01 Roles and Application
This Data Processing Agreement ("DPA") applies between you ("Customer", "Controller") and Maximo AI LTD, a company registered in Nigeria with CAC number RC - 8496452 ("MyTabulon", "Processor", "we"). It is incorporated into and forms part of the MyTabulon Terms and Conditions whenever you use the platform to process personal data about other people.
For personal data you enter, upload, import, or generate about your own clients, customers, leads, employees, vendors, and contacts, you act as the controller and MyTabulon acts as the processor that handles that data on your documented instructions. For data we determine the purpose and means of — such as your account, billing, security, and platform-operation data — Maximo AI LTD acts as an independent controller, governed by our Privacy Policy.
If a term in this DPA conflicts with the Terms and Conditions on the subject of personal-data processing, this DPA controls. All other terms remain in force.
02 Subject Matter, Duration, Nature, and Purpose
The subject matter of the processing is the personal data contained in the workspace content you submit to MyTabulon. The duration is the period of your subscription or account, plus any limited retention permitted under the Terms and our Privacy Policy.
The nature and purpose of the processing is to provide the MyTabulon platform and the features you enable — including CRM, customers, leads, invoices, quotes, payments, accounting, payroll, inventory, files, tasks, approvals, dashboards, notifications, messaging integrations, automations, and Maximo AI — together with hosting, security, backup, support, and service operation.
03 Categories of Data and Data Subjects
The categories of personal data and data subjects are determined by you, because you decide what to enter into your workspace. They typically include:
- Data subjects such as your clients, customers, leads, prospects, employees, contractors, vendors, and other business contacts.
- Identity and contact data such as names, emails, phone numbers, addresses, company roles, and profile details.
- Commercial data such as invoices, quotes, payment records, order history, account balances, and communication logs.
- Employment and payroll data where you use HR or payroll features, such as roles, pay records, and related identifiers.
- Content and files you upload, plus prompts, notes, and records processed by Maximo AI at your request.
You must not use MyTabulon to process special-category or high-risk personal data unless you have a valid lawful basis and have implemented any safeguards the law requires. You remain responsible for the legality of the data you submit.
04 Our Obligations as Processor
When we process personal data on your behalf, Maximo AI LTD will:
- Process the data only on your documented instructions, including this DPA, the Terms, your in-product configuration, and the features you enable — unless we are required to act otherwise by applicable law, in which case we will inform you where legally permitted.
- Ensure that personnel authorized to process the data are bound by appropriate confidentiality obligations.
- Implement and maintain the technical and organizational security measures described in Annex A below.
- Engage sub-processors only under the conditions in the Sub-processors section, and impose data-protection obligations on them that are substantially similar to those in this DPA.
- Taking into account the nature of the processing, assist you with appropriate technical and organizational measures, insofar as possible, in responding to data-subject requests to exercise their rights.
- Assist you in ensuring compliance with your security, breach-notification, data-protection-impact-assessment, and prior-consultation obligations, taking into account the information available to us.
- At your choice, delete or return personal data after the end of the provision of services, except where retention is required by law, as described in the Return and Deletion section.
- Make available information reasonably necessary to demonstrate compliance with these obligations, subject to the Audits section.
05 Your Obligations as Controller
As the controller, you are responsible for the lawfulness of the personal data you process through MyTabulon. You will:
- Establish and maintain a valid lawful basis for processing, including any consents, notices, or permissions your data subjects require.
- Provide your clients, employees, vendors, and other contacts with any privacy notices required by law for data you enter into MyTabulon.
- Issue instructions that comply with applicable data-protection law, and configure workspace roles, permissions, sharing, and retention appropriately.
- Respond to data-subject requests and regulator enquiries directed to you as the controller, using the tools and assistance MyTabulon provides.
- Promptly inform us if you can no longer comply with your obligations under applicable data-protection law.
06 Sub-processors
You give general authorization for MyTabulon to engage sub-processors to help deliver the service — for example, cloud hosting, databases, file and object storage, email and notification delivery, payment processing, security and logging, AI infrastructure, and customer support providers.
We impose data-protection obligations on each sub-processor that are substantially similar to those in this DPA, and we remain responsible to you for a sub-processor's performance of its obligations. We maintain a current list of sub-processors and will provide it on request to privacy@mytabulon.com.
Where we intend to add or replace a sub-processor that processes your personal data, we will give you reasonable prior notice through the product, by email, or via our sub-processor list. If you have a reasonable, data-protection-based objection, you may raise it with us, and where we cannot accommodate it you may stop using the affected feature or terminate the affected service as your remedy.
07 International Transfers
MyTabulon and our sub-processors may process personal data in Nigeria and in other countries where we or they operate. Some of those countries may have data-protection rules that differ from those in your location.
Where we transfer personal data across borders, we use appropriate transfer safeguards consistent with the Nigeria Data Protection Act 2023 and, where relevant, other applicable laws. These safeguards may include adequacy or whitelisting determinations, binding contractual commitments such as standard contractual clauses or their equivalent, transfer-impact assessments, encryption in transit, access controls, and other organizational measures. See our NDPR and Nigerian Data Protection page for more detail.
08 Annex A: Security Measures
Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, we implement technical and organizational measures designed to ensure a level of security appropriate to the risk. These measures may evolve as we improve the platform, but we will not materially reduce overall protection during your subscription.
- Access control: role-based access, least-privilege principles, authentication controls, session management, and internal access restrictions.
- Encryption and transport security: encryption of data in transit and protection of stored credentials, including password hashing.
- Network and application security: request routing controls, rate limiting, input validation, and protections against common web and abuse vectors.
- Monitoring and logging: security and audit events, error logging, and anomaly detection to support incident response.
- Resilience and recovery: backups, redundancy where applicable, and processes to restore availability after an incident.
- Organizational measures: confidentiality obligations for personnel, change-management practices, vendor due diligence, and incident-response procedures.
09 Personal Data Breach
We maintain procedures to detect, investigate, and respond to personal-data breaches. On becoming aware of a personal-data breach affecting your data, we will notify you without undue delay and provide information reasonably available to us to help you meet your own notification obligations to regulators and data subjects.
Our notification is not an acknowledgement of fault or liability. You remain responsible for assessing and making any notifications required of you as the controller, including to the Nigeria Data Protection Commission where applicable.
10 Audits and Compliance
We will make available to you information reasonably necessary to demonstrate compliance with this DPA. To the extent audits are required by applicable data-protection law, we will allow for and contribute to audits, including inspections, conducted by you or an independent auditor you mandate.
Audits must be carried out on reasonable prior written notice, no more than once per year unless required by a regulator or following a confirmed breach, during business hours, in a way that does not disrupt our operations or compromise the confidentiality and security of other customers' data. Where available, we may satisfy audit requests by providing current certifications, summaries, security documentation, or third-party reports.
11 Return and Deletion
On termination or expiry of the service, or on your written request, we will delete or return personal data processed on your behalf, at your choice, except to the extent that applicable law requires us to retain it.
Deletion may be subject to a reasonable wind-down period and to standard backup cycles, during which residual copies are protected and inaccessible for ordinary use until they are overwritten or expire. You can also use available in-product controls to export and delete records during your subscription.
12 Liability
Each party's liability arising out of or related to this DPA is subject to the limitations and exclusions of liability set out in the Terms and Conditions. This DPA does not increase a party's aggregate liability beyond those limits, except where applicable data-protection law does not permit such a cap.
13 Governing Law
This DPA is governed by the laws of the Federal Republic of Nigeria and read together with the MyTabulon Terms and Conditions. Where another mandatory data-protection law applies to a specific transfer or data subject, the relevant requirements of that law apply to that processing.
14 Contact and Execution
This DPA takes effect automatically when you accept the Terms and use MyTabulon to process personal data, and no separate signature is required. If your organization needs a counter-signed copy or a customized DPA for procurement, contact privacy@mytabulon.com and we will work with you where reasonable.
Data-protection contact: privacy@mytabulon.com. Maximo AI LTD, registered in Nigeria, CAC number RC - 8496452.