1. Definitions
- "Controller" means the customer who determines the purposes and means of processing personal data using the Service.
- "Processor" means Skyie Global Technologies Ltd (company number [COMPANY_NUMBER], ICO registration [ICO_REG_NUMBER]), trading as Maiekr, located at Kings Hill, West Malling, Kent, England, which processes personal data on behalf of the Controller.
- "Personal Data" means any information relating to an identified or identifiable natural person as defined in Article 4(1) of the GDPR.
- "Processing" means any operation performed on personal data, including collection, storage, modification, retrieval, and deletion.
- "Sub-processor" means any third party engaged by the Processor to process personal data on behalf of the Controller.
- "Data Protection Laws" means the UK GDPR, the EU General Data Protection Regulation (EU 2016/679), and any other applicable data protection legislation.
2. Scope and Purpose of Processing
This DPA applies to all processing of personal data that Maiekr performs on behalf of the Controller when providing the Maiekr platform (the "Service"). The purpose, nature, and duration of processing are determined by the Controller's use of the Service as described in our Terms of Service.
Categories of personal data processed may include:
- Account information (names, email addresses) of team members
- Content data included in presentations and slides
- Usage and session data (IP addresses, device information)
- Any personal data the Controller chooses to include in presentation content
3. Obligations of the Processor
Maiekr shall:
- Process personal data only on documented instructions from the Controller, including with regard to transfers of personal data outside the UK or EEA, unless required by law.
- Ensure that persons authorised to process personal data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality.
- Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as described in Section 6.
- Assist the Controller in fulfilling its obligations to respond to data subject requests (access, rectification, erasure, portability, restriction, and objection).
- Assist the Controller in ensuring compliance with obligations related to security of processing, data breach notification, data protection impact assessments, and prior consultation.
- At the Controller's choice, delete or return all personal data upon termination of the Service, and delete existing copies unless storage is required by law.
- Make available to the Controller all information necessary to demonstrate compliance with the obligations set out in this DPA.
4. Sub-processors
The Controller provides general authorisation for Maiekr to engage sub-processors. Current sub-processors include:
| Sub-processor | Purpose | Location |
|---|---|---|
| Google (Gemini API) | AI content generation | United States |
| Resend | Transactional email delivery | United States |
| Stripe | Payment processing | United States |
| Sentry | Error monitoring and performance | United States |
Maiekr shall inform the Controller of any intended changes to sub-processors by updating this page at least 30 days before the change takes effect. The Controller may object to a new sub-processor by contacting us at privacy@maiekr.com within 14 days of notification.
5. International Data Transfers
Where personal data is transferred outside the United Kingdom or European Economic Area, Maiekr ensures that appropriate safeguards are in place in accordance with Data Protection Laws. These safeguards include:
- Standard Contractual Clauses (SCCs): Approved by the European Commission (Decision 2021/914) or the UK International Data Transfer Agreement / Addendum, as applicable.
- Adequacy decisions: Where the destination country has been determined to provide an adequate level of data protection.
- Supplementary measures: Additional technical and organisational measures where required to ensure an essentially equivalent level of protection.
6. Technical and Organisational Security Measures
Maiekr implements the following measures to protect personal data:
- Encryption of data in transit using TLS 1.2 or higher.
- Password hashing using bcrypt with a minimum cost factor of 12.
- Multi-factor authentication (TOTP) available for all user accounts.
- Rate limiting and account lockout to prevent brute-force and credential-stuffing attacks.
- Cryptographic session management with signed JWT tokens.
- API key storage as irreversible SHA-256 hashes.
- Role-based access control (RBAC) with 14 granular permissions across 4 roles.
- Security headers enforced on all responses (HSTS, Content-Security-Policy, X-Frame-Options, X-Content-Type-Options).
- Audit logging of security-relevant events (login, logout, permission changes, data export, account deletion).
- Automated vulnerability monitoring and error tracking via Sentry.
7. Data Breach Notification
In the event of a personal data breach, Maiekr shall:
- Notify the Controller without undue delay and in any event within 72 hours of becoming aware of the breach.
- Provide sufficient information to enable the Controller to fulfil its obligations to notify the supervisory authority and affected data subjects, including:
  - The nature of the breach
  - Categories and approximate number of data subjects affected
  - Likely consequences of the breach
  - Measures taken or proposed to address the breach and mitigate its effects
- Cooperate with the Controller and take reasonable commercial steps to assist in the investigation, mitigation, and remediation of the breach.
8. Data Subject Rights
Maiekr provides the following self-service capabilities to assist with data subject requests:
- Right of access and portability: Users can export all personal data via Settings > Account > Export My Data (GDPR Articles 15 and 20).
- Right to rectification: Users can update their profile, name, and email through account settings.
- Right to erasure: Users can delete their account and all associated data through Settings > Account > Delete Account.
- Cookie consent: Users can manage cookie preferences through the consent banner, with granular control over analytics and marketing cookies.
For requests that cannot be fulfilled through self-service, the Controller may contact us at privacy@maiekr.com.
9. Data Retention and Deletion
Maiekr retains personal data only for as long as necessary to provide the Service or as required by law:
- Account and content data is retained while the account is active and deleted within 30 days of account deletion.
- Session data expires after 30 days and is automatically removed.
- Audit logs are retained for 90 days for security and compliance purposes.
- Password reset tokens expire after 1 hour.
Upon termination of the Service, Maiekr will delete or return all personal data within 30 days, unless retention is required by applicable law.
10. Audits and Compliance
Maiekr shall make available to the Controller, on request, all information necessary to demonstrate compliance with this DPA and applicable Data Protection Laws. Maiekr shall allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller, subject to reasonable notice, scope limitations, and confidentiality obligations. The Controller shall bear the costs of any such audit unless the audit reveals material non-compliance by Maiekr.
11. Term and Termination
This DPA shall remain in effect for the duration of Maiekr's processing of personal data on behalf of the Controller. It automatically terminates when the Controller's use of the Service ends. Obligations relating to confidentiality and data deletion survive termination.
12. Governing Law
This DPA shall be governed by and construed in accordance with the laws of England and Wales. Any disputes arising under this DPA shall be subject to the exclusive jurisdiction of the courts of England and Wales, without prejudice to any rights data subjects may have under applicable Data Protection Laws.
13. Contact
For questions about this DPA or to exercise any rights under it, please contact us:
Skyie Global Technologies Ltd, trading as Maiekr
Kings Hill, West Malling, Kent, England
Email: privacy@maiekr.com
Related Policies
- Privacy Policy — How we collect, use, and protect personal data
- Terms of Service — General terms governing use of the Service
- Cookie Policy — How we use cookies and similar technologies