1. Introduction
This Data Processing Agreement (“DPA”) governs the Processing of Personal Data by Mappica, LLC (“Mappica”, “us”, “we”, “our”, “Data Processor”) and the Customer (“you”, “your”, “Data Controller”) on Mappica’s platform. It is intended to ensure compliance with Applicable Data Protection Law, including but not limited to the GDPR and the CCPA. This DPA forms part of, and is subject to the provisions of, the Mappica End User License Agreement. Capitalized terms that are not defined in this DPA have the meanings set forth in the End User License Agreement. This DPA applies to all Personal Data Processed by Mappica on behalf of the Customer.
2. Definitions
“Applicable Data Protection Law” means any data protection or data privacy law or regulation applicable to Processing of Personal Data and any laws or regulations ratifying, implementing, adopting or supplementing such laws, as any of the foregoing may be updated, amended or replaced from time to time. Applicable Data Protection Law shall include without limitation: (i) the EU General Data Protection Regulation (EU) 2016/679 (“GDPR”), and (ii) the California Consumer Privacy Act, Cal. Civ. Code §§ 1798.100 – 1798.199 (“CCPA”). In no event will Applicable Data Protection Law or this DPA include or cover any industry-specific regulation.
“EULA” means the End User License Agreement governing the Customer’s access to and use of the Mappica platform.
“Personal Data”, “Process”, “Processing”, “Processor”, “Controller”, “Personal Data Breach”, and “Data Subject” have the meaning specified for each term respectively under the Applicable Data Protection Law.
“Sensitive Personal Data” means (a) passport number, driver’s license number, social security number, tax ID, or similar identifier (or any portion thereof); (b) credit card or debit card number (other than the last four digits of the credit card or debit card); (c) employment, financial, credit, genetic, biometric or health information; (d) racial, ethnic, political or religious affiliation, trade union membership, information about sexual life or sexual orientation, or criminal record; (e) other information that falls within the definition of “special categories of data” under Applicable Data Protection Law.
“Subprocessor” means any third-party entity engaged by Mappica to Process Personal Data on behalf of the Data Controller, as outlined in Section 6 (Subprocessors) and as detailed in full in the List of Subprocessors.
3. Data Processing Scope
3.1 Controller and Processor of Personal Data
- Mappica as Processor and you as Controller: You are the Data Controller and Mappica is the Data Processor of the Personal Data.
- Mappica as the Controller: Mappica may also be an independent controller for some Personal Data relating to you. Please see our Privacy Policy for details about this Personal Data which we control. When we Process Personal Data as a Data Controller, you acknowledge and confirm that the EULA does not create a joint-controller relationship between you and Mappica. If we provide you with Personal Data controlled by us, you receive that as an independent Data Controller and are responsible for compliance with Applicable Data Protection Law in that regard.
3.2 Subject Matter and Purpose of Processing
Mappica will Process Personal Data solely to provide its platform and associated services as instructed by the Data Controller or required by Applicable Data Protection Law. This includes the following activities:
- Hosting and Storage: Storing datasets, visualizations, basemaps, and other uploaded content.
- Data Visualization: Generating visualizations and managing datasets based on configurations provided by the Data Controller.
- Publication and Sharing: Enabling the publication, embedding, or sharing of visualizations, as directed by the Data Controller or its authorized users.
- Support and Troubleshooting: Processing information provided during support inquiries to address technical issues and respond to requests.
Mappica will not Process Personal Data for purposes beyond those outlined above without documented instructions from the Data Controller or as required by Applicable Data Protection Law.
3.3 Categories of Data Subjects
Mappica may Process Personal Data relating to the following categories of individuals:
- Authorized Users: Individuals authorized by the Data Controller to use the Mappica platform.
- Third Parties: Data Subjects whose information is included in datasets or visualizations uploaded by the Data Controller.
3.4 Types of Personal Data Processed
The types of Personal Data Processed may include:
- Project Data: Datasets, visualizations, basemaps, and any text, images, or other content uploaded by users.
- Support Data: Information provided during troubleshooting or customer communications, including support tickets, inquiries, and metadata generated during user interactions with support systems.
3.5 Special Categories of Data
Mappica does not Process Sensitive Personal Data. The Data Controller is prohibited from uploading datasets containing Sensitive Personal Data. Any Sensitive Personal Data uploaded in violation of this restriction is considered unauthorized and outside the scope of Mappica’s responsibilities. Mappica will notify the Data Controller of any such occurrences upon discovery.
3.6 Duration of Processing
Mappica will Process Personal Data for the duration of the Data Controller’s use of the platform. Upon termination of services, Mappica will delete or return Personal Data in accordance with Section 10 (Data Retention and Deletion).
3.7 Data Processing Outside Scope
Mappica will not Process Personal Data for purposes other than those outlined in this DPA without documented instructions from the Data Controller or as required by Applicable Data Protection Law.
4. Obligations of the Data Controller
The Data Controller is responsible for ensuring that all Personal Data Processed using the Mappica platform complies with Applicable Data Protection Law, including but not limited to:
- Lawful Basis for Processing: Ensuring that the Personal Data uploaded or Processed via the platform has been collected lawfully and that a valid legal basis exists for its Processing (e.g., consent, legitimate interest, contractual necessity).
- Compliance with Applicable Data Protection Law: Complying with all Applicable Data Protection Law and regulations, including the GDPR, CCPA, and other relevant laws in your jurisdiction.
- Accuracy of Personal Data: Ensuring that all Personal Data uploaded to the platform is accurate, complete, and up-to-date.
- Informing Data Subjects: Informing Data Subjects about the data Processing activities, including the nature and purpose of Processing, as required under Applicable Data Protection Law.
- Data Subject Requests: Responding to and fulfilling any Data Subject requests related to the Personal Data you control (e.g., access, rectification, deletion, restriction of Processing, objection to Processing, and data portability).
- Processing Instructions: Providing clear and documented instructions to Mappica for any specific Processing activities that go beyond the general services outlined in this DPA.
- Risk Assessment: Assessing whether the security measures implemented by Mappica (see Section 5.3) meet your obligations under Applicable Data Protection Law.
- Acceptable Use Compliance: Ensuring that uploaded data complies with the Acceptable Use Policy and does not contain unauthorized Sensitive Personal Data.
5. Obligations of the Data Processor
5.1 Processing on Documented Instructions
Mappica will Process Personal Data only on documented instructions from the Data Controller, as described in this DPA, or as required to provide the agreed services. We will not “Sell” or “Share” (as such terms are defined under Applicable Data Protection Law) the Personal Data. Additional instructions outside the scope of this DPA require prior written agreement between you and Mappica, including agreement on any additional fees payable by you to Mappica for carrying out such instructions. We will promptly inform you if, in our opinion, your instructions infringe Applicable Data Protection Law, or if we are unable to comply with your instructions. We will notify you when Applicable Data Protection Law prevents Mappica from complying with your request, except if such disclosure is prohibited by Applicable Data Protection Law on important grounds of public interest, such as a prohibition under law to preserve the confidentiality of a law enforcement investigation or request.
5.2 Confidentiality
- Authorized Personnel: Mappica will ensure that all personnel authorized to Process Personal Data are bound by a duty of confidentiality.
- Restricted Access: Access to Personal Data will be limited to employees, agents, or Subprocessors who require it to perform their designated Processing activities.
5.3 Security Measures
Mappica will implement and maintain the following technical and organizational measures to protect Personal Data, which may include:
- Access Controls: Limiting access to Personal Data to authorized personnel based on legitimate business needs.
- Data Encryption: Encrypting Personal Data in transit and at rest using industry-standard protocols.
- Monitoring and Logging: Implementing systems to monitor activity for unauthorized access and maintaining logs for security purposes.
- Backup and Recovery: Conducting regular backups and maintaining procedures to support disaster recovery and business continuity.
- Hosting Security: Utilizing secure infrastructure from third-party vendors with industry-recognized certifications.
5.4 Subprocessor Management
- Approval and Oversight: Mappica will engage Subprocessors as described in Section 6 of this DPA. Subprocessors are bound by terms that impose data protection obligations equivalent to those set out in this DPA.
- Accountability: Mappica ensures Subprocessors comply with the obligations set forth in this DPA.
5.5 Assistance to the Data Controller
Mappica will provide reasonable assistance to the Data Controller to fulfill its obligations under Applicable Data Protection Law, including:
- Responding to Data Subject rights requests (e.g., access, rectification, deletion, restriction, objection, or portability).
- Supporting compliance efforts related to data security, breach notification, and Data Protection Impact Assessments (“DPIAs”).
- Providing relevant information about its Processing activities, security measures, and Subprocessors to assist the Data Controller in conducting DPIAs, where required.
5.6 Notification of Personal Data Breaches
- Prompt Notification: In the event of a Personal Data Breach, Mappica will notify the Data Controller without undue delay after becoming aware of the breach.
- Information Sharing: Mappica will provide details about the breach, including the nature of the breach and categories of data affected, likely consequences of the breach, and measures taken to mitigate the breach and prevent recurrence.
- Requests from Public Authorities: If Mappica receives a legally binding request from a public authority or law enforcement agency for access to Personal Data, Mappica will promptly notify the Data Controller before disclosing the data, unless prohibited by law. Mappica will limit disclosure to the minimum data required to comply with the request.
6. Subprocessors
6.1 Engagement of Subprocessors
You acknowledge and agree that Mappica may engage Subprocessors to assist in the performance of its obligations under this DPA. Subprocessors are third-party service providers who Process Personal Data on behalf of Mappica in connection with the provision of its services.
6.2 List of Approved Subprocessors
A list of current Subprocessors can be viewed on our List of Subprocessors page and is subject to the terms of this DPA. Mappica will provide the Data Controller with advance notice of any intended changes to the list of Subprocessors, including the addition or replacement of Subprocessors.
6.3 Subprocessor Obligations
Subprocessors will be obliged under a written contract (i) to comply with Applicable Data Protection Law and (ii) to provide at least the same level of data protection as required by this DPA, including the implementation of appropriate technical and organizational measures.
6.4 Notification of Changes
- Mappica will notify the Data Controller of any intended changes to Subprocessors, including the identity and location of the new Subprocessor at least ten (10) business days in advance.
- The Data Controller may object to the new Subprocessor by providing written notice within this period.
- If the Data Controller objects, Mappica will work in good faith to resolve the objection. If no resolution is achieved, the Data Controller may terminate the relevant services that require the use of the proposed Subprocessor, subject to any applicable terms in the EULA.
6.5 Responsibility
Mappica will be liable for the performance of its Subprocessors to the same extent Mappica would be liable if performing the services of each Subprocessor directly under the terms of this DPA. Mappica is not liable for general performance issues unrelated to data protection compliance.
6.6 Access to Subprocessor Information
Upon written request, Mappica will provide the Data Controller with additional information about Subprocessors engaged in Processing Personal Data under this DPA.
6.7 Data Transfers by Subprocessors
If a Subprocessor Processes Personal Data outside of the jurisdiction where the Data Controller or Data Subjects reside, Mappica will ensure that appropriate safeguards are in place for such transfers, as outlined in Section 8 (Data Transfers).
7. Data Subject Rights
7.1 Assistance with Data Subject Rights Requests
Mappica will assist the Data Controller in fulfilling its obligations to respond to Data Subject Rights requests under Applicable Data Protection Law, including but not limited to the GDPR and the CCPA. These requests may include, but are not limited to:
- Access: Requests to confirm whether Personal Data is being Processed and to provide access to such data.
- Rectification: Requests to correct inaccurate or incomplete Personal Data.
- Erasure: Requests to delete Personal Data (“right to be forgotten”).
- Restriction: Requests to restrict the Processing of Personal Data under certain circumstances.
- Data Portability: Requests to receive Personal Data in a structured, commonly used, and machine-readable format, and to transfer it to another controller.
- Objection: Requests to object to the Processing of Personal Data for specific purposes, such as direct marketing or Processing based on legitimate interests.
7.2 Notification and Documentation of Requests
- If Mappica receives a request directly from a Data Subject concerning their Personal Data, Mappica will promptly notify the Data Controller and provide details of the request.
- Mappica will not respond to such requests directly unless authorized to do so by the Data Controller, or legally obligated to respond under Applicable Data Protection Law, in which case Mappica will notify the Data Controller before responding unless prohibited by law.
7.3 Technical and Organizational Assistance
Mappica will provide appropriate technical and organizational measures, as necessary, to enable the Data Controller to:
- Locate and retrieve the requested Personal Data.
- Fulfill the Data Subject's request in compliance with Applicable Data Protection Law.
- Provide any supplementary information required to comply with the request, such as the purposes of Processing, categories of Personal Data, or recipients of the data.
7.4 Costs of Assistance
- Assistance with routine requests, such as data retrieval from within the Mappica platform, is included as part of the services provided.
- If fulfilling a request involves extraordinary efforts (e.g., custom data extraction or significant manual intervention), Mappica reserves the right to charge a reasonable fee, provided such costs are communicated to and approved by the Data Controller in advance.
7.5 Compliance with Deadlines
Mappica will endeavor to assist the Data Controller in meeting the deadlines for responding to Data Subject Rights requests as specified under Applicable Data Protection Law, such as:
- One Month for GDPR: Responses to most requests must be provided within one (1) month of receipt.
- 45 Days for CCPA: Responses must be provided within forty-five (45) days of receipt, with the possibility of an extension under specific circumstances.
7.6 Exemptions
Mappica’s obligations to assist with Data Subject Rights requests are subject to:
- The Data Controller’s ability to verify the identity of the requestor.
- Any applicable legal exemptions that permit or require the continued Processing of Personal Data.
- Disproportionate effort or technical infeasibility in fulfilling the request.
8. Data Transfers
8.1 Jurisdiction of Processing
Mappica Processes Personal Data primarily within the United States, where its servers are located. However, data may be transferred to and Processed in other jurisdictions where Subprocessors operate. All transfers are conducted in compliance with Applicable Data Protection Law and include appropriate safeguards.
8.2 Transfers Outside the EEA, UK, and Switzerland
For transfers of Personal Data outside the European Economic Area (EEA), United Kingdom (UK), or Switzerland, Mappica ensures compliance with Chapter V of the GDPR or other Applicable Data Protection Law by implementing safeguards such as:
- Standard Contractual Clauses (“SCCs”): Mappica enters into SCCs where required to provide a lawful basis for transfers.
- Adequacy Decisions: Transfers are made to countries deemed by the European Commission to provide an adequate level of data protection. Mappica will implement additional safeguards where required by law.
8.3 Controller Responsibilities for Data Transfers
The Data Controller is responsible for:
- Ensuring that the transfer of Personal Data to Mappica and its Subprocessors complies with Applicable Data Protection Law.
- Informing Data Subjects, as required, that their data may be transferred internationally.
- Ensuring that Data Subjects’ rights and legal protections are maintained throughout the transfer process.
8.4 Subprocessor Data Transfers
If Subprocessors Process Personal Data in jurisdictions outside the EEA, UK, or Switzerland:
- Mappica ensures that Subprocessors are bound by data transfer mechanisms that meet applicable legal requirements (e.g., SCCs or adequacy decisions).
- Upon request, Mappica will provide information about the Subprocessors’ locations and data transfer safeguards.
8.5 Transparency Regarding Data Transfers
Mappica will, upon request:
- Provide details of the data transfer mechanisms in place, including copies of relevant safeguards (e.g., SCCs), subject to applicable confidentiality obligations.
- Notify the Data Controller of any material changes to these mechanisms or safeguards that could impact compliance.
8.6 Restrictions on Data Transfers
Mappica limits data transfers to jurisdictions that provide appropriate safeguards, as required by Applicable Data Protection Law. Mappica ensures that:
- Transfers are strictly necessary for providing the agreed services.
- Personal Data is Processed securely and in compliance with this DPA and Applicable Data Protection Law.
8.7 Data Transfer Obligations in the Event of Legal Requirements
If Mappica is legally required to transfer Personal Data to a third country or international organization (e.g., in response to a government request), Mappica will:
- Notify the Data Controller promptly, unless prohibited by law.
- Limit the disclosure of Personal Data to the extent strictly required by law.
- Assist the Data Controller in evaluating and responding to such legal requirements, including challenging the request where appropriate and permitted.
8.8 Assistance with Data Transfer Assessments
Mappica will assist the Data Controller, where necessary, in providing relevant information for conducting Transfer Impact Assessments or similar evaluations required by Applicable Data Protection Law.
9. Audit and Compliance
9.1 Demonstrating Compliance
Mappica will make available to the Data Controller, upon request, documentation or certifications demonstrating ongoing compliance with this DPA and Applicable Data Protection Law, including summaries of internal compliance checks or third-party audits.
9.2 Right to Audit
You agree to exercise any right you may have to conduct an audit or inspection by instructing Mappica to carry out the audit described in Section 9.1. You agree that you may be required to agree to a non-disclosure agreement with Mappica before we share any such report or outcome from such audit with you and that we may redact any such reports as we consider appropriate. If Mappica does not follow such instruction or if it is legally mandatory for you to demonstrate compliance with Applicable Data Protection Law by means other than reviewing a report from such an audit, you may only request a change in the following way:
- First, submit a request for additional information in writing to Mappica, specifying all details required to enable Mappica to review this request effectively, including without limitation the information being requested, what form you need to obtain it in and the underlying legal requirement for the request (the “Request”). You agree that the Request will be limited to information regarding our security measures or as otherwise required by Applicable Data Protection Law.
- Within a reasonable time after we have received and reviewed the Request, you and we will discuss and work in good faith towards agreeing on a plan to determine the details of how the Request can be addressed. You and we agree to use the least intrusive means for Mappica to address the Request, taking into account applicable legal requirements, information available to or that may be provided to you, the urgency of the matter and the need for Mappica to maintain uninterrupted business operations and the security of its facilities and protect itself and its customers from risk and to prevent disclosure of information that could jeopardize the confidentiality of Mappica or our users’ information.
9.3 Subprocessor Audits
The Data Controller acknowledges that Subprocessors engaged by Mappica may be independently audited by certified third parties. Upon request, Mappica will provide summaries or certifications of such audits, which satisfy audit requirements for Subprocessors.
9.4 Costs
The Data Controller will bear its own costs for audits. Mappica reserves the right to charge a reasonable fee if extraordinary effort is required to support the audit, provided such costs are communicated in advance.
10. Data Retention and Deletion
10.1 Retention Periods
Mappica will retain Personal Data Processed on behalf of the Data Controller for as long as necessary to:
- Fulfill the purposes outlined in this DPA or as instructed by the Data Controller.
- Comply with applicable legal, regulatory, or contractual obligations.
10.2 Obligations Upon Termination or Expiration
Upon termination or expiration of services under this DPA:
- Mappica will permanently delete all Personal Data within thirty (30) days, unless retention is required by law, in which case the data will be securely isolated and protected.
- Upon written request, Mappica will return Personal Data to the Data Controller in a commonly used, machine-readable format before deletion.
- Upon written request, Mappica will certify the deletion of Personal Data, as required under applicable Standard Contractual Clauses (“SCCs”).
10.3 Data Retention in Backups
Personal Data stored in system backups will be deleted or anonymized during the regular backup cycle, which occurs no later than thirty (30) days after the initial deletion of the corresponding data.
10.4 Permanent Deletion
Once data has been permanently deleted, it cannot be recovered. The Data Controller acknowledges and agrees that Mappica will not be liable for any loss resulting from the permanent deletion of data in compliance with this DPA.
11. Liability
11.1 Limitations of Liability
This DPA is subject to the limitations of liability set forth in the EULA. Any liability arising out of or related to this DPA, whether in contract, tort or any other theory of liability, shall be subject to the exclusions and limitations of liability in the EULA, which apply in aggregate across the EULA and this DPA.
11.2 Claims Limitation
Any claims made under or in connection with this DPA (including, where applicable, the Standard Contractual Clauses) may only be brought by the Data Controller entity that is a party to this DPA.
11.3 No Limitation of Data Subject Rights
Nothing in this DPA limits liability with respect to any individual’s data protection rights under Applicable Data Protection Law, including the GDPR, where such limitations are prohibited by law.
12. Miscellaneous
12.1 Governing Law and Jurisdiction
- This DPA shall be governed by and construed in accordance with the laws specified in the EULA between the parties.
- Any disputes arising out of or in connection with this DPA shall be resolved in the courts specified in the EULA.
12.2 Modifications to the DPA
- Mappica reserves the right to modify this DPA as required to comply with changes in Applicable Data Protection Law, regulatory requirements, or its operational practices.
- Mappica will notify the Data Controller of any material modifications to this DPA at least thirty (30) days before the changes take effect.
- Continued use of Mappica’s services after the effective date of any modifications constitutes acceptance of the updated DPA.
12.3 Severability
If any provision of this DPA is found to be invalid, illegal, or unenforceable under applicable law:
- That provision shall be deemed modified to the extent necessary to make it valid, legal, and enforceable.
- If modification is not possible, the provision shall be deemed deleted, and the remaining provisions of the DPA shall remain in full force and effect.
12.4 Notices
Any notices required under this DPA shall be provided as follows:
- To Mappica: Notices must be sent to Mappica LLC, 418 W. Garden St, Box 4, Pensacola, FL 32502, United States, or via email at support@mappica.com.
- To the Customer: Notices will be sent to the contact information provided by the Customer in their account profile or other written communication.
All notices and other communications hereunder shall be in writing and shall be deemed to have been given: (i) when delivered by hand (with written confirmation of receipt); (ii) when received by the addressee if sent by a nationally recognized overnight courier (receipt requested); (iii) on the date sent by facsimile or email (with confirmation of transmission) if sent during normal business hours of the recipient, and on the next business day if sent after normal business hours of the recipient; or (iv) on the third day after the date mailed, by certified or registered mail, return receipt requested, postage prepaid.