Data Processing Addendum
This Data Processing Addendum ('DPA') forms part of the agreement between Customer and Prodio, Inc. d/b/a ChangeMap and governs the processing of Personal Data on behalf of Customer.
1. Purpose
This Data Processing Addendum ('DPA') forms part of the agreement between Customer and Prodio, Inc. d/b/a ChangeMap and governs the processing of Personal Data on behalf of Customer.
2. Roles of the Parties
For Personal Data processed through the Services, Customer acts as the Controller and ChangeMap acts as the Processor. Each party shall comply with its respective obligations under applicable data protection laws.
3. Processing Instructions
ChangeMap shall process Personal Data only on documented instructions from Customer, as necessary to provide the Services, comply with applicable law, and fulfill contractual obligations.
4. Confidentiality
ChangeMap shall ensure that personnel authorized to process Personal Data are subject to appropriate confidentiality obligations.
5. Security Measures
ChangeMap shall maintain reasonable technical and organizational measures designed to protect Personal Data against unauthorized access, disclosure, alteration, and destruction.
6. Data Subject Rights Assistance
Taking into account the nature of processing, ChangeMap shall provide reasonable assistance to Customer in responding to requests from data subjects where required by applicable law.
7. Security Incidents
ChangeMap shall notify Customer without undue delay after becoming aware of a confirmed security incident affecting Personal Data and shall provide available information reasonably necessary to understand the incident.
8. Government Requests
If ChangeMap receives a legally binding request for Customer Personal Data from a governmental authority, ChangeMap will notify Customer unless legally prohibited from doing so.
9. Subprocessors
Customer authorizes ChangeMap to engage subprocessors. ChangeMap will maintain a list of subprocessors and provide at least thirty (30) days notice of material subprocessor changes.
10. Audit Rights
Customer may request reasonable documentation regarding ChangeMap's privacy and security practices. On-site audits are not provided under this DPA.
11. Return and Deletion of Data
Upon termination of the Services, Personal Data shall be deleted in accordance with ChangeMap's retention schedule. Deleted data may remain recoverable for up to seven (7) days before permanent deletion, subject to backup retention, legal obligations, and disaster recovery requirements.
12. International Transfers
Where Personal Data is transferred internationally, ChangeMap will implement appropriate safeguards as required by applicable law.
13. Liability
The liability provisions of the applicable Terms of Service apply to this DPA and are incorporated by reference.
Annex I: Processing Description
Categories of Data Subjects: Customers, authorized users, support requestors, business contacts, and individuals whose information is submitted by customers.
Categories of Personal Data: Account information, workspace information, project information, evidence records, support requests, analytics information, technical logs, AI inputs, and AI outputs.
Purpose of Processing: Provision of the ChangeMap service, authentication, customer support, analytics, AI-powered functionality, security, and legal compliance.
Annex II: Technical and Organizational Measures
- TLS encryption in transit
- Infrastructure security controls provided by Vercel and Supabase
- Authentication and access controls
- Operational logging and monitoring
- Vendor management practices
- Incident response procedures
- Confidentiality obligations for authorized personnel