Legal Document

Data Processing Agreement

This Data Processing Agreement (“DPA”) forms part of the MapAtlas Terms of Service and governs the processing of personal data by MapMetrics B.V. on behalf of customers in accordance with GDPR Article 28.

Effective Date

1 January 2024

Governing Law

Netherlands

Standard

GDPR Article 28

Version

1.2

By using the MapAtlas API under a paid subscription or by countersigning this DPA, the Customer agrees to the terms set out herein. Enterprise customers may request a negotiated countersigned copy at legal@mapatlas.eu.

Parties

Data Processor

MapMetrics B.V.

trading as MapAtlas

Keurenplein 4, Unit A35

1069 CD Amsterdam, Netherlands

KVK: 86457101 · VAT: NL863876671B01

legal@mapatlas.eu

Data Controller

The Customer

The legal entity or individual that has entered into the MapAtlas Terms of Service and is identified in the associated customer account or countersigned order form.

Where the Customer itself acts as a Data Processor on behalf of a third-party controller, the Customer warrants that it has authority to bind that controller to the obligations herein.

Article 1, Definitions

The following terms have the meanings set out below. Terms not defined here carry the meaning given in the GDPR or the MapAtlas Terms of Service.

“GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.

“Personal Data” has the meaning given in Article 4(1) GDPR: any information relating to an identified or identifiable natural person.

“Processing” has the meaning given in Article 4(2) GDPR and includes any operation or set of operations performed on personal data, whether or not by automated means.

“Data Controller” means the Customer, who determines the purposes and means of the Processing of Personal Data.

“Data Processor” means MapMetrics B.V. (trading as MapAtlas), who processes Personal Data on behalf of the Controller pursuant to this DPA.

“Sub-Processor” means any third party engaged by the Processor to carry out Processing activities on behalf of the Controller.

“Services” means the MapAtlas API services (Maps, Geocoding, Routing, Autocomplete, Places, Isochrone, Static Maps, Matrix, and Map Matching APIs) made available under the Terms of Service.

“Data Subject” means the natural person to whom the Personal Data relates.

“EEA” means the European Economic Area, comprising the member states of the European Union together with Iceland, Liechtenstein, and Norway.

“SCCs” means the Standard Contractual Clauses for the transfer of personal data to third countries pursuant to GDPR, as approved by the European Commission Decision 2021/914.

“TOMs” means the technical and organisational security measures described in Exhibit C of this DPA.

Article 2, Scope and Relationship of the Parties

2.1 This DPA applies to all Processing of Personal Data by the Processor in connection with the provision of the Services to the Controller and supplements the MapAtlas Terms of Service. In the event of conflict between this DPA and the Terms of Service with respect to the Processing of Personal Data, this DPA prevails.

2.2 The Processor processes Personal Data solely in its capacity as Data Processor on behalf of the Controller. The Processor does not sell, lease, or otherwise commercially exploit Personal Data processed under this DPA.

2.3 The Controller acknowledges that it is solely responsible for: (a) the accuracy, quality, and legality of Personal Data it submits to the Services; (b) ensuring it has a valid legal basis under GDPR for instructing the Processor to process such data; and (c) ensuring it has provided all required notices and obtained all required consents from Data Subjects.

2.4 This DPA commences on the Effective Date and remains in force for the duration of the applicable subscription or service term, unless earlier terminated in accordance with Article 15.

Article 3, Processing Instructions

3.1 The Processor shall process Personal Data only on the documented instructions of the Controller, including with regard to transfers of Personal Data to a third country or international organisation, unless required to do so by applicable EU or member state law. In such a case, the Processor shall inform the Controller of that legal requirement before processing, unless the law prohibits such notification on important grounds of public interest.

3.2 The Controller’s instructions are set out in: (a) this DPA and the associated Exhibits; (b) the MapAtlas Terms of Service; and (c) any additional written instructions provided through the MapAtlas developer portal or via authenticated API configuration. The Processor is not obliged to follow instructions that, in its reasonable judgment, would cause it to violate applicable EU data protection law.

3.3 The Processor shall promptly notify the Controller if, in its opinion, an instruction infringes applicable data protection law. The Processor may suspend processing pending resolution, but is not required to do so where it could suffer legal detriment by acting.

Article 4, Confidentiality

4.1 The Processor shall ensure that persons authorised to process Personal Data on behalf of the Controller are subject to appropriate contractual or statutory obligations of confidentiality with respect to that Personal Data.

4.2 Access to Personal Data is granted strictly on a need-to-know basis and is limited to personnel directly involved in providing the Services or in fulfilling the Processor’s obligations under this DPA.

4.3 The Processor shall maintain a register of persons authorised to access Personal Data under this DPA, which shall be made available to the Controller on request during an audit conducted under Article 12.

Article 5, Security Measures

5.1 Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing, as well as the risk of varying likelihood and severity to the rights and freedoms of natural persons, the Processor shall implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including those measures specified in Exhibit C.

5.2 In assessing the appropriate level of security, the Processor takes particular account of the risks presented by accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored, or otherwise processed.

5.3 The Processor maintains its ISO 27001 certification for its information security management system. The Processor shall notify the Controller without undue delay if its ISO 27001 certification lapses and is not reinstated within 90 days.

5.4 The Processor may update the TOMs in Exhibit C from time to time provided that the updated measures do not materially reduce the level of security. Substantive reductions require 30 days’ prior written notice to the Controller.

Article 6, Sub-Processors

6.1 The Controller grants the Processor general authorisation to engage the Sub-Processors listed in Exhibit A. The Processor shall not engage a new Sub-Processor or make material changes to an existing Sub-Processor engagement without giving the Controller at least 30 days’ prior written notice (including by email to the primary contact on the Customer account).

6.2 The Controller may reasonably object to the engagement of a new Sub-Processor by notifying the Processor in writing within 14 days of receipt of the notice. If the Controller objects and the parties cannot resolve the objection within 30 days, either party may terminate the affected Services on 30 days’ written notice without liability for such termination.

6.3 The Processor shall impose on each Sub-Processor, by way of written contract, data protection obligations equivalent to those imposed on the Processor under this DPA. The Processor remains fully liable to the Controller for the performance of any Sub-Processor’s obligations under such contracts.

6.4 An up-to-date list of Sub-Processors is maintained in Exhibit A of this DPA.

Article 7, Assistance to the Controller

7.1 Data Subject Rights. Taking into account the nature of the Processing, the Processor shall assist the Controller by appropriate technical and organisational measures, insofar as possible, to fulfil the Controller’s obligation to respond to requests for exercising Data Subjects’ rights under Chapter III GDPR (Articles 15–22), including rights of access, rectification, erasure, restriction, portability, and objection. The Controller shall submit such assistance requests to privacy@mapatlas.eu.

7.2 Security. The Processor shall assist the Controller in ensuring compliance with obligations pursuant to Articles 32–36 GDPR (security of processing, notification of breaches, DPIAs, and prior consultation), taking into account the nature of Processing and the information available to the Processor.

7.3 Costs. The Processor may charge a reasonable fee for assistance that goes beyond what is necessary to fulfil its obligations under this DPA, provided it notifies the Controller of such fees in advance.

Article 8, Personal Data Breaches

8.1 The Processor shall notify the Controller without undue delay, and in any event within 72 hours of becoming aware, of a Personal Data Breach affecting Personal Data processed under this DPA.

8.2 The notification shall, to the extent then known, include: (a) a description of the nature of the breach, including the categories and approximate number of Data Subjects and Personal Data records affected; (b) the name and contact details of the Data Protection Officer or other contact point; (c) the likely consequences of the breach; and (d) the measures taken or proposed to address the breach, including mitigation measures.

8.3 Where all information cannot be provided simultaneously, the Processor may provide it in phases without undue further delay.

8.4 Breach notifications should be sent to dpo@mapatlas.eu.

A notification under this Article does not constitute an admission of fault or liability by the Processor. The Controller remains responsible for notifying the competent supervisory authority (Dutch DPA, Autoriteit Persoonsgegevens) and, where required, Data Subjects, under Articles 33 and 34 GDPR respectively.

Article 9, Data Protection Impact Assessments

9.1 Where the Controller is required to carry out a Data Protection Impact Assessment (DPIA) under Article 35 GDPR in relation to Processing activities involving the Services, the Processor shall, upon request and at the Controller’s cost, provide such information and cooperation as is reasonably necessary and available to enable the Controller to complete the DPIA.

9.2 If prior consultation with the supervisory authority is required under Article 36 GDPR, the Processor shall cooperate with and provide reasonable assistance to the Controller in relation to such consultation.

Article 10, International Data Transfers

10.1 The Processor stores and processes all Personal Data exclusively within the European Economic Area (EEA). All primary compute, storage, and database systems are hosted in EU-based data centres and are not subject to US surveillance laws (CLOUD Act, FISA 702) or equivalent non-EEA statutes.

10.2 Notwithstanding Section 10.1, certain Sub-Processors listed in Exhibit A are domiciled outside the EEA. The Processor ensures that any transfer of Personal Data to such Sub-Processors is covered by a lawful transfer mechanism, being, in the first instance, the Standard Contractual Clauses (SCCs) approved by the European Commission under Decision 2021/914 (Module 3: Processor-to-Processor). The applicable transfer mechanism is listed for each Sub-Processor in Exhibit A.

10.3 The Processor conducts and documents Transfer Impact Assessments (TIAs) for all transfers to third countries and makes summaries available to the Controller on request.

10.4 In the event that any transfer mechanism referenced in Section 10.2 is invalidated or suspended by a supervisory authority or court, the Processor shall notify the Controller within 5 business days and shall implement an alternative lawful transfer mechanism within 30 days, or cease the relevant transfer.

Article 11, Deletion and Return of Data

11.1 At the choice of the Controller, the Processor shall, upon termination of the Services or upon written request, delete or return all Personal Data to the Controller and delete existing copies, unless applicable EU or member state law requires continued storage.

11.2 Routine API request logs containing Personal Data (primarily IP addresses and query parameters) are retained for a maximum of 90 days for operational and abuse-prevention purposes, after which they are automatically and permanently deleted.

11.3 Billing and financial records may be retained for the period required by applicable law (in the Netherlands, a minimum of 7 years under the Dutch General Tax Act) but are limited to the minimum data required for accounting purposes.

11.4 The Processor shall provide written confirmation of deletion to the Controller within 30 days of completing deletion, including confirmation from relevant Sub-Processors.

Article 12, Audit Rights

12.1 The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR and shall allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller.

12.2 The Processor shall, in the first instance, satisfy audit requests by providing: (a) the most recent ISO 27001 certification and audit report; (b) penetration test executive summaries (redacted for security); (c) a written response to a reasonable security questionnaire submitted by the Controller.

12.3 Where the Controller reasonably requires an on-site inspection, such inspection shall be: (a) conducted no more than once per 12-month period, unless a Personal Data Breach has occurred; (b) subject to at least 30 days’ prior written notice; (c) carried out during normal business hours with minimal disruption; and (d) subject to a confidentiality agreement.

12.4 The Controller bears all costs of any audit conducted under this Article, including the Processor’s reasonable costs of cooperation.

Article 13, Liability

13.1 Each party’s liability under this DPA is subject to the limitations and exclusions set out in the MapAtlas Terms of Service. Nothing in this DPA limits either party’s liability to Data Subjects or supervisory authorities under applicable data protection law.

13.2 If the Processor is held liable for a breach of data protection law arising from an action or omission of the Controller, the Controller shall indemnify the Processor to the extent of the Controller’s responsibility for the breach.

13.3 The Processor’s total liability in respect of any and all claims under this DPA shall not exceed the aggregate fees paid by the Controller in the 12 months preceding the event giving rise to the claim.

Article 14, Governing Law and Jurisdiction

14.1 This DPA and any dispute or claim arising out of or in connection with it shall be governed by and construed in accordance with the laws of the Netherlands, without regard to its conflict of law provisions.

14.2 The parties irrevocably submit to the exclusive jurisdiction of the competent courts of Amsterdam, Netherlands.

14.3 The supervisory authority responsible for overseeing the Processor’s data protection compliance is the Autoriteit Persoonsgegevens (AP), P.O. Box 93374, 2509 AJ The Hague, Netherlands.

Article 15, Term and Termination

15.1 This DPA takes effect on the Effective Date and remains in force for the duration of the applicable service subscription. It terminates automatically upon termination or expiry of the Terms of Service.

15.2 Either party may terminate this DPA and the associated Services immediately by written notice if the other party commits a material breach of this DPA and, where such breach is capable of remedy, fails to remedy it within 30 days of receiving written notice of the breach.

15.3 Articles 4, 11, 13, 14 and Exhibit C shall survive termination of this DPA for the duration of any applicable statutory retention periods.

Exhibit A, Approved Sub-Processors

Last updated: March 2025. The Processor will provide 30 days’ notice before adding or materially changing a Sub-Processor.

Cloudflare, Inc.

USA (EU Data Localization)

EU SCCs + EU Data Localization Suite

Content delivery network (CDN), DDoS protection, network security and TLS termination. MapAtlas uses Cloudflare's EU Data Localization Suite, which restricts data inspection to EU-based points of presence.

Stripe Payments Europe, Limited

Ireland (EU)

EU entity, no transfer

Payment processing, invoicing, and subscription management. Stripe's Irish entity is the merchant of record for EU customers; no personal data is transferred outside the EEA for EU billing.

Postmark (ActiveCampaign, LLC)

USA

EU SCCs

Transactional email delivery (API key notifications, billing receipts, password resets). Only the recipient email address and the message content you configure are transmitted.

Sentry (Functional Software, Inc.)

USA

EU SCCs + data scrubbing

Application error monitoring and crash reporting. Personal data is scrubbed from payloads at source before transmission; only anonymized stack traces and metadata are sent.

Exhibit B, Description of Processing

This exhibit describes the Processing carried out by the Processor pursuant to Article 28(3) GDPR.

Subject Matter

Processing of Personal Data in connection with the delivery of the MapAtlas API Services (mapping, geocoding, routing, search, and analytics APIs).

Duration

For the term of the service agreement plus any applicable retention period specified in Article 11.

Nature of Processing

Collection, storage, transmission, structuring, use, and deletion of Personal Data in the course of providing real-time API responses.

Purpose

Provision of the Services including API response delivery, rate limiting, abuse prevention, billing, and service quality monitoring.

Categories of Personal Data and Data Subjects

Category	Examples	Data Subjects	Legal Basis
API Identifiers	API keys, client application identifiers, OAuth tokens	Customer's developers and applications	Performance of contract (Art. 6(1)(b) GDPR)
Network Identifiers	IPv4 and IPv6 addresses of API callers, HTTP headers (User-Agent, Referer)	Customer's end users making API requests	Legitimate interests, security, rate limiting (Art. 6(1)(f) GDPR)
Location Query Data	Geocoding input (addresses or place names), reverse-geocoding coordinates, routing origin/destination, autocomplete search strings	Customer's end users	Performance of contract on behalf of controller (Art. 28)
Usage Telemetry	Request timestamps, response latency, HTTP status codes, tile zoom levels, API endpoint called	Customer's end users	Legitimate interests, service monitoring, abuse prevention (Art. 6(1)(f) GDPR)
Account Contact Data	Name, business email address, company name, billing address	Customer's designated contacts and billing contacts	Performance of contract (Art. 6(1)(b) GDPR)

MapAtlas does not process special categories of personal data (Article 9 GDPR) or criminal conviction and offence data (Article 10 GDPR). The Processor does not retain API query content (e.g., geocoding input strings) beyond the 90-day log retention window. No Personal Data is used for advertising, profiling, or any purpose unrelated to the Services.

Exhibit C, Technical and Organisational Security Measures

The following measures are implemented and maintained by MapMetrics B.V. as part of its ISO 27001-certified Information Security Management System (ISMS). These measures satisfy the requirements of GDPR Article 32 and Annex II of the applicable Standard Contractual Clauses.

Encryption

All data in transit is encrypted using TLS 1.2 or higher; TLS 1.3 is enforced where supported by the client.
All data at rest is encrypted using AES-256 encryption on primary storage and backup media.
API keys are stored as salted hashes; plaintext API keys are never logged or stored after initial generation.
Database backups are encrypted at rest and in transit to backup locations.

Access Control

Role-based access control (RBAC) limits access to personal data to personnel with a demonstrated business need.
Multi-factor authentication (MFA) is mandatory for all internal systems that process personal data.
Privileged access to production infrastructure is restricted to a named list of senior engineers and is reviewed quarterly.
All access to personal data is logged and retained for a minimum of 12 months for audit purposes.
Access rights are revoked within 24 hours of employment termination.

Network Security

All public-facing endpoints are protected by Cloudflare's DDoS mitigation and Web Application Firewall (WAF).
Internal production networks are isolated using private VPC subnets; no personal data systems are directly reachable from the public internet.
Intrusion detection systems (IDS) are deployed on all production segments; alerts are triaged 24/7.
Automated vulnerability scanning runs weekly on all production hosts; critical findings are remediated within 14 days.
Annual third-party penetration testing is conducted on all customer-facing infrastructure.

Physical Security

Data is processed exclusively in ISO 27001-certified data centre facilities.
Physical access to data centre facilities is restricted to authorized personnel using biometric and badge-based controls.
Visitors to data centre facilities are escorted at all times and logged.
Removable media containing personal data is encrypted and subject to secure disposal procedures.

Organizational Measures

MapMetrics B.V. maintains an ISO 27001-certified Information Security Management System (ISMS).
A Data Protection Officer (DPO) is designated and reachable at dpo@mapatlas.eu.
All personnel who process personal data receive mandatory data protection training upon hire and annually thereafter.
Data protection is evaluated for all new products and significant system changes via a Privacy by Design review process.
A formal vendor risk management programme evaluates all sub-processors before onboarding and annually thereafter.

Incident Response

A documented Incident Response Plan (IRP) covers detection, containment, eradication, recovery, and post-incident review.
A Security Incident Response Team (SIRT) is on-call 24/7 to triage and manage data security incidents.
Personal data breach notifications to controllers are issued within 72 hours of the incident being confirmed, in accordance with GDPR Article 33.
Post-incident reviews are conducted for all incidents rated High or Critical; findings are used to update controls within 30 days.

Business Continuity and Disaster Recovery

Production data is replicated in real-time to a geographically separate EU data centre.
Full backups are taken daily and retained for 30 days; point-in-time recovery is available for the last 7 days.
Recovery Time Objective (RTO): 4 hours for critical services. Recovery Point Objective (RPO): 1 hour.
Disaster recovery tests are conducted at least annually; results are documented and shared with the security team.

Execute a Countersigned DPA

Paid subscribers accept this DPA automatically upon activating a paid plan. If your organisation requires a countersigned PDF copy for compliance records, contact our legal team. We aim to turnaround standard DPA requests within 5 business days.

Request countersigned DPA Back to Legal overview

MapMetrics B.V. · KVK 86457101 · Keurenplein 4, 1069 CD Amsterdam · legal@mapatlas.eu · DPA v1.2 · Effective 1 January 2024