Data Processing Agreement

Written By Andrew Sheridan

Last updated 3 months ago

Data Processing Agreement (DPA)

This Data Processing Agreement ("DPA") is entered into between:

  1. The Client (as defined in the Terms of Service) ("Controller"); and

  2. Hirafu Consulting Limited (trading as Mapping Clarity), a New Zealand company ("Processor").

This DPA is incorporated into and forms part of the Main Agreement (as defined below) entered into by the Controller and Processor.

1. Definitions

  • "Main Agreement" means the Mapping Clarity Terms of Service.

  • "Client Data" means the data uploaded to the Service by the Controller.

  • "Data Protection Laws" means all applicable data protection and privacy laws, including the UK GDPR (the UK General Data Protection Regulation) and the EU GDPR (Regulation (EU) 2016/679).

  • "Personal Data" means any information relating to an identified or identifiable natural person ("Data Subject") that is contained within the Client Data and processed by the Processor on behalf of the Controller.

  • "Processing," "Processor," "Controller," and "Data Subject" shall have the meanings given to them in the Data Protection Laws.

  • "Sub-processor" means any third-party processor engaged by the Processor to process Personal Data.

  • "TOMs" means Technical and Organizational Measures.

2. Scope and Purpose of Processing

  • 2.1 Role of Parties: The Controller (Client) is the data controller, and the Processor (Mapping Clarity) is the data processor for the Personal Data.

  • 2.2 Subject Matter: The provision of the Mapping Clarity data mapping services as described in the Main Agreement.

  • 2.3 Duration: For the term of the Main Agreement, until the Controller’s account is deleted.

  • 2.4 Nature and Purpose: To host, store, and process Client Data to perform data mapping and analysis using a rules-based engine and artificial intelligence (Vertex AI), as initiated and directed by the Controller.

  • 2.5 Types of Personal Data: Personal Data contained within the Client Data, as determined and uploaded by the Controller. This may include, but is not limited to, names, email addresses, contact details, or any other personal data the Controller chooses to upload.

  • 2.6 Categories of Data Subjects: Data Subjects whose Personal Data is included in the Client Data, as determined by the Controller.

3. Processor's Obligations

The Processor (Mapping Clarity) agrees to:

  • 3.1 Process Only on Instructions: Only process Personal Data on the documented instructions of the Controller (i.e., as part of the normal use of the Service), unless required to do so by applicable law.

  • 3.2 Confidentiality: Ensure that all personnel authorized to process the Personal Data are bound by a strict duty of confidentiality.

  • 3.3 Security (TOMs): Implement and maintain appropriate technical and organizational measures to protect the Personal Data against accidental or unlawful destruction, loss, alteration, or unauthorized disclosure or access. (These measures are described in Annex B).

  • 3.4 Data Subject Rights: To the extent legally permissible, promptly notify the Controller if the Processor receives a request from a Data Subject to exercise their rights (e.g., access, rectification, erasure). The Processor shall provide reasonable assistance to the Controller to enable the Controller to respond to such requests.

  • 3.5 Assistance to Controller: Provide reasonable assistance to the Controller in ensuring compliance with its obligations under Data Protection Laws, including in relation to data security, Data Protection Impact Assessments (DPIAs), and consultations with data protection authorities.

  • 3.6 Data Breach Notification: Notify the Controller without undue delay upon becoming aware of a Personal Data breach affecting the Controller's Personal Data. The Processor will provide the Controller with sufficient information to allow the Controller to meet its own breach notification obligations.

4. Sub-processors

  • 4.1 General Authorization: The Controller provides a general written authorization for the Processor to engage Sub-processors, as listed in Annex A.

  • 4.2 Notification: The Processor shall inform the Controller of any intended changes (additions or replacements) to its Sub-processors, thereby giving the Controller the opportunity to object to such changes.

  • 4.3 Liability: The Processor shall remain fully liable to the Controller for the performance of any Sub-processor's data protection obligations. The Processor shall have a written agreement with each Sub-processor containing data protection obligations at least as protective as those in this DPA.

5. International Data Transfers

  • The Processor shall not transfer Personal Data outside of a jurisdiction with an adequate data protection framework (such as New Zealand, or from the UK to the EEA) without ensuring appropriate safeguards are in place, as required by Data Protection Laws.

  • Where the Processor engages a Sub-processor (e.g., Google Cloud) that processes data in a third country (like the USA), the Processor shall ensure such transfers are protected by a valid mechanism, such as the Standard Contractual Clauses (SCCs).

6. Audit Rights

Upon reasonable request (no more than once per year), the Processor shall make available to the Controller all information necessary to demonstrate compliance with this DPA and shall allow for and contribute to audits conducted by the Controller or their designated auditor (at the Controller's expense).

7. Data Return and Deletion

Upon termination of the Main Agreement (i.e., account deletion), the Processor shall, at the choice of the Controller, delete or return all Personal Data. The Processor confirms that its policy, as stated in the Main Agreement, is to delete all Client Data immediately upon account termination.

8. General

  • 8.1 Precedence: In the event of any conflict between this DPA and the Main Agreement, the terms of this DPA shall prevail in relation to data protection matters.

  • 8.2 Governing Law: This DPA and any disputes arising from it shall be governed by the laws of the United Kingdom.

ANNEX A: LIST OF SUB-PROCESSORS

The Controller provides general authorization for the Processor to use the following Sub-processors:

Sub-processor

Purpose of Processing

Location

Google (Cloud, Firebase, Vertex AI

Application hosting, secure database storage, AI-powered data analysis

Global

Sendgrid (Twilio)

Transaction email delivery

USA

Google Analytics

Service usage analytics

USA

Stripe

Payment processor

USA

ANNEX B: TECHNICAL AND ORGANIZATIONAL MEASURES (TOMs)

The Processor implements the following categories of security measures:

  1. Access Control:

    • Authentication is required for all access to systems processing Personal Data.

    • Role-based access controls are used to ensure users only have access to the data necessary for their role.

  2. Encryption:

    • Data is encrypted in transit (using HTTPS/TLS).

    • Data is encrypted at rest (using storage-level encryption provided by Google Cloud).

  3. Confidentiality:

    • All employees and contractors are subject to binding confidentiality agreements.

  4. Resilience:

    • Systems are deployed on high-availability cloud infrastructure (Google Cloud) designed for resilience and fault tolerance.

  5. Data Minimization:

    • The Processor only processes Personal Data as instructed by the Controller and as necessary to provide the Service.

    • Data is deleted immediately upon account termination.