Mapbox DPA

Data Processing Addendum

This Data Processing Agreement ("DPA") is made and entered into effective as of the date you submit your Order ("Effective Date").

Between:

(1) The company set forth on your Order, which specifically references this online DPA, including the URL ("Customer"); and

(2) Mapbox, Inc. ("Mapbox"), a company constituted under the laws of Delaware with an address of 740 15th Street NW, 5th Floor, Washington DC 20005

(together, the "Parties" and the "Party" shall be construed accordingly).

Recitals

A. Mapbox is the provider of the Services, as defined in the Order by and between the Parties ("Agreement").

B. Mapbox may from time to time process certain personal data or personal information identified on Schedule A("Customer Data") on behalf of Customer to enable Mapbox to provide the Services to Customer in accordance with the Agreement ("Purpose") and Customer may make Customer Data available to Mapbox in connection with this Purpose.

C. This DPA forms part of the Agreement to reflect the Parties' agreement with regard to the processing of Customer Data.

D. The Parties intend that the processing activities carried out by Mapbox on behalf of Customer shall comply with the provisions of this DPA.

1. Definitions

Words and expressions used in this DPA but not defined herein shall have the meanings given to such words and expressions in the EU Directive 95/46/EC or, from 25 May 2018, the General Data Protection Regulation (2016/679) ("GDPR") or the Agreement.

The "Privacy Shield Principles" means the EU-US Privacy Shield Framework Principles issued by the U.S. Department of Commerce which forms Annex II to EC Commission Implementing Decision of 12 July 2016 (C(2016) 4176 final) and the Swiss-US Privacy Shield Framework Principles issued by the U.S. Department of Commerce.

Collectively, the GDPR, the CaliforniaConsumer Privacy Act of 2018 (“CCPA”), and the Privacy Shield Principles shall be referred to "Applicable Data Protection Law".

2. Details of the Processing Operations

The subject matter of the processing, including the processing operations carried out by Mapbox on behalf of Customer are described in Schedule A, which forms an integral part of this DPA. Mapbox acts on behalf of and on the instructions of Customer, as described in the Agreement, in carrying out the processing operations.

3. Obligations of Customer

• 3.1. Customer determines the purposes for which Customer Data are being or will be processed and the manner in which they are being or will be processed.
• 3.2. Customer represents, warrants and agrees that with respect to Customer Data provided to Mapbox pursuant to this DPA, Customer:
• 3.2.1. complies with personal data security and other obligations prescribed by Applicable Data Protection Law;
• 3.2.2. confirms that the provision of Customer Data to Mapbox complies with Applicable Data Protection Law;
• 3.2.3. has established a procedure for the exercise of the rights of the individuals whose Customer Data are collected;
• 3.2.4. only processes data that have been lawfully and validly collected and ensures that such data is relevant and proportionate to the respective uses;
• 3.2.5. ensures that after assessment of the requirements of Applicable Data Protection Law, the security and confidentiality measures implemented are suitable for protection of Customer Data against any accidental or unlawful destruction, accidental loss, alteration, unauthorized or unlawful disclosure or access, in particular when the processing involves data transmission over a network, and against any other forms of unlawful or unauthorized processing; and
• 3.2.6. takes reasonable steps to ensure compliance with the provisions of this DPA by its personnel and by any person accessing or using Customer Data on its behalf.

4. Obligations of Mapbox

• 4.1. Mapbox carries out the processing of Customer Data on behalf of Customer.
• 4.2. Mapbox agrees to provide Customer Data with at least the same level of protection as required under the Privacy Shield Principles. Mapbox further agrees to only process Customer Data (i) in furtherance of the Purpose, and (ii) in accordance with the Agreement, this DPA and the Privacy Shield Principles.
• 4.3 Mapbox agrees that it will:
• 4.3.1. not sell Customer Data;
• 4.3.2 adhere to the requirements of Article 28 of GDPR;
• 4.3.3 process Customer Data only on behalf of Customer and in compliance with Customer's written instructions, as specified in this DPA and the Agreement, unless required to do so by EU, Member State or local law to which Mapbox is subject;
• 4.3.4. if in Mapbox's opinion an instruction from Customer infringes Applicable Data Protection Law, promptly inform Customer;
• 4.4.5. implement the technical and organizational security measures provided for in Schedule B prior to the commencement of the processing activities for Customer Data, maintain such security measures (or security measures that are not materially less protective) for the duration of this DPA, and provide Customer with reasonable evidence of its privacy and security policies upon request;
• 4.3.6. take reasonable steps to ensure that (i) persons employed by it and (ii) other persons engaged at its place of business who may process Customer Data comply with this DPA;
• 4.4.7. comply with confidentiality obligations in respect of Customer Data (as specified in the Agreement) and take reasonable steps to ensure that its employees, authorized agents and any sub-processors comply with such confidentiality obligations;
• 4.3.8. inform Customer of:
• 4.3.8.1. any legally binding request for disclosure of Customer Data by a law enforcement authority, to the extent permitted by law and legal process, such as in order to preserve the confidentiality of an investigation by the law enforcement authorities;
• 4.3.8.2. any personal data breach within the meaning of Applicable Data Protection Law relating to Customer Data which would require a notification to be made to a supervisory authority or data subject under Applicable Data Protection Law;
• 4.3.8.3. any relevant notice, inquiry or investigation by a supervisory authority relating to Customer Data, to the extent permitted by applicable law and legal process; and
• 4.3.8.4. any requests for access to, rectification or blocking of Customer Data received directly from a data subject prior to responding to that request, unless Customer has authorized a response or such a response is required by law;
• 4.3.9. provide reasonable co-operation and assistance to Customer in respect of Customer's obligations regarding:
• 4.3.9.1. requests from data subjects in respect of access to or the rectification, erasure, restriction, blocking or deletion of Customer Data;
• 4.3.9.2. the investigation of any personal data breach within the meaning of Applicable Data Protection Law relating to Customer Data and the notification to the supervisory authority and data subjects in respect of such a personal data breach;
• 4.3.9.3. the preparation of data protection impact assessments and, where applicable, carrying out consultations with the supervisory authority;
• 4.3.9.4. the security of Customer Data, including by implementing the technical and organizational security measures provided for in Schedule B;
• 4.3.10. if Mapbox is required by law to process Customer Data to which GDPR applies, take reasonable steps to inform Customer of this requirement in advance of any processing, unless Mapbox is prohibited from informing Customer on grounds of important public interest; and
• 4.3.11. upon reasonable request, make available to Customer information reasonably necessary to demonstrate compliance with the obligations in this section 4. All such information shall be provided subject to a strict duty of confidentiality.
• 4.4. Mapbox agrees at the request of Customer to submit to an audit to ascertain and/or monitor Mapbox's compliance with this DPA and Applicable Data Protection Law which audit shall be carried out no more than once in any 12 month period (unless otherwise required by a supervisory authority) for cause with reasonable notice and during regular business hours and in a manner which is not disruptive to Mapbox's business and under a duty of confidentiality, by one of the 'big 4' auditing firms appointed by Customer and accepted by Mapbox. The scope of such an audit will be agreed in advance and shall not involve physical access to the network and hosting infrastructure on which the Services are hosted. Customer hereby agrees that an audit may only be conducted if necessary to prove facts which Mapbox cannot verify by providing Customer with independent evidence, including evidence of its compliance with a third party certification programme. Customer will bear its own costs, the fees of any auditor and any expenses incurred by Mapbox in complying with this section 4.4 and section 4.3.7. This paragraph only applies to the extent expressly required under Applicable Data Protection Law.

5. Transfer, Disclosure and Third Parties

Mapbox may engage third parties acting on its behalf to assist in satisfying its obligations in accordance with this DPA and to delegate all or part of the processing activities to such sub-processors. Mapbox shall enter into contractual arrangements with such sub-processors requiring them to guarantee a similar level of data protection compliance and information security to that provided for herein. For the purposes of this section 5, Customer hereby consents to Mapbox engaging sub-processors. Mapbox shall maintain a current list of its sub-processors with respect to Customer Data, access to which can be provided to Customer, and which information shall be held by Customer as strictly confidential and only used to enforce its rights under this Section 5. Customer may object to changes concerning the engagement or replacement of a sub-processor but only on reasonable and documented grounds relating to the protection of Customer Data. Such an objection must be given by notifying Mapbox promptly in writing, within 5 business days after Mapbox updates its sub-processor list, explaining reasonable grounds for the objection. In the event Customer objects to a new sub-processor, as permitted in the preceding sentence, Mapbox shall have the right to make available to Customer a change in the Services or recommend a commercially reasonable change to Customers configuration or use of the Services to avoid processing of personal data by the objected-to new sub-processor. If Mapbox is unable to make available such change within a reasonable period of time, which shall not exceed ninety (90) days (the "Cure Period"), either party may terminate without penalty by either party that part of the Services which cannot be provided by Mapbox without the use of the objected-to new sub-processor by providing written notice to the other party within 5 business days after the end of the Cure Period.

6. Post-termination Obligations

During the term of the Agreement, Customer can use the functionality provided to access and download uploaded data. Upon expiration or termination of Customer’s relationship with Mapbox, Mapbox will delete all Customer Data in accordance with its standard deletion policy unless applicable EU, Member State or local law prevents it from destroying all or part of Customer Data. In such case, Mapbox agrees to preserve the confidentiality of Customer Data retained by it and that it will only actively process such Customer Data after such date in order to comply with the laws it is subject to.

7. International Data Transfers

As of the Effective Date of this DPA, Mapbox self-certifies to and complies with the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks, as administered by the U.S. Department of Commerce.

8. Disclaimer

To the fullest extent permissible pursuant to applicable law, Mapbox disclaims all warranties not expressly set out in the Agreement and this DPA. In particular, Mapbox does not warrant that Customer Data will continue to be stored, will continued to be available or will not become corrupted.

9. Governing Law and Jurisdiction

The governing law, venue, liability and dispute resolution provisions of the Agreement shall apply to this DPA.

10. Conflict

In the event of any conflict or inconsistency between this DPA and the Agreement, this DPA shall prevail.

‍

Schedule A

Details of the Processing Activities

Data subjects

The Customer Data transferred concern the following categories of data subjects or consumers:

• personal data or personal information that is contained in "Your Uploads" (as defined in the Agreement) (if any).

Categories of data

The personal data transferred is:

• personal data or personal information comprised in "Your Uploads" meaning data which is uploaded by Customer to Mapbox via Mapbox Studio, Mapbox Studio Classic, our Dataset API, Tilesets API or our Upload API so that Mapbox can host it for Customer as part of providing our Services.

Special categories of data

Customer is not permitted to submit special categories of personal data to Mapbox through the Services, including racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic or biometric data, health and/or sex life.

Processing operations

The Customer Data transferred may be subject to the following processing activities:

• storage and other processing necessary to provide, maintain and improve the Services provided to Customer;
• to provide customer and technical support to Customer; and
• disclosures in accordance with the Agreement.

‍

Schedule B

Technical and Organisational Security Measures

In accordance with section 4 of the DPA, Mapbox will adopt and maintain reasonable (including organisational and technical) security measures in dealing with Customer Data in order to protect against unauthorised or accidental access, loss, alteration, disclosure or destruction of such data, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.

In determining the technical and organizational security measures required by section 4 of the DPA, Mapbox will take account of the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.

Mapbox will implement the following specific security measures, as applicable:

• The security measures detailed at: https://www.mapbox.com/platform/security/ as amended from time to time.