Data Processing Agreement

Effective: April 21, 2026

This Data Processing Agreement (“DPA”) forms part of the Terms of Service between NLVL Inc. (“Mavrick,” “Processor”) and the organization using the Mavrick Service (“Customer,” “Controller”). It applies where Mavrick processes personal data on the Customer’s behalf in connection with the Service.

To request a countersigned DPA or for enterprise data processing inquiries, email hello@getmavrick.com.

1. Definitions

“Personal Data” means any information relating to an identified or identifiable natural person, as defined under applicable data protection laws (including GDPR). “Processing” means any operation performed on Personal Data. “Applicable Data Protection Law” means GDPR (EU 2016/679), UK GDPR, CCPA, and any other applicable privacy legislation.

2. Roles of the parties

The Customer is the Data Controller — it determines the purposes and means of processing Personal Data that flows through the Mavrick Service. Mavrick is the Data Processor — it processes Personal Data solely on the Customer’s behalf, as instructed by the Customer through commands and integrations configured in the Service.

3. Scope of processing

Mavrick processes the following categories of Personal Data on the Customer’s behalf:

  • Slack workspace data: User IDs, display names, and message content of commands sent to @Mavrick within the Customer’s workspace
  • Third-party integration outputs: Data returned from API calls to connected services (ad account performance data, CRM records, payment records) made in response to Customer commands
  • Contact and account data: Name, email address, and billing information of workspace administrators

The subject matter, duration, nature, and purpose of processing are set out in the Terms of Service and Privacy Policy. Processing continues for the duration of the Customer’s subscription.

4. Customer instructions

Mavrick will process Personal Data only on documented instructions from the Customer — primarily through commands issued to @Mavrick in Slack. Mavrick will not process Personal Data for any other purpose, including training AI models, advertising, or disclosure to third parties not required to operate the Service.

If Mavrick is required by law to process Personal Data for another purpose, it will notify the Customer unless legally prohibited from doing so.

5. Security measures

Mavrick implements appropriate technical and organizational measures to protect Personal Data, including:

  • Encryption in transit (TLS 1.2+) and at rest (AES-256)
  • OAuth token storage in an isolated encrypted vault, never accessible to AI models
  • Row-level security enforcing per-tenant data isolation
  • Access controls based on least-privilege principles
  • Regular access reviews and security monitoring
  • Incident response procedures with 72-hour notification to affected Customers

6. Sub-processors

Mavrick uses the following sub-processors to operate the Service:

  • Anthropic — AI model inference. Data is not retained for training.
  • Vercel / AWS — Cloud infrastructure and hosting
  • Supabase / PostgreSQL — Database storage
  • Stripe — Payment processing
  • OAuth integration infrastructure provider — Managed connectors for third-party API integrations

Mavrick will provide at least 14 days’ notice of material changes to sub-processor usage. Each sub-processor is contractually bound to data protection standards at least equivalent to this DPA.

7. Data subject rights

Where the Customer receives a request from a data subject to exercise rights under Applicable Data Protection Law (access, rectification, erasure, portability, objection, or restriction), the Customer may contact Mavrick to assist in fulfilling that request. Mavrick will respond to such requests within 5 business days.

8. Data retention and deletion

Upon termination of the Customer’s subscription, or upon written request, Mavrick will delete all Personal Data processed on behalf of the Customer within 30 days, except where retention is required by law. Mavrick will provide written confirmation of deletion upon request.

9. Transfers outside the EEA

Mavrick’s infrastructure is primarily hosted in the United States. Where Personal Data of EEA or UK data subjects is processed in the US, such transfers rely on Standard Contractual Clauses (SCCs) as approved by the European Commission, or other lawful transfer mechanisms. Customers requiring specific SCCs for their compliance program should contact hello@getmavrick.com.

10. Audits

Upon reasonable written request (no more than once per year, with 30 days’ notice), Mavrick will make available information reasonably necessary to demonstrate compliance with this DPA. We will share relevant security certifications and audit reports (when available) in lieu of on-site inspections.

11. Liability

Each party’s liability under this DPA is subject to the limitations and exclusions set out in the Terms of Service.

12. Contact

For data protection inquiries, to request a countersigned copy of this DPA, or to exercise data subject rights:

NLVL Inc.
hello@getmavrick.com