Maybe* Data Processing Addendum (DPA)

Last Updated July 2025

1. Introduction

This Data Processing Addendum (“DPA”) forms part of the Maybe* Terms & Conditions (“Terms”) available here, or any other agreement governing your use of the Maybe* AI Agent Platform (the “Agreement”) between Maybe Solutions Ltd (“Maybe*”, “we”, “our”) and you, the client (“you”, “your”, or “Client”).

This DPA reflects the parties’ agreement with respect to the processing of Personal Data under the Agreement, in compliance with applicable data protection laws, including the UK General Data Protection Regulation (“UK GDPR”) and the EU General Data Protection Regulation (EU) 2016/679 (“EU GDPR”).

2. Roles of the Parties

2.1 Processor Role

When you submit or provide Personal Data to the Maybe* Platform and instruct Maybe* to process it for your purposes (e.g., through your use of AI Agents to process your customer or employee data), you act as Data Controller and Maybe* acts as your Data Processor, processing such Personal Data solely on your documented instructions and in accordance with this DPA and the Agreement.

2.2 Independent Controller Role

For certain processing activities required to operate, administer, and improve the Maybe* Platform, such as collecting account registration data, usage analytics, and maintaining platform security, Maybe* acts as an independent Data Controller. In these contexts, Maybe* determines the purposes and means of processing, as described in our Privacy Policy.

3. Definitions

  • Personal Data: Any information relating to an identified or identifiable natural person processed under the Agreement.

  • Processing, Data Subject, Controller, Processor, Subprocessor, and Supervisory Authority: As defined under the GDPR.

  • Standard Contractual Clauses (SCCs): The standard contractual clauses approved by the European Commission for transfers of Personal Data to third countries under the GDPR.

4. Data Processing Obligations

When acting as Processor, Maybe* shall:

a) Process Personal Data only on your documented instructions, unless required otherwise by applicable law.
b) Ensure that persons authorised to process Personal Data are bound by confidentiality.
c) Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.
d) Assist you, insofar as possible, in responding to data subjects’ requests under GDPR (e.g., access, erasure, restriction).
e) Assist you in ensuring compliance with GDPR obligations regarding security, breach notifications, impact assessments, and consultations with Supervisory Authorities.
f) Delete or return Personal Data at the end of the Agreement unless otherwise required by law.
g) Make available to you information necessary to demonstrate compliance and allow for audits (see Section 6).

5. Subprocessors

5.1 Use of Subprocessors

You authorise Maybe* to engage Subprocessors to support the provision of the Platform. Maybe* shall:

  • Ensure Subprocessors are bound by equivalent data protection obligations.

  • Remain fully liable for Subprocessors’ acts or omissions.

  • Maintain an up-to-date list of Subprocessors here.

5.2 Notification of Changes

Maybe* shares all Subprocessors and allows you to object on reasonable data protection grounds.

6. Audit Rights

You may audit Maybe*’s compliance with this DPA once per year (or more frequently if required by law) by:

  • Reviewing audit reports and certifications made available by Maybe* (e.g., Cyber Essentials, penetration test results).

  • Upon reasonable notice, conducting an on-site or remote audit during normal business hours, subject to confidentiality safeguards.

7. International Transfers

7.1 Transfers Outside the UK/EEA

When transferring Personal Data outside the UK or European Economic Area (EEA) to a country not subject to an adequacy decision, Maybe* shall ensure appropriate safeguards are in place, such as:

  • Entering into the applicable SCCs, which are incorporated by reference into this DPA where required.

7.2 SCC Execution

Where SCCs apply, the Client is the “data exporter” and Maybe* (or its Subprocessor) is the “data importer.” Maybe* will execute SCCs if requested.

8. Security

Maybe* implements and maintains appropriate technical and organisational measures to protect Personal Data against unauthorised or unlawful processing, accidental loss, destruction, or damage. Such measures include (where appropriate): encryption, pseudonymisation, access controls, regular testing, and disaster recovery procedures.

9. Personal Data Breach

In the event of a Personal Data Breach affecting Client data:

  • Maybe* shall notify you without undue delay once it becomes aware.

  • The notification shall include details of the breach, its likely impact, and mitigation steps.

  • Maybe* shall cooperate with your investigation and remediation efforts.

10. Data Subject Rights

When acting as Processor, Maybe* shall assist you in responding to Data Subject requests (e.g., access, rectification, erasure) received directly or through you, to the extent reasonably possible and in accordance with applicable law.

11. Term & Termination

This DPA remains in effect for as long as Maybe* processes Personal Data on your behalf under the Agreement. Upon termination, Maybe* shall delete or return Personal Data, unless retention is required by applicable law.

12. Priority

In the event of any conflict between the DPA and the Agreement regarding Personal Data, the DPA shall prevail.

13. Governing Law

This DPA is governed by and construed in accordance with English law, and the parties submit to the jurisdiction of the English courts.

14. Contact

For any questions regarding this DPA, please contact:
📧 hello@maybetech.com
📞 +44 (0) 800 0614214

11 Brindley Place, Brunswick Square, Birmingham B1 2LP

© Maybe* Solutions 2024