Data Processing Agreement
Effective Date: April 26, 2025 | Malya LLC
About This DPA
This Data Processing Agreement ("DPA") describes how Malya LLC processes personal data on behalf of its enterprise clients. This DPA is incorporated into and forms part of the Terms of Service, Master Services Agreement, or Statement of Work governing your engagement with Malya. Enterprise clients requiring a signed, countersigned DPA for regulatory compliance should contact legal@malya.io.
1. Definitions
- "Controller" — The Malya client that determines the purposes and means of processing personal data.
- "Processor" — Malya LLC, which processes personal data on behalf of and under the instructions of the Controller.
- "Personal Data" — Any information relating to an identified or identifiable natural person.
- "Processing" — Any operation performed on personal data, including collection, storage, use, disclosure, or deletion.
- "Sub-processor" — A third party engaged by Malya to assist in processing data on behalf of the Controller.
- "Data Breach" — A breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.
2. Scope and Roles
Malya processes Personal Data as a Processor acting under the documented instructions of the Controller (client). Malya will not process Personal Data for any purpose other than to perform the contracted services unless required by applicable law.
The subject matter, nature, and purpose of processing; the type of Personal Data; and the categories of Data Subjects are defined in the applicable SOW or service description.
3. Malya's Obligations as Processor
- Process Personal Data only on documented instructions from the Controller
- Ensure that all Malya personnel who access Personal Data are bound by confidentiality obligations
- Implement appropriate technical and organizational security measures (see Section 5)
- Assist the Controller in responding to Data Subject rights requests (access, deletion, portability, correction)
- Assist the Controller in meeting its obligations under applicable data protection laws, including breach notification
- Delete or return all Personal Data upon termination of the engagement, as instructed by the Controller
- Provide all information necessary to demonstrate compliance with this DPA upon reasonable request
4. Sub-processors
Malya uses the following approved sub-processors to deliver its services. By agreeing to this DPA, the Controller provides general authorization for Malya to engage these sub-processors:
| Sub-processor | Role | Location |
|---|---|---|
| Supabase | Database hosting, authentication, Row-Level Security | USA (AWS us-east-1) |
| Vapi | Voice AI infrastructure, call processing, transcription | USA |
| Stripe | Payment processing, subscription management | USA |
| Resend | Transactional email delivery | USA |
| n8n | Workflow automation and integrations | USA / EU (configurable) |
| Amazon Web Services | Cloud infrastructure, hosting | USA |
| Vercel | Web application hosting, CDN | USA / Global |
Malya will notify the Controller at least 14 days before adding new sub-processors or making changes that materially affect data processing. The Controller may object in writing within that period.
5. Security Measures
Malya implements the following technical and organizational security measures:
- Encryption: TLS 1.2+ for data in transit; AES-256 for data at rest
- Access Control: Role-based access control (RBAC); Row-Level Security (RLS) at the database layer; least privilege principle
- Authentication: Multi-factor authentication for internal systems; secure session management
- Audit Logging: All access to client data is logged and retained for audit purposes
- Vulnerability Management: Regular dependency scanning; security patch management; penetration testing
- Incident Response: Documented breach response plan; notification within 72 hours of confirmed breach
- Data Isolation: Client data is logically separated; no co-mingling of client datasets
- Personnel Training: Data handling training for all personnel with access to client data
6. Data Breach Notification
In the event of a confirmed Data Breach affecting Client Personal Data, Malya will notify the Controller without undue delay and, where feasible, within 72 hours of becoming aware of the breach. The notification will include: the nature of the breach, categories and approximate number of Data Subjects affected, likely consequences, and measures taken or proposed to address the breach.
7. Data Subject Rights
Malya will promptly notify the Controller of any Data Subject rights requests received directly (within 5 business days) and will assist the Controller in fulfilling such requests — including access, correction, deletion, restriction of processing, and portability — within the applicable legal timeframes.
8. Data Retention and Deletion
Upon termination or expiry of the engagement, Malya will, at the Controller's election: (a) return all Personal Data in a portable format; or (b) securely delete all Personal Data within 30 days, and provide written confirmation of deletion. Malya may retain Personal Data longer only where required by applicable law and will inform the Controller accordingly.
9. Audits and Compliance
Malya will provide the Controller with all information reasonably necessary to demonstrate compliance with this DPA. Malya will allow for and contribute to audits, including inspections, conducted by the Controller or a third-party auditor mandated by the Controller, with reasonable advance notice and subject to confidentiality obligations.
10. Contact for DPA Inquiries
Enterprise clients requiring a signed and countersigned DPA for GDPR, HIPAA, or other regulatory compliance should contact us directly. We are happy to execute a bespoke DPA as part of your enterprise engagement.
© 2026 Malya LLC. Effective April 26, 2025. This document does not constitute legal advice. Consult a licensed attorney for jurisdiction-specific compliance guidance.