
Data Processing Agreement

Version 2.1 · Effective March 2026 · Mango Technologies Ltd. · DIFC CL5222

This Data Processing Agreement governs how Mango Technologies Ltd. (DIFC CL5222) processes personal data on behalf of its users, and how sub-processors process that data under instruction from maivis.

This agreement applies to: maivis users (individuals and families), and any B2B entity or organisation integrating with maivis.

Controller: Mango Technologies Ltd., DIFC Innovation Hub, Gate Avenue, Dubai, UAE. Licence CL5222.

Data Protection Officer: dpo@maiviswealth.com

To request a signed DPA for your organisation: privacy@maiviswealth.com

1. Scope and Definitions

This agreement covers all personal data processed by Mango Technologies Ltd. in the operation of the maivis platform at maiviswealth.com. Personal data means any information relating to an identified or identifiable natural person, as defined under the DIFC Data Protection Law 2020.

Data Controller:
Mango Technologies Ltd. determines the purposes and means of processing.
Data Processor:
A third-party service provider that processes personal data under instruction from Mango Technologies Ltd.
Data Subject:
An individual whose personal data is processed, including maivis users, family members, and subscribers.

2. Data Controller

Mango Technologies Ltd.

DIFC Innovation Hub, Gate Avenue, Dubai, UAE

DIFC Commercial Licence: CL5222

Privacy contact: privacy@maiviswealth.com

Data Protection Officer: dpo@maiviswealth.com

3. Sub-Processors

The following sub-processors process personal data under instruction from Mango Technologies Ltd. Mango Technologies maintains a current sub-processor list and provides 30 days' notice of material changes.

Google Cloud Platform (Google LLC)

Purpose: Infrastructure: Cloud SQL (database), Cloud Run (compute), Cloud KMS (encryption), Cloud Storage, Firebase Authentication, Firebase Analytics, Cloud Functions, Vertex AI (Gemini models)
Data location: UAE (me-central1), India (asia-south1), USA (us-east1), UK (europe-west2). Jurisdiction-matched per user residency.
Data categories: All user data including identity, financial, encrypted documents, authentication credentials
Transfer mechanism: GCP Cloud Data Processing Addendum with EU Standard Contractual Clauses and UK IDTA
Security: ISO 27001, SOC 2 Type II, AES-256 at rest and in transit, CMEK via Cloud KMS

Stripe, Inc. (Stripe, Inc.)

Purpose: Payment processing for maivis subscriptions ($29/month or $250/year)
Data location: United States (Stripe infrastructure)
Data categories: Billing name, email address, billing address, subscription metadata. Card data processed under Stripe's own PCI DSS controllership. maivis never receives raw card numbers.
Transfer mechanism: Stripe Data Processing Agreement with EU Standard Contractual Clauses and EU-US Data Privacy Framework
Security: PCI DSS Level 1, SOC 2 Type II, 3D Secure 2, tokenised storage

Lean Technologies (Lean Technologies (UAE))

Purpose: Read-only UAE bank account aggregation via CBUAE Open Finance Framework
Data location: UAE (Lean infrastructure, G42 UAE)
Data categories: Bank account identifiers, balances, transaction history, authentication certificates
Transfer mechanism: Manual DPA with DIFC Standard Contractual Clauses. Lean holds CBUAE Innovative Payment Authorisation.
Security: ADGM FSRA licensed, certificate-based API authentication

Setu / Finvu AA (Setu / Finvu AA (India))

Purpose: RBI Account Aggregator framework. Consent-based read-only access to Indian financial data.
Data location: India (asia-south1 GCP only, per RBI data localisation requirement)
Data categories: Bank accounts, UPI transactions, mutual fund and insurance data, consent artifacts
Transfer mechanism: Manual DPA with DIFC SCCs. Governed by RBI AA Master Directions and DPDPA 2023.
Security: End-to-end encryption, consent-gated access, RBI-regulated

Plaid, Inc. (Plaid, Inc. (US / UK / Canada))

Purpose: Read-only banking aggregation via Plaid Link OAuth for US, UK, and Canadian accounts
Data location: United States (Plaid infrastructure)
Data categories: Bank account identifiers, balances, transaction history, encrypted authentication tokens
Transfer mechanism: Plaid Data Processing Addendum with EU SCCs, UK SCCs (IDTA), and DIFC SCCs for UAE transfers
Security: SOC 2 Type II, bank-grade encryption, Plaid Link OAuth, Data Transparency Messaging

Anthropic, PBC (Anthropic, PBC (US))

Purpose: AI analysis via Claude models for portfolio analysis and financial insights
Data location: United States (Anthropic infrastructure)
Data categories: Anonymised financial category data, aggregated percentages, and trend analysis only (no PII, account details, or personal identifiers)
Transfer mechanism: Anthropic Commercial Terms DPA with EU Standard Contractual Clauses; Zero-Data-Retention (ZDR) requested
Security: API-only access, no training on customer data, PII gateway filtering pre-transmission

Perplexity AI (Perplexity AI (US))

Purpose: Real-time market intelligence and asset validation for portfolio context
Data location: United States (Perplexity infrastructure)
Data categories: Anonymised asset classes, market conditions, and aggregate allocation percentages only (no PII or family financial details)
Transfer mechanism: Perplexity Standard DPA with EU Standard Contractual Clauses; market-only queries (no personal data)
Security: Query-level PII filtering, no personal data transmission, generic market context only

4. Data Subject Categories

maivis processes data belonging to: registered users (adults, age 18+); family members added by the account administrator; paying subscribers. maivis does not knowingly process data relating to children under 18.

5. Data Retention

Financial data: seven years (UAE Commercial Transactions Law). Identity data: account lifetime plus three years. Authentication logs: 90 days rolling. Encrypted vault documents: retained until explicit deletion request. Users may request deletion at any time: privacy@maiviswealth.com. Deletion is actioned within 30 days under Article 19 of DIFC Data Protection Law 2020.

6. International Transfers

Personal data is transferred internationally only where a lawful transfer mechanism exists. Mechanisms in use: EU Standard Contractual Clauses (EU SCCs 2021), UK International Data Transfer Agreement (IDTA), DIFC Standard Contractual Clauses, and adequacy decisions where applicable. Data is stored in the jurisdiction matching the user's residence by default and does not leave that jurisdiction without the user's consent.

7. Security Measures

AES-256-GCM encryption for all data at rest and in transit. Zero-knowledge architecture for the Document Vault: documents are encrypted client-side before upload; maivis stores only ciphertext. FIDO2 biometric authentication for user access. GCP Virtual Private Cloud (VPC) isolation. Cloud KMS key management with customer-managed encryption keys (CMEK). Regular penetration testing (pre-launch). DIFC DP Law 2020 breach notification obligations apply.

8. Self-Hosted Services

The following tools are self-hosted on maivis's own Google Cloud Platform infrastructure. No personal data is transmitted to external third parties for these services. No separate DPA is required as Mango Technologies Ltd. acts as both data controller and processor.

  • Native AI Chat (SSE): in-app chat widget and customer communication via native server-sent events implementation on Cloud Run within maivis VPC. Powered by Gemini Flash (via Vertex AI), Claude Sonnet (Anthropic), and Perplexity Sonar (market queries) via PII gateway. No conversation data leaves maivis infrastructure.
  • Cloud Scheduler + Cloud Functions: serverless workflow automation for email notifications and internal processes. GCP-native, no additional infrastructure.
  • PostHog: product analytics. Self-hosted on GCP within maivis VPC. No data transmitted to PostHog cloud.

9. Contact and DPA Requests

Privacy enquiries:
privacy@maiviswealth.com
Data Protection Officer:
dpo@maiviswealth.com
Enterprise or B2B DPA requests:
privacy@maiviswealth.com with subject line "DPA Request | [Organisation Name]"

Mango Technologies Ltd. will respond to DPA requests within 10 business days.