Data Processing Agreement
This Data Processing Agreement (DPA) applies automatically to all customers using GISGP services. By using GISGP, the Customer accepts this DPA. A countersigned copy can be requested at .
1. Parties and definitions
Controller (Customer): The organisation or individual that registers for and uses GISGP services. The Controller determines the purposes and means of processing personal data.
Processor (GISGP): GISGP, operating at gisgp.com, which processes personal data on behalf of the Controller to provide the contracted services.
Data Subjects: Any natural persons whose personal data appears in files uploaded to, or data exported from, GISGP.
Personal Data: Any information relating to an identified or identifiable natural person as defined in GDPR Art. 4(1).
2. Scope and nature of processing
GISGP processes personal data solely to provide the services described in the Terms of Service — specifically: importing, exporting, transforming and validating GIS data between the Customer's files and their ArcGIS Online account.
| Category | Details |
|---|---|
| Subject matter | GIS data transformation and ArcGIS Online integration |
| Duration | For the duration of the Customer's active subscription, plus any retention period specified below |
| Nature of processing | Storage (temporary), transformation, transmission to ArcGIS Online REST API |
| Purpose | Providing import, export, field mapping and GIS utility tools as contracted |
| Types of personal data | Names, addresses, coordinates, contact details and any other personal data included by the Customer in uploaded files |
| Categories of data subjects | Any natural persons whose data appears in Customer-uploaded files (field workers, property owners, survey respondents, etc.) |
3. Instructions and compliance
GISGP processes personal data only on documented instructions from the Controller (the Customer). By uploading a file or initiating an import/export operation, the Customer instructs GISGP to process that data for the stated purpose.
GISGP will immediately inform the Customer if it believes a processing instruction infringes applicable data protection law (GDPR Art. 28(3)(h)).
4. Data retention and deletion
Uploaded files: Files uploaded for import operations (Excel, CSV, KML, KMZ, photos) are stored temporarily on AWS S3 solely to perform the operation. Files are automatically deleted from our servers immediately after the import or export operation completes — typically within 60 seconds. We do not retain copies of Customer GIS data.
Account data: The Customer's email address, hashed password, subscription status and operation history (metadata only — row counts, timestamps, service names) are retained for the duration of the subscription and deleted within 30 days of account termination upon request.
ArcGIS tokens: If the Customer authenticates via "Sign in with ArcGIS Online" (OAuth2), their ArcGIS Online access token and refresh token are stored encrypted and used solely to perform API calls on their behalf. Tokens are deleted upon account termination.
5. Confidentiality
GISGP ensures that all personnel authorised to process personal data are bound by appropriate confidentiality obligations. Access to Customer data is restricted to personnel who need it to deliver the contracted services.
6. Security measures
GISGP implements appropriate technical and organisational measures to protect personal data against unauthorised access, disclosure, alteration or destruction:
- Encryption in transit: All data is transmitted over HTTPS/TLS 1.2+
- Encryption at rest: AWS S3 server-side encryption (AES-256) for temporary files
- Authentication: Passwords stored as bcrypt hashes; session tokens are HttpOnly, Secure JWT cookies
- Access control: Principle of least privilege; no employee has standing access to Customer data
- Temporary storage: Uploaded files auto-deleted after each operation; no persistent GIS data store
- Infrastructure: Hosted on AWS EU (eu-west-1 / Ireland); AWS is SOC 2 Type II and ISO 27001 certified
7. Sub-processors
GISGP uses the following sub-processors to deliver its services. Each is bound by data protection obligations no less protective than this DPA:
| Sub-processor | Purpose | Location |
|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure, temporary file storage (S3), serverless compute (Lambda), transactional email (SES) | EU (Ireland, eu-west-1) |
| Anthropic (Claude API) | AI field mapping suggestions — sample rows (first 5 rows, headers only) sent when AI mapping is used. No full dataset is sent. | USA (covered by Standard Contractual Clauses) |
| Stripe | Payment processing and subscription management. GISGP does not store card numbers. | USA / EU (covered by Standard Contractual Clauses) |
| Esri (ArcGIS Online) | The Customer's own ArcGIS Online account — data is written directly to the Customer's AGOL instance at their instruction. | As per Customer's AGOL region |
GISGP will notify the Customer of any intended changes to sub-processors (additions or replacements) by updating this page and emailing registered account holders at least 30 days in advance. The Customer may object within 14 days.
8. International transfers
Personal data is processed primarily within the EU (AWS eu-west-1 / Ireland). Where data is transferred to sub-processors outside the EEA (Anthropic, Stripe), GISGP relies on Standard Contractual Clauses (SCC) approved by the European Commission under GDPR Art. 46(2)(c) as the legal transfer mechanism.
AI mapping data minimisation: When AI field mapping is used, only the file headers and a maximum of 5 sample rows are sent to Anthropic's API for mapping suggestions. The full dataset is never transmitted to Anthropic.
9. Assistance to the Controller
GISGP will assist the Customer in fulfilling its obligations to respond to Data Subject requests (access, rectification, erasure, restriction, portability, objection) to the extent technically feasible given the nature of the processing.
GISGP will also assist with security obligations (GDPR Art. 32), data breach notification (Arts. 33–34), data protection impact assessments (Art. 35) and prior consultation (Art. 36), as appropriate.
10. Data breach notification
GISGP will notify the Customer without undue delay — and in any event within 72 hours — after becoming aware of a personal data breach affecting Customer data. Notification will be sent to the registered account email address and will include, to the extent available: the nature of the breach, categories and approximate number of data subjects and records affected, likely consequences, and measures taken or proposed.
11. Data Protection Officer
GISGP is not currently required to appoint a DPO under GDPR Art. 37 given the scale and nature of its processing activities. Data protection queries can be directed to .
12. Audit rights
GISGP will provide the Customer with all information necessary to demonstrate compliance with this DPA (GDPR Art. 28(3)(h)). The Customer may audit compliance upon 30 days' written notice, at the Customer's cost, no more than once per calendar year. GISGP may require execution of a non-disclosure agreement before providing access to infrastructure documentation.
13. Termination and return of data
Upon termination of the Customer's subscription or upon written request, GISGP will delete all Customer account data (email, hashed password, operation history, stored tokens) within 30 days. GIS data (uploaded files) is deleted automatically after each operation as described in Section 4 and therefore no return mechanism is needed.
GISGP will provide written confirmation of deletion upon request.
14. Governing law and jurisdiction
This DPA is governed by the laws applicable to the main Terms of Service agreement. For EU/EEA Customers, GDPR is the applicable data protection law. For any conflict between this DPA and the Terms of Service, this DPA takes precedence in matters of personal data processing.
15. Contact
For DPA-related enquiries, countersigned DPA requests, or data subject rights requests:
- Email:
- Privacy policy: /privacy
Need a countersigned DPA?
EU public sector organisations and enterprises often require a signed copy. Email us and we will return a signed DPA within 2 business days.
Request signed DPA →