JWT, SSO, OTP, and developer API keys as applicable; scoped permissions; and access limited to authorized personnel with a need to know. |
| Encryption in transit | HTTPS enforcement, TLS for database and internal service connections where supported, and encrypted communications for service-to-service and database connectivity. |
| Encryption at rest | Cloud-provider encryption at rest for managed infrastructure where available; application-layer encryption for certain sensitive fields using strong modern encryption methods; and encrypted persistent storage where supported by infrastructure providers. |
| Tenant separation | Logical tenant separation through application-layer tenant scoping and service-level access controls. |
| Logging and monitoring | Application logging, monitoring, error tracking, and performance tracing with redaction of specified secrets and sensitive headers from logs and monitoring systems. |
| Network and application safeguards | Security headers, origin allowlisting, webhook verification, rate limiting, and other application-layer protections designed to reduce abuse and unauthorized access. |
| Secrets handling | Encrypted or hashed storage of sensitive secrets and API keys where applicable, including scoped developer keys and redaction of credentials from logs. |
| Resilience and operations | Hosted infrastructure with managed cloud providers, operational monitoring, and backup or retention mechanisms implemented according to service architecture and operational needs. |
| Personnel confidentiality | Confidentiality obligations for personnel and service providers with access to Customer Personal Data. |
| Incident response | Processes for identifying, responding to, mitigating, and notifying Customer of Data Incidents in accordance with this Addendum and applicable law. |

Schedule 2 – Authorized Subprocessors

| Subprocessor | Purpose | Primary Data Categories |
| --- | --- | --- |
| Neon | Managed PostgreSQL database hosting | Application records, tenant data, user and document data, metadata |
| Vercel | Application hosting and edge compute | Request logs, application traffic, analytics, hosted application content |
| Fly.io | Infrastructure hosting for agent runtimes, workers, and supporting services | Runtime data, event streams, hosted processing data |
| Upstash | Redis caching, rate limiting, OTP storage, scheduled jobs | Counters, ephemeral authentication data, job metadata |
| Stripe | Billing and payment processing | Billing identifiers, subscription metadata, payment event data |
| Stack Auth | Authentication and session management | User identity and session data |
| Sentry | Error monitoring and performance tracing | Error payloads, performance traces, limited diagnostic metadata |
| Anthropic | Language model inference | Prompts, instructions, contextual text submitted for model inference |
| OpenAI | Language model and embedding inference | Prompts, instructions, contextual text, embedding text |
| Google (Gemini) | Language model inference | Prompts, instructions, contextual text submitted for model inference |
| MiniMax | Language model inference | Prompts, instructions, contextual text submitted for model inference |
| Brave | Web search API | Search queries and related query context |
| Pinecone | Vector database and embedding search | Embeddings, vector metadata, indexed search content |
| Resend | Transactional email delivery | Recipient addresses and report or message content |
| Vapi | Voice AI and onboarding workflows | Phone numbers, call content, recordings, workflow data |
| Telnyx | SMS, voice, and messaging services | Phone numbers and message content |
| Composio | OAuth connection broker for third-party SaaS integrations | OAuth tokens, connection metadata, user-authorized tool execution data |
| Slack | Alert delivery and event relay | Webhook payloads and event data |
| Honcho (Plastic Labs) | Conversation memory services | Session and conversation context |
| Graphiti MCP (Zep AI) | Knowledge graph processing | Entity and relationship extraction data from interactions |

Schedule 3 – SCC Completion Terms

| SCC Topic | Completion Term |
| --- | --- |
| Clause 7 (Docking Clause) | Optional; applies. |
| Clause 9(a) (Use of Subprocessors) | Option 2 applies; the time period for prior notice of new Subprocessors is as set out in Section 8 of this Addendum. |
| Clause 11(a) (Redress) | The optional language does not apply unless required by applicable law. |
| Clause 17 (Governing Law) | The law of the Republic of Ireland, unless another EEA jurisdiction is required by applicable law. |
| Clause 18(b) (Forum and jurisdiction) | Courts of Dublin, Ireland. |
| Annex I.A | The data exporter is Customer and the data importer is Maira; each party's contact details are as set forth in the Agreement or applicable Order Form. |
| Annex I.B | The transfer description is described in Schedule 4 to this Addendum. |
| Annex I.C | The competent supervisory authority is determined under the GDPR based on Customer's role and establishment. |
| Annex II | The technical and organizational measures are set forth in Schedule 1 to this Addendum. |
| Annex III | The list of Subprocessors is set forth in Schedule 2 to this Addendum. |

For UK transfers, the UK International Data Transfer Addendum is deemed completed using the details set forth in the Agreement, this Addendum, and its schedules.

Schedule 4 – Details of Processing

| Topic | Description |
| --- | --- |
| Subject matter | Provision of the Services under the Agreement, including hosted software, managed organizational agent features, retrieval, workflow orchestration, integrations, support, supervision, and related Professional Services where applicable. |
| Duration | For the Subscription Term and any period during which Maira Processes Customer Personal Data to provide the Services, perform post-termination obligations, or comply with applicable law. |
| Nature of Processing | Collection, storage, organization, structuring, retrieval, hosting, indexing, annotation, analysis, transmission, disclosure by transmission, alignment, combination, pseudonymization, deletion, and other Processing necessary to provide the Services. |
| Purpose of Processing | To provide, secure, support, maintain, improve, and monitor the Services; to carry out Customer-configured workflows; to authenticate users; to enable integrations and communications; to provide reporting and supervision features; and to comply with applicable law. |
| Categories of Data Subjects | Customer personnel; Customer contractors and agents; Customer prospects, leads, clients, and counterparties; Customer end users; individuals appearing in Customer communications, documents, transcripts, or records; and any other individuals whose Personal Data is included in Customer Data. |
| Categories of Personal Data | Business contact details, identity data, account credentials and authentication data, communications content, documents and files, employment or workforce data, phone numbers, email addresses, billing identifiers, CRM and engagement data, tool and workflow inputs, message logs, support content, and any other Personal Data submitted by or for Customer through the Services. |
| Sensitive data | Only to the extent submitted by Customer and supported under the Agreement. Customer is responsible for determining whether special protections or additional contractual terms are required for any sensitive or regulated data. |
| Frequency | Continuous or as initiated by Customer and its Authorized Users during use of the Services. |
| Subprocessors | As listed in Schedule 2, as updated from time to time in accordance with this Addendum. |

© 2026 REALLM Realty, Inc. All rights reserved. Document version v2026-04-28.
