Data Processing Agreement

How we process personal data on your behalf.

Introduction

This Data Processing Agreement ("DPA") is entered into between Geocoupler ("Processor") and the customer entity that has accepted the Geocoupler Terms and Conditions ("Controller"), and forms part of the agreement between the parties for the provision of the Geocoupler platform and services (the "Agreement").

This DPA applies where and to the extent that Geocoupler processes Personal Data on behalf of the Controller in the course of providing the Services. The terms used in this DPA shall have the meanings set forth herein, and where not defined, as set forth in applicable Data Protection Legislation.

In the event of any conflict between this DPA and any other part of the Agreement, this DPA shall prevail with respect to the subject matter of data protection and processing.

Definitions

"Personal Data" means any information relating to an identified or identifiable natural person as defined under applicable Data Protection Legislation, including but not limited to the EU General Data Protection Regulation (GDPR) and applicable U.S. state privacy laws.

"Data Protection Legislation" means all applicable privacy and data protection laws and regulations, including GDPR (EU) 2016/679, the UK GDPR, applicable U.S. state privacy laws (including CCPA/CPRA), and any successor legislation.

"Processing" means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, alignment, restriction, erasure, or destruction.

Details of Processing

Subject matter: Geocoupler processes Personal Data as necessary to provide the Services described in the Agreement, including hosting, storing, and transmitting data submitted by the Controller and its end users through the platform.

Duration: Processing will occur for the duration of the Agreement and, where applicable, for such additional period as required to fulfill Geocoupler's obligations or as permitted under Data Protection Legislation.

Nature and purpose: Processing is carried out for the purposes of providing, maintaining, securing, and improving the Services; fulfilling contractual obligations; and complying with legal requirements. Categories of data subjects include the Controller's employees, contractors, and end users. Categories of Personal Data include account credentials, contact information, usage data, and any Personal Data contained within customer-uploaded geospatial data sets.

Processor Obligations

Geocoupler shall process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to third countries or international organizations, unless required to do so by applicable law. In such cases, Geocoupler shall inform the Controller of that legal requirement before processing, unless prohibited from doing so on important grounds of public interest.

Geocoupler shall ensure that personnel authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

Geocoupler shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including measures to ensure ongoing confidentiality, integrity, availability, and resilience of processing systems; the ability to restore the availability of Personal Data in a timely manner; and a process for regularly testing and evaluating the effectiveness of security measures.

Sub-Processors

The Controller grants Geocoupler general authorization to engage sub-processors for the processing of Personal Data under this DPA. Geocoupler maintains an up-to-date list of sub-processors, which is available upon request at support@geocoupler.com. Geocoupler shall notify the Controller of any intended changes concerning the addition or replacement of sub-processors at least 30 days in advance.

Geocoupler shall impose data protection terms on any sub-processor it engages that are no less protective than those set out in this DPA, and shall remain fully liable to the Controller for the performance of such sub-processor's obligations.

If the Controller objects to a new sub-processor on reasonable grounds relating to data protection, the parties shall discuss the objection in good faith. If no resolution is reached, the Controller may terminate the affected Services with written notice, and Geocoupler shall refund any prepaid fees for the remaining unused subscription period.

Data Subject Rights

Geocoupler shall, to the extent technically feasible, assist the Controller in fulfilling its obligations to respond to requests from data subjects exercising their rights under applicable Data Protection Legislation, including rights of access, rectification, erasure, restriction, portability, and objection.

Taking into account the nature of the processing and the information available to Geocoupler, Geocoupler shall assist the Controller in ensuring compliance with obligations relating to security of processing, data breach notification, data protection impact assessments, and prior consultation with supervisory authorities.

Geocoupler shall promptly notify the Controller if it receives a data subject request. Geocoupler shall not respond to such a request except on the documented instructions of the Controller or as required by applicable law.

Personal Data Breaches

In the event of a Personal Data breach, Geocoupler shall notify the Controller without undue delay and, where feasible, no later than 72 hours after becoming aware of the breach. Notification shall include, to the extent available: a description of the nature of the breach; the categories and approximate number of data subjects concerned; the categories and approximate number of Personal Data records concerned; the likely consequences of the breach; and the measures taken or proposed to address the breach.

Geocoupler shall document all Personal Data breaches, including the facts relating to the breach, its effects, and the remedial action taken. Such documentation shall be made available to the Controller upon request.

The Controller is responsible for notifying supervisory authorities and affected data subjects of Personal Data breaches to the extent required by applicable Data Protection Legislation.

International Data Transfers

Where the processing of Personal Data involves a transfer to a country outside the European Economic Area, the United Kingdom, or Switzerland that has not been recognized as providing an adequate level of data protection, the parties agree to execute Standard Contractual Clauses (SCCs) as published by the European Commission, or equivalent transfer mechanisms as required by applicable law.

The Controller represents and warrants that any transfer of Personal Data to Geocoupler for processing under this DPA is lawful, and that it has obtained all necessary consents or has a valid lawful basis for such transfer.

Geocoupler will process Personal Data primarily within the United States. Upon request, Geocoupler will provide the Controller with information about the countries in which Personal Data may be processed.

Termination and Return of Data

Upon termination or expiry of the Agreement, Geocoupler shall, at the Controller's choice, delete or return all Personal Data to the Controller, and delete existing copies unless applicable law requires storage of the Personal Data. The Controller must request data return within 30 days of termination.

Geocoupler shall provide the Controller with written certification upon completion of the deletion or return of Personal Data, where requested.

The confidentiality obligations set out in this DPA shall survive the termination or expiry of the Agreement for as long as Geocoupler continues to process Personal Data or retains Personal Data in its systems.

Contact Us

To request a signed copy of this DPA, to exercise rights under this agreement, or for any data protection inquiries, please contact us at support@geocoupler.com.