MapleMapleBack to home

Legal

Data Processing Addendum

Last updated: 21 April 2026

This Data Processing Addendum (“DPA”) forms part of the agreement between MAPLE AI (ABN 60 486 796 983) and the customer organisation (“Customer”) that subscribes to or uses the Maple platform. It sets out how Maple processes personal data on the Customer's behalf.

In plain English: you're the data controller, we're the processor, we only use the data to run the service for you, we list the subprocessors we use, and we tell you promptly if anything goes wrong.

1. Roles

In processing Customer personal data under the agreement, the Customer is the data controller (or equivalent role under applicable law) and Maple is the data processor. Each party will comply with its obligations under applicable data protection laws, including the Privacy Act 1988 (Cth) and the Australian Privacy Principles.

2. Scope and purpose

Maple will process Customer personal data only:

  • To provide, secure, and improve the service as described in the agreement.
  • In accordance with the Customer's documented instructions.
  • As required by law, in which case Maple will inform the Customer first unless prohibited from doing so.

3. Categories of data and data subjects

The types of personal data processed and categories of data subjects are determined by the Customer. They typically include:

  • Data subjects: the Customer's staff, tenants, landlords, and contractors who interact with the service.
  • Personal data: names, contact details, property addresses, call and message content and transcripts, and metadata associated with communications.

4. Subprocessors

The Customer authorises Maple to engage the following subprocessors to assist in delivering the service:

  • Twilio: voice and SMS telephony.
  • Amazon Web Services: application hosting and infrastructure.
  • Anthropic: AI language model processing.
  • OpenAI: AI language model processing.
  • Postmark: transactional email delivery.

Each subprocessor is bound by written obligations that are substantially similar to those in this DPA. Maple will give the Customer advance notice of any new subprocessor and a reasonable opportunity to object on legitimate grounds. If the parties cannot resolve an objection, the Customer may terminate the affected part of the service.

5. Security

Maple will maintain appropriate technical and organisational measures to protect Customer personal data against unauthorised or unlawful processing and against accidental loss, destruction, or damage. These measures include:

  • Encryption of personal data in transit and at rest.
  • Role-based access controls and principle-of-least-privilege access for staff.
  • Audit logging of access to production systems.
  • Regular review of vendors and internal security practices.
  • A documented incident response process.

6. Personnel

Maple ensures that personnel authorised to process Customer personal data are subject to appropriate confidentiality obligations and receive training on data protection.

7. Personal data breach

Maple will notify the Customer without undue delay, and in any event within 72 hours, after becoming aware of a personal data breach affecting Customer personal data. Notification will include the information reasonably available to Maple at that time, and Maple will provide updates as more information becomes available. Maple will assist the Customer in meeting its notification obligations under the Notifiable Data Breaches scheme and comparable laws.

8. Data subject requests

Maple will assist the Customer, taking into account the nature of the processing, in responding to requests from data subjects to access, correct, delete, or restrict processing of their personal data. Where Maple receives a request directly from a data subject, it will forward the request to the Customer and not respond on the Customer's behalf unless instructed.

9. International transfers

Some subprocessors listed in this DPA operate outside Australia, including in the United States. Where Customer personal data is transferred overseas, Maple takes reasonable steps to ensure the recipient is bound by obligations comparable to the Australian Privacy Principles.

10. Return or deletion of data

On termination or expiry of the agreement, Maple will, at the Customer's option, return Customer personal data in a commonly used format, or delete it, within the timeframe set out in the Privacy Policy. Maple may retain data where required by law or in anonymised form.

11. Audits

Maple will make available the information reasonably necessary to demonstrate compliance with this DPA, including relevant certifications and summaries of third-party audits. A Customer may, with reasonable prior notice and at its own cost, conduct an audit of Maple's compliance with this DPA once per year, during business hours, and in a way that does not unreasonably disrupt Maple's operations.

12. Liability

The liability of each party under this DPA is subject to the limitations and exclusions of liability in the agreement.

13. Term

This DPA is effective from the start of the agreement and continues until all Customer personal data has been deleted or returned in accordance with section 10.

14. Governing law

This DPA is governed by the laws of New South Wales, Australia. Each party submits to the exclusive jurisdiction of the courts of New South Wales.

15. Contact

For data protection questions or to exercise any right under this DPA, email sunny@maplemanage.com.

Questions about this document? Email sunny@maplemanage.com.

MAPLE AI · ABN 60 486 796 983 · Sydney, Australia