Legal Framework

Data Processing Agreement.

This Data Processing Agreement forms part of the Services Agreement between Mapifyit and the Client. This DPA applies where Mapifyit processes personal data on behalf of the Client in connection with the provision of geospatial services.

Effective Date: This DPA is effective as of the date the Client agrees to the Terms of Service or enters into a separate enterprise agreement with Mapifyit.

1. Overview & Scope

This DPA establishes the obligations of both parties regarding the processing of personal data in compliance with applicable data protection laws, including but not limited to:

  • General Data Protection Regulation — EU/EEA
  • California Consumer Privacy Act — United States
  • Other applicable US state privacy laws
  • Industry-specific regulations (NERC CIP, FCC, HIPAA where applicable)

2. Definitions

Personal Data: Any information relating to an identified or identifiable natural person, as processed by Mapifyit on behalf of the Client.
Controller: The Client, who determines the purposes and means of the processing of Personal Data.
Processor: Mapifyit, who processes Personal Data on behalf of the Controller.
Subprocessor: A third party engaged by Mapifyit to process Personal Data on behalf of the Controller.
Data Subject: An identified or identifiable natural person whose Personal Data is processed.

3. Data Processing Obligations

Mapifyit shall:

  • Process Personal Data only on documented instructions from the Controller
  • Ensure that persons authorized to process Personal Data have committed to confidentiality
  • Implement appropriate technical and organizational measures to ensure security of processing
  • Not engage another Subprocessor without prior written authorization of the Controller
  • Assist the Controller in responding to Data Subject requests
  • Delete or return all Personal Data upon termination of services, at the Controller's choice

4. Technical & Organizational Security Measures

Mapifyit implements and maintains the following security measures:

  • AES-256 encryption at rest
  • TLS 1.3 encryption in transit
  • Role-based access controls (RBAC)
  • Multi-factor authentication (MFA)
  • Regular penetration testing
  • 24/7 security monitoring
  • Automated vulnerability scanning
  • Employee background checks
  • Security awareness training
  • Incident response procedures

For the full list of security controls, see our Compliance & Security page.

5. Subprocessors

Mapifyit maintains a current list of authorized subprocessors. We will notify the Controller at least 30 days before adding or replacing a subprocessor. The Controller may object to any new subprocessor on reasonable grounds.

Current Subprocessors

  • Cloud Infrastructure Provider: Data hosting & compute (United States)
  • Payment Processor: Billing & subscription management (United States)
  • Monitoring & Analytics: Service uptime & performance monitoring (United States)

Enterprise clients can request the full subprocessor list with entity names under NDA.

6. International Data Transfers

All customer data is stored and processed exclusively within the United States. Mapifyit does not transfer personal data outside the United States unless:

  • The Controller has provided explicit written consent
  • Adequate safeguards are in place (Standard Contractual Clauses, where applicable)
  • The transfer is necessary for the performance of services requested by the Controller

7. Data Subject Rights

Mapifyit will assist the Controller in responding to requests from data subjects exercising their rights under applicable law, including:

  • Right of Access
  • Right to Rectification
  • Right to Erasure (Right to be Forgotten)
  • Right to Restriction of Processing
  • Right to Data Portability
  • Right to Object
  • Right to Opt-Out (CCPA)
  • Right to Know (CCPA)

8. Data Breach Notification

In the event of a Personal Data breach, Mapifyit will:

  • Notify the Controller without undue delay, and in any event within 72 hours of becoming aware
  • Provide details of the nature and scope of the breach
  • Describe the likely consequences of the breach
  • Describe the measures taken or proposed to address the breach
  • Cooperate with the Controller's investigation and remediation efforts
  • Maintain records of all breaches, including facts, effects, and remedial actions

9. Data Retention & Deletion

Upon termination of the Services Agreement, Mapifyit will:

  • Return all Personal Data to the Controller in a standard, machine-readable format upon request
  • Securely delete all Personal Data within 90 days of termination (unless legally required to retain)
  • Provide written certification of deletion upon request
  • Remove all copies from backup systems within 180 days

10. Audits & Impact Assessments

Mapifyit will make available to the Controller all information necessary to demonstrate compliance with this DPA. This includes:

  • Annual SOC 2 Type II audit reports (available under NDA)
  • ISO 27001 certification documentation
  • Security questionnaire responses (SIG, CAIQ, or custom formats)
  • Support for the Controller's data protection impact assessments (DPIAs)
  • Cooperation with regulatory audits as required by applicable law

Request a Signed DPA

Enterprise and regulated industry clients can request a signed, customized DPA. Contact our legal team to get started.