Data Processing Agreement

Effective date: May 2026 · Version 1.0

This DPA forms part of the GlobMaps Terms of Service and governs the processing of personal data in accordance with GDPR (EU) 2016/679, UK GDPR, and PDPA B.E. 2562. It applies to all customers who process personal data using GlobMaps APIs.

GDPR (EU) · UK GDPR · PDPA (Thailand) · SCCs · AES-256 at rest · TLS 1.2+

1. Definitions

"Personal Data", "Processing", "Controller", "Processor", "Sub-processor", and "Data Subject" have the meanings given in GDPR Article 4. "Services" means the GlobMaps geo-intelligence APIs and dashboard as described in the Terms of Service.

2. Scope and Role of the Parties

The Controller determines the purposes and means of processing Personal Data. GlobMaps acts as Processor and processes Personal Data only on documented instructions from the Controller, including for transfers of Personal Data to a third country, unless required to do so by applicable law.

3. Controller Obligations

The Controller warrants that it has a lawful basis for processing and for instructing GlobMaps to process Personal Data on its behalf, has provided all required notices to Data Subjects, and complies with applicable data protection laws.

4. Processor Obligations

GlobMaps shall: (a) process Personal Data only on documented Controller instructions; (b) ensure persons authorised to process Personal Data are bound by confidentiality; (c) implement appropriate technical and organisational measures per Section 5; (d) respect conditions for engaging Sub-processors per Section 6; (e) assist the Controller with Data Subject rights requests; (f) assist the Controller with security obligations, breach notifications, DPIAs, and prior consultations; (g) delete or return all Personal Data upon termination; (h) provide all information necessary to demonstrate compliance.

5. Security Measures

GlobMaps implements and maintains appropriate technical and organisational measures including: encryption of Personal Data in transit (TLS 1.2+) and at rest (AES-256); access controls and least-privilege principles; regular security testing; incident detection and response procedures; and employee training. Measures are reviewed and updated to address evolving risks.

6. Sub-processors

The Controller grants general authorisation for GlobMaps to engage Sub-processors. Current Sub-processors include cloud infrastructure providers, payment processors (Stripe), and analytics services. GlobMaps will notify the Controller of any intended changes to Sub-processors with at least 14 days' notice, giving the Controller an opportunity to object. GlobMaps imposes data protection obligations on Sub-processors equivalent to those in this DPA.

7. International Transfers

Where Personal Data is transferred outside the EEA, UK, or Thailand, GlobMaps ensures appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission, UK International Data Transfer Agreements, or other lawful transfer mechanisms. Details of transfer mechanisms are available upon request.

8. Data Subject Rights

GlobMaps will assist the Controller in responding to Data Subject requests to exercise rights under applicable law (access, rectification, erasure, restriction, portability, objection). Requests received directly by GlobMaps will be forwarded to the Controller within 5 business days.

9. Personal Data Breach

GlobMaps will notify the Controller without undue delay, and no later than 48 hours after becoming aware of a Personal Data breach. Notification will include: nature of the breach; categories and approximate number of Data Subjects and records concerned; likely consequences; measures taken or proposed. GlobMaps will document all breaches regardless of notification requirement.

10. Return and Deletion of Data

Upon termination of the Services, GlobMaps will, at the Controller's election, delete or return all Personal Data processed on behalf of the Controller, and delete existing copies unless applicable law requires retention. Confirmation of deletion will be provided within 30 days of termination.

11. Audit Rights

GlobMaps will make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for audits, including inspections, conducted by the Controller or an auditor mandated by the Controller, on reasonable notice (minimum 30 days) and no more than once per year, unless a breach has occurred.

12. PDPA (Thailand) Supplement

For processing of Personal Data of Thai data subjects under PDPA B.E. 2562: GlobMaps processes Personal Data in accordance with PDPA requirements; Data Subjects may exercise rights including access, correction, deletion, objection, restriction, and portability by contacting privacy@globmaps.com; GlobMaps will cooperate with the Personal Data Protection Committee (PDPC) as required.

13. Governing Law

This DPA is governed by the laws of Thailand, without prejudice to mandatory provisions of GDPR or other applicable data protection legislation in the Controller's jurisdiction. Disputes shall be resolved in accordance with the dispute resolution provisions of the GlobMaps Terms of Service.

Need a signed DPA?

Enterprise customers and EU-regulated entities can request a countersigned DPA by emailing us. We typically respond within 2 business days.

wanisa@globmaps.com