This Addendum applies where, in providing the managed cloud, [Company Legal Name] (“Processor”) processes personal data on behalf of a customer (“Controller”) that is subject to applicable data protection law (e.g. the GDPR/UK GDPR). The Controller determines the purposes and means; the Processor processes only as described here and on the Controller’s documented instructions.
“Personal data”, “processing”, “data subject”, “controller”, “processor” and “supervisory authority” have the meanings in applicable data protection law. “Customer personal data” means personal data within customer content processed under the Terms.
The Processor will process customer personal data only on the Controller’s documented instructions (including via configuration of the Service), unless required by law, in which case it will inform the Controller unless prohibited. The Controller is responsible for the accuracy and lawfulness of its instructions and its right to provide the data.
The Processor ensures personnel authorized to process customer personal data are bound by confidentiality and process it only as instructed.
The Processor implements appropriate technical and organizational measures to protect customer personal data, as described in Annex II, taking into account the state of the art, costs, and the risks of processing.
The Controller grants general authorization for the Processor to engage sub-processors listed in Annex III to provide the Service. The Processor imposes data-protection obligations on sub-processors no less protective than this Addendum and remains responsible for their performance. The Processor will give notice of intended changes and a reasonable opportunity to object.
Taking into account the nature of the processing, the Processor will assist the Controller by appropriate technical and organizational measures, and to the extent the Service permits, to respond to data-subject requests. Requests received directly will be referred to the Controller.
The Processor will notify the Controller without undue delay after becoming aware of a personal-data breach affecting customer personal data, and will provide information reasonably available to help the Controller meet its notification duties.
The Processor will provide reasonable assistance to the Controller with data-protection impact assessments and prior consultations with supervisory authorities, taking into account the information available to the Processor.
Where the Processor transfers customer personal data across borders subject to transfer restrictions, it will rely on an appropriate mechanism, such as the EU Standard Contractual Clauses (Module Two: controller-to-processor) and, for the UK, the IDTA or UK Addendum, which are incorporated by reference where applicable.
On termination, the Processor will, at the Controller’s choice, delete or return customer personal data and delete existing copies, unless law requires storage. Backups are deleted on their normal cycle.
The Processor will make available information reasonably necessary to demonstrate compliance and allow for and contribute to audits, including inspections, conducted by the Controller or an authorized auditor, subject to reasonable notice, confidentiality, and frequency limits, and may satisfy audit rights via third-party reports where available.
Each party’s liability under this Addendum is subject to the limitations and exclusions in the Terms. This Addendum takes effect when incorporated and continues for as long as the Processor processes customer personal data. If it conflicts with the Terms on data protection, this Addendum controls.
Controller: the customer. Processor: Mapwright.
As applicable to the Controller or its EU representative.
| Area | Measure |
|---|---|
| Encryption | TLS for data in transit; encryption at rest for stored data |
| Access control | Least-privilege access, unique credentials, MFA for admin access |
| Network security | Segmentation, firewalls, restricted management interfaces |
| Logging & monitoring | Audit logs and monitoring for security-relevant events |
| Resilience | Backups and recovery procedures for the managed service |
| Secure development | Code review, dependency management, change control |
| Personnel | Confidentiality obligations and security awareness |
| Incident response | Documented procedures to detect, respond and notify |
Measures may evolve as the Service develops, provided protection is not materially reduced. See our Security page.
| Provider | Purpose | Location |
|---|---|---|
| Amazon Web Services | Hosting & compute | us-east-1 |
| Amazon CloudFront | Content delivery / edge cache | Global edge |