MaiaLearning Data Processing Addendum

Version 3.1.0 — January 30, 2026

This Data Processing Addendum (“DPA”) is entered into between MaiaLearning, Inc. (“MaiaLearning” or “Processor”) and the Customer (“Customer” or “Controller”), and is incorporated into and forms part of the Agreement between the parties governing the provision of the Services.

This DPA reflects the parties’ agreement on the processing of Personal Data in connection with the Services, including where Customer’s Personal Data is transferred from the European Economic Area (“EEA”), the United Kingdom (“UK”), or Switzerland to a third country that has not been deemed to provide an adequate level of protection under applicable data protection laws.

1. Definitions

Capitalized terms not otherwise defined in this DPA have the meaning given to them in the Agreement. In this DPA, the following terms shall have the meanings set forth below:

  • “Applicable Data Protection Laws” means all laws and regulations applicable to the processing of Personal Data under the Agreement, including (where applicable) the GDPR, the UK GDPR, the Swiss Federal Act on Data Protection, and the CCPA/CPRA.
  • “Controller” means the entity that determines the purposes and means of the processing of Personal Data.
  • “Processor” means the entity that processes Personal Data on behalf of the Controller.
  • “Personal Data” means any information relating to an identified or identifiable natural person processed by Processor on behalf of Controller under the Agreement.
  • “Security Incident” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.

2. Processor and Controller Responsibilities

Controller is responsible for complying with its obligations under Applicable Data Protection Laws in connection with its use of the Services, including its decisions and instructions regarding the processing of Personal Data.

Processor shall process Personal Data only on documented instructions from Controller, unless required to do otherwise by Applicable Data Protection Laws.

3. Purpose of Processing

Processor will process Personal Data as necessary to provide the Services under the Agreement, as further described in Annex I.B (Description of Transfer).

4. Processor Obligations

Processor shall:

  • Process Personal Data only on documented instructions from Controller;
  • Ensure that persons authorized to process Personal Data have committed themselves to confidentiality;
  • Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk;
  • Assist Controller in responding to Data Subject requests and in meeting its obligations under Applicable Data Protection Laws;
  • Make available to Controller information necessary to demonstrate compliance and allow for audits as set out herein.

5. Assistance

Processor will provide reasonable assistance to Controller as necessary for Controller to comply with its obligations under Applicable Data Protection Laws in connection with Processor’s processing of Personal Data, including assistance with Security Incidents, data protection impact assessments, and prior consultations.

6. Data Subject Rights

Processor will, to the extent legally permitted, promptly notify Controller if it receives a request from a Data Subject to exercise rights under Applicable Data Protection Laws, and will assist Controller in responding to such requests.

7. Security Incident Notification

Processor will notify Controller without undue delay after becoming aware of a Security Incident involving Personal Data and will provide information reasonably requested by Controller in relation to the Security Incident.

8. Deletion or Return of Personal Data

Upon termination or expiration of the Agreement, Processor will, at Controller’s choice and as applicable, return or delete Personal Data as described in the Agreement and this DPA, unless retention is required by law.

9. Data Protection Impact Assessment and Prior Consultation

Processor will provide reasonable assistance to Controller in completing data protection impact assessments and, where required, prior consultations with supervisory authorities, taking into account the nature of processing and information available to Processor.

10. Liability Clarifications

Each party’s liability under this DPA is subject to the limitations and exclusions of liability set out in the Agreement, except as prohibited by Applicable Data Protection Laws.

11. International Data Transfers

To the extent Controller’s use of the Services involves transfers of Personal Data from the EEA, UK, or Switzerland to a third country, the parties agree that the Standard Contractual Clauses (and where applicable the UK Addendum) will apply as set out in Annex I.

Annex I

Annex I.A. List of Parties

Data exporter(s): Customer (Controller)

Data importer(s): MaiaLearning, Inc. (Processor)

Annex I.B. Description of Transfer

Categories of Data Subjects: Students, parents/guardians, educators, staff, administrators, and other authorized users.

Categories of Personal Data: Account and profile data, education records, communications, usage data, and other data provided by Controller or end users through the Services.

Nature of processing: Collection, storage, organization, use, disclosure, deletion, and other processing as necessary to provide the Services.

Purpose(s) of processing: Provision, support, and improvement of the Services; security; compliance; analytics; and communications as instructed by Controller.

Annex I.C. Competent Supervisory Authority

The competent supervisory authority shall be determined in accordance with Applicable Data Protection Laws and the Standard Contractual Clauses.

Annex II — Security Measures

Technical and Organizational Measures

Each technical and organizational measure below is followed by the relevant section(s) of MaiaLearning’s Security Policy (see below) that implement it.
Measures of pseudonymization and encryption of personal data
  • Data – Data into system
  • Data – Data through system
  • Data – Data out of system
Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services
  • Data Center and Network Security – Logical Separation of environments
  • Data Center and Network Security – Intrusion Detection and Prevention
  • Access Control – Security Personnel
  • Access Control – Access Control and Privilege Management
  • Access Control – Application Security – Two-Factor Authentication
  • Access Control – Application Security – Single Sign-On
  • Access Control – Application Security – SAML 2.0
  • Access Control – Application Security – REST API Authentication (API Key)
  • Access Control - Application Security – Audit Controls
  • Data – Data backup and recovery
  • Business Continuity and Disaster Recovery
Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
  • Data Center and Network Security – Intrusion Detection and Prevention
  • Business Continuity and Disaster Recovery
  • Corporate Security – Contingency Planning
  • Disclosure Policy
  • Vulnerability Disclosure
Processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing
  • Data Center and Network Security – Penetration Testing
  • External audit and assessment – External Audit
  • External audit and assessment – Third-Party Audit
  • Corporate Security – Risk Management
  • Corporate Security – Security Policies
Measures for user identification and authorization
  • Access Control – Security Personnel
  • Access Control – Access Control and Privilege Management
  • Access Control – Access Policy
  • Access Control – Application Security – Two-Factor Authentication
  • Access Control – Application Security – Single Sign-On
  • Access Control – Application Security – SAML 2.0
  • Access Control – Application Security – REST API Authentication (API Key)
  • Access Control – Audit Controls
Measures for the protection of data during transmission
  • Data – Data into system
  • Data – Data through system
  • Data – Data out of system
Measures for the protection of data during storage
  • Data – Data through system
Measures for ensuring physical security of locations at which personal data are processed
  • Data Center and Network Security – Data Centers
Measures for ensuring events logging
  • Access Control – Audit Controls
Measures for ensuring system configuration, including default configuration
  • Development
  • Corporate Security – Risk Management
  • Corporate Security – Security Policies
Measures for internal IT and IT security governance and management
  • Security and Compliance
  • External audit and assessment – Third-Party Audit
  • Corporate Security – Risk Management
Measures for certification/assurance of processes and products
  • External audit and assessment – Third-Party Audit
  • Corporate Security – Risk Management
Measures for ensuring data minimization
  • Data – Data Retention
  • Data – Data Removal
Measures for ensuring data quality
  • Data – Data through system
  • Access Control – Audit Controls
Measures for ensuring limited data retention
  • Data – Data Retention
  • Data – Data Removal
  • MaiaLearning customers’ end users should request data extraction or erasure through their Data Controller (the Customer). Customers can remove data themselves or make a request to MaiaLearning Support.
Measures for ensuring accountability
  • Corporate Security – Risk Management
  • Corporate Security – Security Policies
Measures for allowing data portability and ensuring erasure
  • MaiaLearning customers’ end users should request data extraction or erasure through their Data Controller (the Customer). Customers can remove data themselves or make a request to MaiaLearning Support.
Measures and assurances regarding U.S. government surveillance (“Additional Safeguards”)
  • MaiaLearning uses encryption both in transit and at rest.
  • As of the date of this DPA, MaiaLearning has not received any national security orders of the type described in Paragraphs 150-202 of the judgment in the EU Court of Justice Case C-311/18, Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems.
  • No court has found MaiaLearning to be the type of entity eligible to receive process issued under FISA Section 702: (i) an “electronic communication service provider” within the meaning of 50 U.S.C. § 1881(b)(4) or (ii) a member of any of the categories of entities described within that definition.
  • MaiaLearning shall not comply with any request under FISA for bulk surveillance, i.e., a surveillance demand whereby a targeted account identifier is not identified via a specific “targeted selector” (an identifier that is unique to the targeted endpoint of communications subject to the surveillance).
  • MaiaLearning shall use all available legal mechanisms to challenge any demands for data access through national security process that MaiaLearning receives, as well as any non-disclosure provisions attached thereto.
  • MaiaLearning shall take no action pursuant to U.S. Executive Order 12333.
  • MaiaLearning publishes a transparency report indicating the types of binding legal demands for the personal data it has received, including national security orders and directives, which shall encompass any process issued under FISA Section 702.
  • MaiaLearning will notify Customer if MaiaLearning can no longer comply with the Standard Contractual Clauses or these Additional Safeguards, without being required to identify the specific provision with which it can no longer comply.

Annex III — List of Sub-processors

Each sub-processor is listed with its full legal name, address, and description of processing.

Amazon Web Services Inc.
  • Address: 410 Terry Avenue North, Seattle, WA 98109
  • Description of processing: Cloud infrastructure services

Akamai, Inc.
  • Address: 145 Broadway, Cambridge, MA 02142
  • Description of processing: Cloud infrastructure services

Plivo, Inc.
  • Address: 201 Mission St #230, San Francisco, CA 94105
  • Description of processing: SMS sending

Softo Limited
  • Address: 1 Apriliou, 52 Athienou, 7600 Larnaca, Cyprus
  • Description of processing: Document format conversion service; data services in Germany

Human eSources Ltd
  • Address: PO Box 232, Marlborough, CT 06447
  • Description of processing: Personal assessment tools

Parchment, Inc.
  • Address: 7001 N Scottsdale Rd #1050, Scottsdale, AZ 85253
  • Description of processing: Application document sending services

Winward Academy
  • Address: 12670 High Bluff Dr, San Diego, CA 92130
  • Description of processing: College test prep (optional tool per Agreement)

Annex IV — Country-specific terms

(Country-specific terms appear in the original DPA.)

Changelog

v3.1.0 (January 30, 2026) — Updates to subprocessors and related notices; DPIA assistance; liability clarifications; and Annex III list maintenance approach.