Data Processing Addendum
This Data Processing Agreement ("DPA") is made and entered into effective as of the later of May 25, 2018 and the date you submit your Order ("Effective Date").
(1) The company set forth on your Order, which specifically references this online DPA, including the URL ("Customer"); and
(2) Mapbox, Inc. ("Mapbox"), a company constituted under the laws of Delaware with an address of 740 15th Street NW, 5th Floor, Washington DC 20005
(together, the "Parties" and the "Party" shall be construed accordingly).
A. Mapbox is the provider of the Services, as defined in the Order by and between the Parties ("Agreement").
B. Mapbox may from time to time process certain personal data identified on Schedule A ("Customer Data") on behalf of Customer to enable Mapbox to provide the Services to Customer in accordance with the Agreement ("Purpose") and Customer may make Customer Data available to Mapbox in connection with this Purpose.
C. This DPA forms part of the Agreement to reflect the Parties' agreement with regard to the processing of Customer Data.
D. The Parties intend that the processing activities carried out by Mapbox on behalf of Customer shall comply with the provisions of this DPA.
Words and expressions used in this DPA but not defined herein shall have the meanings given to such words and expressions in the EU Directive 95/46/EC or, from 25 May 2018, the General Data Protection Regulation (2016/679) ("GDPR") or the Agreement.
The "Privacy Shield Principles" means the EU-US Privacy Shield Framework Principles issued by the U.S. Department of Commerce which forms Annex II to EC Commission Implementing Decision of 12 July 2016 (C(2016) 4176 final) and the Swiss-US Privacy Shield Framework Principles issued by the U.S. Department of Commerce.
Collectively, the GDPR and the Privacy Shield Principles shall be referred to as "Applicable Data Protection Law".
2. Details of the Processing Operations
The subject matter of the processing, including the processing operations carried out by Mapbox on behalf of Customer, is described in Schedule A, which forms an integral part of this DPA. Mapbox acts on behalf of and on the instructions of Customer, as described in the Agreement, in carrying out the processing operations.
3. Obligations of Customer
4. Obligations of Mapbox
5. Transfer, Disclosure and Third Parties
Mapbox may engage third parties acting on its behalf to assist in satisfying its obligations in accordance with this DPA and to delegate all or part of the processing activities to such sub-processors. Mapbox shall enter into contractual arrangements with such sub-processors requiring them to guarantee a similar level of data protection compliance and information security to that provided for herein. For the purposes of this section 5, Customer hereby consents to Mapbox engaging sub-processors. Mapbox shall maintain a current list of its sub-processors with respect to Customer Data, access to which can be provided to Customer, and which information shall be held by Customer as strictly confidential and only used to enforce its rights under this Section 5. Customer may object to changes concerning the engagement or replacement of a sub-processor but only on reasonable and documented grounds relating to the protection of Customer Data. Such an objection must be given by notifying Mapbox promptly in writing, within 5 business days after Mapbox updates its sub-processor list, explaining reasonable grounds for the objection. In the event Customer objects to a new sub-processor, as permitted in the preceding sentence, Mapbox shall have the right to make available to Customer a change in the Services or recommend a commercially reasonable change to Customer's configuration or use of the Services to avoid processing of personal data by the objected-to new sub-processor. If Mapbox is unable to make available such change within a reasonable period of time, which shall not exceed ninety (90) days (the "Cure Period"), either party may terminate, without penalty, that part of the Services which cannot be provided by Mapbox without the use of the objected-to new sub-processor by providing written notice to the other party within 5 business days after the end of the Cure Period.
6. Post-termination Obligations
During the term of the Agreement, Customer can use the functionality provided to access and download uploaded data. Upon termination of Customer’s relationship with Mapbox, Mapbox will delete all Customer Data in accordance with its standard deletion policy unless applicable EU, Member State or local law prevents it from destroying all or part of Customer Data. In such case, Mapbox agrees to preserve the confidentiality of Customer Data retained by it and that it will only actively process such Customer Data after such date in order to comply with the laws it is subject to.
7. International Data Transfers
As of the Effective Date of this DPA, Mapbox self-certifies to and complies with the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks, as administered by the U.S. Department of Commerce.
To the fullest extent permissible pursuant to applicable law, Mapbox disclaims all warranties not expressly set out in the Agreement and this DPA. In particular, Mapbox does not warrant that Customer Data will continue to be stored, will continue to be available or will not become corrupted.
9. Governing Law and Jurisdiction
The governing law, venue, liability and dispute resolution provisions of the Agreement shall apply to this DPA.
In the event of any conflict or inconsistency between this DPA and the Agreement, this DPA shall prevail.
Details of the Processing Activities
The personal data transferred concern the following categories of data subjects:
Categories of data
The personal data transferred is:
Special categories of data
Customer is not permitted to submit special categories of personal data to Mapbox through the Services, including racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic or biometric data, health and/or sex life.
The personal data transferred may be subject to the following processing activities:
Technical and Organisational Security Measures
In accordance with section 4 of the DPA, Mapbox will adopt and maintain reasonable (including organisational and technical) security measures in dealing with Customer Data in order to protect against unauthorised or accidental access, loss, alteration, disclosure or destruction of such data, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.
In determining the technical and organizational security measures required by section 4 of the DPA, Mapbox will take account of the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.
Mapbox will implement the following specific security measures, as applicable: