Data Processing Agreement
This Data Processing Agreement (“DPA”) forms part of the MapAtlas Terms of Service and governs the processing of personal data by MapMetrics B.V. on behalf of customers in accordance with GDPR Article 28.
Effective Date: 1 January 2024
Governing Law: Netherlands
Standard: GDPR Article 28
Version: 1.2
By using the MapAtlas API under a paid subscription or by countersigning this DPA, the Customer agrees to the terms set out herein. Enterprise customers may request a negotiated countersigned copy at legal@mapatlas.eu.
Parties
Data Processor
MapMetrics B.V.
trading as MapAtlas
Keurenplein 4, Unit A35
1069 CD Amsterdam, Netherlands
KVK: 86457101 · VAT: NL863876671B01
legal@mapatlas.eu
Data Controller
The Customer
The legal entity or individual that has entered into the MapAtlas Terms of Service and is identified in the associated customer account or countersigned order form.
Where the Customer itself acts as a Data Processor on behalf of a third-party controller, the Customer warrants that it has authority to bind that controller to the obligations herein.
Article 1 — Definitions
The following terms have the meanings set out below. Terms not defined here carry the meaning given in the GDPR or the MapAtlas Terms of Service.
Article 2 — Scope and Relationship of the Parties
2.1 This DPA applies to all Processing of Personal Data by the Processor in connection with the provision of the Services to the Controller and supplements the MapAtlas Terms of Service. In the event of conflict between this DPA and the Terms of Service with respect to the Processing of Personal Data, this DPA prevails.
2.2 The Processor processes Personal Data solely in its capacity as Data Processor on behalf of the Controller. The Processor does not sell, lease, or otherwise commercially exploit Personal Data processed under this DPA.
2.3 The Controller acknowledges that it is solely responsible for: (a) the accuracy, quality, and legality of Personal Data it submits to the Services; (b) ensuring it has a valid legal basis under GDPR for instructing the Processor to process such data; and (c) ensuring it has provided all required notices and obtained all required consents from Data Subjects.
2.4 This DPA commences on the Effective Date and remains in force for the duration of the applicable subscription or service term, unless earlier terminated in accordance with Article 15.
Article 3 — Processing Instructions
3.1 The Processor shall process Personal Data only on the documented instructions of the Controller, including with regard to transfers of Personal Data to a third country or international organisation, unless required to do so by applicable EU or member state law. In such a case, the Processor shall inform the Controller of that legal requirement before processing, unless the law prohibits such notification on important grounds of public interest.
3.2 The Controller’s instructions are set out in: (a) this DPA and the associated Exhibits; (b) the MapAtlas Terms of Service; and (c) any additional written instructions provided through the MapAtlas developer portal or via authenticated API configuration. The Processor is not obliged to follow instructions that, in its reasonable judgment, would cause it to violate applicable EU data protection law.
3.3 The Processor shall promptly notify the Controller if, in its opinion, an instruction infringes applicable data protection law. The Processor may suspend processing pending resolution, but is not required to do so where it could suffer legal detriment by acting.
Article 4 — Confidentiality
4.1 The Processor shall ensure that persons authorised to process Personal Data on behalf of the Controller are subject to appropriate contractual or statutory obligations of confidentiality with respect to that Personal Data.
4.2 Access to Personal Data is granted strictly on a need-to-know basis and is limited to personnel directly involved in providing the Services or in fulfilling the Processor’s obligations under this DPA.
4.3 The Processor shall maintain a register of persons authorised to access Personal Data under this DPA, which shall be made available to the Controller on request during an audit conducted under Article 12.
Article 5 — Security Measures
5.1 Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing, as well as the risk of varying likelihood and severity to the rights and freedoms of natural persons, the Processor shall implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including those measures specified in Exhibit C.
5.2 In assessing the appropriate level of security, the Processor takes particular account of the risks presented by accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored, or otherwise processed.
5.3 The Processor maintains its ISO 27001 certification for its information security management system. The Processor shall notify the Controller without undue delay if its ISO 27001 certification lapses and is not reinstated within 90 days.
5.4 The Processor may update the TOMs in Exhibit C from time to time provided that the updated measures do not materially reduce the level of security. Substantive reductions require 30 days’ prior written notice to the Controller.
Article 6 — Sub-Processors
6.1 The Controller grants the Processor general authorisation to engage the Sub-Processors listed in Exhibit A. The Processor shall not engage a new Sub-Processor or make material changes to an existing Sub-Processor engagement without giving the Controller at least 30 days’ prior written notice (including by email to the primary contact on the Customer account).
6.2 The Controller may reasonably object to the engagement of a new Sub-Processor by notifying the Processor in writing within 14 days of receipt of the notice. If the Controller objects and the parties cannot resolve the objection within 30 days, either party may terminate the affected Services on 30 days’ written notice without liability for such termination.
6.3 The Processor shall impose on each Sub-Processor, by way of written contract, data protection obligations equivalent to those imposed on the Processor under this DPA. The Processor remains fully liable to the Controller for the performance of any Sub-Processor’s obligations under such contracts.
6.4 An up-to-date list of Sub-Processors is maintained in Exhibit A of this DPA.
Article 7 — Assistance to the Controller
7.1 Data Subject Rights. Taking into account the nature of the Processing, the Processor shall assist the Controller by appropriate technical and organisational measures, insofar as possible, to fulfil the Controller’s obligation to respond to requests for exercising Data Subjects’ rights under Chapter III GDPR (Articles 15–22), including rights of access, rectification, erasure, restriction, portability, and objection. The Controller shall submit such assistance requests to privacy@mapatlas.eu.
7.2 Security. The Processor shall assist the Controller in ensuring compliance with obligations pursuant to Articles 32–36 GDPR (security of processing, notification of breaches, DPIAs, and prior consultation), taking into account the nature of Processing and the information available to the Processor.
7.3 Costs. The Processor may charge a reasonable fee for assistance that goes beyond what is necessary to fulfil its obligations under this DPA, provided it notifies the Controller of such fees in advance.
Article 8 — Personal Data Breaches
8.1 The Processor shall notify the Controller without undue delay, and in any event within 72 hours of becoming aware, of a Personal Data Breach affecting Personal Data processed under this DPA.
8.2 The notification shall, to the extent then known, include: (a) a description of the nature of the breach, including the categories and approximate number of Data Subjects and Personal Data records affected; (b) the name and contact details of the Data Protection Officer or other contact point; (c) the likely consequences of the breach; and (d) the measures taken or proposed to address the breach, including mitigation measures.
8.3 Where all information cannot be provided simultaneously, the Processor may provide it in phases without undue further delay.
8.4 Breach notifications should be sent to dpo@mapatlas.eu.
A notification under this Article does not constitute an admission of fault or liability by the Processor. The Controller remains responsible for notifying the competent supervisory authority (Dutch DPA, Autoriteit Persoonsgegevens) and, where required, Data Subjects, under Articles 33 and 34 GDPR respectively.
Article 9 — Data Protection Impact Assessments
9.1 Where the Controller is required to carry out a Data Protection Impact Assessment (DPIA) under Article 35 GDPR in relation to Processing activities involving the Services, the Processor shall, upon request and at the Controller’s cost, provide such information and cooperation as is reasonably necessary and available to enable the Controller to complete the DPIA.
9.2 If prior consultation with the supervisory authority is required under Article 36 GDPR, the Processor shall cooperate with and provide reasonable assistance to the Controller in relation to such consultation.
Article 10 — International Data Transfers
10.1 The Processor stores and processes all Personal Data exclusively within the European Economic Area (EEA). All primary compute, storage, and database systems are hosted in EU-based data centres and are not subject to US surveillance laws (CLOUD Act, FISA 702) or equivalent non-EEA statutes.
10.2 Notwithstanding Section 10.1, certain Sub-Processors listed in Exhibit A are domiciled outside the EEA. The Processor ensures that any transfer of Personal Data to such Sub-Processors is covered by a lawful transfer mechanism, being, in the first instance, the Standard Contractual Clauses (SCCs) approved by the European Commission under Decision 2021/914 (Module 3: Processor-to-Processor). The applicable transfer mechanism is listed for each Sub-Processor in Exhibit A.
10.3 The Processor conducts and documents Transfer Impact Assessments (TIAs) for all transfers to third countries and makes summaries available to the Controller on request.
10.4 In the event that any transfer mechanism referenced in Section 10.2 is invalidated or suspended by a supervisory authority or court, the Processor shall notify the Controller within 5 business days and shall implement an alternative lawful transfer mechanism within 30 days, or cease the relevant transfer.
Article 11 — Deletion and Return of Data
11.1 At the choice of the Controller, the Processor shall, upon termination of the Services or upon written request, delete or return all Personal Data to the Controller and delete existing copies, unless applicable EU or member state law requires continued storage.
11.2 Routine API request logs containing Personal Data (primarily IP addresses and query parameters) are retained for a maximum of 90 days for operational and abuse-prevention purposes, after which they are automatically and permanently deleted.
11.3 Billing and financial records may be retained for the period required by applicable law (in the Netherlands, a minimum of 7 years under the Dutch General Tax Act) but are limited to the minimum data required for accounting purposes.
11.4 The Processor shall provide written confirmation of deletion to the Controller within 30 days of completing deletion, including confirmation from relevant Sub-Processors.
Article 12 — Audit Rights
12.1 The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR and shall allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller.
12.2 The Processor shall, in the first instance, satisfy audit requests by providing: (a) the most recent ISO 27001 certification and audit report; (b) penetration test executive summaries (redacted for security); (c) a written response to a reasonable security questionnaire submitted by the Controller.
12.3 Where the Controller reasonably requires an on-site inspection, such inspection shall be: (a) conducted no more than once per 12-month period, unless a Personal Data Breach has occurred; (b) subject to at least 30 days’ prior written notice; (c) carried out during normal business hours with minimal disruption; and (d) subject to a confidentiality agreement.
12.4 The Controller bears all costs of any audit conducted under this Article, including the Processor’s reasonable costs of cooperation.
Article 13 — Liability
13.1 Each party’s liability under this DPA is subject to the limitations and exclusions set out in the MapAtlas Terms of Service. Nothing in this DPA limits either party’s liability to Data Subjects or supervisory authorities under applicable data protection law.
13.2 If the Processor is held liable for a breach of data protection law arising from an action or omission of the Controller, the Controller shall indemnify the Processor to the extent of the Controller’s responsibility for the breach.
13.3 The Processor’s total liability in respect of any and all claims under this DPA shall not exceed the aggregate fees paid by the Controller in the 12 months preceding the event giving rise to the claim.
Article 14 — Governing Law and Jurisdiction
14.1 This DPA and any dispute or claim arising out of or in connection with it shall be governed by and construed in accordance with the laws of the Netherlands, without regard to its conflict of law provisions.
14.2 The parties irrevocably submit to the exclusive jurisdiction of the competent courts of Amsterdam, Netherlands.
14.3 The supervisory authority responsible for overseeing the Processor’s data protection compliance is the Autoriteit Persoonsgegevens (AP), P.O. Box 93374, 2509 AJ The Hague, Netherlands.
Article 15 — Term and Termination
15.1 This DPA takes effect on the Effective Date and remains in force for the duration of the applicable service subscription. It terminates automatically upon termination or expiry of the Terms of Service.
15.2 Either party may terminate this DPA and the associated Services immediately by written notice if the other party commits a material breach of this DPA and, where such breach is capable of remedy, fails to remedy it within 30 days of receiving written notice of the breach.
15.3 Articles 4, 11, 13, 14 and Exhibit C shall survive termination of this DPA for the duration of any applicable statutory retention periods.
Exhibit A — Approved Sub-Processors
Last updated: March 2025. The Processor will provide 30 days’ notice before adding or materially changing a Sub-Processor.
| Sub-Processor | Location | Purpose |
|---|---|---|
| Cloudflare | USA (EU Data Localization) | Content delivery network (CDN), DDoS protection, network security and TLS termination. MapAtlas uses Cloudflare's EU Data Localization Suite, which restricts data inspection to EU-based points of presence. |
| Stripe | Ireland (EU) | Payment processing, invoicing, and subscription management. Stripe's Irish entity is the merchant of record for EU customers; no personal data is transferred outside the EEA for EU billing. |
| | | Transactional email delivery (API key notifications, billing receipts, password resets). Only the recipient email address and the message content you configure are transmitted. |
| | | Application error monitoring and crash reporting. Personal data is scrubbed from payloads at source before transmission; only anonymized stack traces and metadata are sent. |
Exhibit B — Description of Processing
This exhibit describes the Processing carried out by the Processor pursuant to Article 28(3) GDPR.
Subject Matter
Processing of Personal Data in connection with the delivery of the MapAtlas API Services (mapping, geocoding, routing, search, and analytics APIs).
Duration
For the term of the service agreement plus any applicable retention period specified in Article 11.
Nature of Processing
Collection, storage, transmission, structuring, use, and deletion of Personal Data in the course of providing real-time API responses.
Purpose
Provision of the Services including API response delivery, rate limiting, abuse prevention, billing, and service quality monitoring.
Categories of Personal Data and Data Subjects
| Category | Examples | Data Subjects | Legal Basis |
|---|---|---|---|
| API Identifiers | API keys, client application identifiers, OAuth tokens | Customer's developers and applications | Performance of contract (Art. 6(1)(b) GDPR) |
| Network Identifiers | IPv4 and IPv6 addresses of API callers, HTTP headers (User-Agent, Referer) | Customer's end users making API requests | Legitimate interests — security, rate limiting (Art. 6(1)(f) GDPR) |
| Location Query Data | Geocoding input (addresses or place names), reverse-geocoding coordinates, routing origin/destination, autocomplete search strings | Customer's end users | The Controller's own legal basis; processed by the Processor only on the Controller's documented instructions (Art. 28(3) GDPR) |
| Usage Telemetry | Request timestamps, response latency, HTTP status codes, tile zoom levels, API endpoint called | Customer's end users | Legitimate interests — service monitoring, abuse prevention (Art. 6(1)(f) GDPR) |
| Account Contact Data | Name, business email address, company name, billing address | Customer's designated contacts and billing contacts | Performance of contract (Art. 6(1)(b) GDPR) |
MapAtlas does not process special categories of personal data (Article 9 GDPR) or criminal conviction and offence data (Article 10 GDPR). The Processor does not retain API query content (e.g., geocoding input strings) beyond the 90-day log retention window. No Personal Data is used for advertising, profiling, or any purpose unrelated to the Services.
Exhibit C — Technical and Organisational Security Measures
The following measures are implemented and maintained by MapMetrics B.V. as part of its ISO 27001-certified Information Security Management System (ISMS). These measures satisfy the requirements of GDPR Article 32 and Annex II of the applicable Standard Contractual Clauses.
Encryption
- All data in transit is encrypted using TLS 1.2 or higher; TLS 1.3 is negotiated wherever the client supports it.
- All data at rest is encrypted using AES-256 encryption on primary storage and backup media.
- API keys are stored as salted hashes; plaintext API keys are never logged or stored after initial generation.
- Database backups are encrypted at rest and in transit to backup locations.
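The two key-handling rules above (API keys kept only as salted hashes, plaintext keys never logged after issuance) and the payload scrubbing described for the error-monitoring Sub-Processor in Exhibit A are stated as controls, not as code. The following Python is an added illustration of how such controls are typically implemented; it is not MapAtlas's own code. The key format `ma_<key id>_<secret>`, the in-memory store, the redaction rules and the sample crash report are all assumptions made for the example.

```python
# Added illustration, not MapAtlas code: salted-hash storage of API keys and
# scrubbing of personal data from log lines / error payloads before they leave
# the service. Key format "ma_<8 hex chars>_<secret>" and the in-memory store
# are assumptions for this example.
import hashlib
import hmac
import ipaddress
import re
import secrets

KEY_PREFIX = "ma_"
_STORE: dict[str, dict] = {}  # key_id -> {"salt": bytes, "digest": bytes}; never the plaintext


def _digest(salt: bytes, secret: str) -> bytes:
    # The secret is 256 bits of CSPRNG output, so a single salted SHA-256 is
    # enough: there is nothing low-entropy for an offline attacker to guess,
    # which is why a slow password KDF is not needed here.
    return hashlib.sha256(salt + secret.encode()).digest()


def issue_key() -> str:
    """Mint a key, persist only salt + digest, and return the plaintext once."""
    key_id = secrets.token_hex(4)          # public lookup handle, 8 hex chars
    secret = secrets.token_urlsafe(32)     # the part that must stay secret
    salt = secrets.token_bytes(16)
    _STORE[key_id] = {"salt": salt, "digest": _digest(salt, secret)}
    return f"{KEY_PREFIX}{key_id}_{secret}"


def verify_key(presented: str) -> bool:
    """Look up the record by key id and compare digests in constant time."""
    if not presented.startswith(KEY_PREFIX):
        return False
    key_id, sep, secret = presented[len(KEY_PREFIX):].partition("_")
    rec = _STORE.get(key_id)
    if not sep or rec is None:
        return False
    return hmac.compare_digest(rec["digest"], _digest(rec["salt"], secret))


# --- scrubbing: what may be written to logs or sent to error monitoring -----
_KEY_RE = re.compile(r"ma_[0-9a-f]{8}_[A-Za-z0-9_\-]+")
_EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
_IP_CANDIDATE_RE = re.compile(r"[0-9A-Fa-f:.]+")  # validated with ipaddress below


def _mask_ip(m: re.Match) -> str:
    raw = m.group(0)
    core = raw.rstrip(".")                  # keep a sentence-ending dot intact
    try:
        addr = ipaddress.ip_address(core)
    except ValueError:
        return raw                          # hex words, times like 12:34:56, etc.
    bits = 24 if addr.version == 4 else 48  # drop the host part, keep coarse network
    net = ipaddress.ip_network(f"{addr}/{bits}", strict=False)
    return str(net.network_address) + raw[len(core):]


def scrub_text(text: str) -> str:
    """Redact API key secrets and emails, truncate IPs. The key id survives so
    support can still correlate a report with a customer account."""
    text = _KEY_RE.sub(lambda m: m.group(0)[: len(KEY_PREFIX) + 8] + "_[REDACTED]", text)
    text = _EMAIL_RE.sub("[EMAIL]", text)
    return _IP_CANDIDATE_RE.sub(_mask_ip, text)


def scrub(obj):
    """Apply scrub_text to every string in a nested dict/list payload."""
    if isinstance(obj, str):
        return scrub_text(obj)
    if isinstance(obj, dict):
        return {k: scrub(v) for k, v in obj.items()}
    if isinstance(obj, list):
        return [scrub(v) for v in obj]
    return obj


if __name__ == "__main__":
    key = issue_key()
    print("issued (shown once):", key)
    print("verify:", verify_key(key), "tampered:", verify_key(key[:-1] + "!"))
    # Constructed sample crash report, not real data.
    report = {"message": f"403 for {key} from 203.0.113.45.",
              "user": "alice@example.org",
              "ctx": {"client": "2001:db8:85a3::8a2e:370:7334", "tries": 3}}
    print(scrub(report))
```

Two design points are worth noting. The public key id lets the verifier fetch one salt and digest instead of rehashing the presented secret against every stored salt, and `hmac.compare_digest` keeps the comparison constant-time. Scrubbing runs in a fixed order (keys, then emails, then IPs) so that a redacted key or email cannot be re-matched by a later rule; IPs are truncated to a /24 or /48 rather than removed, which keeps enough of the value for abuse investigation while dropping the host part.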
Access Control
- Role-based access control (RBAC) limits access to personal data to personnel with a demonstrated business need.
- Multi-factor authentication (MFA) is mandatory for all internal systems that process personal data.
- Privileged access to production infrastructure is restricted to a named list of senior engineers and is reviewed quarterly.
- All access to personal data is logged and retained for a minimum of 12 months for audit purposes.
- Access rights are revoked within 24 hours of employment termination.
Network Security
- All public-facing endpoints are protected by Cloudflare's DDoS mitigation and Web Application Firewall (WAF).
- Internal production networks are isolated using private VPC subnets; no personal data systems are directly reachable from the public internet.
- Intrusion detection systems (IDS) are deployed on all production segments; alerts are triaged 24/7.
- Automated vulnerability scanning runs weekly on all production hosts; critical findings are remediated within 14 days.
- Annual third-party penetration testing is conducted on all customer-facing infrastructure.
Physical Security
- Data is processed exclusively in ISO 27001-certified data centre facilities.
- Physical access to data centre facilities is restricted to authorized personnel using biometric and badge-based controls.
- Visitors to data centre facilities are escorted at all times and logged.
- Removable media containing personal data is encrypted and subject to secure disposal procedures.
Organizational Measures
- MapMetrics B.V. maintains an ISO 27001-certified Information Security Management System (ISMS).
- A Data Protection Officer (DPO) is designated and reachable at dpo@mapatlas.eu.
- All personnel who process personal data receive mandatory data protection training upon hire and annually thereafter.
- Data protection is evaluated for all new products and significant system changes via a Privacy by Design review process.
- A formal vendor risk management programme evaluates all sub-processors before onboarding and annually thereafter.
Incident Response
- A documented Incident Response Plan (IRP) covers detection, containment, eradication, recovery, and post-incident review.
- A Security Incident Response Team (SIRT) is on-call 24/7 to triage and manage data security incidents.
- Personal data breach notifications to controllers are issued without undue delay and in any event within 72 hours of the Processor becoming aware of the breach, as set out in Article 8.1 of this DPA and required of processors by GDPR Article 33(2).
- Post-incident reviews are conducted for all incidents rated High or Critical; findings are used to update controls within 30 days.
Business Continuity and Disaster Recovery
- Production data is replicated in real time to a geographically separate EU data centre.
- Full backups are taken daily and retained for 30 days; point-in-time recovery is available for the last 7 days.
- Recovery Time Objective (RTO): 4 hours for critical services. Recovery Point Objective (RPO): 1 hour.
- Disaster recovery tests are conducted at least annually; results are documented and shared with the security team.
Execute a Countersigned DPA
Paid subscribers accept this DPA automatically upon activating a paid plan. If your organisation requires a countersigned PDF copy for compliance records, contact our legal team. We aim to turn around standard DPA requests within 5 business days.
MapMetrics B.V. · KVK 86457101 · Keurenplein 4, 1069 CD Amsterdam · legal@mapatlas.eu · DPA v1.2 · Effective 1 January 2024