Last updated: September 15, 2023.
This Data Processing Addendum (“DPA”) is an agreement between you and the entity you represent (“Customer”, “you” or “your”) and Mapsly LLC (“MAPSLY”). This DPA supplements the MAPSLY Terms of Service available at https://mapsly.com/terms, as updated from time to time between Customer and MAPSLY, or other agreements between Customer and MAPSLY that govern Customer’s use of the MAPSLY Services (the “Agreement”).
Definitions. All capitalized terms used in this DPA will have the meanings given to them below, unless otherwise defined in the Agreement:
“API” means an application programming interface.
“Applicable Data Protection Law” means all laws and regulations applicable to and binding on the processing of Customer Data by a party, including, as applicable, the GDPR.
“Binding Corporate Rules” has the meaning given to it in the GDPR.
“Controller” has the meaning given to it in the GDPR.
“Controller-to-Processor Clauses” means the standard contractual clauses between Controllers and Processors for Data Transfers, as approved by the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
“Customer Data” means the Personal Data that is uploaded to the Services under Customer’s MAPSLY accounts.
“Documentation” means the then-current documentation for the Services located at https://help.mapsly.com (and any successor locations designated by MAPSLY).
“EEA” means the European Economic Area.
“End Users” means users of Customer’s Mapsly account including Customer’s employees and contractors that were assigned by Customer to use Mapsly.
“GDPR” means Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
“MAPSLY Network” means the servers, networking equipment, and host software systems (for example, virtual firewalls) that are within MAPSLY’s control and are used to provide the Services.
“MAPSLY Setup console” means the Setup section in the Mapsly Service available under “Setup” in the main menu.
“Personal Data” means personal data, personal information, personally identifiable information or other equivalent term (each as defined in Applicable Data Protection Law).
“Processing” has the meaning given to it in the GDPR and “process”, “processes” and “processed” will be interpreted accordingly.
“Processor” has the meaning given to it in the GDPR.
“Processor-to-Processor Clauses” means the standard contractual clauses between Processors for Data Transfers, as approved by the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
“Security Incident” means a breach of MAPSLY’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Data.
“Service Controls” means the controls, including security features and functionalities, that the Services provide, as described in the Documentation.
“Standard Contractual Clauses” means (i) the Controller-to-Processor Clauses, or (ii) the Processor- to-Processor Clauses, as applicable in accordance with Sections 9.2.1 and 9.2.2.
“Third Country” means a country outside the EEA not recognized by the European Commission as providing an adequate level of protection for personal data (as described in the GDPR).
1. Data Processing.
1.1 Scope and Roles. This DPA applies when MAPSLY processes Customer Data. In this context, MAPSLY will act as a Processor to Customer, who can act either as Controller or Processor of Customer Data.
1.2 Customer Controls. Customer can use the Service Controls to assist it with its obligations under Applicable Data Protection Law, including its obligations to respond to requests from data subjects. Taking into account the nature of the processing, Customer agrees that it is unlikely that MAPSLY would become aware that Customer Data transferred under the Standard Contractual Clauses is inaccurate or outdated. Nonetheless, if MAPSLY becomes aware that Customer Data transferred under the Standard Contractual Clauses is inaccurate or outdated, it will inform Customer without undue delay. MAPSLY will cooperate with Customer to erase or rectify inaccurate or outdated Customer Data transferred under the Standard Contractual Clauses by providing the Service Controls that Customer can use to erase or rectify Customer Data.
1.3 Details of Data Processing.
1.3.1 Subject matter. The subject matter of the data processing under this DPA is Customer Data.
1.3.2 Duration. As between MAPSLY and Customer, the duration of the data processing under this DPA is determined by Customer.
1.3.3 Purpose. The purpose of the data processing under this DPA is the provision of the Services initiated by Customer from time to time.
1.3.4 Nature of the processing. Compute, storage and such other Services as described in the Documentation and initiated by Customer from time to time.
1.3.5 Type of Customer Data. Customer Data uploaded to the Services under Customer’s MAPSLY accounts.
1.3.6 Categories of data subjects. The data subjects could include Customer’s customers, employees, suppliers and End Users.
1.4 Compliance with Laws. Each party will comply with all laws, rules and regulations applicable to it and binding on it in the performance of this DPA, including Applicable Data Protection Law.
1.5 Mapsly as Controller. Customer acknowledges that Mapsly may collect specific information about the Customer’s End Users described in the MAPSLY Privacy Policy (currently published at https://mapsly.com/privacy-policy). To the extent any such data is considered Personal Information under Data Protection Laws, Mapsly is the Controller of such data and shall process it as part of Customer Data in accordance with this DPA. Customer also grants MAPSLY the right to disclose such data internally and to its Sub-processors for its legitimate business purposes relating to the operation, support, and use of the Services, such as billing, account management, technical support, product development, sales and marketing.
2. Customer Instructions. The parties agree that this DPA and the Agreement (including Customer providing instructions via configuration tools such as the MAPSLY Setup console and APIs made available by MAPSLY for the Services) constitute Customer’s documented instructions regarding MAPSLY’s processing of Customer Data (“Documented Instructions”). MAPSLY will process Customer Data only in accordance with Documented Instructions (which if Customer is acting as a Processor, could be based on the instructions of its Controllers). Additional instructions outside the scope of the Documented Instructions (if any) require prior written agreement between MAPSLY and Customer, including agreement on any additional fees payable by Customer to MAPSLY for carrying out such instructions. Customer is entitled to terminate this DPA and the Agreement if MAPSLY declines to follow instructions requested by Customer that are outside the scope of, or changed from, those given or agreed to be given in this DPA. Taking into account the nature of the processing, Customer agrees that it is unlikely MAPSLY can form an opinion on whether Documented Instructions infringe Applicable Data Protection Law. If MAPSLY forms such an opinion, it will immediately inform Customer, in which case, Customer is entitled to withdraw or modify its Documented Instructions.
3. Confidentiality of Customer Data. MAPSLY will not access or use, or disclose to any third party, any Customer Data, except, in each case, as necessary to maintain or provide the Services, or as necessary to comply with the law or a valid and binding order of a governmental body (such as a subpoena or court order). If a governmental body sends MAPSLY a demand for Customer Data, MAPSLY will attempt to redirect the governmental body to request that data directly from Customer. As part of this effort, MAPSLY may provide Customer’s basic contact information to the governmental body. If compelled to disclose Customer Data to a governmental body, then MAPSLY will give Customer reasonable notice of the demand to allow Customer to seek a protective order or other appropriate remedy unless MAPSLY is legally prohibited from doing so.
4. Confidentiality Obligations of MAPSLY Personnel. MAPSLY restricts its personnel from processing Customer Data without authorization by MAPSLY. MAPSLY imposes appropriate contractual obligations upon its personnel, including relevant obligations regarding confidentiality, data protection and data security.
5. Security of Data Processing
5.1 MAPSLY has implemented and will maintain the appropriate technical and organizational measures to ensure the security and confidentiality of the Customer Data, in accordance with Mapsly’s security standards described in this PDA and within MAPSLY Privacy Policy.
5.2 Customer Responsibilities and Optional Security Features. MAPSLY makes available many Service Controls that Customer can elect to use to further strengthen the security of Customer Data. Customer is responsible for (a) its secure use of the Services, including securing its account authentication credentials, (b) protecting the security of Customer Data when in transit to and from the Services, (c) taking any appropriate steps to securely encrypt or backup Customer Data uploaded to the Services, (d) properly configuring the Services and Service Controls, and (e) taking other steps as Customer considers adequate to ensure security, protection, and deletion of Customer Data.
5.3. Security Incident Notification.
5.3.1. Security Incident. MAPSLY will (a) notify Customer of a Security Incident without undue delay after becoming aware of the Security Incident, and (b) take appropriate measures to address the Security Incident, including measures to mitigate any adverse effects resulting from the Security Incident.
5.3.2. MAPSLY Assistance. To enable Customer to notify a Security Incident to supervisory authorities or data subjects (as applicable), MAPSLY will cooperate with and assist Customer by including in the notification such information about the Security Incident as MAPSLY is able to disclose to Customer, taking into account the nature of the processing, the information available to MAPSLY, and any restrictions on disclosing the information, such as confidentiality. Taking into account the nature of the processing, Customer agrees that it is best able to determine the likely consequences of a Security Incident.
5.3.3. Unsuccessful Security Incidents. Customer agrees that:
(i) an unsuccessful Security Incident will not be subject to this Section 5.3. An unsuccessful Security Incident is one that results in no unauthorized access to Customer Data or to any of MAPSLY’s equipment or facilities storing Customer Data, and could include, without limitation, pings and other broadcast attacks on firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks, packet sniffing (or other unauthorized access to traffic data that does not result in access beyond headers) or similar incidents; and
(ii) MAPSLY’s obligation to report or respond to a Security Incident under this Section 5.3 is not and will not be construed as an acknowledgment by MAPSLY of any fault or liability of MAPSLY with respect to the Security Incident.
5.3.4. Communication. Notification(s) of Security Incidents, if any, will be delivered to one or more of Customer’s administrators by any means MAPSLY selects, including via email. It is Customer’s sole responsibility to ensure Customer’s administrators maintain accurate contact information on the MAPSLY Setup console and secure transmission at all times.
5.3.5. Notification Obligations. If MAPSLY notifies Customer of a Security Incident, or Customer otherwise becomes aware of any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Data, Customer will be responsible for (a) determining if there is any resulting notification or other obligation under Applicable Data Protection Law and (b) taking necessary action to comply with those obligations. This does not limit MAPSLY’s obligations under this Section 5.3.
6. Sub-processing.
6.1 Authorized Sub-processors. Customer provides general authorization to MAPSLY’s use of sub-processors to provide processing activities on Customer Data on behalf of Customer (“Sub-processors”) in accordance with this Section. The MAPSLY website (currently posted at https://mapsly.com/sub-processors/) lists Sub-processors that are currently engaged by MAPSLY. At least 30 days before MAPSLY engages a Sub-processor, MAPSLY will update the applicable website and provide Customer with a mechanism to obtain notice of that update. To object to a Sub-processor, Customer can: (i) cease using the functionality of the MAPSLY Service for which MAPSLY has engaged the Sub-processor, or (ii) terminate the Agreement pursuant to its terms.
6.2 Sub-processor Obligations. Where MAPSLY authorizes a Sub-processor as described in Section 6.1:
(i) MAPSLY will restrict the Sub-processor’s access to Customer Data only to what is necessary to provide or maintain the Services in accordance with the Documentation, and MAPSLY will prohibit the Sub-processor from accessing Customer Data for any other purpose;
(ii) MAPSLY will enter into a written agreement with the Sub-processor and, to the extent that the Sub-processor performs the same data processing services provided by MAPSLY under this DPA, MAPSLY will impose on the Sub-processor the same contractual obligations that MAPSLY has under this DPA; and
(iii) MAPSLY will remain responsible for its compliance with the obligations of this DPA and for any acts or omissions of the Sub-processor that cause MAPSLY to breach any of MAPSLY’s obligations under this DPA.
7. MAPSLY Assistance with Data Subject Requests. Taking into account the nature of the processing, the Service Controls are the technical and organizational measures by which MAPSLY will assist Customer in fulfilling Customer’s obligations to respond to data subjects’ requests under Applicable Data Protection Law. If a data subject makes a request to MAPSLY, MAPSLY will promptly forward such request to Customer once MAPSLY has identified that the request is from a data subject for whom Customer is responsible. Customer authorizes on its behalf, and on behalf of its controllers when Customer is acting as a Processor, MAPSLY to respond to any data subject who makes a request to MAPSLY, to confirm that MAPSLY has forwarded the request to Customer. The parties agree that Customer’s use of the Service Controls and MAPSLY forwarding data subjects’ requests to Customer in accordance with this section represent the scope and extent of Customer’s required assistance.
8. Compliance Verification.
8.1 MAPSLY Audits. MAPSLY uses external auditors to verify the adequacy of its security measures. This audit: (a) will be performed at least annually; (b) will be performed according to a widely recognized standard; (c) will be performed by independent third-party security professionals at MAPSLY’s selection and expense; and (d) will result in the generation of an audit report (“Report”), which will be MAPSLY’s Confidential Information.
8.2 Audit Reports. At Customer’s written request, and provided that the parties have an applicable NDA in place, MAPSLY will provide Customer with a copy of the Report so that Customer can reasonably verify MAPSLY’s compliance with its obligations under this DPA.
8.3 Privacy Impact Assessment and Prior Consultation. Taking into account the nature of the processing and the information available to MAPSLY, MAPSLY will assist Customer in complying with Customer’s obligations in respect of data protection impact assessments and prior consultation by providing the information MAPSLY makes available under this Section 8.
9. Transfers of Personal Data.
9.1 Locations. MAPSLY may transfer and process Customer Data within the MAPSLY Network in the USA or EEA. MAPSLY will not transfer Customer Data outside of the EEA and the USA except as necessary to provide the Services initiated by Customer, or as necessary to comply with the law or valid and binding order of a governmental body.
9.2 Application of Standard Contractual Clauses. Subject to Section 9.3, the Standard Contractual Clauses will only apply to Customer Data subject to the GDPR that is transferred, either directly or via onward transfer, to any Third Country (each a “Data Transfer”).
9.2.1 When Customer is acting as a Controller, the Controller-to-Processor Clauses will apply to a Data Transfer.
9.2.2 When Customer is acting as a Processor, the Processor-to-Processor Clauses will apply to a Data Transfer. Taking into account the nature of the processing, Customer agrees that it is unlikely that MAPSLY will know the identity of Customer’s Controllers because MAPSLY has no direct relationship with Customer’s Controllers and therefore, Customer will fulfill MAPSLY’s obligations to Customer’s Controllers under the Processor-to-Processor Clauses.
9.3 Alternative Transfer Mechanism. The Standard Contractual Clauses will not apply to a Data Transfer if MAPSLY has adopted Binding Corporate Rules for Processors or an alternative recognized compliance standard for lawful Data Transfers.
10. Termination of the DPA. This DPA will continue in force until the termination of the Agreement (the “Termination Date”).
11. Deletion of Customer Data. Upon termination or expiration of the Agreement, MAPSLY shall delete Customer Data at Customer’s request but not later than within a 90-day period, except and to the extent MAPSLY is required by the applicable law to retain some or all of the Customer Data, which MAPSLY shall securely isolate and store this Data in accordance with applicable retention periods. MAPSLY will protect this Data from any further processing, except to the extent required by applicable law.
12. Duties to Inform. Where Customer Data becomes subject to confiscation during bankruptcy or insolvency proceedings or similar measures by third parties while being processed by MAPSLY, MAPSLY will inform Customer without undue delay. MAPSLY will, without undue delay, notify all relevant parties in such action (for example, creditors, bankruptcy trustee) that any Customer Data subjected to those proceedings is Customer’s property and area of responsibility and that Customer Data is at Customer’s sole disposition.
13. Entire Agreement; Conflict. This DPA incorporates the Standard Contractual Clauses by reference. Except as amended by this DPA, the Agreement will remain in full force and effect. If there is a conflict between the Agreement and this DPA, the terms of this DPA will control, except that the Service Terms will control over this DPA. Nothing in this document varies or modifies the Standard Contractual Clauses.