Data Processing Agreement in Accordance with Article 28 of the General Data Protection Regulation (GDPR)

Revision: 2024/08/15

between

the Controller
natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data by using the Processor APIs, applications or services
hereafter named the "Client"

and

the Processor
KEPTAGO LTD ("Geoapify")
N. Nikolaidi and T. Kolokotroni, ONISIFOROU CENTER, 8011 Paphos, Cyprus
which processes personal data provided by and on behalf of the Controller
hereafter named the "Supplier"

1. Subject matter and duration of the Agreement

The subject matter and duration of the Agreement or Contract shall be determined entirely according to the information provided in the respective contractual relationship.

The Supplier shall process personal data for the Client in accordance with Art. 4 No. 2 and Art. 28 GDPR on the basis of this Agreement.

2. Object, nature, and purpose of the collection, processing, or use of data

The object, nature, and purpose of any possible collection, processing, or use of personal data, the nature of data, and the People Affected shall be in accordance with Appendix 1 of this document.

The provision of the contractually agreed-upon data processing shall occur exclusively in a member state of the European Union or another member state party to the Agreement on the European Economic Area. Any transfer to a third country shall require the prior consent of the Client and may only occur if the special conditions defined in Articles 44 et seq. of the GDPR are fulfilled.

3. Technical and organizational measures in accordance with Art. 32 GDPR (Art. 28 Para. 3 Sent. 2 Clause c of the GDPR)

(1) Before the commencement of data processing, the Supplier shall document the execution of the necessary technical and organizational measures defined in advance of the awarding of the Order or Contract, specifically with regard to the detailed execution of the Agreement or Contract, and shall present these documented measures to the Client for inspection (See Appendix 2 of this document). Upon acceptance of said documents by the Client, the documented measures become the foundation of the contract. Insofar as the inspection/audit by the Client shows the need for amendments, such amendments shall be implemented by mutual agreement.

(2) The Supplier shall establish the security of the data in accordance with Art. 28 Para. 3 Sent. 2 Clause c, and Art. 32 GDPR in particular in conjunction with Art. 5 Para. 1 and Para. 2 GDPR. The measures to be taken are measures of data security and measures that guarantee a protection level appropriate to the risk concerning confidentiality, integrity, availability, and resilience of the systems. The state of the technology; implementation costs; the nature, scope, and purposes of the processing; as well as the probability of occurrence and the severity of the risk to the rights and freedoms of natural persons within the scope of Art. 32 Para. 1 GDPR must be taken into account.

(3) The technical and organizational measures shall be subject to technical progress and further development. In this respect, the Supplier is permitted to implement alternative adequate measures. The safety level of the specified measures must not be compromised. Substantial changes must be documented.

4. Correction, restriction, and deletion of data

(1) The Supplier is not entitled, on its own authority, to delete or restrict the processing of data processed on behalf of third parties. Insofar as an Affected Person contacts the Supplier directly in this respect, the Supplier will forward this request to the Client without delay.

(2) Insofar as the scope of services includes them, the following are to be ensured without undue delay by the Supplier in accordance with the Client’s documented instructions: a deletion policy, the “right to be forgotten”, data correction, data portability, and data disclosure.

5. Quality assurance and other duties of the Supplier

In addition to complying with the provisions of this agreement, the Supplier shall comply with statutory obligations in accordance with Articles 28 to 33 GDPR; in this respect, the Supplier shall particularly ensure compliance with the following requirements:

  • Mr. Pavel Tarasenko, CEO and Head of Security and Compliance ([email protected]) is appointed to the role of Data Protection Officer by the Supplier. The Client shall be immediately notified of any change of the Data Protection Officer.
  • Confidentiality in accordance with Art. 28 Para. 3 Sent. 2 Clause b, Art. 29 and Art. 32 Para. 4 GDPR. The Supplier entrusts only such employees with the data processing defined in this agreement who have been bound to confidentiality and have previously been familiarized with the data protection provisions relevant to their work. The Supplier and any person acting under its authority who has access to personal data may only process that data in accordance with the instructions of the Client (which includes the powers granted in this Agreement) unless otherwise required to do so by law.
  • The implementation and observance of all technical and organizational measures necessary for this Agreement in accordance with Art. 28 Para. 3 Sent. 2 Clause c, Art. 32 GDPR are specified in Appendix 2 of this Agreement.
  • The Supplier and the Client shall, upon request, cooperate with the supervisory authority in the performance of their duties.
  • The Client shall be informed immediately of any inspections and measures conducted by the supervisory authority, insofar as they relate to this Agreement or Contract. This also applies insofar as the Supplier is under investigation or is a party to an investigation by a competent authority in connection with infringements of any civil or criminal law, administrative rule, or regulation regarding the processing of personal data in connection with the processing of this Agreement or Contract.
  • Insofar as the Client is subject to an inspection by the supervisory authority, an administrative or summary offense or criminal procedure, a liability claim of an Affected Person or a third party or any other claim in connection with the processing of the Agreement or Contract by the Supplier, the Supplier shall make every effort to support the Client to the best of his ability.
  • The Supplier shall regularly monitor the internal processes as well as the Technical and organizational measures to ensure that the processing in his area of responsibility is executed in accordance with the requirements of the applicable data protection law and that the rights of the Affected People are protected.

The Client may request documentation to verify the execution of the Technical and organizational measures taken by the Supplier in accordance with section 3 of this Agreement.

6. Subcontracts

For the purpose of this Agreement, subcontracting relationships are defined as those services which relate directly to the provision of the principal commission. This does not include ancillary services that the Supplier uses, e.g. telecommunications services; postal/transport services; maintenance and user support services; as well as other measures to ensure the confidentiality, availability, integrity, and resilience of the hardware and software of data processing systems. However, the Supplier is obligated to make appropriate and legally binding contractual arrangements and implement appropriate inspection measures to guarantee data protection and data security of the Client's data, even in the case of outsourced ancillary services.

The list of subcontractors is presented in Appendix 3 and is subject to change. The Client has the right to request an up-to-date list of subcontractors at any time.

7. The Client’s inspection rights

(1) The Client shall have the right to implement inspections in consultation with the Supplier or to have them implemented by inspectors designated in individual cases. The Client shall have the right to verify compliance with this Agreement, giving reasonable notice and after written confirmation from the Supplier.

(2) The Supplier shall ensure that the Client can verify the Supplier's compliance with the obligations under Article 28 of the GDPR. The Supplier is obligated to provide the Client with the necessary information upon request and in particular to provide proof of the implementation of the Technical and organizational measures.

(3) Evidence of such measures which concern not only this specific Agreement or Contract may be provided by compliance with approved codes of conduct pursuant to Article 40 GDPR; certification according to an approved certification procedure in accordance with Article 42 GDPR; current auditor’s certificates, reports, or excerpts from reports provided by independent bodies (e.g. an auditor, Data Protection Officer, IT security department, data privacy auditor, quality auditor); or a suitable certification by IT security or data protection auditing.

(4) The Supplier may assert a claim for remuneration for enabling the Client’s inspections.

8. Communication in the case of infringement by the Supplier

(1) The Supplier shall assist the Client in complying with the obligations concerning the security of personal data, reporting requirements for data breaches, data protection impact assessments, and prior consultations referred to in Articles 32 to 36 of the GDPR. These include:

  • Ensuring an adequate level of protection with the Technical and organizational measures that take into account the circumstances and purposes of the data processing, the projected probability and severity of potential breaches of the law due to security vulnerabilities, and measures that enable relevant breaches of the law to be detected immediately.
  • The obligation to immediately report violations of personal data to the Client.
  • The duty to assist the Client with regard to the Client’s own obligation to provide information to the Affected People and, in this context, to immediately inform the Client of its own obligations.
  • Assisting the Client with his data protection impact assessment.
  • Assisting the Client with regard to prior consultation with the supervisory authority.

(2) The Supplier may claim compensation for support services that are not included in the description of the services and which are not attributable to failures on the part of the Supplier.

9. The Client’s authority to issue instructions

(1) The Client shall immediately confirm oral instructions (at a minimum in text form).

(2) The Supplier shall inform the Client immediately if he believes that an instruction violates data protection regulations. The Supplier shall then be entitled to suspend the execution of the relevant instructions until the Client confirms or alters said instructions.

10. Deletion and return of personal data

(1) Copies or duplicates of the data shall not be created without the knowledge of the Client, with the exception of backup copies as far as they are necessary to ensure proper data processing as well as data required for compliance with statutory storage obligations.

(2) After the conclusion of the contracted work, or earlier upon request by the Client, and at the latest upon the termination of the Service Agreement, the Supplier shall submit to the Client or – subject to prior consent – destroy all documents, processing and utilization results, and data sets related to the contract that have come into its possession, in accordance with data protection law. The same applies to any and all connected test and scrap material. Upon request, the Supplier shall provide the Client with information on the nature and time of the data’s deletion.

(3) The Supplier shall retain documentation that proves that data was processed in an orderly and contractual manner after the respective contract period has elapsed in accordance with respective retention periods beyond the end of the contract. Alternatively, the Supplier may be absolved of this duty by transferring said documentation to the Client upon the termination of the contract.

11. Other agreements

11.1. Reimbursement

A fee for this contract is not required.

If the Client requires assistance in answering inquiries from Affected People as described in section 4 of this Agreement, the Client shall be required to reimburse the Supplier for such assistance if it requires more than 8 man-hours per month. If the Supplier expects the assistance overhead to exceed this threshold, it must inform the Client in advance and reach a written agreement about time allocation and associated costs.

If the Client exercises monitoring rights as described in section 7 of this Agreement, the amount of remuneration to be agreed upon will be based on the fixed hourly rate of the Supplier's employee who is instructed to supervise the auditor.

If the Client issues instructions to the Supplier as described in section 9 of this Agreement, the Client shall be required to pay any costs that result from these instructions.

11.2. Duration of contract

This Agreement is dependent on the existence of a principal contractual relationship as described in section 1 of this document. The cancellation or other termination of the principal contractual relationship as described in section 1 shall simultaneously invalidate this Agreement.

The right to isolated extraordinary notice of cancellation hereby remains intact as do statutory rights of rescission.

11.3. Choice of law

The laws of the Republic of Cyprus shall apply.

11.4. Place of jurisdiction

The parties agree that the place of jurisdiction shall be the location of the court responsible for the city of Paphos, Cyprus.

Appendix 1

List of Collected Personal Data and the Purpose of Data Collection

General provisions

  • Information is kept only as long as it is needed for contractual and audit purposes, or required by the law.
  • Any other information that is not deemed necessary for providing the service in a secure and reliable manner is not collected and not stored.
  • Under normal circumstances, detailed personally identifiable information is kept for no longer than 24 hours.
  • In exceptional cases, including suspicious or fraudulent activity, particular API request details may be kept for up to 2 months for further reference and analysis.

Collected information types by Affected Persons

Client's Customers

  • IP addresses and technical metadata (HTTP headers) necessary for performing and validating API requests
  • Other information that could be sent to the Supplier within an API request (e.g. an address or GPS coordinates)

The Supplier keeps detailed personally identifiable information only for as long as it is necessary to

  • Process an API request and provide a response
  • Generate aggregated statistics for billing and monitoring

Client and its Employees/Subcontractors/Affiliates

  • Account and contractual information
  • Personal and contact information necessary for Client identification and billing purposes
  • Emails and other communication histories
  • Access and audit logs

We never sell, rent, or otherwise make available any collected personal data to any 3rd party, except situations where this is required by law.

Appendix 2

Technical and Organizational Measures in Accordance with Art. 32 GDPR and Amendments

I. Confidentiality

Access control

  • Data stored exclusively in GDPR-compliant data centers equipped with strong access controls and monitoring
  • Access to APIs provided by the Supplier requires an anonymous access token (an "API Key").
  • Client can issue and revoke as many API Keys as necessary using the self-service account administration interface.
  • Credentials used by Client for authorized access to the self-service account administration interface are defined by Client and are not known to Supplier.
  • Access to internal systems of Supplier is only granted to appropriate Supplier employees and only via personalized access credentials or cryptographic keys.

Security

  • Supplier shall prevent unauthorized access by applying security updates and industry best practices.
  • Supplier guarantees that all data transfer and storage outside the private/secure perimeter (e.g. over the Internet) is encrypted to prevent unauthorized access and man-in-the-middle attacks.

II. Integrity (Art. 32 Para.1 Clause b GDPR)

  • All Supplier employees are trained in accordance with Art. 32 Para. 4 GDPR and are obliged to ensure that personal data is handled in accordance with data protection regulations.
  • Deletion of data in accordance with data protection regulations after the termination of the contract.

III. Availability and Resilience (Art. 32 Para. 1 Clause b GDPR)

  • Supplier keeps at least 24 hours of backup history to guarantee rapid recovery from potential data loss (Art. 32 Para. 1 Clause c GDPR)
  • Supplier applies security programs (virus scanners, firewalls, encryption programs, spam filters) where necessary
  • Supplier applies and implements automated security, performance, and availability monitoring and alerting systems
  • Supplier implements mitigation measures against DDoS and other forms of cyber-attacks

IV. Procedures for regular testing, assessment, and evaluation (Art. 32 Para. 1 Clause d GDPR; Art. 25 Para. 1 GDPR)

  • Supplier implements and maintains internal incident response plans, procedures, and training
  • Supplier has a strong focus on security and data-protection during software development and deployment, implements best industry practices, peer code reviews, and security scans (Art. 25 Para. 2 GDPR).
  • Supplier employees are regularly instructed in data protection law and are familiar with the procedural instructions and user guidelines for data processing on behalf of the Client also with regard to the Client's right of instruction. The General Terms and Conditions contain detailed information on the type and scope of the commissioned data processing and use of the Client's personal data.
  • The General Terms and Conditions contain detailed information about the purpose limitation of the Client’s personal data.
  • Supplier has appointed a company Data Protection Officer responsible for Security and Compliance.

Appendix 3

List of Supplier Subcontractors and Affiliated 3rd Parties:

For Administrative / Billing purposes

  • Google Firebase (Google Ireland Limited / Ireland) for reliable and secure storage of Client account data.
  • 2Checkout (Verifone Payments B.V. / Belgium) for secure and PCI compliant worldwide payment processing, invoicing, handling of payment details, and tax compliance.
  • Brevo (Sendinblue SJSC / France) to send transactional emails, usage reports, news, and announcements to Clients.

For API request processing purposes

Network providers:

  • CloudFlare (Cloudflare, Inc. / USA, Cloudflare Germany GmbH / Germany) for API requests served via api.geoapify.com and maps.geoapify.com
  • BunnyCDN (BUNNYWAY, informacijske storitve d.o.o. / Slovenia) for API requests sent via api-eu.geoapify.com as content delivery network and cloud load balancer with DDoS protection for "always-on" availability and best performance.

Server & data center providers:

  • Hetzner (Hetzner GmbH / Germany) – data centers in Germany and Finland

All API request processing is guaranteed to be strictly EU-bound when accessed via API endpoint api-eu.geoapify.com