Data Processing Addendum (DPA)
Last updated: October 2, 2025
This DPA applies when Maximum Labs processes personal data on behalf of a client under a services agreement. It forms part of the applicable SOW/Master Agreement.
1) Roles & Scope
Client is the controller and Maximum Labs is the processor. Processing is limited to the subject‑matter and duration described in the SOW, for the purposes of delivering the Services.
2) Processor Obligations
- Process personal data only on documented instructions from Client.
- Ensure personnel are bound by confidentiality.
- Implement appropriate technical and organizational security measures.
- Assist Client with data subject requests and DPIAs, as appropriate.
- Delete or return personal data upon termination, unless law requires storage.
3) Sub‑processors
Maximum Labs may use sub‑processors for hosting, infrastructure, or tooling. We will maintain appropriate contracts (including DPAs) and remain responsible for sub‑processors’ obligations. On request, we will provide a current list of sub‑processors.
4) International Transfers
For transfers from the EEA/UK, Maximum Labs will use appropriate safeguards (e.g., Standard Contractual Clauses and the UK Addendum) and implement supplementary measures as needed.
5) Security
We use administrative, technical, and organizational measures proportionate to risk (including access control, encryption in transit where feasible, and logging). Details may vary by engagement and architecture.
6) Breach Notification
We will notify Client without undue delay after becoming aware of a personal data breach affecting Client personal data, and will provide information reasonably necessary for Client to meet its obligations.
7) Audits
On reasonable written notice, and no more than once per year, Client may audit our compliance (including via questionnaire or remote review). On‑site audits may be conducted during business hours and must not unreasonably disrupt operations.
8) Order of Precedence
To the extent of conflict, the SOW/Master Agreement controls, then this DPA. Local law‑mandated terms are incorporated where required.
9) Contact
For privacy and data processing questions, contact legal [at] maximumlabs.com or privacy [at] maximumlabs.com.
Need a signed copy? We can execute a mutually signed DPA alongside your SOW without requiring a PDF download from the site. Request one at legal@maximumlabs.com.