
Data Processing Addendum (DPA) 

Last update: March 2026

This Data Processing Addendum ("DPA") forms part of, and is incorporated by reference into, the Terms and Conditions (or any master services agreement, order form, or engagement letter) between Maera ("Processor") and the Customer ("Controller"). It applies whenever Maera processes Personal Data on behalf of the Controller in connection with the Services, and Applicable Data Protection Laws require such terms.


1. Definitions

  • Personal Data / Customer Personal Data: Any information relating to an identified or identifiable natural person that is provided by or accessed through the Controller in connection with the Services.
  • Processing: Any operation or set of operations performed on Personal Data (collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, alignment, combination, restriction, erasure, or destruction).
  • Applicable Data Protection Laws: The EU General Data Protection Regulation (GDPR – Regulation (EU) 2016/679), UK GDPR, UAE Federal Decree-Law No. 45/2021 on the Protection of Personal Data (PDPL), California Consumer Privacy Act (CCPA/CPRA), and any other applicable data protection or privacy laws.
  • Roles: Controller = the Customer; Processor = Maera (or "Service Provider" under CCPA where applicable).


2. Scope and Application

This DPA applies only when Maera acts as Processor (or equivalent) of Customer Personal Data under Applicable Data Protection Laws. It supplements the main agreement and prevails in case of conflict on data protection matters.

3. Processor Obligations

Maera shall:

  • Process Customer Personal Data only on documented instructions from the Controller (including this DPA and the main agreement), unless required by law (in which case Maera will notify the Controller unless prohibited).
  • Ensure persons authorised to process the data are bound by confidentiality obligations.
  • Implement and maintain appropriate technical and organisational measures (as detailed in Annex 2) to ensure a level of security appropriate to the risk.
  • Assist the Controller, where reasonably requested and at the Controller’s cost, in complying with obligations regarding data subject rights, data protection impact assessments, prior consultations, and breach notifications.
  • Notify the Controller without undue delay (and in any event within 72 hours where required by GDPR) upon becoming aware of a Personal Data breach affecting Customer Personal Data.
  • At the Controller’s choice, return or delete all Customer Personal Data upon termination of the Services (except where retention is required by law), and certify such deletion/return in writing.
  • Make available information reasonably necessary to demonstrate compliance with this DPA (including through audits – see section 7).


4. Sub-processors

  • Maera maintains an up-to-date list of authorised sub-processors at maera.com/legal/sub-processors (or upon request).
  • The Controller provides general written authorisation for the use of sub-processors listed as of the date of this DPA.
  • Maera will notify the Controller of any intended addition or replacement of sub-processors at least 30 days in advance (via email or account notification). The Controller may object on reasonable grounds within 14 days; if no objection, the addition is deemed accepted.
  • Maera remains fully liable for sub-processors’ compliance.


5. International Transfers

Where Applicable Data Protection Laws restrict transfers outside the relevant territory:

  • For EU/EEA/UK: Maera relies on the EU-US Data Privacy Framework (DPF – certification where applicable), 2021 EU Standard Contractual Clauses (SCCs – Module 2: Controller to Processor), UK International Data Transfer Addendum (where applicable), and Transfer Impact Assessments (TIA).
  • For UAE (PDPL): Transfers use PDPL-permitted mechanisms (adequacy decisions, appropriate safeguards, explicit consent if required).
  • Maera will not transfer Customer Personal Data to a third country or international organisation unless compliant with Applicable Data Protection Laws.


6. Records and Assistance

Maera will maintain records of Processing activities as required under Applicable Data Protection Laws and provide them to the Controller upon reasonable request.

7. Audits

Upon reasonable advance written notice (at least 30 days), the Controller (or an independent auditor) may audit Maera’s compliance with this DPA, subject to confidentiality, reasonable scope, and no disruption to business. Maera will cooperate and provide necessary information.

8. Liability

Liability under this DPA is subject to the limitation of liability provisions in the main agreement.

9. Governing Law

This DPA is governed by the laws specified in the main agreement (State of New York, USA), without prejudice to mandatory provisions of Applicable Data Protection Laws.

Annex 1: Description of the Processing / Details of the Transfer

Data Exporter (Controller): The Customer (as identified in the Agreement).

Data Importer (Processor): Maera (New York, NY, USA).

Subject Matter of the Processing

Provision of AI Search Optimization / Generative Engine Optimization (GEO/AEO) services, including content audits, structured data/schema recommendations, entity optimization, before/after visibility reports, and related consulting to improve prominence of the Customer’s verified content in generative AI systems.

Duration of the Processing

From commencement of the relevant Services until termination of the Agreement, plus a reasonable post-termination period for return/deletion (typically up to 90 days, or longer if legally required).

Nature and Purpose of the Processing

  • Temporary storage and analysis of Customer-provided content, URLs, and query examples.
  • Application of optimization techniques (e.g., markup suggestions, content restructuring signals).
  • Generation of diagnostic reports and recommendations (using only provided data).
  • No independent data collection, scraping, generation of synthetic content, or processing beyond Controller instructions.


Types of Personal Data

Low-risk, non-sensitive categories:

  • Contact details (names, emails, phone numbers if present in content samples, metadata, or author information).
  • Website/domain information and page excerpts.
  • Search query examples provided by the Controller.
  • Any incidental personal data embedded in supplied materials (e.g., testimonials, bios).

Special categories/sensitive data: Not expected or processed unless explicitly provided by the Controller (additional restrictions apply if so).

Categories of Data Subjects

  • Employees, contractors, or representatives of the Controller.
  • Visitors/users of the Controller’s websites (if personal data appears incidentally in content/URLs).
  • Other individuals referenced in materials supplied by the Controller.


Annex 2: Technical and Organisational Measures (TOMs)

Maera implements the following measures (reviewed annually or upon material change):

  1. Pseudonymisation & Encryption
    • AES-256 encryption at rest for databases and stored files (e.g., AWS-managed keys).
    • TLS 1.3 encryption in transit for all API, web, and data transfer communications.
    • Pseudonymisation/tokenisation of identifiers in logs where technically feasible.
  2. Access Controls & Authentication
    • Role-Based Access Control (RBAC) with least-privilege principle.
    • Mandatory multi-factor authentication (MFA) for all internal accounts.
    • Unique user accounts; immediate deactivation upon role change/termination.
    • Audit logs of access retained for a minimum of 12 months.
  3. Physical & Environmental Security
    • Hosting in ISO 27001 and SOC 2-compliant cloud environments (e.g., AWS, Google Cloud).
    • Physical security via data centre controls (biometric access, 24/7 monitoring, CCTV).
  4. System Integrity & Resilience
    • Quarterly vulnerability scanning and penetration testing (internal + third-party where applicable).
    • Automated patch management for OS, dependencies, and applications.
    • Encrypted daily backups with 30-day retention; regular restore testing.
    • High-availability architecture (multi-AZ/multi-region failover).
  5. Incident Detection & Response
    • Continuous monitoring using SIEM/log analysis tools for anomalies.
    • Documented incident response plan (tested at least annually).
    • Breach notification to Controller without undue delay (≤72 hours for GDPR-reportable incidents).
  6. Confidentiality & Training
    • All personnel sign confidentiality agreements.
    • Mandatory annual security and data protection training.
    • Background screening for employees with access to Customer Personal Data.
  7. Data Minimisation & Retention Controls
    • Processing limited to what is necessary; automatic purging policies post-termination.
    • No long-term retention beyond Agreement requirements.
  8. Auditing & Continuous Improvement
    • Annual internal compliance reviews.
    • Independent third-party audits/certifications (e.g., SOC 2 Type II reports available upon NDA).


Annex 3: Standard Contractual Clauses – Module 2 (Controller to Processor)

The 2021 EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), Module 2, apply in full for restricted transfers from the EU/EEA/UK to Maera. Key provisions incorporated by reference (full text: eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32021D0915):

  • Processor must process only on documented instructions and inform if instructions infringe law.
  • Implement TOMs from Annex 2.
  • Maintain confidentiality and train personnel.
  • Assist with data subject rights, DPIAs, and breach response.
  • Notify of sub-processor changes (per section 4 above).
  • Return/delete data on termination and certify compliance.
  • Allow audits/inspections (reasonable notice, confidentiality).
  • Additional safeguards: Reliance on EU-US DPF (if certified), TIA, no conflicting third-country laws undermining protections.


SCC completion details:

  • Clause 7: Docking clause applies.
  • Clause 9: Option 2 (general written authorisation).
  • Clause 11: Optional third-party beneficiary clause not applied.
  • Clause 17: Option 1 – laws of Ireland (or another EU Member State selected by Controller).
  • Clause 18: Courts of the chosen EU Member State.


This DPA is effective upon use of the Services where Applicable Data Protection Laws require it. For questions or custom negotiations, contact support@maera.com.
