Data Processing Agreement

Last updated: February 13, 2026

This Data Processing Agreement ("DPA") supplements the Terms of Service between Mapped Research LLC, a Wyoming limited liability company ("Processor" or "Mapped"), and the entity agreeing to these terms ("Controller" or "Customer"). This DPA applies where Mapped processes personal data on behalf of the Customer in the course of providing the Service.

This DPA is designed to meet the requirements of Article 28 of the General Data Protection Regulation (EU) 2016/679 ("GDPR") and equivalent provisions of the UK GDPR.

1. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person processed by Mapped on behalf of the Customer through the Service.
  • "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, and deletion.
  • "Sub-Processor" means any third party engaged by Mapped to process Personal Data on behalf of the Customer.
  • "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.

2. Scope and Purpose of Processing

Mapped processes Personal Data solely to provide the systematic review platform Service as described in the Terms of Service. The processing includes:

  • Data subjects: Customer's authorized users (researchers, team members, administrators)
  • Categories of data: Account information (name, email, institution), usage data, technical data, and research project data as described in our Privacy Policy
  • Purpose: Providing the systematic review platform, including user authentication, data storage, AI-assisted research processing, collaboration features, and customer support
  • Duration: For the term of the Customer's use of the Service, plus any retention period specified in our Privacy Policy

3. Obligations of the Processor

Mapped shall:

  • Process Personal Data only on documented instructions from the Customer, unless required by law
  • Ensure that persons authorized to process Personal Data are bound by confidentiality obligations
  • Implement appropriate technical and organizational security measures as described in our Privacy Policy Section 8
  • Assist the Customer in fulfilling data subject rights requests (access, rectification, erasure, portability, restriction, objection)
  • Assist the Customer in ensuring compliance with data breach notification obligations
  • At the Customer's choice, delete or return all Personal Data upon termination of the Service, and delete existing copies unless storage is required by law
  • Make available to the Customer all information necessary to demonstrate compliance with GDPR Article 28 obligations

4. Sub-Processors

The Customer authorizes Mapped to engage the following Sub-Processors:

Sub-Processor | Purpose | Location
Supabase Inc. | Database, authentication, storage | United States
Vercel Inc. | Frontend hosting, CDN | United States
Railway Corp. | Backend hosting | United States
Anthropic PBC | AI language processing | United States
OpenAI Inc. | AI language processing | United States
Google LLC | AI processing, productivity integration | United States

Mapped will notify the Customer at least 30 days in advance of any intended changes to Sub-Processors, giving the Customer the opportunity to object. Mapped imposes data protection obligations on each Sub-Processor equivalent to those set out in this DPA.

5. Audit Rights

Mapped shall allow and contribute to audits and inspections conducted by the Customer or an independent auditor mandated by the Customer in order to verify compliance with this DPA. Audits shall be:

  • Conducted with at least 30 days' prior written notice
  • Limited to once per calendar year, unless a Data Breach has occurred
  • Conducted during normal business hours with minimal disruption to operations
  • Subject to reasonable confidentiality obligations

Mapped may satisfy audit requests by providing relevant certifications, audit reports (such as SOC 2), or other documentation demonstrating compliance.

6. Data Breach Notification

Mapped shall notify the Customer of any Data Breach without undue delay and in any event within 72 hours of becoming aware of it. The notification shall include:

  • A description of the nature of the Data Breach, including the categories and approximate number of data subjects and records affected
  • The likely consequences of the Data Breach
  • The measures taken or proposed to address the Data Breach, including measures to mitigate its effects
  • Contact details of Mapped's point of contact for further information

7. International Data Transfers

Personal Data is processed and stored in the United States. For transfers of Personal Data from the EEA, UK, or Switzerland to the United States, Mapped relies on:

  • Standard Contractual Clauses (SCCs) as approved by the European Commission (Commission Implementing Decision (EU) 2021/914)
  • UK International Data Transfer Addendum (IDTA) for UK transfers
  • Supplementary technical and organizational measures including encryption in transit (TLS 1.3) and at rest (AES-256)

8. Data Deletion and Return

Upon termination of the Service or upon written request from the Customer:

  • Mapped will provide a 30-day period for the Customer to export all Personal Data using the Service's export functionality
  • After the export period, Mapped will delete all Personal Data from active systems within 30 days
  • Backup copies will be purged according to our standard backup rotation schedule (not exceeding 90 days)
  • Mapped may retain data where required by applicable law, but only for the minimum period and scope necessary

9. Contact

For questions about this DPA or to request execution of a customized DPA for your institution, please contact us:

Mapped Research LLC

Wyoming, United States

DPA inquiries: privacy@mappedresearch.com

Website: mappedresearch.com