Effective date: 2026-05-12 · Version 1.0
The English version of this document is the legally authoritative version; translations are provided for convenience.
This Data Processing Agreement ("DPA") forms part of the GlobMaps Terms of Service between GlobMaps ("Processor") and the customer entity ("Controller") and governs the processing of personal data in accordance with GDPR (EU) 2016/679, UK GDPR, and PDPA B.E. 2562.
"Personal Data", "Processing", "Controller", "Processor", "Sub-processor", and "Data Subject" have the meanings given in GDPR Article 4. "Services" means the GlobMaps climate intelligence APIs and dashboard as described in the Terms of Service.
The Controller determines the purposes and means of processing Personal Data. GlobMaps acts as Processor and processes Personal Data only on documented instructions from the Controller, including for transfers of Personal Data to a third country, unless required to do so by applicable law.
The Controller warrants that it has a lawful basis for processing and for instructing GlobMaps to process Personal Data on its behalf, has provided all required notices to Data Subjects, and complies with applicable data protection laws.
GlobMaps shall: (a) process Personal Data only on documented Controller instructions; (b) ensure persons authorised to process Personal Data are bound by confidentiality; (c) implement appropriate technical and organisational measures per Section 5; (d) respect conditions for engaging Sub-processors per Section 6; (e) assist the Controller with Data Subject rights requests; (f) assist the Controller with security obligations, breach notifications, DPIAs, and prior consultations; (g) delete or return all Personal Data upon termination; (h) provide all information necessary to demonstrate compliance.
GlobMaps implements and maintains appropriate technical and organisational measures including: encryption of Personal Data in transit (TLS 1.2+) and at rest (AES-256); access controls and least-privilege principles; regular security testing; incident detection and response procedures; and employee training. Measures are reviewed and updated to address evolving risks.
The Controller grants general authorisation for GlobMaps to engage Sub-processors. Current Sub-processors include cloud infrastructure providers, payment processors (Stripe), and analytics services. GlobMaps will notify the Controller of any intended changes to Sub-processors with at least 14 days' notice, giving the Controller opportunity to object. GlobMaps imposes data protection obligations on Sub-processors equivalent to those in this DPA.
Where Personal Data is transferred outside the EEA, UK, or Thailand, GlobMaps ensures appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission, UK International Data Transfer Agreements, or other lawful transfer mechanisms. Details of transfer mechanisms are available upon request.
GlobMaps will assist the Controller in responding to Data Subject requests to exercise rights under applicable law (access, rectification, erasure, restriction, portability, objection). Requests received directly by GlobMaps will be forwarded to the Controller within 5 business days.
GlobMaps will notify the Controller without undue delay, and no later than 48 hours after becoming aware of a Personal Data breach. Notification will include: nature of the breach; categories and approximate number of Data Subjects and records concerned; likely consequences; measures taken or proposed. GlobMaps will document all breaches regardless of notification requirement.
GlobMaps will provide reasonable assistance to the Controller for carrying out Data Protection Impact Assessments and prior consultations with supervisory authorities where required under GDPR Article 35–36.
GlobMaps retains Personal Data for the duration of the Services agreement. Upon termination, GlobMaps will, at the Controller's election, delete or return all Personal Data within 30 days, unless applicable law requires continued storage. API usage logs are retained for 90 days; consent records are retained for 7 years to meet legal obligations.
The Controller may audit GlobMaps' compliance with this DPA up to once per year upon 30 days' written notice, or immediately following a confirmed security incident. Audits shall be conducted during business hours with minimum disruption. GlobMaps may satisfy this obligation by providing a current third-party audit report (e.g. SOC 2 Type II) where available.
This DPA is effective for the duration of the Services agreement and terminates automatically upon its expiry or termination. Obligations relating to confidentiality, security, and deletion survive termination.
This DPA is governed by Thai law for Controllers established in Thailand; by the law of Ireland for Controllers established in the EEA; by the law of England and Wales for UK Controllers; and by the law of the State of Delaware for US Controllers, unless otherwise agreed in writing.
To request a countersigned DPA, contact legal@globmaps.com with your organisation name, registration number, and jurisdiction. GlobMaps will respond within 5 business days. Download the DPA template below to review terms before submission.
Enterprise and Professional tier customers may request a countersigned DPA for GDPR, UK GDPR, or PDPA compliance purposes.
Request DPA → legal@globmaps.com