GISGP
GISGP
Features How it works Free Tools Templates Pricing Help
Sign in Start free →
Features How it works Free Tools Templates Pricing Help
Sign in Start free →

Data Processing Agreement

Version 1.0 · Effective: 16 May 2026 · GDPR Art. 28 compliant

This Data Processing Agreement (DPA) applies automatically to all customers using GISGP services. By using GISGP, the Customer accepts this DPA. A countersigned copy can be requested at .

1. Parties and definitions

Controller (Customer): The organisation or individual that registers for and uses GISGP services. The Controller determines the purposes and means of processing personal data.

Processor (GISGP): GISGP, operating at gisgp.com, which processes personal data on behalf of the Controller to provide the contracted services.

Data Subjects: Any natural persons whose personal data appears in files uploaded to, or data exported from, GISGP.

Personal Data: Any information relating to an identified or identifiable natural person as defined in GDPR Art. 4(1).

2. Scope and nature of processing

GISGP processes personal data solely to provide the services described in the Terms of Service — specifically: importing, exporting, transforming and validating GIS data between the Customer's files and their ArcGIS Online account.

CategoryDetails
Subject matter GIS data transformation and ArcGIS Online integration
Duration For the duration of the Customer's active subscription, plus any retention period specified below
Nature of processing Storage (temporary), transformation, transmission to ArcGIS Online REST API
Purpose Providing import, export, field mapping and GIS utility tools as contracted
Types of personal data Names, addresses, coordinates, contact details and any other personal data included by the Customer in uploaded files
Categories of data subjects Any natural persons whose data appears in Customer-uploaded files (field workers, property owners, survey respondents, etc.)

3. Instructions and compliance

GISGP processes personal data only on documented instructions from the Controller (the Customer). By uploading a file or initiating an import/export operation, the Customer instructs GISGP to process that data for the stated purpose.

GISGP will immediately inform the Customer if it believes a processing instruction infringes applicable data protection law (GDPR Art. 28(3)(h)).

4. Data retention and deletion

Uploaded files: Files uploaded for import operations (Excel, CSV, KML, KMZ, photos) are stored temporarily on AWS S3 solely to perform the operation. Files are automatically deleted from our servers immediately after the import or export operation completes — typically within 60 seconds. We do not retain copies of Customer GIS data.

Account data: The Customer's email address, hashed password, subscription status and operation history (metadata only — row counts, timestamps, service names) are retained for the duration of the subscription and deleted within 30 days of account termination upon request.

ArcGIS tokens: If the Customer authenticates via "Sign in with ArcGIS Online" (OAuth2), their ArcGIS Online access token and refresh token are stored encrypted and used solely to perform API calls on their behalf. Tokens are deleted upon account termination.

5. Confidentiality

GISGP ensures that all personnel authorised to process personal data are bound by appropriate confidentiality obligations. Access to Customer data is restricted to personnel who need it to deliver the contracted services.

6. Security measures

GISGP implements appropriate technical and organisational measures to protect personal data against unauthorised access, disclosure, alteration or destruction:

  • Encryption in transit: All data is transmitted over HTTPS/TLS 1.2+
  • Encryption at rest: AWS S3 server-side encryption (AES-256) for temporary files
  • Authentication: Passwords stored as bcrypt hashes; session tokens are HttpOnly, Secure JWT cookies
  • Access control: Principle of least privilege; no employee has standing access to Customer data
  • Temporary storage: Uploaded files auto-deleted after each operation; no persistent GIS data store
  • Infrastructure: Hosted on AWS EU (eu-west-1 / Ireland); AWS is SOC 2 Type II and ISO 27001 certified

7. Sub-processors

GISGP uses the following sub-processors to deliver its services. Each is bound by data protection obligations no less protective than this DPA:

Sub-processorPurposeLocation
Amazon Web Services (AWS) Cloud infrastructure, temporary file storage (S3), serverless compute (Lambda), transactional email (SES) EU (Ireland, eu-west-1)
Anthropic (Claude API) AI field mapping suggestions — sample rows (first 5 rows, headers only) sent when AI mapping is used. No full dataset is sent. USA (covered by Standard Contractual Clauses)
Stripe Payment processing and subscription management. GISGP does not store card numbers. USA / EU (covered by Standard Contractual Clauses)
Esri (ArcGIS Online) The Customer's own ArcGIS Online account — data is written directly to the Customer's AGOL instance at their instruction. As per Customer's AGOL region

GISGP will notify the Customer of any intended changes to sub-processors (additions or replacements) by updating this page and emailing registered account holders at least 30 days in advance. The Customer may object within 14 days.

8. International transfers

Personal data is processed primarily within the EU (AWS eu-west-1 / Ireland). Where data is transferred to sub-processors outside the EEA (Anthropic, Stripe), GISGP relies on Standard Contractual Clauses (SCC) approved by the European Commission under GDPR Art. 46(2)(c) as the legal transfer mechanism.

AI mapping data minimisation: When AI field mapping is used, only the file headers and a maximum of 5 sample rows are sent to Anthropic's API for mapping suggestions. The full dataset is never transmitted to Anthropic.

9. Assistance to the Controller

GISGP will assist the Customer in fulfilling its obligations to respond to Data Subject requests (access, rectification, erasure, restriction, portability, objection) to the extent technically feasible given the nature of the processing.

GISGP will also assist with security obligations (GDPR Art. 32), data breach notification (Arts. 33–34), data protection impact assessments (Art. 35) and prior consultation (Art. 36), as appropriate.

10. Data breach notification

GISGP will notify the Customer without undue delay — and in any event within 72 hours — after becoming aware of a personal data breach affecting Customer data. Notification will be sent to the registered account email address and will include, to the extent available: the nature of the breach, categories and approximate number of data subjects and records affected, likely consequences, and measures taken or proposed.

11. Data Protection Officer

GISGP is not currently required to appoint a DPO under GDPR Art. 37 given the scale and nature of its processing activities. Data protection queries can be directed to .

12. Audit rights

GISGP will provide the Customer with all information necessary to demonstrate compliance with this DPA (GDPR Art. 28(3)(h)). The Customer may audit compliance upon 30 days' written notice, at the Customer's cost, no more than once per calendar year. GISGP may require execution of a non-disclosure agreement before providing access to infrastructure documentation.

13. Termination and return of data

Upon termination of the Customer's subscription or upon written request, GISGP will delete all Customer account data (email, hashed password, operation history, stored tokens) within 30 days. GIS data (uploaded files) is deleted automatically after each operation as described in Section 4 and therefore no return mechanism is needed.

GISGP will provide written confirmation of deletion upon request.

14. Governing law and jurisdiction

This DPA is governed by the laws applicable to the main Terms of Service agreement. For EU/EEA Customers, GDPR is the applicable data protection law. For any conflict between this DPA and the Terms of Service, this DPA takes precedence in matters of personal data processing.

15. Contact

For DPA-related enquiries, countersigned DPA requests, or data subject rights requests:

  • Email:
  • Privacy policy: /privacy

Need a countersigned DPA?

EU public sector organisations and enterprises often require a signed copy. Email us and we will return a signed DPA within 2 business days.

Request signed DPA →
© 2026 GISGP.com
Help Privacy Policy Terms of Service DPA Contact
AGOL DATA EXCHANGE PLATFORM
We use essential cookies for authentication and anonymous analytics to improve the site. Privacy Policy
🗺️

Daily limit reached

You've used 5 free conversions today. Create a free account to get unlimited conversions plus direct ArcGIS Online import.

Create free account → Already have an account? Sign in
What's new in v1.2.5
  • New3 free tools — Attachment Downloader (all photos as ZIP + Excel index), Survey123 Repeats Export (joined Excel), Schema Comparator
  • NewExport in your CRS — Shapefile & GeoJSON in any EPSG, not just WGS84
  • NewScheduled attachment backup — layer photos as a ZIP link, on a schedule
June 2026