This policy is intended to provide information about the data processing activities carried out by MAIA HEALTH TECH S.L. (hereinafter MAIA AESTHETICS®) as Data Controller/Processor in the services it provides to its clients as an ICT-AI developer. With regard to the security measures adopted and their communication to clients, everything set forth in this document is aligned with the provisions of the European General Data Protection Regulation (GDPR) 2016/679, Spanish Organic Law 03/2018 on the Protection of Personal Data and the Guarantee of Digital Rights, the Spanish National Security Framework (Esquema Nacional de Seguridad), the ISO 27001-9001 quality standards, and Regulation (EU) 2024/1689 of the European Parliament and of the Council of June 13, 2024, laying down harmonized rules on artificial intelligence. This document has been prepared in accordance with the security controls and requirements of the aforementioned legislation.
I. Purpose
MAIA AESTHETICS® develops an information security management system in order to provide security guarantees for the processing of its clients' data in the services it provides to them. This policy serves as an instrument of compliance with the principle of proactive accountability established by the European General Data Protection Regulation (EU) 2016/679 and Spanish Organic Law 03/2018 on the Protection of Personal Data.
The security measures described below were developed following a risk analysis and an impact assessment of the data processing systems, infrastructure, and software of MAIA AESTHETICS®.
MAIA AESTHETICS® is the first AI agent for aesthetic medicine and plastic surgery. Built by physicians, MIT engineers, and attorneys specializing in data protection. Our years of experience and the clients who have engaged us attest to the quality of the services we offer. Our philosophy and our values are the foundation of our work.
II. Software and services management
To this end, MAIA AESTHETICS® develops artificial intelligence, applications, software, and online content, and provides human capital, in order to maintain constant communication and an ongoing relationship, understand its clients' needs, and achieve the highest levels of satisfaction with its services. Protecting our information, that of our clients, and that of our clients' patients is the primary objective at MAIA AESTHETICS®; to that end, we maintain controls to protect against theft, loss, tampering, or disclosure by unauthorized third parties.
These security and service quality controls are based on the provisions of the European General Data Protection Regulation (EU) 2016/679, Spanish Organic Law 03/2018 on the Protection of Personal Data and the Guarantee of Digital Rights, Spanish Law 34/2002 on Information Society Services and Electronic Commerce, the European Artificial Intelligence Regulation, and all other legislation related to the activities carried out by MAIA AESTHETICS®.
III. Backups
MAIA AESTHETICS® safeguards information of a certain level of relevance — servers, network storage devices, and configuration files for network and security devices, among others — by performing periodic backups using appropriate mechanisms and controls that guarantee its identification, protection, integrity, and availability.
We have established a backup restoration plan that is tested at regular intervals to ensure backups are reliable in case of emergency, and backups are retained for a defined period of time.
MAIA AESTHETICS® has explicit information backup and recovery procedures that include specifications regarding frequency and identification, and it defines retention periods jointly with the responsible parties. We have the necessary resources in place to identify storage media, the information they contain, and their physical location, enabling fast and efficient access to the media containing the backed-up information.
The external site where these copies are stored has appropriate security controls in place and complies with the highest required physical protection and security measures.
IV. Contingency plans
MAIA AESTHETICS® has contingency plans in place that ensure all relevant information from our data processing centers is backed up in different locations and that such information is available and reliable. This information is stored at several external sites that meet the highest security standards in the world (for more information, please submit your request through the channels indicated).
The entire virtual infrastructure of MAIA AESTHETICS® is backed up and tested by an external contracted company specializing in IT security. As with the backups, there is a backup restoration plan that is tested at regular intervals to ensure reliability in case of emergency, with backups retained for a defined period of time.
V. Security mechanisms
The data processing center and equipment room used by MAIA AESTHETICS®, located in Europe, are in areas physically protected against unauthorized access, damage, or interference, and comply with Physical Security Policies appropriate to the type of data stored.
Equipment and devices lock after a period of inactivity, after which the user must authenticate before resuming activity.
To prevent the loss of or damage to information, the compromise of information assets, or the interruption of the activities of MAIA AESTHETICS®, equipment is connected to the regulated backup power supply designated for that purpose.
We take equipment installation and removal processes into account so that they are carried out in a controlled and secure manner. We have equipment protection mechanisms in place, even when equipment is used outside the office, reducing the risk of unauthorized access to information and protecting against loss or theft.
VI. Communications and operations
In order to maintain the proper and secure functioning of data processing, MAIA AESTHETICS® has established a specific policy for communications and operations management.
The following controls have been established for this purpose:
- Controls for establishing responsibilities and procedures
- Third-party service controls
- System planning and acceptance with capacity management, both technical and human
- Controls against malicious code on our servers and in our production environment
- Network service controls and security
- Security controls for information exchanges
- Media disposal, handling procedures, and documentation security.
VII. Service providers
At MAIA AESTHETICS® we currently work with leading technology providers that guarantee support, security, robustness, and stability in communications and hosting services, and on which we rely for the development of our services.
MAIA AESTHETICS® keeps its clients informed of the engagement of these providers, which are considered data processors/sub-processors in the services that MAIA AESTHETICS® provides to them.
These data processors and sub-processors undertake in writing to comply with the same formal requirements that MAIA AESTHETICS® has committed to with its clients, in terms of ensuring that the processing of personal data and the rights of affected users comply with current regulations.
VIII. Infrastructure and software
For more information about our infrastructure, please submit your request through the channels indicated.
IX. Access
MAIA AESTHETICS® implements security measures applicable on a case-by-case basis to prevent the alteration, loss, leakage, or unauthorized or fraudulent consultation, use, or access of data. Access control for data and sensitive information is based on the principle of least privilege, meaning that access is not granted unless explicitly permitted.
Users are authorized by the Security Officer to use the information system or service of MAIA AESTHETICS®. We verify that the level of access granted is appropriate for our company's purposes while maintaining an adequate segregation of duties.
Users and/or providers are only given access to the services they have been specifically authorized to use. Appropriate authentication methods are used to control access for remote users. Additional controls are in place for access via wireless networks. Adequate network segregation has been established, separating user network environments from services.
The use of programs capable of overriding system and application controls is restricted and strictly controlled. Inactive sessions are closed after a defined period of inactivity.
Default user accounts for tools or products are disabled immediately after the installation of systems or software.
X. Communications
Special attention is paid to managing network security, which may extend beyond the physical boundaries of MAIA AESTHETICS®. We have special procedures and measures in place to protect the transfer of sensitive information over public networks. MAIA AESTHETICS® ensures that network service providers implement measures in compliance with security requirements, service level agreements, and management requirements.
We apply special controls to safeguard the integrity and confidentiality of data passing through public or wireless networks and to protect connected systems and applications, guaranteeing the availability of network services and connected computers.
XI. Security breaches
In the unlikely event of a security breach, MAIA AESTHETICS® will notify the affected client, without undue delay and in any event within a maximum of 48 hours, through our usual established communication channels, of any personal data security breach under its responsibility of which it becomes aware, together with all information relevant to documenting and reporting the incident.
Notification will not be required when the security breach is unlikely to result in a risk to the rights and freedoms of natural persons.
Such notification will include, at a minimum, the following information:
1. A description of the nature of the personal data security breach, including, where possible, the categories and approximate number of data subjects affected, and the categories and approximate number of personal data records affected.
2. A description of the possible consequences of the personal data security breach.
3. A description of the measures adopted or proposed to remedy the personal data security breach, including, where applicable, the measures taken to mitigate its possible adverse effects.
XII. Risk analysis
MAIA AESTHETICS® carries out an ongoing formal internal risk analysis process, producing an inventory of potential vulnerabilities and threats to information assets. Together with internal and external auditors, we periodically conduct a study of the risk level of our infrastructure and services, adopting solutions and implementing appropriate safeguards and technical controls to minimize these potential risks.
XIII. Compliance
Our information systems and technical procedures identify all requirements related to current regulations on the provision of Information Society Services, Intellectual Property, Artificial Intelligence, and Personal Data Protection.
In this way, MAIA AESTHETICS® guarantees strict compliance with the security measures, procedures, and controls governed by these regulations. Data security, in line with the applicable legal requirements, is also subject to constant continuous improvement and quality assurance through our internal audit processes.
Security regulations regarding personal data are governed and stipulated with respect to clients and providers through privacy and personal data protection clauses and through the documentation prepared when services are contracted.
Likewise, we can guarantee that users authorized to process personal data expressly commit, in writing, to respecting confidentiality and complying with the corresponding security measures. These users are properly informed through training and awareness sessions planned and led by our Data Protection Officer.
XIV. Data subjects' rights
Our clients have the right to request and obtain, free of charge, information about their personal data undergoing processing, its origin, and any communications that may affect it. The data protection rights that users may exercise are available in our Privacy Policy.
XV. DPO
MAIA AESTHETICS® has a data protection officer (DPO) appointed and designated on the basis of their professional qualifications and, in particular, their expert knowledge and practice in the field of Data Protection, and their ability to perform the duties set out in current Data Protection legislation. Their role is to advise us on Data Protection matters, oversee its correct application, train and raise awareness among our users and providers, serve as the point of contact for MAIA AESTHETICS® regarding potential complaints and suggestions from data subjects, and act as liaison with the Supervisory Authority.
XVI. AI
Some of the Services provided by MAIA AESTHETICS® incorporate artificial intelligence (AI) technologies in order to offer the best possible service to our clients. When you interact with our company, the information you provide may be processed by automated systems for the sole purpose of improving the performance of our services.
Where our services involve the processing of personal data by AI systems, we apply additional technical and organizational measures to promote transparency and ensure their security.
Our practices comply with the applicable European data protection and AI governance laws and regulations. For more information about our AI practices, please submit your request through the channels indicated.