Data Processing Agreement

Last updated: November 24, 2025


This Map My Customers Data Processing Agreement and its Annexes ("DPA") reflects the parties' agreement with respect to the Processing of Personal Data by Map My Customers on behalf of Customer in connection with the Map My Customers Subscription Service pursuant to the Map My Customers Terms of Service ("Agreement").


1. Definitions


2. Customer Responsibilities

a. Compliance with Laws

Customer is responsible for compliance with all Data Protection Laws, including:

b. Controller Instructions

The parties agree that the Agreement (including this DPA), together with your use of the Subscription Service in accordance with the Agreement, constitute your complete Instructions to Map My Customers in relation to the Processing of Personal Data.

c. Security

Customer is responsible for determining if the security measures adequately meet the DPA obligations and for securing data in transit.


3. Map My Customers Obligations

a. Compliance with Instructions

We will only Process Personal Data for the purposes described in this DPA or as otherwise agreed within the scope of your lawful Instructions.

b. Conflict of Laws

Map My Customers will notify the Customer of any legal requirements preventing compliance with Instructions and will cease all non-storage Processing until new lawful Instructions are issued.

c. Security

We will implement and maintain appropriate technical and organizational measures to protect Personal Data from Personal Data Breaches, as described under Annex 2 to this DPA. Modifications are permitted if they do not materially degrade protection.

d. Confidentiality

Map My Customers ensures that all personnel processing data are subject to confidentiality obligations.

e. Personal Data Breaches

We will notify you without undue delay after we become aware of any Personal Data Breach and will provide timely information relating to the Personal Data Breach as it becomes known or as is reasonably requested by you.

f. Deletion or Return of Personal Data

We will delete or return all Customer Data, including Personal Data (including copies thereof) Processed pursuant to this DPA, on termination or expiration of the Agreement. Exceptions apply where law requires retention or for archived backup data, which will be securely isolated and protected from any further Processing.


4. Non-Disclosure and Usage

Map My Customers will not disclose Confidential Information to third parties except as necessary, only per Customer's written instructions or as required by law.

Map My Customers may use aggregated and anonymized data derived from the Customer's data solely for analytics, research, and to improve its products and services, provided that such use does not directly or indirectly identify the Customer.

a. Confidentiality Safeguards

Map My Customers implements appropriate technical, administrative, and organizational safeguards to protect Confidential Information against unauthorized access, use, disclosure, alteration, or destruction.

b. Exceptions

Information is not deemed confidential if it is: publicly available, known prior to disclosure, lawfully received from a third party, or independently developed.

c. Duration of Obligation

Confidentiality obligations survive termination for two (2) years unless otherwise agreed or required by law.


5. Data Subject Requests

Map My Customers provides reasonable assistance to address Data Subject Requests through the Subscription Service.

Upon Customer's written request, Map My Customers provides assistance responding to data protection authority requests, at Customer's cost.

If a Data Subject Request is directed to Map My Customers, it will inform the Customer and advise the requestor to contact Customer. Customer is solely responsible for the substantive response.


6. Sub-Processors

Customer agrees that Map My Customers may engage Sub-Processors via three channels:

  1. Hosting and infrastructure assistance
  2. Product features and integrations support
  3. Map My Customers Affiliates for service and support

Map My Customers lists Sub-Processors upon written request to support@mapmycustomers.me.

Map My Customers imposes data protection terms on Sub-Processors that provide at least the same level of protection for Personal Data as those in this DPA (including, where appropriate, the Standard Contractual Clauses).

Map My Customers remains responsible for Sub-Processor compliance and their acts or omissions.


7. Data Transfers

Map My Customers may access and Process Personal Data globally to provide the Subscription Service, including transfers to the United States and other jurisdictions where Map My Customers Affiliates and Sub-Processors operate.

Transfers of Personal Data outside its country of origin must comply with applicable Data Protection Laws requirements.


8. Additional Provisions for European Data

a. Scope

This section applies only to European Data.

b. Roles of the Parties

Customer is the Controller; Map My Customers is the Processor when Processing European Data per Customer's Instructions.

c. Instructions

Map My Customers will notify Customer within a reasonable timeframe if it believes Instructions infringe European Data Protection Laws.

d. Sub-Processor Agreements

Map My Customers uses reasonable efforts to require any Sub-Processor to permit it to disclose the Sub-Processor agreement to Customer, subject to confidentiality.

e. Data Protection Impact Assessments

Map My Customers provides reasonable assistance for DPIAs and prior supervisory authority consultations where the information is reasonably available.

f. Transfer Mechanisms for Data Transfers

Map My Customers will not transfer European Data to countries or recipients without adequate protection unless necessary measures ensure compliance, including: a suitable framework or legally adequate transfer mechanism, binding corporate rules authorization, or Standard Contractual Clauses.

If the contracting entity is not Map My Customers, Inc., that entity remains fully and solely responsible and liable for the performance of the Standard Contractual Clauses.

Customer must provide reasonable notice for cure if Map My Customers breaches the SCCs or UK Addendum. If the breach is uncurable, Customer may suspend or terminate without liability.

Map My Customers, Inc. is not currently relying on Privacy Shield. If adopted as an alternative transfer mechanism, it will apply automatically instead of the Standard Contractual Clauses.

h. Demonstration of Compliance

Map My Customers makes information available to demonstrate compliance and allows audits by Customer or Customer's auditor to assess DPA compliance.

Map My Customers provides SOC 2 reports and summary copies of penetration testing reports under confidentiality obligations.

Map My Customers responds to reasonable written information requests, limited to once per calendar year unless non-compliance is suspected.


9. Additional Provisions for California Personal Information

a. Scope

This section applies only to California Personal Information.

b. Roles of the Parties

Customer is the Business; Map My Customers is the Service Provider under the CCPA when Processing California Personal Information per Customer's Instructions.

c. Responsibilities

Map My Customers Processes California Personal Information as a Service Provider strictly for the Business Purpose (providing the Subscription Services) or as otherwise permitted by the CCPA.


10. General Provisions

a. Amendments

Map My Customers reserves the right to update this DPA. The "Amendment; No Waiver" section of the General Terms applies.

b. Severability

Invalid provisions do not affect the validity or enforceability of the remaining DPA provisions.

c. Limitation of Liability

The parties' aggregate liability arising out of or related to this DPA and the Standard Contractual Clauses is subject to the "Limitation of Liability" section of the General Terms.

In no event will either party's liability be limited with respect to any individual's data protection rights under this DPA (including the Standard Contractual Clauses) or otherwise.

d. Governing Law

This DPA is governed by the laws of the United States and North Carolina, with exclusive jurisdiction in Raleigh, North Carolina state and federal courts, unless Data Protection Laws require otherwise.


11. Parties to this DPA

a. Permitted Affiliates

By signing the Subscription Agreement, Customer enters into this DPA on behalf of itself and its Permitted Affiliates.

b. Authorization

The legal entity represents that it is authorized to agree to this DPA for itself and applicable Permitted Affiliates.

c. Remedies

Only the contracting Customer entity may exercise rights and seek remedies for Permitted Affiliates, in a combined manner and not separately.

d. Other Rights

Customer takes reasonable measures to limit audit impact, combining multiple requests into a single audit.


Annex 1 — Details of Processing

A. List of Parties

Data Exporter (Controller):

Data Importer (Processor):

B. Description of Transfer

Categories of Data Subjects:

Categories of Personal Data:

Sensitive Data: The parties do not anticipate the transfer of sensitive data.

Frequency of Transfer: Continuous.

Nature of Processing: Storage and Processing necessary to provide, maintain, and improve the Subscription Services, and disclosure per the Agreement and/or as compelled by applicable law.

Purpose of Transfer and Further Processing: Map My Customers Processes Personal Data as necessary to provide the Subscription Services per the Agreement and Customer's use-based Instructions.

Retention Period: During the Agreement duration, unless otherwise agreed in writing.

C. Competent Supervisory Authority

The competent supervisory authority is determined in accordance with the GDPR.


Annex 2 — Security Measures

Map My Customers observes the following security measures in connection with the Processing of Personal Data.

a) Access Control

i. Preventing Unauthorized Product Access

Outsourced Processing: Map My Customers hosts its Service with outsourced cloud infrastructure providers, relying on contractual agreements, privacy policies, and vendor compliance programs to protect data.

Physical and Environmental Security: Production servers and client-facing applications are logically and physically secured from internal corporate information systems. Physical and environmental security controls are audited for SOC 2 Type II compliance, among other certifications.

Authentication: Map My Customers implements a uniform password policy. Customers must authenticate before accessing non-public customer data.

Authorization: Customer Data is stored in multi-tenant storage systems accessible to Customers only via application user interfaces and application programming interfaces. Authorization models ensure only appropriately assigned individuals access relevant features, views, and customization options.

API Access: Public product APIs are accessed via API key or OAuth authorization.

ii. Preventing Unauthorized Product Use

Access Controls: Network access control mechanisms prevent unauthorized protocols from reaching the product infrastructure, including VPC implementations, security groups, and firewall rules.

Intrusion Detection and Prevention: Map My Customers implements a Web Application Firewall (WAF) solution to protect hosted customer websites and other internet-accessible applications.

Static Code Analysis: Code is checked for best practices and identifiable software flaws using automated tooling.

Penetration Testing: Map My Customers maintains relationships with industry-recognized penetration testing service providers for four annual penetration tests.

iii. Limitations of Privilege and Authorization Requirements

Product Access: A subset of employees access products and customer data via controlled interfaces for customer support, product development and research, troubleshooting, and security incident detection and response.

Access is enabled through "just in time" (JITA) requests. All access is logged. Access is granted by role; high-risk grants are reviewed daily. Administrative and high-risk permissions are reviewed at least semiannually.

b) Transmission Control

In-Transit: Map My Customers requires HTTPS encryption (also referred to as SSL or TLS) on all login interfaces and on every customer site hosted on the Map My Customers products. HTTPS implementation uses industry standard algorithms and certificates.

At-Rest: Passwords are stored following industry standard practices for security. Map My Customers has implemented technologies to ensure that stored data is encrypted at rest.

c) Input Control

Detection: Infrastructure logs extensive information about system behavior, traffic received, system authentication, and other application requests. Internal systems aggregate log data and alert employees of malicious, unintended, or anomalous activities.

Response and Tracking: Map My Customers maintains a record of known security incidents that includes description, dates and times of relevant activities, and incident disposition. Suspected or confirmed incidents are investigated; resolution steps are identified and documented. For confirmed incidents, Map My Customers takes appropriate steps to minimize product and Customer damage or unauthorized disclosure.

d) Availability Control

Infrastructure Availability: Infrastructure providers use commercially reasonable efforts to ensure a minimum of 99% uptime and maintain a minimum of N+1 redundancy to power, network, and HVAC services.

Fault Tolerance: Backup and replication strategies are designed to ensure redundancy and fail-over protections during a significant processing failure. Customer data is backed up to multiple durable data stores and replicated across multiple availability zones.

Online Replicas and Backups: Production databases are designed to replicate data between no less than 1 primary and 1 secondary database. Databases are backed up using at least industry standard methods.

Disaster Recovery Plans: Map My Customers maintains and regularly tests disaster recovery plans to help ensure availability of information following interruption to, or failure of, critical business processes. Products are designed to ensure redundancy and seamless failover. Server instances are architected with a goal to prevent single points of failure.


Revisions and Changes

We post any changes to this DPA on this page. The revision date is identified at the top of the page. You are responsible for periodically visiting the Site and this DPA to check for changes.


Contact Information

To ask questions or comment about this DPA, contact us at:

Map My Customers, Inc.
Attn: Legal
167 E Chatham St., Suite 300
Cary, NC 27511

Or via email at: legal@mapmycustomers.com