Data Processing Agreement
Last Updated: Nov 07, 2024
This Data Processing Agreement (“DPA”), between (i) Customer (“Data Controller”, or "you") and (ii) Myma Digital Limited (“Data Processor”, "Myma.ai", "we", or "us") collectively known as the “Parties” and individually known as a “Party”.
1. Subject Matter
1.1. This DPA applies to the processing of personal data subject to the Data Protection Laws in the scope of the agreement between the Parties (“Service Agreement”) governing the provision of our AI Chatbot, Digital Compendium, Digital Vouchers & eGifts, and Space Booking (“Services”). This DPA shall come into effect on the date both parties have signed it. This DPA forms part of and is incorporated into the Service Agreement, and except as modified below, the terms of the Service Agreement shall remain in full force and effect. In the event of any inconsistency between the provisions of this DPA and the provisions of the Service Agreement, the provisions of this DPA shall prevail.
1.2. The term Data Protection Laws shall mean (i) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (“General Data Protection Regulation” or “GDPR”), (ii) The Privacy Act 1988 (AU), (iii) The Privacy Act 1993 No 28 (the NZ Privacy Act 2020), (iv) The Personal Data (Privacy) Ordinance (the “PDPO”) regulated by The Office of the Privacy Commissioner for Personal Data, Hong Kong, and (v) to the extent applicable to the Parties, data protection laws of any other country.
1.3. All capitalized terms that are not expressly defined in this DPA will have the meanings given to them in the Service Agreement.
2. Processing
2.1. An overview of the categories of the Personal Data, the categories of data subjects, and the nature and purposes for which the Personal Data are being processed by the Data Processor on behalf of the Data Controller are specified in Annex 1.
2.2. The Data Processor shall process Personal Data on behalf of the Data Controller and in accordance with its documented instructions, for the sole purpose of performing its obligations under the Service Agreement or as otherwise reasonably instructed by the Data Controller, and not for the Data Processor's own purposes or other commercial exploitation, and always in compliance with all applicable Data Protection Laws. If Data Processor believes an instruction violates the Data Protection Laws, Data Processor shall inform the Data Controller without undue delay.
2.3. At any time during the term of this DPA at the Data Controller’s request or upon the termination or expiration of the Service Agreement, the Data Processor shall promptly return to the Data Controller all copies, whether in written, electronic or other form or media, of the Personal Data in its possession, or securely dispose of all such copies, and certify in writing to the Data Controller that such Personal Data has been returned or disposed of securely within 7 days of the request. Data Processor shall comply with all directions provided by Data Controller with respect to the return or disposal of the Personal Data. The Data Processor shall notify all third parties supporting its own processing of the Personal Data of the termination of the DPA and shall ensure that all such third parties shall either destroy the Personal Data or return the Personal Data to the Data Controller, at the discretion of the Data Controller. This DPA shall remain in force until the termination of the Personal Data processing and the erasure of the data by the Data Processor and any sub-processors.
2.4. The Data Processor’s failure to comply with any of the provisions of this DPA shall be deemed to be a material breach of the Service Agreement. In such event, the Data Controller may terminate the Service Agreement effective immediately upon written notice to the Data Processor, without further liability or obligation on the part of the Data Controller.
3. Confidentiality and Technical and Organizational Measures
3.1. Without prejudice to any existing contractual arrangements between the Parties, the Data Processor shall treat all Personal Data as confidential and it shall inform all its employees, agents and/or approved sub-processors engaged in processing the Personal Data of the confidential nature of the Personal Data. The Data Processor shall ensure that all such persons or parties have signed an appropriate confidentiality agreement, are otherwise bound to a duty of confidentiality, or are under an appropriate statutory obligation of confidentiality. This confidentiality obligation shall survive the termination of the DPA.
3.2. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Data Processor shall implement appropriate technical and organizational measures to ensure a level of security of the processing of the Personal Data appropriate to the risk. Measures shall include, as appropriate, measures for protection against unauthorized or unlawful processing, against accidental or unlawful destruction, loss or alteration or damage, unauthorized disclosure of, or access to the Personal Data, and measures to ensure confidentiality and integrity of the Personal Data.
3.3. The Data Processor shall regularly monitor its compliance with the respective technical and organizational measures, the Data Protection Laws, and accepted industry standards or practices, and will verify this monitoring upon the Data Controller’s request. The Data Processor shall not materially decrease the overall security measures during the term of the Service Agreement.
4. Information and Audit
4.1. The Data Processor shall make available to the Data Controller on request all information necessary to demonstrate compliance with this DPA and the Data Protection Laws, and shall allow for and contribute to audits, including on-site inspections, by the Data Controller or an auditor mandated by any Data Controller in relation to the Processing of the Personal Data.
4.2. Upon Data Controller’s written request, Data Processor shall make available to the Data Controller details of technical and organizational measures implemented, all sub-processors engaged, and a copy of Data Processor’s then most recent third-party audits or certifications, as applicable.
4.3. Data Processor will provide Data Controller with full and prompt cooperation and assistance in relation to any data protection impact assessment or regulatory consultation that the Data Controller is legally required to make.
5. Sub-processors
5.1. The Data Processor shall not subcontract any of its Service-related activities consisting (partly) of the processing of the Personal Data or requiring Personal Data to be processed by any third party without the prior written authorization of the Data Controller. The Data Controller’s consent to the engagement of specific sub-processors, if applicable, shall be specified in Annex III.
5.2. If authorised by the Data Controller, the Data Processor shall enter into a written agreement with each sub-processor on terms which offer at least the same level of protection for Data Controller Personal Data as those set out in this DPA and meet the requirements of the article 28(3) of the GDPR prior to the sub-processor processing any Personal Data, and ensure that the relevant obligations (including but not limited to the information and audit rights) can be directly enforced by the Data Controller against the Data Processor’s sub-processors.
5.3. The Data Processor remains responsible for its sub-processors and liable for their acts and omissions as for its own acts and omissions and any references to Data Processor’s obligations, acts and omissions in this DPA shall be construed as referring also to the Data Processor’s sub-processors.
5.4. The Data Processor shall inform the Data Controller of any new sub-processors Data Processor intends to engage to process the Personal Data. The Data Controller may object to the engagement of any new sub-processor but shall not unreasonably withhold its consent to such appointment.
5.5. The Data Processor shall ensure that the sub-processor is bound by data protection obligations compatible with those of the Data Processor under this DPA, shall supervise compliance thereof, and must in particular impose on its sub-processors the obligation to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of Data Protection Law.
5.6. The Data Controller may request that the Data Processor audit a Third Party Sub-processor or provide confirmation that such an audit has occurred (or, where available, obtain or assist the Data Controller in obtaining a third-party audit report concerning the Third Party Sub-processor’s operations) to ensure compliance with the obligations imposed on that sub-processor by the Data Processor in conformity with this DPA.
6. Data Subject Rights
6.1. The Data Processor shall assist the Data Controller by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Data Controller’s obligations, as reasonably understood by the Data Controller, to respond to requests to exercise data subject rights under the Data Protection Laws.
6.2. The Data Processor shall promptly notify the Data Controller of any data subject requests or complaints regarding Personal Data. The Data Processor shall not respond to such requests except on the documented instructions of the Data Controller or as required by applicable laws to which the Data Processor is subject, in which case the Data Processor shall inform the Data Controller of that legal requirement before responding to the request. The Data Processor shall, upon the Data Controller’s request, use reasonable efforts to assist the Data Controller in responding to such data subject requests.
6.3. If a data subject or a supervisory authority brings a claim against Data Controller for damages suffered in relation to Data Processor’s breach of this DPA or Data Protection Laws, Data Processor shall indemnify Data Controller and its affiliates and their respective directors, officers, employees, agents and subcontractors, from and against all losses, damages, liabilities, deficiencies, actions, judgments, interest, awards, penalties, fines, costs or expenses of whatever kind, including reasonable attorneys’ fees, the cost of enforcing any right to indemnification hereunder and the cost of pursuing any insurance providers, arising out of or resulting from any third party claims against Data Controller, its affiliates and their respective directors, officers, employees, agents and subcontractors arising out of or resulting from Data Processor’s failure to comply with any of its obligations under this DPA and/or the Data Protection Law.
7. Incidents
7.1. When the Data Processor becomes aware of an incident that has a material impact on the Processing of the Personal Data that is the subject of the Service Agreement, it shall promptly notify the Data Controller about the incident, shall at all times cooperate with the Data Controller, and shall follow the Data Controller’s instructions with regard to such incidents, in order to enable the Data Controller to perform a thorough investigation into the incident, to formulate a correct response, and to take suitable further steps in respect of the incident.
7.2. The term “incident” used in Article 7.1 shall be understood to mean in any case:
(a) a complaint or a request with respect to the exercise of a data subject’s rights under Data Protection Law.
(b) an investigation into or seizure of the Personal Data by government officials, or a specific indication that such an investigation or seizure is imminent.
(c) any unauthorized or accidental access, processing, deletion, loss or any form of unlawful processing of the Personal Data.
(d) any breach of the security and/or confidentiality as set out in Article 3 of this DPA leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, the Personal Data, or any indication of such breach having taken place or being about to take place.
(e) where, in the opinion of the Data Processor, implementing an instruction received from the Data Controller would violate applicable laws to which the Data Controller or the Data Processor are subject.
7.3. The Data Processor shall at all times have in place written procedures which enable it to promptly respond to the Data Controller about an incident. Where the incident may require a data breach notification by the Data Controller under Data Protection Laws, the Data Processor shall implement its written procedures in such a way that it is in a position to notify the Data Controller without undue delay after the Data Processor becomes aware of such an incident, and in no event later than 24 hours after becoming aware of it. The local data protection authority shall also be notified of the data breach. Such notification shall as a minimum:
(a) describe the nature of the incident, the categories and numbers of data subjects and Personal Data records concerned;
(b) communicate the name and contact details of Data Processor's data protection officer or other relevant contact from whom more information may be obtained;
(c) describe the likely consequences of the incident; and
(d) describe the measures taken or proposed to be taken to address the incident including, where appropriate, measures to mitigate its possible adverse effects.
7.4. In the event of an incident the Data Processor shall (i) promptly investigate the incident, (ii) assist Data Controller with any investigation, making available all relevant records, logs, files, data reporting and other materials required to comply with applicable law, regulation, industry standards or as otherwise required by Data Controller, and (iii) as soon as possible remedy and take action to prevent any further breach. Data Processor will provide Data Controller with reasonable assistance to satisfy any legal obligations (including obligations to notify supervisory authorities or data subjects) of Data Controller in relation to the incident and reimburse actual costs incurred by Data Controller in responding to, and mitigating damages caused by, any incident, including all costs of notice and/or remediation.
8. Data Transfers
8.1. The Data Processor shall promptly notify the Data Controller of any planned permanent or temporary transfers of Personal Data to a third country, including a country outside of the European Economic Area without an adequate level of protection, and shall only perform such a transfer after obtaining authorization from the Data Controller, which may be refused at its own discretion.
8.2. Annex 1 provides a list of transfers for which the Data Controller grants its authorization upon the conclusion of this Data Processing Agreement. The Parties shall comply with the Controller-to-Processor EU Standard Contractual Clauses (“Standard Contractual Clauses”) whereby Data Controller will be regarded as the Data Exporter and the Data Processor will be regarded as the Data Importer. In addition, the Data Processor agrees to comply with all applicable Data Protection Laws in respect of such transfers. In the event of inconsistencies between the provisions of the Standard Contractual Clauses, this DPA or the Service Agreements between the parties, the Standard Contractual Clauses shall take precedence.
8.3. To the extent that the Data Controller or the Data Processor are relying on a specific statutory mechanism to normalize international data transfers and that mechanism is subsequently modified, revoked, or held in a court of competent jurisdiction to be invalid, the Data Controller and the Data Processor agree to cooperate in good faith to promptly suspend the transfer or to pursue a suitable alternate mechanism that can lawfully support the transfer without undue delay.
8.4. The Data Controller may by at least 30 (thirty) calendar days' written notice to the Data Processor from time to time make any variations to this DPA as it applies to transfers which are subject to a particular Data Protection Law, which are required, as a result of any change in, or decision of a competent authority under, that Data Protection Law, to allow those restricted transfers to be made (or continue to be made) without breach of that Data Protection Law and propose any other variations to this DPA which the Data Controller considers to be necessary to address the requirements of any Data Protection Law.
9. Jurisdiction Specific Terms
The terms specified in ANNEX IV with respect to the listed jurisdictions will apply in addition to the terms of this DPA.
10. Severance
Should any provision of this DPA be invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability while preserving the parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.
11. Counterparts
This DPA may be executed in counterparts, each of which shall be deemed an original and all of which together shall constitute one and the same document. Delivery of an executed signature page to this DPA by facsimile or electronic means (e.g. e-mail, PDF) shall be effective to the same extent as if such party had delivered a manually executed counterpart.
This DPA is entered into and becomes a binding part of the Service Agreement with effect from the date first set out above.
ANNEX I
A. LIST OF PARTIES
Unless otherwise specified below, this Annex I applies to all the Services offered by Myma.ai further described at https://www.myma.ai and https://www.getaiva.com.
Data exporter(s):
Name: Customer (as defined in the DPA)
Address: Customer's address as mentioned in the Service Agreement
Contact Person Name: Customer's contact person name as mentioned in the Service Agreement
Contact Person Position: Customer's contact person position as mentioned in the Service Agreement
Contact Person Email: Customer's contact person email as mentioned in the Service Agreement
Role (controller/processor): Controller/processor
Data importer(s):
Name: Myma Digital Limited
Address: 8 Whakatomo Place, Havelock North 4130, New Zealand
Contact Person name: Andy Dharmani
Contact Person Position: Chief Technology Officer
Contact Person Email: andy@myma.ai
Role (controller/processor): Processor
B. DATA PROCESSING DESCRIPTION
Subject Matter: Myma.ai’s provision of the Service to Customer, and related Customer support.
Purpose of the Processing: Myma.ai will process personal data submitted to, stored on, or sent via the Service for the purpose of providing the Service and related Customer support in accordance with this DPA.
AI Chatbot & Digital Compendium
Categories of data subjects whose personal data is transferred: Customer users who are prospective hotel guests, and booked hotel guests who choose to interact with the AI Chatbot and/or Digital Compendium.
Categories of personal data transferred: Personal data that is submitted to the Service by Customer users, which may include IP address, email address, and other types of identifiable data configured by Customer, subject to the restrictions in this DPA.
Digital Vouchers & eGifting
Categories of data subjects whose personal data is transferred: Customer users who choose to purchase Vouchers and eGift Cards using the Service.
Categories of personal data transferred: Personal data that is submitted to the Service by Customer users, which may include IP address, email address, and other types of identifiable data, subject to the restrictions in this DPA.
Space Booking
Categories of data subjects whose personal data is transferred: Customer users who choose to book a meeting room or other space type using the Service.
Categories of personal data transferred: Personal data that is submitted to the Service by Customer users, which may include IP address, email address, phone number, and other types of identifiable data, subject to the restrictions in this DPA.
Sensitive Data Transferred. Customer determines and controls some parts of the personal data transferred to Myma.ai, but some are needed for the Service to function. These include:
- First Name
- Last Name
- Email Address
- Phone Number
Frequency of the transfer: Continuous
Nature of the Processing: Myma.ai will perform the following basic processing activities: processing to provide the Service in accordance with the Agreement; processing to perform any steps necessary for the performance of the Agreement; and processing to comply with other reasonable instructions provided by Customer (e.g. via email) that are consistent with the terms of the Agreement.
Period for which the personal data will be retained: Throughout the Term of the Agreement plus the period from expiry of the Term until deletion of Personal Data by Myma.ai in accordance with the Agreement.
ANNEX II - SECURITY MEASURES
This ANNEX II describes the Security Measures, as applicable to each of the Services.
Organizational Controls
- Myma.ai has designated a data protection officer responsible for ensuring compliance with data protection requirements.
- Myma.ai has a formal Data Privacy/Information Security policy and procedures that cover storage, access and/or transmission of customer data, including records containing personal information.
- Myma.ai’s Data Privacy/Information Security policy is reviewed at least annually and amended as Myma.ai deems reasonable to maintain the protection of Personal Data.
- Myma.ai’s employees and any others performing work on Data Processor’s behalf are required to sign confidentiality and non-disclosure agreements.
- Myma.ai’s employees and any others performing work on Myma.ai’s behalf receive appropriate data security awareness and training, at least annually.
- Myma.ai undertakes regular audits to ensure its compliance with data protection requirements.
Physical Access Control
- Myma.ai prevents unauthorized individuals from gaining access to the Data Processor’s premises. ☒Yes ☐No
- Myma.ai restricts access to data centres/rooms where data servers are located. ☒Yes ☐No
- Myma.ai ensures that individuals who do not have access authorization (e.g. technicians, cleaning personnel) are accompanied when accessing data processing facilities. ☒Yes ☐No
- Myma.ai stores physical media containing personal data in secured areas. ☒Yes ☐No
- Myma.ai ensures secure disposal of documents containing personal data. ☒Yes ☐No
System Access Control
- Myma.ai ensures that access to systems is supported by an authentication system.
- Access to the Myma platform systems and applications is controlled by requiring unique User Login IDs and passwords for each individual user and developer.
- Shared accounts are not allowed within Myma systems or networks.
- Myma.ai ensures that all data processing systems are password protected to prevent unauthorized persons accessing any personal data.
- Myma.ai has implemented a password policy that prohibits the sharing of passwords, outlines processes after a disclosure of a password, and requires the regular change of passwords.
- Myma.ai maintains technical measures enforcing timeout of inactive sessions and lockout of accounts after multiple sequential failed login attempts.
- Myma.ai grants data access only to authorized personnel and assigns only the minimum data permissions necessary for those personnel to fulfil their duties.
- Myma.ai implements a proper procedure to deactivate user accounts when a user leaves.
System Security
- Myma.ai has authorized employees and contractors to use a Bring Your Own Device (BYOD) machine of their choosing as a workstation, and provides acceptable use requirements and procedures as well as BYOD Guidelines as part of the Acceptable Use Policy.
- Myma.ai protects against malware through malware detection and repair software, information security awareness, and appropriate system access and change management controls.
- Myma.ai encrypts personal data at rest.
- Myma.ai encrypts personal data during any transmission.
- Myma.ai ensures that each system used to process personal data runs an up-to-date malware and antivirus detection and removal solution.
- Myma.ai performs penetration testing and vulnerability assessments at least annually.
- Myma.ai enlists a qualified independent third party to perform penetration testing at least annually.
- Myma.ai remediates identified vulnerabilities or noncompliance with its security configuration requirements.
- Myma.ai has established rules for the safe and permanent destruction of data that are no longer required.
Incident Management
- Myma.ai creates back-up copies of personal data, which are stored in protected environments.
- Myma.ai has the ability to restore personal data from those back-ups.
- Myma.ai regularly performs testing of contingency plans or business recovery strategies.
- Myma.ai has an incident response plan to respond to a personal data breach.
- Myma.ai regularly tests the incident response plan, including to respond to a personal data breach.
- Myma.ai has a plan to communicate information security incidents or breaches to Myma.ai’s Customers.
ANNEX III – LIST OF SUB-PROCESSORS
The sub-processor list for the Myma.ai Service is set forth below.
Third Party
Microsoft Corporation
Address: Microsoft Headquarters One Microsoft Way Redmond, WA 98052
Purpose of processing: Cloud infrastructure services.
Sub-processor measures: https://www.microsoft.com/en-us/trust-center/product-overview
Twilio Inc. (including SendGrid)
Address: 101 Spear Street, First Floor San Francisco, CA 94105 United States
Purpose of processing: Email delivery services and LiveChat delivery services.
Sub-processor measures: https://sendgrid.com/en-us/policies/security
Google LLC (Google Cloud Platform)
Address: 1600 Amphitheatre Parkway, Mountain View, CA 94043 United States
Purpose of processing: Language translation services.
Sub-processor measures: https://cloud.google.com/trust-center
OpenAI, LLC (OpenAI)
Address: 3180 18th Street, San Francisco, CA 94110.
Purpose of processing: Generative AI
Sub-processor measures: https://openai.com/policies/data-processing-addendum/
Functional Software, Inc. d/b/a Sentry
Address: 45 Fremont Street, 8th Floor, San Francisco, CA 94105.
Purpose of processing: Log management services
Sub-processor measures: https://sentry.io/trust/
Affiliates
Book Me Bob, Inc.
Address: 103 Blake Ln, Mt Juliet, Tennessee 37122
Purpose of processing: Provides parts of the Service and related technical support
Adage Infotech Solutions Private Limited
Address: C/O Starhub Nation, F-452, Phase 8, Industrial Area, Mohali, Punjab, India
Purpose of processing: Provides parts of the Service and related technical support
Hospitality Host
Address: Hong Kong
Purpose of processing: Provides parts of the Service and related technical support
ANNEX IV – JURISDICTION SPECIFIC TERMS
1. Europe
1.1 Additional Information. You acknowledge that Myma.ai is required under European Data Protection Legislation (i) to collect and maintain records of certain information, including, among other things, the name and contact detail of each Processor and/or Controller on whose behalf we are acting and, where applicable, of such Processor’s or Controller’s local representative and data protection officer; and (ii) to make such information available to the supervisory authorities. Accordingly, if European Data Protection Legislation applies to the processing of Personal Data, you will, when requested, provide this additional information to us, and ensure that the information is kept accurate and up-to-date.
2. California
2.1 Definitions. For purposes of Section 2 (California) of this ANNEX IV:
2.1.1 “business purpose”, “commercial purpose”, “personal information”, “sell”, “service provider” and “share” have the meanings given in the CCPA.
2.1.2 The definition of “Data Subject” includes “consumer” as defined under the CCPA.
2.1.3 The definition of “Controller” includes “business” as defined under the CCPA.
2.1.4 The definition of “Processor” includes “service provider” as defined under the CCPA.
2.2 Obligations.
2.2.1 Customer is providing the Personal Data to Myma.ai under the Agreement for the limited and specific business purposes of providing the Service as described in ANNEX I to this DPA and otherwise performing under the Agreement.
2.2.2 Myma.ai will comply with its applicable obligations under the CCPA and provide the same level of privacy protection to Personal Data as is required by the CCPA.
2.2.3 Myma.ai acknowledges that Customer has the right to: (i) take reasonable and appropriate steps under Section 4 (Information and Audit) of this DPA to help to ensure that Myma.ai's use of Personal Data is consistent with Customer’s obligations under the CCPA, (ii) receive from Myma.ai notice and assistance under Section 6 (Data Subject Rights) of this DPA regarding consumers’ requests to exercise rights under the CCPA and (iii) upon notice, take reasonable and appropriate steps to stop and remediate unauthorized use of Personal Data.
2.2.4 Myma.ai will notify Customer promptly after it makes a determination that it can no longer meet its obligations under the CCPA.
2.2.5 Myma.ai will not retain, use or disclose Personal Data: (i) for any purpose, including a commercial purpose, other than the business purposes described in Section 2.2.1 of this Section 2 (California) of ANNEX IV or (ii) outside of the direct business relationship between Myma.ai with Customer, except, in either case, where and to the extent permitted by the CCPA.
2.2.6 Myma.ai will not sell or share Personal Data received under the Agreement.
2.2.7 Myma.ai will not combine Personal Data with other personal information except to the extent a service provider is permitted to do so by the CCPA.
