Maxyfi Data Processing

Transparency in data processing compliance for secure debt management solutions.

Data Processing Addendum:

This Data Processing Addendum (the “DPA”) is incorporated by reference into the agreement between Maxyfi and the Customer (the “Agreement”) regarding the Maxyfi Services described in the Agreement. This DPA is supplemental to the Agreement and sets out the terms that apply when Personal Data (defined below) is processed by Maxyfi under the Agreement.

Capitalized terms have the meanings provided in the Agreement except as provided here.

(1) Definitions and interpretation

“Breach” means a breach of security by Maxyfi that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Data processed by the Services.

“California Data Protection Law” means the California Consumer Privacy Act as amended by the California Privacy Rights Act, its associated regulations, and its successors.

“Controller”, “Processor”, “Data Subject” and “Process” (whether or not capitalized) have the meanings ascribed to them by GDPR and include equivalent terms in California Data Protection Law, in each case as applicable to the Services.

“Data Protection Laws” means GDPR, UK GDPR, and California Data Protection Law.

“GDPR” means the EU General Data Protection Regulation 2016/679, and its implementing legislation enacted into local law by European Union member states.

“Personal Data” means any Customer Data: (a) relating to an identified or identifiable individual, within the meaning of GDPR (regardless of whether GDPR applies), and (b) constituting “personal information” as such term is defined in California Data Protection Law.

“SCCs” or “Standard Contractual Clauses” means the Standard Contractual Clauses for the Transfer of Personal Data to Processors Established in Third Countries under GDPR, as approved by European Commission Implementing Decision 2021/914. The information required by Annexes 1 and 2 of the Standard Contractual Clauses is provided in Annexes A and B of this DPA.

“Privacy Policy” means Maxyfi’s Privacy policy available at Privacy.

“Sell”, “Service Provider” and “Third Party” have the meanings provided in California Data Protection Law.

“UK GDPR” means the Data Protection Act 2018 and GDPR as saved into United Kingdom law by virtue of Section 3 of the United Kingdom's European Union (Withdrawal) Act 2018.

(2) Roles and Processing of Personal Data

2.1 General Processing Conditions. Maxyfi will only process Customer Data: (a) in order to provide the Services to Customer, (b) with Customer’s prior written consent, or (c) as otherwise permitted by Data Protection Laws.

2.2 Confidentiality of Processing. Maxyfi will treat Customer Data as Customer’s Confidential Information. Maxyfi will protect the Customer Data in accordance with the confidentiality obligations in the Agreement.

2.3 Processing in accordance with EU and UK Laws. With respect to Personal Data processed by Maxyfi on Customer’s behalf as to which GDPR and/or UK GDPR applies: (a) Customer may be the controller of Personal Data or a processor and Maxyfi will act as a processor or sub-processor, as appropriate, (b) each party will comply with the obligations that apply to it under GDPR and/or UK GDPR, and (c) Maxyfi will promptly inform Customer if it becomes aware that processing requested by Customer infringes Data Protection Laws.

2.4 Processing in accordance with California Law. With respect to Personal Data processed by Maxyfi on Customer’s behalf as to which California Data Protection Law applies: (a) Maxyfi is a Service Provider and not a Third Party, (b) Maxyfi will not Sell such Personal Data, and (c) Maxyfi will not retain, use or disclose such Personal Data except as described in Section 2.1. Maxyfi certifies that it understands the prohibitions and limitations on its use of, and all other processing activities and related purposes regarding, Personal Data as set out in this DPA, and in particular in this Section 2.4, and will comply with them.

(3) Special Undertakings of Customer

Customer undertakes to:

3.1 Comply with all applicable requirements of Data Protection Laws.

3.2 Advise Maxyfi of any requirements under Data Protection Laws applicable to Customer Data other than those provided in GDPR, UK GDPR or California Data Protection Law.

3.3 Ensure that there is a legal ground for processing the Personal Data as envisioned under the Agreement.

3.4 Not instruct Maxyfi to Process Personal Data in violation of Data Protection Laws.

(4) Special Undertakings of Maxyfi

Maxyfi undertakes to:

4.1 Access by Personnel. Ensure that: (a) only Maxyfi personnel who must have access to the Personal Data in order to meet Maxyfi’s obligations under the Agreement have access to the Personal Data, (b) such personnel have received appropriate training and instructions regarding the processing of Personal Data, and (c) such personnel are subject to written agreements of confidentiality or are under an appropriate statutory obligation of confidentiality regarding Customer Data and other Customer Confidential Information.

4.2 Technical and Organizational Measures. Ensure that it has in place appropriate technical and organizational measures, without prejudice to Maxyfi’s right to make future replacements or updates to the measures that do not lower the level of protection of Personal Data, to protect against unauthorized or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, in each case as described in the Security Policy.

4.3 Data Subject Access Requests. As applicable to the Service, reasonably assist Customer in responding (at Customer’s expense) to any request from a Data Subject (including “verifiable consumer requests”, as such term is defined in California Data Protection Law) relating to the Processing of Personal Data under the Agreement.

4.4 Breach Notice. Upon becoming aware of a Breach, Maxyfi shall notify Customer without undue delay and shall provide timely information relating to the Breach as it becomes known or as is reasonably requested by Customer.

4.5 Data Protection Impact Assessments. Taking into account the nature of the Processing and the information available to Maxyfi, Maxyfi will provide reasonable assistance to and cooperation with Customer for Customer’s performance of any legally required data protection impact assessment of the Processing or proposed Processing of the Personal Data involving Maxyfi, and with related consultation with supervisory authorities, by providing Customer with any publicly available documentation for the relevant Service or by complying with Section 7 (Audit Rights). Additional support for data protection impact assessments or relations with regulators may be available and would require mutual agreement on fees, the scope of Maxyfi’s involvement, and any other terms that the parties deem appropriate.

(5) Subprocessors

5.1 Customer hereby consents to Maxyfi’s appointment of certain third-party processors of Personal Data under the Agreement (“Subprocessors”). Maxyfi’s current Subprocessors are listed below.

Company            Location   Additional Details
AWS                USA        Hosting Provider
MongoDB            USA        Hosting Provider
Amazon SES         USA        Hosting Provider
Twilio             USA        SMS, Call Processing
Fast2SMS           India      SMS Processing
InfoBIP            India      SMS Processing
WhatsApp           USA        WhatsApp Messaging
Codat              UK         Accounting Integrations
Stripe             USA        Payment Processing
Mpesa              Kenya      Payment Processing
RazorPay           India      Payment Processing
PayTM              India      Payment Processing
Google Analytics   USA        Customer Analytics
MS Clarity         USA        Customer Analytics

Maxyfi confirms that each Subprocessor is selected only after thorough scrutiny and validation of its terms, and that each Subprocessor is bound by data protection obligations that are at least as protective of Personal Data provided by Customer as those set out in this DPA.

(6) Transfer of Personal Data Outside of the EU/EEA

6.1 Consent. Maxyfi will not transfer Personal Data outside of the EU/EEA (each such transfer, a “Transfer”) without Customer’s prior written consent, except in compliance with Section 6.2 below.

6.2 Compliant Transfer Mechanisms. All transfers of Customer Personal Data by Maxyfi outside of the country of origination (if any) will be in strict compliance with the relevant provisions of the Data Protection Laws of the originating country. Where the Personal Data originates in the EU/EEA, transfers may only be made to a country that the European Commission has recognised as providing an adequate level of protection, or pursuant to an appropriate safeguard under GDPR such as the Standard Contractual Clauses (as defined in Section 1 and supplemented by Annexes A and B of this DPA) or Binding Corporate Rules. All transfers of Personal Data by Maxyfi that are not technically necessary to perform its obligations under the Agreement will be made only with the prior written consent of Customer, in strict accordance with applicable Data Protection Laws and with any contractual obligations on such transfers, provided such contractual obligations do not violate applicable Data Protection Laws.

(7) Audit Rights

On written request from Customer, Maxyfi shall provide written responses (on a confidential basis) to all reasonable requests for information made by Customer related to its processing of Personal Data, including responses to information security and audit questionnaires that are strictly necessary to confirm Maxyfi’s compliance with this DPA, provided that Customer shall not exercise this right more than once in any rolling 12-month period. Notwithstanding the foregoing, Customer may also exercise this audit right where Customer is expressly requested or required to provide this information to a data protection authority, where Maxyfi has experienced a Breach, or on another reasonably similar basis.

(8) General Terms

8.1 This DPA is part of the Agreement and is governed by its terms and conditions including limitations of liability.

8.2 This DPA will be governed by and construed in accordance with the governing law and jurisdiction provisions in the Agreement unless required otherwise by GDPR, in which case this DPA will be governed by the laws of the Republic of Ireland.

(9) Deletion of Personal Data

9.1 Following termination of the Agreement, Maxyfi will delete all Customer Personal Data subject to Processing. Maxyfi will certify in writing to Customer that it has deleted all such Personal Data from its application.

ANNEX A: DESCRIPTION OF DATA PROCESSING

The data processing activities carried out by Maxyfi under the Agreement may be described as follows:

Categories of data subjects whose personal data is transferred
  • Data subjects are (a) Customer’s personnel who use the Service by or at the direction of Customer, and (b) users of Customer’s product or service whose Personal Data Customer imports into the Service.
Categories of personal data transferred
  • The categories of Personal Data are (a) the name, email, and telephone contact information for Customer personnel who use the Service, (b) other Personal Data that users may provide to Maxyfi, and (c) contact information for users of Customer’s product or service, if Customer stores such information and imports it into the Service.
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
  • Continuous
Nature of the processing
  • Maxyfi will process Personal Data to provide the Service identified in the Agreement.
Purpose(s) of the data transfer and further processing
  • Maxyfi will transfer Personal Data to provide the Service identified in the Agreement.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
  • As described in the DPA
For transfers to (sub-) processors, also specify the subject matter, nature, and duration of the processing
  • The subprocessors referenced in the DPA provide portions of the platform used by Maxyfi to provide the Service

ANNEX B - TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES

1. System Access Controls: Maxyfi shall take reasonable measures to prevent personal data from being used without authorization. These controls shall vary based on the nature of the processing undertaken and may include, among other controls, authentication via passwords and/or two-factor authentication, documented authorization processes, documented change management processes, and/or logging of access at several levels.

2. Data Access Controls: Maxyfi shall take reasonable measures to ensure that personal data is accessible and manageable only by properly authorized staff. Direct database query access is restricted, and application access rights are established and enforced so that persons entitled to use a data processing system have access only to the personal data they are privileged to access, and so that personal data cannot be read, copied, modified or removed without authorization in the course of processing.