This Data Processing Agreement ("DPA") supplements the Terms of Service between Horizon International LLC ("Maplo", the "Processor") and the Customer (the "Controller") who has subscribed to the Maplo Service. It applies to the processing by Maplo of Personal Data on the Controller's behalf, in accordance with the EU GDPR, UK GDPR and applicable equivalent laws. By signing up to Maplo and accepting the Terms, the Controller accepts this DPA in full.
01 Scope and roles
1.1 Maplo processes Personal Data exclusively to provide the Service ordered by the Customer (search, audit, save, generate outreach, send, track replies).
1.2 Customer is the Controller. Maplo is the Processor. Customer determines the purposes and means of processing; Maplo carries out the processing according to Customer's documented instructions (the Service configuration + these terms).
02 Details of processing (Art. 28 GDPR)
Subject matter
Provision of the Maplo lead-generation platform.
Duration
For the term of the Customer's subscription plus 30 days for export, then deletion.
Nature and purpose
Storage, retrieval, transmission, and analysis of business and outreach data for the Customer's legitimate B2B activity.
Categories of data subjects
- Authorized users of the Customer's account.
- Decision-makers / contacts at businesses the Customer chooses to outreach.
Categories of personal data
- Account: name, email, locale, hashed password / OAuth identifier.
- Outreach context: lead name (where it's a natural person), business phone/email, conversation history.
- Usage: IP, timestamps, feature interactions.
03 Customer instructions
Maplo will only process Personal Data on documented Customer instructions, including the Customer's configuration of the Service. Maplo will inform the Customer if, in its opinion, an instruction breaches applicable data protection law.
04 Personnel and confidentiality
All Maplo personnel with access to Personal Data are bound by written confidentiality obligations and trained on data protection. Access is granted on a least-privilege basis and reviewed quarterly.
05 Security measures (Art. 32 GDPR)
- TLS 1.3 in transit; AES-256 at rest.
- SSO + 2FA on all production systems; audit logs retained 12 months.
- Network isolation: production database is not publicly accessible.
- Daily encrypted backups; quarterly restore tests.
- Vulnerability scanning on every deploy; dependency monitoring continuous.
- Documented incident response plan, with 72h notification commitment to Customer.
06 Sub-processors
The Customer authorises Maplo to engage the sub-processors listed below. Maplo flows down equivalent data-protection obligations.
- Supabase Inc. (US, EU region) — managed Postgres + auth.
- Vercel Inc. (US, EU edge) — application hosting.
- Whop Inc. (US) — payment / billing.
- Resend Inc. (US) — transactional email.
- Anthropic PBC (US) — LLM inference. Inputs not used to train.
- Mapbox Inc. (US) — map tiles.
- Plausible Insights OÜ (Estonia, EU) — analytics.
Maplo will give Customer 30 days' prior notice (via email) of any new sub-processor. The Customer may object on reasonable data-protection grounds; if the parties cannot resolve the objection, the Customer may terminate the affected service for refund of prepaid unused fees.
07 International transfers
Where Personal Data is transferred outside the EEA/UK, Maplo relies on the EU Standard Contractual Clauses (Module 2: Controller → Processor) and, where applicable, the UK Addendum, and the EU-US Data Privacy Framework. The SCCs are deemed incorporated by reference; copies are available on request.
08 Data subject rights
Maplo will, taking into account the nature of the processing, assist the Customer by appropriate technical and organizational measures, insofar as possible, to fulfil its obligations to respond to requests from data subjects exercising their rights under GDPR Chapter III. Most requests can be satisfied directly through self-service in the Customer's dashboard; for the rest contact privacy@trymaplo.com.
09 Personal data breach
Maplo will notify the Customer without undue delay and, in any case, within 72 hours of becoming aware of a confirmed Personal Data Breach. Notification will include the information set out in Art. 33(3) GDPR insofar as known at the time, with further updates as the investigation progresses.
10 Audits
On reasonable written request (no more than once per year, save for following a confirmed breach) and at the Customer's expense, Maplo will make available the most recent SOC 2 / ISO 27001 attestations of its critical sub-processors and Maplo's own security checklist, and reasonably cooperate with the Customer's inquiries.
11 Return or deletion of data
On termination of the Service, the Customer can export all Customer Personal Data via the dashboard for 30 days. After this period Maplo will delete or anonymise all Customer Personal Data in its systems and confirm deletion in writing on request, save for any data Maplo is legally required to retain (e.g. tax records, anonymised aggregate metrics).
12 Liability
Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service, except for liabilities that cannot be limited under applicable data-protection law.
Contact: legal@trymaplo.com
Horizon International LLC · 1209 Mountain Road Place NE, Suite N, Albuquerque, NM 87110, USA