Data Processing Agreement

1. Definitions

• “Personal Data” — any information relating to an identified or identifiable natural person.
• “Controller” — the agency or business that determines the purposes and means of processing Personal Data.
• “Processor” — Mapifyer, which processes Personal Data on behalf of the Controller.
• “Processing” — any operation performed on Personal Data, including collection, storage, use, and deletion.
• “Sub-processor” — any third party engaged by Mapifyer to process Personal Data.
• “Applicable Data Protection Law” — GDPR, UK GDPR, CCPA, and any other applicable privacy laws.

2. Scope and Purpose

Mapifyer processes Personal Data solely to provide the services described in the Terms of Service, including management of Google Business Profiles, review automation, ranking analytics, and reporting. Processing is performed only on documented instructions from the Controller.

3. Nature of Personal Data Processed

Categories of Personal Data processed may include:

• Business contact names and email addresses
• Customer names submitted via the review request feature
• Reviewer names and review content from Google Business Profile
• Business location addresses and metadata
• Usage and billing data

4. Processor Obligations

Mapifyer agrees to:

• Process Personal Data only on the Controller’s documented instructions
• Ensure personnel with access to Personal Data are bound by confidentiality
• Implement appropriate technical and organisational security measures
• Not engage sub-processors without prior notice to the Controller
• Assist the Controller in responding to data subject rights requests
• Notify the Controller without undue delay of any Personal Data breach
• Delete or return all Personal Data upon termination of the agreement
• Provide information necessary to demonstrate compliance with this DPA

5. Controller Obligations

The Controller agrees to:

• Have a lawful basis for processing Personal Data before submitting it to Mapifyer
• Provide accurate and complete instructions to Mapifyer
• Ensure end-users have been informed about data processing where required
• Not instruct Mapifyer to process data in a manner that violates applicable law

6. Security Measures

Mapifyer implements the following technical and organisational measures:

• Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
• Role-based access controls
• Multi-factor authentication for platform access
• Regular security reviews
• Supabase Row Level Security (RLS) for data isolation between accounts

7. Sub-processors

Mapifyer uses sub-processors to deliver the service. A current list is maintained at /subprocessors. Mapifyer will provide at least 10 days notice before adding new sub-processors that handle Personal Data.

8. International Transfers

Personal Data may be processed in the United States and other countries where Mapifyer and its sub-processors operate. Where required, transfers are governed by Standard Contractual Clauses (SCCs) approved by the European Commission or equivalent mechanisms under applicable law.

9. Data Breach Notification

In the event of a Personal Data breach, Mapifyer will notify the Controller without undue delay and in any event within 72 hours of becoming aware. The notification will include the nature of the breach, categories of data affected, likely consequences, and measures taken.

10. Data Subject Rights

Mapifyer will assist the Controller in fulfilling obligations to respond to requests from data subjects exercising rights under Applicable Data Protection Law, including access, rectification, erasure, portability, and restriction of processing. Requests should be sent to support@mapifyer.com.

11. Termination and Deletion

Upon termination of the agreement, Mapifyer will, at the Controller’s choice, delete or return all Personal Data and delete existing copies, unless retention is required by applicable law.

12. Contact

For DPA inquiries: support@mapifyer.com