MaiaLearning Data Processing Addendum

(v3.0.0 - October 20, 2023)

This Data Processing Addendum (this “DPA”) is entered into by and between MaiaLearning, Inc. (“MaiaLearning”, “we”, or “us”) and the party that electronically accepts or otherwise agrees or opts-in to this DPA (“Customer”, or “you”). This DPA is effective as of the date electronically agreed and accepted by you.

You have entered into one or more agreements with us (each, as amended from time to time, an “Agreement”) governing the provision of our MaiaLearning service more fully described at www.maialearning.com (the “Service”). This DPA will amend the terms of the Agreement to reflect the parties’ rights and responsibilities with respect to the processing and security of Customer Data (as defined below) under the Agreement. If you are accepting this DPA in your capacity as an employee, consultant or agent of Customer, you represent that you are an employee, consultant or agent of Customer, and that you have the authority to bind Customer to this DPA.

Any capitalized terms not defined in this DPA shall have the meanings set forth in the Agreement.

1.) Definitions.

The following definitions apply to this DPA:

"Applicable Privacy Law" means all applicable privacy and data protection laws and regulations anywhere in the world, including, where applicable, the European Data Protection Legislation and the CCPA.

“CCPA” means the California Consumer Privacy Act of 2018 (California Civil Code §§ 1798.100 et seq.) and its regulations; as may be amended, superseded or replaced from time to time.

“Customer Data” means data you submit to, store on, or send to us via the Service.

“Data Incident” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data on systems that are managed and controlled by MaiaLearning. Data Incidents will not include unsuccessful attempts or activities that do not compromise the security of Personal Data, including, without limitation, pings, port scans, denial of service attacks, network attacks on firewall or networked systems, or unsuccessful login attempts.

"Data Privacy Framework" means the EU-U.S. Data Privacy Framework, the Swiss-U.S. Data Privacy Framework and the UK Extension to the EU-U.S. Data Privacy Framework self-certification programs (as applicable) operated by the U.S. Department of Commerce; as may be amended, superseded or replaced.

“Data Privacy Framework Principles” means the Principles and Supplemental Principles contained in the relevant Data Privacy Framework; as may be amended, superseded or replaced.

“Europe” means, for the purposes of this DPA, the member states of the European Economic Area, Switzerland and the United Kingdom.

“European Data Protection Legislation” means the data protection and privacy laws and regulations enacted in Europe and applicable to the Personal Data in question, including as applicable: (a) the GDPR; (b) the Swiss Federal Data Protection Act of 19 June 1992 and its Ordinance ("FADP"); and/or (c) in respect of the United Kingdom, the GDPR as it forms part of UK law by virtue of Section 3 of the European Union (Withdrawal) Act 2018 (“UK GDPR”) and the Data Protection Act 2018; in each case as may be amended, superseded or replaced from time to time.

“GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

“Notification Email Address” means the email address(es) that you designate to receive notifications when you create an account to use the Service. You agree that you are solely responsible for ensuring that your Notification Email Address is current and valid at all times.

“Personal Data” means any personal data or personal information (as those terms are defined by Privacy Laws) contained within Customer Data.

"Privacy Laws" means: (a) the CCPA; (b) European Data Protection Legislation, (c) COPPA; (d) FERPA; and (e) any other data protection and/or privacy laws and regulations governing MaiaLearning’s processing of Personal Data on your behalf.

“Standard Contractual Clauses” or “SCCs” means the standard contractual clauses as approved by the European Commission pursuant to its decision 2021/914 of 4 June 2021, available at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?uri=CELEX:32021D0914.

“Subprocessor” means a third party that we use to process Customer Data in order to provide parts of the Service and/or related technical support. For the avoidance of doubt, the term Subprocessor shall not include MaiaLearning employees or contractors.

“Term” means the term of the Agreement.

“UK IDTA” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner, Version B1.0, in force 21 March 2022, available at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf. Neither party can terminate the UK IDTA pursuant to Table 4 and Section 19 thereof without the written consent of the other.

The terms “personal data”, “special categories of personal data”, “data subject”, “process”, “processing”, “controller”, “processor” and “supervisory authority” have the meanings given in European Data Protection Legislation or, if not defined therein, the GDPR.

2.) Data Processing.

2.1.) Roles and Regulatory Compliance; Authorization.

2.1.1.) This DPA applies where and only to the extent MaiaLearning processes Personal Data as a processor or service provider (as defined by Privacy Laws).

2.1.2.) Roles and Responsibilities. The parties acknowledge and agree as follows: (i) that MaiaLearning will process the Personal Data as described in Annex I; (ii) that MaiaLearning is a processor of Personal Data and Customer is the controller (or a processor acting on behalf of a third party controller); (iii) if the CCPA applies to processing of Personal Data, MaiaLearning shall act solely as a service provider (as that term is defined under the CCPA) on behalf of Customer; (iv) MaiaLearning shall not retain, use or disclose Personal Data outside of its relationship with you or for any purpose other than the purposes described in this DPA, “sell” or “share” Personal Data (within the meaning of Privacy Laws), or combine Personal Data with information received directly from individuals or from other sources except as permitted by Privacy Laws; and (v) that each of us will comply with our obligations under Privacy Laws with respect to the processing of Personal Data.

2.1.3.) Authorization by Third Party Controller. If you are a processor of Personal Data acting on behalf of a third party controller: (i) you warrant to us that your instructions and actions with respect to that Personal Data, including your appointment of MaiaLearning as another processor, have been authorized by the relevant controller; and (ii) you will serve as our sole point of contact and where we would otherwise be required (including for the purposes of the Standard Contractual Clauses) to provide information, assistance or cooperation to or seek authorization from any such third party controllers, we may provide such information, assistance or cooperation to or seek such authorization from you.

2.1.4.) FERPA. To the extent Customer Data contains personally identifiable information from education records that are subject to the Family Educational Rights and Privacy Act (“FERPA”), the parties agree that MaiaLearning will be a “School Official” (as defined by FERPA) and will comply with FERPA.

2.1.5.) COPPA. If you permit students younger than 13 years of age to use the Service, you hereby consent as required by the Children’s Online Privacy Protection Act (“COPPA”) to the collection and use of Personal Data from such students as described in the MaiaLearning Educational User Privacy Policy available at https://www.maialearning.com/educational-user-privacy-policy.

2.2.) Customer instructions.

MaiaLearning shall process Personal Data in accordance with Customer’s documented lawful instructions. By entering into this DPA, you hereby authorize and instruct us to process Personal Data: (i) to provide the Service, and related technical support; (ii) as otherwise permitted or required by your use of the Service and/or your requests for technical support; (iii) as otherwise permitted or required by the Agreement, including this DPA; and (iv) as further documented in any other written instructions that are agreed by the parties. We will not process Personal Data for any other purpose, unless required to do so by applicable law or regulation. The parties agree that the Agreement (including this DPA), and your use of the Service in accordance with the Agreement, set out your complete and final processing instructions and any processing outside the scope of these instructions (if any) shall require prior written agreement between the parties. Customer shall ensure its instructions are lawful and that the processing of Personal Data in accordance with such instructions will not violate Privacy Laws. Notwithstanding the foregoing, if you are a processor of Personal Data acting on behalf of a third party controller then where legally required we are entitled to follow the instructions of such third party controllers with respect to their Personal Data.

3.) Deletion.

3.1.) Deletion During Term.
We will enable you to delete Personal Data during the Term in a manner that is consistent with the functionality of the Service. If you use the Service to delete any Personal Data in a manner that would prevent you from recovering Personal Data at a future time, you agree that this will constitute an instruction to us to delete Personal Data from our systems in accordance with our standard processes and applicable law. We will comply with this instruction as soon as reasonably practicable, but in all events in accordance with applicable law.

3.2.) Deletion When Term Expires.
When the Term expires, we will destroy any Personal Data in our possession or control. This requirement will not apply to the extent that we are required by applicable law to retain some or all of the Personal Data, in which event we will isolate and protect the Personal Data from further processing and delete in accordance with MaiaLearning's deletion practices, except to the extent required by law. You acknowledge that you will be responsible for exporting, before the Term expires, any Personal Data you want to retain after the Term expires.

4.) Data Security.

4.1.) Security Measures.
We will implement and maintain appropriate technical and organizational measures designed to protect Personal Data against Data Incidents and to preserve the security and confidentiality of Personal Data, as described in Annex II (collectively, the “Security Measures”). MaiaLearning shall ensure that any person who is authorized by MaiaLearning to process Personal Data shall be under an appropriate obligation of confidentiality (whether a contractual or statutory duty). Customer acknowledges that Security Measures are subject to technical progress and development and that accordingly we may update or modify the Security Measures from time to time, provided that such updates and modifications do not result in the degradation of the overall security of the Service.

4.2.) Data Incidents.
Upon becoming aware of a Data Incident, we will notify you promptly and without undue delay, and will take reasonable steps to minimize harm and secure Personal Data. Any notifications that we send you pursuant to this Section 4.2 will be sent to your Notification Email Address and will describe, to the extent possible and/or known to MaiaLearning, the details of the Data Incident, the steps we have taken to mitigate the potential risks, and any suggestions we have for you to minimize the impact of the Data Incident. We will not assess the contents of any Personal Data in order to identify information that may be subject to specific legal requirements. You are solely responsible for complying with any incident notification laws that may apply to you, and for fulfilling any third-party notification obligations related to any Data Incident(s). Our notification of or response to a Data Incident under this Section will not constitute an acknowledgement of fault or liability with respect to the Data Incident.

4.3.) Your Security Responsibilities.
You agree that, without prejudice to our obligations under Sections 4.1 or 4.2: (i) you are solely responsible for your use of the Service, including making appropriate use of the Service to ensure a level of security appropriate to the risk in relation to Customer Data, securing any account authentication credentials, systems, and devices you use to use the Service, and backing up your Customer Data. You understand and agree that we have no obligation to protect Customer Data that you elect to store or transfer outside of our or our Subprocessors’ systems (e.g., offline or on-premise storage). You are solely responsible for evaluating whether the Service and our commitments under this Section 4 meet your needs, including with respect to your compliance with any of your security obligations under Applicable Privacy Law, as applicable.

4.4.) Audit Rights.

4.4.1.) Audit Reports. You acknowledge that MaiaLearning is regularly audited against various information security standards by independent third-party auditors and by internal auditors. Upon request, we shall supply (on a confidential basis) a summary copy of our audit report(s), so that you can verify our compliance with the audit standards against which we have been assessed, and with this DPA. Further, we will provide written responses (on a confidential basis) to all reasonable requests for information necessary to confirm our compliance with this DPA, provided that you will not exercise this right more than once per calendar year.

4.4.2.) Independent Audits. While it is the parties’ intention to rely ordinarily on the provision of the above audit report(s) to verify our compliance with this DPA, we will allow an internationally-recognized independent auditor that you select to conduct audits to verify our compliance with our obligations under this DPA. You must send any requests for audits under this Section 4.4.2 to legal@maialearning.com. Following our receipt of your request, the parties will discuss and agree in advance on the reasonable start date, scope, duration, and security and confidentiality controls applicable to the audit. You will be responsible for any costs associated with the audit. You agree not to exercise your audit rights under this Section 4.4.2 more than once in any twelve (12) calendar month period, except (i) if and when required by a competent data protection authority; or (ii) an audit is necessary due to a Data Incident. You agree that (to the extent applicable), you shall exercise any audit rights under Applicable Privacy Law and the Standard Contractual Clauses by instructing us to comply with the measures described in this Section 4.4.

5.) Data Subject Rights; Data Export.

5.1.) Access; Rectification; Restricted Processing; Portability.
You acknowledge that the Service may, depending on the functionality of the Service, enable you to: (i) access the Customer Data; (ii) rectify inaccurate Customer Data; (iii) restrict the processing of Customer Data; (iv) delete Customer Data; and (v) export Customer Data.

5.2.) Cooperation; Data Subjects’ Rights.
To the extent that you cannot access the relevant Personal Data within the Service, we will provide you, at your expense, with all reasonable and timely assistance to enable you to respond to: (i) requests from data subjects who wish to exercise any of their rights under Applicable Privacy Law; and (ii) any other correspondence, enquiry or complaint received from a data subject, supervisory authority or other third party in connection with the processing of the Customer Data. In the event that any such request, correspondence, enquiry or complaint is made directly to us, we will promptly inform you of it, and provide you with as much detail as reasonably possible. For the avoidance of doubt, Customer is responsible for responding to data subject requests for access, correction, restriction, objection, erasure or data portability of that data subject’s Personal Data.

6.) Data Transfers.

6.1.) Data Storage and Processing Facilities.
You agree that we may, subject to Section 6.2, store and process Customer Data in the United States and any other country in which we or our Subprocessors maintain data processing operations. MaiaLearning shall ensure that such transfers are made in compliance with Applicable Privacy Law and this DPA.

6.2.) Transfers of Data out of Europe.
If the storage and/or processing of Personal Data as described in Section 6.1 involves a transfer of Personal Data subject to European Data Protection Legislation (a “Restricted Transfer”), then the parties agree to conduct such Restricted Transfers pursuant to MaiaLearning’s certification to the Data Privacy Framework, to the extent such certification permits the parties to conduct Restricted Transfers in compliance with Privacy Laws. MaiaLearning will process any Personal Data so transferred in compliance with the Data Privacy Framework Principles, as applicable. To the extent MaiaLearning’s Data Privacy Framework certification does not permit the parties to conduct Restricted Transfers in compliance with Privacy Laws, the parties agree to conduct Restricted Transfers pursuant to the Standard Contractual Clauses and UK IDTA, both of which are incorporated into and form a part of this DPA in the form attached hereto and are deemed executed by this reference, in accordance with Section 6.3.

6.3.) Standard Contractual Clauses and UK IDTA.
For the purposes of the Standard Contractual Clauses, the parties agree that (i) MaiaLearning is the “data importer” and you are the “data exporter”; (ii) the optional language in Clause 7 shall apply; (iii) in Clause 9, Option 2 will apply and the time-period for providing notice shall be as provided in this DPA; (iv) in Clause 11 the optional language will not apply; (v) in Clause 17, the Standard Contractual Clauses shall be governed by the laws of Ireland; (vi) in Clause 18, the parties agree to resolve disputes arising from the Standard Contractual Clauses in the courts of Ireland; and (vii) the Annexes or Appendices of the SCCs shall be populated with the information from Annexes I, II and III of this DPA. Restricted Transfers subject to the UK GDPR that cannot be legitimized pursuant to Section 6.2 will be conducted pursuant to the SCCs and the UK IDTA, and neither party may terminate the UK IDTA without the consent of the other. The following modifications apply to Restricted Transfers subject to the FADP: (i) the competent supervisory authority shall be the Federal Data Protection and Information Commissioner; (ii) references to “member state” will not prevent individuals in Switzerland from suing to enforce their rights in Switzerland; and (iii) references to “GDPR” will be understood as references to the FADP. It is not the intention of either party to contradict or restrict any of the provisions set forth in the Standard Contractual Clauses and, accordingly, if and to the extent the Standard Contractual Clauses conflict with any provision of the Agreement (including this DPA), the Standard Contractual Clauses shall prevail to the extent of such conflict. In particular, nothing in the DPA shall exclude the rights of third-party beneficiaries granted under the Standard Contractual Clauses.
You agree that in the event we cannot ensure compliance with the Standard Contractual Clauses, we will inform you promptly and you will provide us with a reasonable period of time to cure any non-compliance. You will reasonably cooperate with us to agree what additional safeguards or measures, if any, may be reasonably required to cure the non-compliance and will only be entitled to suspend the transfer of Personal Data and/or terminate the affected parts of the Service if we have not or cannot cure the non-compliance before the end of the cure period.

7.) Subprocessors.

7.1.) Consent to Engagement.
You authorize us to engage third parties as Subprocessors. Whenever we engage a Subprocessor, we will enter into a contract with that Subprocessor which imposes data protection terms that require the Subprocessor to protect Personal Data to an equivalent standard required under this DPA, and we shall remain responsible for the Subprocessor’s compliance with the obligations of this DPA and for any acts or omissions of the Subprocessor that cause us to breach any of our obligations under this DPA as we would for our own acts or omissions.

7.2.) List of Subprocessors.
A list of our current Subprocessors is set out in Annex III. We may update the list of Subprocessors upon thirty (30) days’ prior written notice to you, during which period you will have the opportunity to object as described in Section 7.3 below.

7.3.) Objections; Sole Remedy.
During the thirty (30) day period beginning on the date we notify you of any new or replacement Subprocessor, you have the right to object to the appointment of that Subprocessor on reasonable grounds that the Subprocessor does not or cannot comply with the requirements set forth in this DPA (each, an “Objection”). If we do not remedy or provide a reasonable workaround for your Objection within a reasonable time, you may, as your sole remedy and our sole liability for your Objection, terminate the Agreement for your convenience, and without further liability to either party. We will not owe you a refund of any fees you have paid in the event you decide to terminate the Agreement pursuant to this Section.

7.4.) Disclosure of Subprocessor agreements.
You agree that by complying with this Section 7, we fulfill our obligations under Clause 9(a) and (b) of the Standard Contractual Clauses. You further acknowledge that, for the purposes of Clause 9(c) of the Standard Contractual Clauses, we may be restricted from disclosing Subprocessor agreements to you (or the relevant third party controller) due to confidentiality restrictions. Notwithstanding this, we shall use reasonable efforts to require Subprocessors to permit us to disclose Subprocessor agreements to you and, in any event, will provide (upon request and on a confidential basis) all information we reasonably can in connection with such Subprocessor agreement.

8.) Additional Information.

You acknowledge that we are required under European Data Protection Legislation (i) to collect and maintain records of certain information, including, among other things, the name and contact detail of each processor and/or controller on whose behalf we are acting and, where applicable, of such processor or controller’s local representative and data protection officer; and (ii) to make such information available to the supervisory authorities. Accordingly, if European Data Protection Legislation applies to the processing of Personal Data, you will, when requested, provide this additional information to us, and ensure that the information is kept accurate and up-to-date.

9.) Data Protection Impact Assessment.

We will provide you with reasonable and timely assistance as you may require in order to conduct a data protection impact assessment and, if necessary, consult with the relevant data protection authority.

10.) Miscellaneous.

With the exception of the third-party beneficiary rights granted (where applicable) under the Standard Contractual Clauses, there are no third-party beneficiaries to this DPA. Except as expressly provided herein, nothing in this DPA will be deemed to waive or modify any of the provisions of the Agreement, which otherwise remains in full force and effect. Specifically, nothing in this DPA will affect any of the terms of the Agreement relating to MaiaLearning’s limitations of liability, which will remain in full force and effect. Notwithstanding the foregoing, in no event shall either party exclude or limit its liability with respect to any data subject’s rights under European Data Protection Legislation or the Standard Contractual Clauses. If you have entered into more than one Agreement with us, this DPA will amend each of the Agreements separately. In the event of a conflict or inconsistency between the terms of this DPA and the terms of the Agreement, the terms of this DPA will control. This DPA amends and supersedes any prior data processing addendum or similar agreement regarding its subject matter.

11.) Change in Applicable Privacy Law.

Notwithstanding anything to the contrary in the Agreement (including this DPA), in the event of a change in Applicable Privacy Law or a determination or order by a supervisory authority or competent court affecting this DPA or the lawfulness of any processing activities under this DPA, we reserve the right to make any amendments to this DPA as are reasonably necessary to ensure continued compliance with European Data Protection Legislation or compliance with any such orders.

Annex I

A. List of Parties

Data exporter(s):
Name: Customer (as defined in the DPA)
Address: Customer’s address (as provided by Customer in the Agreement)
Contact person’s name, position and contact details: Customer’s contact details (as provided by Customer in the Agreement)
Role (controller/processor): Controller/processor

Data importer(s):
Name: MaiaLearning, Inc.
Address: 22700 Alcalde Road, Cupertino, CA 95014, USA
Contact person’s name, position and contact details: Barry Coleman, CTO, legal@maialearning.com
Role (controller/processor): Processor

B. Data Processing Description
Subject Matter: MaiaLearning’s provision of the Service to Customer, and related technical support.
Purpose of the Processing: MaiaLearning will process personal data submitted to, stored on, or sent via the Service for the purpose of providing the Service and related technical support in accordance with this DPA.
Categories of Data Subjects: The personal data transferred concern the following categories of data subjects:

  • End users of the Service
  • Individuals whose personal data is supplied by end users of the Service

Categories of Personal Data: The personal data transferred concern the following categories of data:

  • Direct identifying information (e.g. name, email address, telephone, student number)
  • Indirect identifying information (e.g. job title, gender, date of birth)
  • Device identification data and traffic data (e.g. IP addresses, MAC addresses, web logs, browser agents)
  • Education Information (e.g. student number, transcript, reports)
  • Any personal data supplied by end users of the Service

Sensitive Data: The personal data transferred to MaiaLearning through the Service is determined and controlled by Customer. As such, Customer controls the content of the personal data transferred to MaiaLearning and is solely responsible for ensuring the legality of the categories of data it may choose to transfer to MaiaLearning. The DPA includes an express prohibition on the transfer of special categories of personal data to MaiaLearning.
Frequency of the Transfer: Continuous
Nature of the Processing: MaiaLearning will perform the following basic processing activities: processing to provide the Service in accordance with the Agreement; processing to perform any steps necessary for the performance of the Agreement; and processing to comply with other reasonable instructions provided by Customer (e.g. via email) that are consistent with the terms of the Agreement.
Period for which the personal data will be retained: Throughout the Term of the Agreement plus the period from expiry of the Term until deletion of Personal Data by MaiaLearning in accordance with the Agreement.

C. Competent Supervisory Authority
The Irish Data Protection Commissioner.

Annex II

Security Measures

MaiaLearning Security Policy

1.) Security & Compliance.

Security and compliance are top priorities for MaiaLearning because they are fundamental to your experience with the product. MaiaLearning is committed to securing your application’s data, eliminating system vulnerabilities, and ensuring continuity of access.

MaiaLearning uses a variety of industry-standard technologies and services to secure your data from unauthorized access, disclosure, use, and loss. All MaiaLearning employees undergo background checks before employment and are trained on security practices during company onboarding and on an annual basis.

Security is directed by MaiaLearning’s Chief Technology Officer and maintained by MaiaLearning’s Security & Operations team.

2.) Data Center and Network Security

a. Data Centers. MaiaLearning utilizes a third-party infrastructure provider to host the Services. This is currently Amazon Web Services, Inc. (AWS). AWS states that it is certified or audited against ISO 27001, ISO 27017, ISO 27018, PCI DSS Level 1, FIPS 140-2, SOC 1, SOC 2 and SOC 3. AWS provides all physical redundancy of systems and network infrastructure. We ensure that any future provider meets these standards.

AWS does not allow any customer, including MaiaLearning, physical access to the data centers or operations centers.

MaiaLearning enables all security features provided by AWS to protect the core infrastructure and follows AWS best practices for network and systems security within the AWS infrastructure. MaiaLearning applies all security updates to operating systems and managed applications in a timely manner. Where appropriate and possible, MaiaLearning prefers fully managed services from the infrastructure provider over internally managed services.

b. Logical Separation of environments. MaiaLearning maintains complete separation between production and development servers, with no shared infrastructure.

c. Network and Transmission. All Customer Data is encrypted in transit to and from MaiaLearning facilities when traveling over public networks, using TLS to HTTPS endpoints or SFTP endpoints. MaiaLearning keeps its encryption technologies current with industry standards and retires any protocol versions or cipher suites with known defects.

d. External Attack Surface. MaiaLearning maintains multiple layers of network services to protect its external attack surface. MaiaLearning considers potential attack vectors and incorporates appropriate technologies into externally facing systems. MaiaLearning employs AWS Virtual Private Cloud, Virtual Private Networks, Application Load Balancers, restrictive Security Groups and Web Application Firewalls from AWS and Akamai to control, monitor and restrict traffic into the application.

e. Intrusion Detection and Prevention. Unusual network patterns and suspicious behavior are among MaiaLearning’s most significant concerns for infrastructure hosting and management. MaiaLearning’s and AWS’s intrusion detection and prevention systems (IDS/IPS) rely on both signature-based and algorithmic detection to identify traffic patterns that resemble known attack methods.

IDS/IPS involves tightly controlling the size and make-up of the attack surface, employing intelligent detection controls at data entry points, and developing and deploying technologies that automatically remedy dangerous situations, as well as preventing known threats from accessing the system in the first place.

MaiaLearning does not provide direct access to security event forensics but does provide access to the customer support teams during and after any unscheduled downtime.

f. Penetration Testing. MaiaLearning undergoes annual penetration testing conducted by an independent, third-party agency. For testing, MaiaLearning provides the agency with an isolated clone of maialearning.com and a high-level diagram of application architecture. No customer data is exposed to the agency through penetration testing.

Information about any security vulnerabilities successfully exploited through penetration testing is used to set mitigation and remediation priorities. A summary of penetration test findings is available upon request to contracted customers.

g. Incident Response. MaiaLearning monitors a variety of communication channels for security incidents, and MaiaLearning's security personnel will react promptly to known incidents in accordance with MaiaLearning's Incident Management Policy.

3.) Access Control

a. Security Personnel. MaiaLearning has, and maintains, a security policy for its personnel, and requires security training as part of the training package for its personnel. MaiaLearning’s security personnel are responsible for the ongoing monitoring of the security infrastructure, the review of the Services, and responding to security incidents.

b. Access Control and Privilege Management. MaiaLearning’s administrators must authenticate themselves on the system in order to administer the Services. All administrative users must use Multi-factor Authentication via TOTP or SMS.

c. Internal Data Access Processes and Policies – Access Policy. MaiaLearning’s internal data access processes and policies are designed to prevent unauthorized persons and/or systems from gaining access to systems used to process personal data. MaiaLearning designs its systems to: (i) only allow authorized persons to access data they are authorized to access; and (ii) ensure that personal data cannot be read, copied, altered or removed without authorization during processing, use and after recording. MaiaLearning controls personnel access to production servers, and only provides access to a limited number of authorized personnel. VPNs enforcing individual user authentication and multi-factor authentication provide MaiaLearning with secure and flexible access mechanisms. These mechanisms are designed to grant only approved access rights to hosts, logs, data and configuration information. MaiaLearning requires the use of unique user IDs, strong passwords, multi-factor authentication and carefully monitored access lists to minimize the potential for unauthorized account use. The granting or modification of access rights is based on: the authorized personnel’s job responsibilities; job duty requirements necessary to perform authorized tasks; and a need-to-know basis. The granting or modification of access rights must also be in accordance with MaiaLearning’s internal data access policies and training. Access to systems is logged to create an audit trail for accountability. Where passwords are employed for authentication (e.g., login to workstations), password policies that follow at least industry standard practices are implemented. These standards include restrictions on password reuse and sufficient password strength.

d. Application Security. MaiaLearning maintains several mechanisms for protecting user credentials, starting with password login. Enhanced security measures are:

  1. Two-Factor Authentication. In addition to password login, two-factor authentication (2FA) provides an added layer of security to MaiaLearning via a time-based one-time password algorithm (TOTP). We encourage 2FA as an important step towards securing data access from intruders. MaiaLearning users can use second-factor options such as TOTP apps (e.g., Google Authenticator) or SMS. This also applies to sign-in with an SSO provider.
  2. Single Sign-On. MaiaLearning’s single sign-on (SSO) implementation prioritizes security. SSO improves user experience by streamlining login and improving access from trusted domains. MaiaLearning currently offers SSO via Microsoft Office 365 and Google.
  3. SAML 2.0. To facilitate user authentication through the web browser and improve identity management, MaiaLearning offers Security Assertion Markup Language (SAML)-based SSO as a standard feature to customers. SAML 2.0 enhances user-based security and streamlines signup and login from trusted portals to enhance user experience, access management, and auditability.

    MaiaLearning integrates with SAML 2.0 providers including OneLogin, Auth0, Microsoft AzureAD, Microsoft ADFS and Okta.
  4. REST API Authentication (API Key). MaiaLearning’s REST API uses an auth token for authentication. Authentication tokens are passed in the auth header of each request and are used to authenticate a user account with the API.

e. Email Security. The MaiaLearning service includes email messages between users, email notifications from the system and reports. Sender Policy Framework (SPF) is a system to prevent email address spoofing and minimize inbound spam. Our SPF records are published through Akamai, our domain name service (DNS) provider, and Domain-based Message Authentication, Reporting, and Conformance (DMARC) is set up with monitoring reports to reduce the possibility of phishing scams.

f. Audit Controls. We know user administration is central to security and management, and auditing user logs is often the first step in both an emergency response plan and policy compliance requirements. All MaiaLearning customers get admin controls governing identity, access, and usage to keep your data safe, secure, and centrally managed.

Membership within MaiaLearning is handled at the district and school level. The system is designed so that each user has a single account that can be used within a single district organization. Each MaiaLearning user should have their own account and can choose their own personal preferences and notification settings. Access to organizations is dictated by role:

  1. Student
  2. Parent
  3. Teacher
  4. Counselor
  5. School Admin
  6. District Admin

For any organization in MaiaLearning, the site administration portal is the hub for seeing and managing users. The member list includes the email, status and role for each user. The admin can revoke access and change the user role. Additionally, the admin can request login history and revoke passwords for any user via request to MaiaLearning Support.

4.) Data

  1. Data into system. The MaiaLearning application accepts Service Data into the system either through TLS to an HTTPS endpoint, or via TLS to an SFTP endpoint. All data is AES-256 encrypted, both in transit over public networks and at rest. MaiaLearning utilizes the latest version of TLS and disables older versions where practical while continuing to support modern browser versions.
  2. Data through system. MaiaLearning stores Service Data at rest in encrypted storage. All file stores and database stores employ encryption on the underlying storage using at least AES-256 encryption algorithms. All data back-ups are encrypted using the same mechanisms.
  3. Data out of system. MaiaLearning data can be extracted through the MaiaLearning application and is downloaded over TLS to an HTTPS endpoint, or via TLS to an SFTP endpoint. All data is AES-256 encrypted, both in transit and at rest. The application provides both web download and API access to Service Data.

    MaiaLearning’s latest SSL Labs Report can be found here.
  4. Data Isolation and Logging. MaiaLearning stores data in a multi-tenant environment at MaiaLearning's hosting provider. We logically isolate the Customer’s data, and the Customer will be given control over their specific data access policies for its users. Those policies, in accordance with the functionality of the Services, will enable the Customer to determine the data access settings applicable to end users for specific purposes. The Customer may choose to make use of certain logging capabilities that MaiaLearning may make available via the Services.
  5. Data Backup and Recovery. As appropriate, and based on application, operational or system requirements, all data stores, especially database data stores, are maintained with an online duplicate system that can be swapped in upon failure of the primary data store. All database systems are snapshotted on a regular schedule to ensure recovery should primary and standby database systems become lost or corrupted.
  6. Data Retention. MaiaLearning retains all Service Data for the term of the contract and in accordance with the Agreement and legal requirements.
  7. Data Removal. All customer data stored on MaiaLearning servers is eradicated upon a customer’s termination of service and deletion of account within 45 days of termination, as specified in the Agreement, or as required by applicable law.

5.) Business Continuity and Disaster Recovery

  1. High Availability. Every part of the MaiaLearning service uses properly provisioned, redundant servers (e.g., multiple load balancers, web servers, replica databases) in the case of failure. As part of regular maintenance, servers are taken out of operation without impacting availability.
  2. Business Continuity. MaiaLearning keeps continuous point-in-time as well as daily encrypted backups of data in multiple regions on AWS. While never expected, in the case of production data loss (i.e., primary data stores lost), we will restore organizational data from these backups.
  3. Disaster Recovery. In the event of a region-wide outage, MaiaLearning will bring up a duplicate environment in a different AWS region.

6.) Corporate Security

a. Code of Conduct. MaiaLearning personnel are required to conduct themselves in a manner consistent with the company’s guidelines regarding confidentiality, business ethics, appropriate usage, and professional standards. MaiaLearning conducts reasonably appropriate background checks to the extent legally permissible and in accordance with applicable local labor law and statutory regulations.

b. Confidentiality. Personnel are required to execute a confidentiality agreement and must acknowledge receipt of, and compliance with, MaiaLearning’s confidentiality and privacy policies. Personnel are provided with security training. Personnel handling customer data are required to complete additional requirements appropriate to their role. We will not process customer data without authorization.

c. Malware Protection. At MaiaLearning, we believe that good security practices start with our own team, so we go out of our way to protect against internal threats and local vulnerabilities. All company-provided workstations run Kandji for inventory management, which enables and enforces full-disk encryption, screen lock, and other security features.

d. Risk Management. MaiaLearning follows the risk management procedures outlined in NIST SP 800-30, which include nine steps for risk assessment and seven steps for risk mitigation.

All MaiaLearning product changes must go through code review, CI, and build pipeline to reach production servers. Only designated employees on MaiaLearning’s operations team have secure shell (SSH) access to production servers.

We perform testing and risk management on all systems and applications on a regular and ongoing basis. New methods are developed, reviewed, and deployed to production via pull request and internal review. New risk management practices are documented and shared via staff presentations on lessons learned and best practices.

MaiaLearning performs risk assessments throughout the product lifecycle per the standards outlined in HIPAA Security Rule, 45 CFR 164.308:

  1. Before the integration of new system technologies and before changes are made to MaiaLearning physical safeguards
  2. While making changes to MaiaLearning physical equipment and facilities that introduce new, untested configurations
  3. Periodically as part of technical and non-technical assessments of the security rule requirements as well as in response to environmental or operational changes affecting security

e. Contingency Planning. The MaiaLearning operations team includes service continuity and threat remediation among its top priorities. We keep a contingency plan in case of unforeseen events, including risk management, disaster recovery, and customer communication sub-plans that are tested and updated on an ongoing basis and thoroughly reviewed for gaps and changes at least annually.

f. Security Policies. MaiaLearning maintains an internal wiki of security policies, which is updated on an ongoing basis and reviewed annually for gaps. The specific security policies include:

  1. Information Security
  2. Risk Management
  3. Security Incident Response
  4. Vulnerability Management
  5. Policy Management and Maintenance
  6. Data Request
  7. Change Management
  8. System Access

g. Background Checks. MaiaLearning conducts background checks for all new hires, including verification on the following:

  1. Identity verification
  2. Global watchlist check
  3. National criminal records check
  4. County criminal records check
  5. (U.S. only) Sex offender registry check

h. Security Training. All new employees receive onboarding and systems training, including environment and permissions setup, formal software development training (if pertinent), security policies review, company policies review, and corporate values and ethics training.

All engineers review security policies as part of onboarding and are encouraged to review and contribute to policies via internal documentation. Any change to policy affecting the product is communicated as a pull request, such that all engineers can review and contribute before internal publication. Major updates are communicated via email to all MaiaLearning employees.

7.) Sub-processor Security

  1. Onboarding. Before onboarding Sub-processors, MaiaLearning conducts an audit of the security and privacy practices of Sub-processors to ensure Sub-processors provide a level of security and privacy appropriate to their access to data and the scope of the services they are engaged to provide.
  2. Contractual Obligation. Once we have assessed the risks presented by the Sub-processor, the Sub-processor is required to enter into appropriate security, confidentiality and privacy contract terms as described in Section 11.3 of the Data Processing and Security Terms.

8.) External audit and assessment

  1. External Audit. MaiaLearning participates in an annual independent third-party systems and security audit. The audit produces recommendations for changes to security settings and practices. MaiaLearning remediates these recommendations and a final audit is completed before issuance of the final security audit report. We make this audit report available to Customers that request it under strict confidentiality.
  2. Third Party Audit. AWS undergoes various third-party independent audits regularly and can provide verification of compliance controls for its data centers, infrastructure, and operations. This includes, but is not limited to, ISO 27001, ISO 27017, ISO 27018, PCI DSS Level 1, FIPS 140-2, SOC 1, SOC 2 and SOC 3.

9.) Development

  1. MaiaLearning practices continuous delivery, which means all code changes are committed, tested, shipped, and iterated on in a rapid sequence. A continuous delivery methodology, complemented by pull requests, continuous integration (CI), and automated error tracking, significantly decreases the likelihood of a security issue and improves the response time to and the effective eradication of bugs and vulnerabilities.
  2. Our development team employs secure coding techniques and best practices, focused around the OWASP Top Ten. Developers are formally trained in secure web application development practices upon hire and annually.
  3. Development, testing, and production environments are separated. All changes are peer reviewed and logged for performance, audit, and forensic purposes prior to deployment into the production environment.
  4. Development practices default to making data available to users under the principle of least privilege. Access control is applied to all application layers and application programming interfaces.

10.) Incident Response Management

  1. MaiaLearning maintains security incident response policies and procedures covering the initial response, investigation, customer notification (no less than as required by applicable law), public communication, and remediation. These policies are reviewed and tested regularly.

11.) Disclosure Policy

MaiaLearning follows the incident handling and response process recommended by SANS, which includes identifying, containing, eradicating, recovering from, communicating, and documenting security events. MaiaLearning notifies customers of any data breaches as soon as possible via email or phone call, followed by multiple periodic updates throughout each day addressing progress and impact. MaiaLearning service plans may include a dedicated customer success manager who holds responsibility for customer communication, as well as regular check-ins and escalations.

12.) Vulnerability Disclosure

Anyone can report a vulnerability or security concern with a MaiaLearning product by contacting security@maialearning.com and including a proof of concept, a list of tools used (including versions), and the output of the tools. We take all disclosures very seriously, and once we receive a disclosure we rapidly verify each vulnerability before taking the necessary steps to fix it. Once verified, we periodically send status updates as problems are fixed.

Annex III

List of Subprocessors