DATA PROTECTION ADDENDUM

This Data Processing Agreement (“DPA”) forms part of the Terms of Use (or other similarly titled written or electronic agreement addressing the same subject matter) (“Agreement”) between Customer (as defined in the Agreement) and “MapUp” under which the Processor provides the Controller with the software and services (the “Services”). The Controller and the Processor are individually referred to as a “Party” and collectively as the “Parties”.

The Parties seek to implement this DPA to comply with the requirements of EU GDPR (defined hereunder) in relation to Processor’s processing of Personal Data (as defined under the EU GDPR) as part of its obligations under the Agreement. This DPA shall apply to Processor’s processing of Personal Data, provided by the Controller as part of Processor’s obligations under the Agreement. Except as modified below, the terms of the Agreement shall remain in full force and effect.
  1. Definitions

    Terms not otherwise defined herein shall have the meaning given to them in the EU GDPR or the Agreement. The following terms shall have the corresponding meanings assigned to them below:


    1. 1.1 "Data Transfer" means a transfer of the Personal Data from the Controller to the Processor, or between two establishments of the Processor, or with a Sub-processor by the Processor.
    2. 1.2 “EU GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).
    3. 1.3 “Standard Contractual Clauses” means the contractual clauses attached hereto as Schedule 1 pursuant to the European Commission’s Implementing Decision (EU) 2021/914 of 4 June 2021 on Standard Contractual Clauses for the transfer of Personal Data to processors established in third countries which do not ensure an adequate level of data protection.
    4. 1.4 “Controller” means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
    5. 1.5 “Processor” means a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller.
    6. 1.6 “Sub-processor” means a processor/ sub-contractor appointed by the Processor for the provision of all or parts of the Services and Processes the Personal Data as provided by the Controller.
  2. Purpose of this Agreement

    This DPA sets out various obligations of the Processor in relation to the Processing of Personal Data and shall be limited to the Processor’s obligations under the Agreement. If there is a conflict between the provisions of the Agreement and this DPA, the provisions of this DPA shall prevail.

  3. Categories of Personal Data and Data Subjects

    The Processor may process the Personal Data as necessary to provide the Services. The categories of Personal Data processed are described in Annex I to Schedule 1 to this DPA and may be updated from time to time based on the Services provided.

  4. Purpose of Processing

    The Processor shall Process Personal Data as necessary to provide the Services under the Agreement and for the Processor's legitimate business operations related to providing the Services.

  5. Duration of Processing

    The Processor will Process Personal Data for the duration of the Agreement and any period thereafter required by law or needed for the Processor's legitimate business purposes.

  6. Data Controller’s Obligations
    1. 6.1

      The Data Controller warrants that it has all necessary rights and legal bases to provide the Personal Data to the Data Processor. The Controller is solely responsible for the lawfulness of Personal Data collection, including obtaining any required consents and providing required notices to Data Subjects.

    2. 6.2

      The Data Controller shall provide required privacy notices to Data Subjects.

    3. 6.3

      The Data Controller may request deletion of Personal Data subject to the Processor's right to retain Personal Data as permitted under this DPA or applicable law.

    4. 6.4

      The Data Controller shall promptly notify the Data Processor of:

      1. 6.4.1

        Any claim of non-compliance with Data Privacy Laws;

      2. 6.4.2

        Data Subject requests regarding their Personal Data;

      3. 6.4.3

        Relevant inquiries or complaints from individuals;

      4. 6.4.4

        Regulatory or legal demands for Personal Data;

  7. Data Processor’s Obligations
    1. 7.1

      The Processor will process Personal Data in accordance with the Agreement and this DPA, which constitute the complete documented instructions from the Controller.

    2. 7.2

      Additional instructions beyond the scope of the Agreement may be subject to additional fees at Processor's standard rates.

    3. 7.3

      The Processor will provide commercially reasonable assistance to the Controller in responding to data subject requests, at Controller's expense.

    4. 7.4

      The Controller shall be responsible for obtaining all necessary consents and providing all required notices to data subjects.

    5. 7.5

      For international transfers, the Processor shall comply with the requirements set forth in Schedule 1 of this DPA.

    6. 7.6

      The Processor shall inform the Controller if an instruction appears to infringe applicable data protection laws.

    7. 7.7

      The Processor shall provide reasonable assistance with Data Protection Impact Assessments, considering the nature of processing and information available to the Processor, at Controller's expense.

  8. Data Secrecy
    1. 8.1

      The Processor will ensure that personnel processing Personal Data:

      1. 8.1.1

        Are subject to appropriate confidentiality obligations

      2. 8.1.2

        Perform services in accordance with the Agreement

    2. 8.2

      The Processor will provide appropriate data privacy training to relevant personnel in accordance with its standard practices.

    3. 8.3

      The Processor will maintain reasonable security measures to protect Personal Data, as further described in Section 14 of this DPA.

  9. Audit Rights
    1. 9.1

      Upon the Controller's reasonable request, limited to once per calendar year, the Processor will make available to the Controller documentation reasonably necessary to demonstrate compliance with its obligations under the EU GDPR.

    2. 9.2

      When the Controller wishes to conduct an audit at Processor's site, it shall provide at least ninety (90) days' prior written notice to the Processor. Any audit shall be limited to one business day per year, conducted during regular business hours, and shall not unreasonably interfere with Processor's operations.

    3. 9.3

      The Controller shall bear all costs associated with the audit, including Processor's internal costs at Processor's then-current professional services rates.

  10. Mechanism of Data Transfers

    Any Data Transfer by the Processor to a country outside the European Economic Area (the "EEA") shall be governed by the Standard Contractual Clauses in Schedule 1 to this DPA or another valid transfer mechanism under GDPR. The parties acknowledge that such transfers are necessary for the performance of the Agreement.

  11. Sub-processors
    1. 11.1

      The Processor shall notify the controller of any intended changes through its standard notification process. Changes will be deemed accepted unless Controller objects within fifteen (15) business days.

    2. 11.2

      If the Controller objects to a new sub-processor, the Processor may either continue with the planned change and allow Controller to terminate the affected services, continue with the existing sub-processor, or propose an alternative solution.

  12. Personal Data Breach Notification
    1. 12.1

      The Processor shall inform the Controller if it determines that a Personal Data Breach has occurred that poses a material risk to data subjects. The timing and content of notifications will be based on the circumstances and information available to the Processor.

    2. 12.2

      The Processor shall provide reasonable assistance with breach-related obligations by considering the nature of processing, information available to the Processor, the urgency of the situation, and the Processor's other business obligations.

    3. 12.3

      No Acknowledgement of Fault by Processor. Processor's notification of or response to a Personal Data Breach under this DPA will not be construed as an acknowledgement by Processor of any fault or liability with respect to the data incident.

  13. Return and Deletion of Personal Data
    1. 13.1

      Within one hundred and twenty (120) days following termination of services, the Processor shall either return Personal Data or delete it according to its standard procedures, unless retention is required by law or for legitimate business purposes.

    2. 13.2

      The Processor may retain Personal Data where required by law, present in standard backup systems, or necessary for legitimate business purposes. Any retained data shall remain subject to this DPA's confidentiality obligations.

  14. Technical and Organizational Measures
    1. 14.1

      Having regard to the state of technological development and the cost of implementing any measures, the Processor will take appropriate technical and organizational measures against the unauthorized or unlawful processing of Personal Data and against the accidental loss or destruction of, or damage to, Personal Data to ensure a level of security appropriate to: (a) the harm that might result from unauthorized or unlawful processing or accidental loss, destruction or damage; and (b) the nature of the data to be protected [including the measures stated in Annex II of Schedule 1].

SCHEDULE 1

ANNEX I

A. LIST OF PARTIES

Data exporter(s):

Name : Customer (As set forth in the relevant Order Form).

Address: As set forth in the relevant Order Form.

Contact person’s name, position, and contact details: As set forth in the relevant Order Form.

Activities relevant to the data transferred under these Clauses: Recipient of the Services provided by MapUp in accordance with the Agreement.

Signature and date: Signature and date are set out in the Agreement.

Role (Controller/ Processor): Controller

Data exporter(s):

Name: MapUp

Address: MapUp Inc, 440 N Wolfe Rd, E022 Sunnyvale, CA 94085 USA

Contact person’s name, position, and contact details: Maneesh Mahlawat, DPO, maneesh@mapup.ai

Activities relevant to the data transferred under these Clauses: Provision of the Services to the Customer in accordance with the Agreement.

Signature and date: Signature and date are set out in the Agreement.

Role (controller/processor): Processor.

B. DESCRIPTION OF TRANSFER

Categories of data subjects whose personal data is transferred

Customer’s authorized users of the Services.

Categories of personal data transferred

Name, Address, Date of Birth, Age, Education, Email, Gender, Image, Job, Language, Phone, Related person, Related URL, User ID, Username.

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.

No sensitive data collected.

The frequency of the transfer (e.g., whether the data is transferred on a one-off or continuous basis).

Continuous basis

Nature of the processing

The nature of the processing is more fully described in the Agreement and accompanying order forms but will include the following basic processing activities: The provision of Services to Customer.

Purpose(s) of the data transfer and further processing

The purpose of the transfer is to facilitate the performance of the Services more fully described in the Agreement and accompanying order forms.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

The period for which the Customer Personal Data will be retained is more fully described in the Agreement, Addendum, and accompanying order forms.

For transfers to (sub-) processors, also specify subject matter, nature, and duration of the processing

The subject matter, nature, and duration of the Processing more fully described in the Agreement, Addendum, and accompanying order forms.

C.COMPETENT SUPERVISORY AUTHORITY

Data exporter is established in an EEA country.

The competent supervisory authority is as determined by application of Clause 13 of the EU SCCs.

ANNEX II

TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA


Description of the technical and organisational security measures implemented by MapUp as the data processor/data importer to ensure an appropriate level of security, taking into account the nature, scope, context, and purpose of the processing, and the risks for the rights and freedoms of natural persons.


ANNEX III

LIST OF SUB-PROCESSORS

The controller has authorized the use of the following sub-processors:

Name of Sub-ProcessorDescription of ProcessingLocation of Sub-Processor
Google WorkspaceEmail servicesUSA
GithubCode version controlUSA
HubspotCRM solutionUSA
ApolloCustomer OutreachUSA
KekaHRMSIndia
ScrutSecurity controlsIndia
Amazon Web Services (AWS)Cloud servicesUSA, India