Mapbox Legal Portal

TermsPrivacySupportSuppliers

Service Level Agreement

(last updated November 1, 2023)

Availability

If the Mapbox APIs covered by and used in accordance with this Agreement are not available 99.9% of the time every month, Customer will be eligible to receive a Service Credit as described below.

Unavailability

An API will be considered unavailable when it is inaccessible during two or more consecutive 90-second intervals. If an API is accessible in some regions but not others, availability for the API for the relevant time period will be calculated as the fraction of Customer's API requests that are failing worldwide. Uptime in a month will be calculated across APIs based on the uptime of each individual API Customer uses during the month, weighted by the fraction of all of Customer's API requests accounted for by each API during that month. For purposes of this guarantee, a "month" means a calendar month.

Service Credits

Service credits are calculated as a percentage of the total charges Customer owes Mapbox for services each month, or Customer's annual fee divided by 12, as follows:

Total Available Uptime

(across all APIs) per month

100% - 99.9% - 0% Credit Amount
99.89% - 99% - 10% Credit Amount
Less than 99% - 25% Credit Amount

To receive a credit, as its sole remedy, Customer must contact Mapbox within 30 days following the end of the unavailability via email at info@mapbox.com and include the dates and times of unavailability. If Mapbox confirms that the uptime percentage in a month covered by Customer's request is below 99.9%, Mapbox will issue Customer the service credit. Service credits (i) may be applied to any future invoice issued by Mapbox to Customer (including renewals, subsequent orders and overages), (ii) cannot be exchanged for, or converted to, monetary compensation, and (iii) will expire if not used within twelve months of being issued. The maximum service credit that Mapbox will issue for downtime in a month is 25% of the fees Customer otherwise owes Mapbox for that month.

Limitations

A period of unavailability is excluded from the service level guarantee, and will not count towards unavailability calculations for purposes of service credits, due to force majeure, scheduled maintenance, and/or Customer’s breach or otherwise due to its actions.

Privacy & Security FAQ

Last Updated:  Aug 22, 2023

1. What is Mapbox?

Mapbox provides a location data platform that powers maps and location services. Mapbox provides SDKs (software   development   kits)   and   APIs   (application   programming   interfaces),   which   businesses   and developers use to incorporate Mapbox mapping and navigation technologies into the licensed applications and  websites  they  make.  The  SDKs  contain  libraries  of  software  code  which  are  incorporated  into  a customer’s  licensed  application  or  website.  These  libraries  of  software  code  facilitate  API  requests  to Mapbox’s location data platform (which is a backend data server, hosted in the cloud (AWS-US)) which then responds with map and location content to the customer’s application or website.
In addition, Mapbox offers an on-premise version of its location data services, called Atlas.

2. Does Mapbox sell personal data?

No. Mapbox does not sell personal data.

3. Does Mapbox track end users or build end user profiles?

No. For customers on a monthly active user (“MAU”) billing model, Mapbox maintains counts of MAUs for billing purposes only. Mapbox does not (and cannot) track an end user’s activity across billing cycles and does not build targeted profiles with the data processed through its products/services.

4. What types of personal data does Mapbox collect from end users and why?

Data Category Examples
Identifiers Such as randomly generated billing ID, session ID & feedback ID (if given), and IP address (to provide the service, for billing/security purposes and deleted after 30 days).
Commercial Information Such as user agent, which may include an application ID (determined by the Mapbox customer to identify its application), Mapbox customer’s account ID (so that Mapbox knows which company to bill) and Mapbox product name(s) and version(s). Such as data that an individual may upload to Mapbox products/services or otherwise provide to Mapbox in connection with support, or feedback that end users voluntarily contribute to Mapbox along with their associated contact information.
Internet or other electronic network activity Such as timestamp accompanying received data elements, an end user’s abandonment of a given navigation route / use of an alternate navigation route;
Such as connectivity and device data including device model and browser information, operating system, and contents of an API or SDK request.
Geolocation Data Such as latitude and longitude, altitude, horizontal and vertical accuracy (the session ID association is broken within 24 hours.)Applies only to Navigation SDK: If Mapbox Copilot is enabled, Mapbox receives detailed full trip trace files and searchresults of navigation sessions. Mapbox Copilot is disabled by default and may only be enabled by Mapbox Navigationcustomers (not end users) in their licensed applications.At any time, end users may change their location permissions for a given licensed application through their mobiledevice and choose to disable access to location data. Such change may affect the designed functionality of the licensed application.

5. What measures does Mapbox take to minimize and protect personal data?

Mapbox applies the principle of data minimization to product development and operations in an effort to collect  only  limited  data  from  the  outset.  Mapbox  operates  a  number  of  technical  and  organization measures regarding the limited personal dataset that we process, such as strict access controls and prompt deletion of raw log files that contain IP addresses and billing IDs. Mapbox deploys regular ID rotation and 1-way hashing for billing IDs, which must be retained for accounting and billing purposes, to minimize the ability  to  track  user  requests  over  time.  Billing  IDs  are  not  transmitted  with  unrelated  events,  further reducing  the  feasibility  of  correlating  a  user’s  activities  over  time.  In  addition,  Mapbox  operates  strict anonymization procedures, such as clipping traces, for telemetry events that send location data.

6. Why are IP addresses collected?

Communication   through   the   Internet   requires   the   presence   of   IP   addresses,   which   specify   each transmission’s  origin  and  destination.  When  end  users  engage  with  applications  that  access  Mapbox products/services through the Internet, the end user necessarily discloses their current IP address to one or more Mapbox servers. IP addresses are retained in cloudfront logs for 30 days for billing and customer usage reporting, unless involved in an ongoing security, anti-fraud, or misuse investigation.

7. Why (and when) is location data collected?

Mapbox  receives  location  data  when  a  Mapbox  customer’s  end  users  uses  a  licensed  application  that incorporates Mapbox mobile SDKs and the end user has authorized the licensed application’s use of the end user’s device location via their mobile phone or device operating system.

Location  data  includes  fields  such  as  latitude  and  longitude,  altitude,  horizontal  and  vertical  accuracy,  a session  ID  rotating  every  24  hours,  and  origin  IP  address  (as  would  any  Internet  communication).   The  IP address that accompanies location data is retained at the load balancer (where it is used for security and PUBLISHED: Aug 22, 2023https://www.mapbox.com/legal/legal-faq Mapbox Customer FAQ, Page 3billing  purposes  and  discarded  after  30  days).  This  IP  address  is  not  forwarded  to  the  location  telemetry processing pipeline. Location data is encrypted in transit and at rest, and is subject to the principle of least access, with the minimal number of personnel and processes having access to it in its pre-aggregated form.

In the location data anonymization pipeline, the location data is then anonymized by clipping off the origin and destination of the trip and further dividing the trip into segments, which cannot be reassembled. The anonymized  location   data  is  then  used  to  improve  Mapbox  mapping  products,   including  the  Traffic  and Movement data products.

8. Where (geographically) does Mapbox process personal data?

In AWS in the United States. However, for performance purposes, Mapbox regularly caches content on its AWS  content  delivery  network  (“CDN”)  located  in  various  regions.  Mapbox  employees  who  work  for Mapbox wholly-owned subsidiaries may access personal data from the countries where they work in order to support, develop and provide Mapbox products/services.

9. Can Mapbox limit its geographic processing to Europe (or another specific region)?

No. Mapbox’s  products/services  store  and  serve  source  data  from  an  AWS  primary  region  in  the  US.  As noted  above,  data  is  cached  and  served  out  of  various  regions  outside  the  US  for  performance  reasons, however  Mapbox  cannot  serve  its  data  from  one  limited  geographic  region.  To  comply  with  GDPR  and safeguard transfers to the US and other countries, please see Mapbox's DPA, Schedule C, which includes the Standard Contractual Clauses released in 2021 by the European Commission.

10. Does Mapbox conduct data processing impact assessments (DPIA)?

Yes.  Mapbox  carefully  scrutinizes  the  personal  data  it  processes  within  its  engineering  lifecycle,  which includes conducting a privacy review for new (or changed) processing activities. Mapbox follows privacy-by-design principles and works diligently to limit the personal data it processes from the outset. A DPIA is conducted in any situation in which processing of personal data may be considered high risk and not able to be accomplished in a lower risk manner.

11. How does Mapbox manage compliance with global privacy laws?

Mapbox runs a global data protection program designed to operate in compliance with applicable global privacy laws, including: VCDPA (Virginia, USA), UCPA (Utah, USA), UK-GDPR (UK), TIPA (Tennessee, USA), TDPSA (Texas, USA),PIPEDA (Canada), MTCDPA (Montana, USA), LGPD (Brazil),IDPL (Iowa, USA), ICDPA(Indianna,  USA),  GDPR  (Europe),  CTDPA  (Connecticut,  USA),  CCPA  and  its  implementing  regulations including  CPRA  (California,  USA),  CPA  (Colorado,  USA),  and  APPI  (Japan),  among  many  other  important jurisdictions.


Mapbox’s privacy program is based on privacy by design, which includes monitoring for upcoming privacy laws  and  regulations  to  assess  whether  its  practices  may  need  to  be  adjusted  to  maintain  compliance; product/service  privacy  reviews;  data  breach  response  processes; and  operationalized  technical  and organizational measures designed to ensure the security of the personal data it receives including: security audits  and  SOC2  certification;  anonymization  &  pseudonymization  of  personal  data  (where  applicable); strict access control with logging; limited data retention periods.

12. Does Mapbox have information security credentials?

Yes.  Mapbox  is  SOC2  Type  2  certified  with  a summary  SOC3  report  available  for  customer  review.   In addition, Mapbox earned and maintains Trusted Information Security Assessment Exchange (“TISAX”) and ISO 9001 certifications. Upon request and execution of an NDA, Mapbox may share a copy of its latest SOC2 report.

13. More questions?

Mapbox welcomes any further questions you may have regarding its ongoing commitment to privacy and data security. Please contact Mapbox’s privacy office at privacy@mapbox.com.

Want to receive updates on our sub-processors?

Please subscribe below:

Stay tuned for updates!
Please enter an email address that includes @.
This is some text inside of a div block.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.