Data Processing Agreement

1. Parties and Background

Data Controller ("Controller"): The customer who has accepted the Mapalyze Terms of Service.

Data Processor ("Processor"): Mapalyze, trading as "Mapalyze," Calle Badajoz 9, 21600 Valverde del Camino, Huelva, Spain. Contact: info@mapalyze.com.

This DPA ensures compliance with Article 28 GDPR and Spain's LOPDGDD. In the event of conflict between this DPA and the Agreement, this DPA prevails with respect to data protection matters.

2. Definitions

Capitalized terms have the meanings assigned to them in the GDPR or the Agreement. Key terms:

• "Personal Data" — any information relating to an identified or identifiable natural person (Article 4(1) GDPR)
• "Processing" — any operation performed on Personal Data (Article 4(2) GDPR)
• "Personal Data Breach" — a breach of security leading to accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of Personal Data (Article 4(12) GDPR)
• "Sub-processor" — any third party engaged by the Processor to process Personal Data on behalf of the Controller
• "Supervisory Authority" — the Agencia Española de Protección de Datos (AEPD)
• "Standard Contractual Clauses (SCCs)" — clauses approved by the European Commission for transfers of Personal Data outside the EEA

3. Scope and Purpose of Processing

Subject Matter

Provision of a cloud-based mapping, field data collection, inspection, and geospatial analysis platform, including data storage, synchronization, reporting, and related technical support services.

Duration

Processing continues for the duration of the Agreement. Upon termination, Section 9 (Termination) applies.

Nature and Purpose

Collection, storage, organization, retrieval, display, transmission, synchronization, analysis, and erasure of Personal Data as necessary to provide the Services.

Types of Personal Data Processed

• Identity data: names, employee IDs, job titles, roles
• Contact data: email addresses, phone numbers, postal addresses
• Location/Geospatial data: GPS coordinates, geographic boundaries, map annotations, GIS layer data
• Media data: photographs, videos, audio recordings captured through the Services
• Device data: device identifiers, IP addresses, operating system information
• Form/survey response data: any data entered into forms created by the Controller

Categories of Data Subjects

• The Controller's employees, contractors, and agents
• The Controller's customers and end-users
• Individuals whose data is collected during field inspections or surveys
• Any other individuals whose Personal Data is uploaded by the Controller or its Users

4. Obligations of the Processor

4.1 Processing Instructions

The Processor shall process Personal Data only on documented instructions from the Controller, including with regard to international transfers, unless required by EU or Member State law. The Processor shall inform the Controller of any such legal requirement before processing, unless prohibited by law.

4.2 Confidentiality

All Processor personnel with access to Personal Data are bound by written confidentiality agreements and are committed to confidentiality.

4.3 Security Measures

The Processor implements appropriate technical and organizational measures in accordance with Article 32 GDPR, including:

• Encryption of Personal Data in transit using TLS 1.2 or higher
• Encryption of Personal Data at rest using AES-256 or equivalent
• Role-based access controls ensuring only authorized personnel access Personal Data
• Regular security testing and vulnerability assessments
• Logging and monitoring of access to Personal Data
• Secure development practices for the platform
• Business continuity and disaster recovery procedures including regular backups

4.4 Data Subject Rights

The Processor shall assist the Controller in fulfilling obligations to respond to Data Subject rights requests under GDPR Chapter III (Articles 15–22), including rights of access, rectification, erasure, restriction, portability, and objection. The Processor shall promptly notify the Controller of any Data Subject request received directly.

4.5 DPIAs

The Processor shall provide reasonable assistance with data protection impact assessments (DPIAs) and prior consultations with Supervisory Authorities as required under Articles 35 and 36 GDPR.

5. Personal Data Breach Notification

In the event of a Personal Data Breach, the Processor shall:

• Notify the Controller without undue delay and, in any event, within 72 hours of becoming aware of the breach, consistent with Articles 33–34 GDPR, providing the Controller sufficient time to comply with its own 72-hour notification obligation
• Provide the nature of the breach, categories and approximate number of Data Subjects and records affected, likely consequences, and measures taken or proposed
• Cooperate with the Controller and take reasonable steps to assist in investigation, mitigation, and remediation
• Not notify third parties (including Data Subjects or Supervisory Authorities) directly without the Controller's prior written instruction, unless required by law
• Document all Personal Data Breaches in accordance with Article 33(5) GDPR

6. International Data Transfers

The Processor shall not transfer Personal Data outside the EEA unless:

• The European Commission has issued an adequacy decision for the destination country (including transfers to the US under the EU-U.S. Data Privacy Framework where the recipient is certified)
• Appropriate safeguards are in place under Article 46 GDPR, such as Standard Contractual Clauses (SCCs)
• A derogation under Article 49 GDPR applies and has been documented

The Processor shall inform the Controller of any Sub-processor located outside the EEA and the safeguard mechanism used. Current Sub-processor information is listed in Section 8 and can also be obtained by contacting info@mapalyze.com.

7. Audits and Inspections

The Processor shall make available all information necessary to demonstrate compliance with Article 28 GDPR and allow for audits, subject to:

• At least 30 days' written notice of any audit request
• Audits conducted during normal business hours without unreasonably disrupting operations
• The Controller bears audit costs, except where the audit reveals a material breach by the Processor
• Audit results treated as Confidential Information of the Processor

8. Sub-processors

The Controller provides general written authorization to engage Sub-processors, subject to the following conditions:

• An up-to-date list of Sub-processors is maintained in this Section and available on request from info@mapalyze.com, including name, location, and role
• At least 15 days' advance notice of any intended changes to Sub-processors, giving the Controller opportunity to object
• Good faith discussion of any reasonable objection within 15 days; if unresolved, the Controller may terminate the affected Services
• The same data protection obligations imposed on each Sub-processor by contract (Article 28(4) GDPR)
• The Processor remains fully liable for Sub-processor acts and omissions

8.1 Current Sub-processors

As of the last updated date, Mapalyze engages the following Sub-processors to provide the Services. Data protection obligations equivalent to those in this DPA are imposed on each Sub-processor by contract.

• Paddle.com Market Ltd — United Kingdom — Merchant of Record for paid subscriptions (payment processing, tax calculation, invoicing, refund handling). Data processed: customer name, billing email, billing address, IP address, purchase history, payment tokens. Transfer mechanism: UK adequacy decision adopted by the European Commission on 28 June 2021 under Article 45 GDPR.
• Supabase Inc. — European Union (EU region, Stockholm — eu-north-1) — Database, authentication, storage, and edge functions hosting for the Mapalyze application. Data processed: all Personal Data uploaded by the Controller and its Users, including account data, field data, geospatial data, media, and authentication identifiers. Transfer mechanism: EEA hosting, no international transfer required.
• Vercel Inc. — United States — Web application hosting and serverless compute for the Mapalyze web app (app.mapalyze.com). Data processed: authenticated user session data, IP addresses, request metadata, usage telemetry. Transfer mechanism: Standard Contractual Clauses (Module 2) under Article 46 GDPR and EU-U.S. Data Privacy Framework where applicable; Vercel is DPF-certified.
• Hostinger International Ltd — European Union (Lithuania) — Static hosting for the public Mapalyze marketing website (mapalyze.com). Data processed: visitor IP addresses, browser identifiers, HTTP access logs. Transfer mechanism: EEA hosting, no international transfer required.
• Resend, Inc. — United States — Transactional email delivery (authentication emails, invoices, notifications). Data processed: recipient email address, name, email content and metadata. Transfer mechanism: Standard Contractual Clauses (Module 2) under Article 46 GDPR.
• Google LLC — United States — Web analytics for the public marketing website (mapalyze.com) via Google Analytics 4 (GA4). Data processed: IP address (anonymised where possible via IP truncation), browser and device identifiers, referring URL, pages visited, interaction events. Collection is gated behind a cookie consent banner and only occurs if the visitor grants analytics consent. Transfer mechanism: Standard Contractual Clauses (Module 2) under Article 46 GDPR and EU-U.S. Data Privacy Framework (Google LLC is DPF-certified).
• Functional Software, Inc. (Sentry) — United States — Error tracking, performance monitoring, and release health for the Mapalyze application. Data processed: error stack traces, user identifiers, device information, browser and operating system metadata, IP addresses. Transfer mechanism: Standard Contractual Clauses (Module 2) under Article 46 GDPR.
• HERE Global B.V. — Netherlands (European Union) — Geocoding, reverse geocoding, routing, and mapping services. Data processed: address search queries, GPS coordinates submitted for geocoding, IP addresses. Transfer mechanism: EEA hosting (primary); Standard Contractual Clauses where operational support involves transfers to HERE group entities outside the EEA.
• MapTiler AG — Switzerland — Vector map tiles, map styling, and tile server. Data processed: map tile requests (coordinates and zoom level), IP addresses. Transfer mechanism: Swiss adequacy decision adopted by the European Commission under Article 45 GDPR.

This list reflects current engagements and may evolve. The Controller may request a current and complete Sub-processor list at any time by contacting info@mapalyze.com. Material changes are notified at least 15 days in advance.

9. Termination and Data Return

Upon termination of the Agreement, the Processor shall, at the Controller's choice: return all Personal Data to the Controller in a structured, commonly used format; or securely delete all Personal Data in the Processor's possession. The Controller has 30 days from termination to export data before deletion. The Processor shall provide written confirmation of deletion upon request.

The Processor shall maintain records of processing activities as required by Article 30 GDPR and cooperate with the Supervisory Authority (AEPD) as required by Article 31 GDPR.