Data Processing Addendum

Last updated: March 18, 2026


PARTIES AND INCORPORATION

This Data Processing Addendum ("DPA") forms part of the Stadia Maps Terms of Service ("Agreement"; available at https://stadiamaps.com/terms-of-service/), or other written or electronic agreement between Stadia Maps, Inc., a Delaware corporation ("Stadia Maps"), and the entity agreeing to these terms ("Customer"), and is effective as of the date Customer accepts this DPA or first accesses the Services, whichever is earlier ("Effective Date").

This DPA governs the Processing of Personal Data by Stadia Maps on behalf of Customer in connection with the Services. All capitalized terms not defined in this DPA have the meanings set forth in the Agreement.


1. DEFINITIONS

"Affiliate" means an entity that directly or indirectly Controls, is Controlled by, or is under common Control with a party.

"Control" means ownership, voting, or similar interest representing fifty percent (50%) or more of the total interests of an entity.

"Customer Data" means Personal Data that Stadia Maps Processes on behalf of Customer as a Processor or Sub-processor in connection with the Services.

"Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Data.

"Data Protection Laws" means all applicable laws and regulations relating to the Processing of Personal Data, including:

  • The EU General Data Protection Regulation 2016/679 ("EU GDPR");
  • The UK General Data Protection Regulation as incorporated into UK law ("UK GDPR") and the UK Data Protection Act 2018;
  • The Swiss Federal Act on Data Protection ("Swiss FADP") as revised September 2023; and
  • Any other applicable data protection or privacy laws.

"EEA" means the European Economic Area.

"Personal Data" means any information relating to an identified or identifiable natural person, as defined under applicable Data Protection Laws.

"Processing" means any operation performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.

"Processor" means an entity that Processes Personal Data on behalf of a Controller.

"Controller" means an entity that determines the purposes and means of Processing Personal Data.

"Restricted Transfer" means a transfer of Personal Data to a country outside the EEA, UK, or Switzerland that has not been recognized as providing an adequate level of data protection.

"Services" means the products and services provided by Stadia Maps to Customer under the Agreement.

"Standard Contractual Clauses" or "SCCs" means:

  • For transfers subject to EU GDPR: the standard contractual clauses approved by European Commission Implementing Decision (EU) 2021/914;
  • For transfers subject to UK GDPR: the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner ("UK Addendum"); and
  • For transfers subject to Swiss FADP: the SCCs as recognized by the Swiss Federal Data Protection and Information Commissioner.

"Sub-processor" means any Processor engaged by Stadia Maps to Process Customer Data.


2. ROLES AND RELATIONSHIP

2.1 Determination of Roles

The parties acknowledge that Customer's role varies depending on its relationship with the individuals whose Personal Data is Processed:

(a) Customer as Controller. Where Customer determines the purposes and means of Processing Personal Data (for example, where Customer uses the Services for its own internal business operations), Customer is a Controller and Stadia Maps is a Processor.

(b) Customer as Processor. Where Customer Processes Personal Data on behalf of a third party (for example, where Customer integrates the Services into applications or services provided to Customer's own customers), Customer is a Processor and Stadia Maps is a Sub-processor.

2.2 Stadia Maps as Controller

This DPA applies only where Stadia Maps acts as a Processor or Sub-processor on behalf of Customer. Stadia Maps acts as an independent Controller for Personal Data it processes for its own purposes, including account administration, billing, fraud prevention, security monitoring, and legal compliance.

2.3 Applicability of Standard Contractual Clauses Modules

Where the SCCs apply pursuant to Section 6:

  • Module Two (Controller to Processor) applies where Customer is a Controller;
  • Module Three (Processor to Sub-processor) applies where Customer is a Processor.

Customer represents and warrants that it has accurately determined its role and will notify Stadia Maps if its role changes.

2.4 Customer Obligations

Customer shall:

(a) Comply with its obligations under Data Protection Laws, including ensuring it has a lawful basis for Processing and for instructing Stadia Maps to Process Customer Data;

(b) Provide all required notices and obtain all necessary consents, authorizations, or legal bases required under Data Protection Laws for Stadia Maps to Process Customer Data as contemplated by this DPA;

(c) Ensure that its Processing instructions to Stadia Maps comply with Data Protection Laws; and

(d) Where Customer is a Processor, ensure that Customer's Controller has authorized the use of Stadia Maps as a Sub-processor and the transfers contemplated by this DPA.

2.5 Stadia Maps Obligations

Customer's documented instructions for Processing Customer Data include the Agreement, this DPA, and Customer's use and configuration of the Services within the functionality, defaults, and documented parameters of the Services (including via API parameters, account settings, and support requests). Such instructions do not override Stadia Maps' technical, organizational, or security baselines.

Stadia Maps shall:

(a) Process Customer Data only in accordance with Customer's documented instructions, unless required to do otherwise by applicable law (in which case Stadia Maps shall notify Customer before Processing unless prohibited by law);

(b) Inform Customer without undue delay if, in Stadia Maps' opinion, an instruction infringes applicable Data Protection Laws;

(c) Ensure that persons authorized to Process Customer Data are subject to appropriate confidentiality obligations;

(d) Implement and maintain appropriate technical and organizational security measures as described in Annex II;

(e) Comply with the conditions for engaging Sub-processors set forth in Section 4;

(f) Assist Customer, taking into account the nature of Processing, in responding to requests from data subjects exercising their rights under Data Protection Laws;

(g) Assist Customer in ensuring compliance with obligations relating to security, breach notification, data protection impact assessments, and prior consultation with supervisory authorities, taking into account the nature of Processing and information available to Stadia Maps;

(h) At Customer's election, delete or return Customer Data upon termination of the Agreement, subject to Section 8; and

(i) Make available to Customer information necessary to demonstrate compliance with this DPA and allow for and contribute to audits as set forth in Section 5.6.

Stadia Maps shall provide assistance under subsections (f) and (g) at no additional charge, unless such assistance requires disproportionate effort, in which case Stadia Maps may charge reasonable fees subject to Customer's prior written agreement. This does not limit Stadia Maps' statutory cooperation obligations under applicable Data Protection Laws.


3. SCOPE OF PROCESSING

3.1 Processing Details

The subject matter, duration, nature, purpose, types of Personal Data, and categories of data subjects are described in Annex I.

3.2 Processing Limitations

Stadia Maps shall Process Customer Data only for the purposes of providing the Services as described in the Agreement and this DPA. Stadia Maps shall not:

(a) Process Customer Data for any purpose other than providing the Services unless required by applicable law;

(b) "Sell" or "share" Customer Data as those terms are defined under applicable privacy laws;

(c) Retain, use, or disclose Customer Data outside the direct business relationship between Stadia Maps and Customer; or

(d) Combine Customer Data with Personal Data received from other sources, except as necessary to provide the Services.

3.3 Anonymous Data

Nothing in this DPA restricts Stadia Maps from using anonymous data that has been derived from Customer Data and processed such that it cannot reasonably be used to identify any individual, whether directly or indirectly, taking into account all means reasonably likely to be used (in accordance with GDPR Recital 26). For the avoidance of doubt, anonymous data is distinct from pseudonymized data, which remains Personal Data under applicable Data Protection Laws. Stadia Maps shall not attempt to re-identify any such anonymous data. Anonymous data is not Customer Data under this DPA and may be used by Stadia Maps for legitimate business purposes including service improvement, analytics, and benchmarking.


4. SUB-PROCESSORS

4.1 Authorization

Customer provides general authorization for Stadia Maps to engage Sub-processors to Process Customer Data, subject to the requirements of this Section 4.

4.2 Sub-processor List

Stadia Maps maintains a current list of Sub-processors at: https://stadiamaps.com/legal/subprocessors/ (the "Sub-processor List").

4.3 Sub-processor Changes

Stadia Maps shall notify Customer of any new or replacement Sub-processor by updating the Sub-processor List. For Customers with a negotiated Agreement that designates notice contacts, Stadia Maps shall also use commercially reasonable efforts to provide written notice.

Unless expressly agreed otherwise in a negotiated Agreement, notice may be provided concurrently with a Sub-processor's engagement. Customer's remedy for an unresolved objection is set forth in Section 4.4.

Customer may object within thirty (30) days of (i) receipt of written notice (for Customers with negotiated Agreements that designate notice contacts) or (ii) the Sub-processor List update (for all other Customers), in each case in accordance with Section 4.4.

4.4 Objection Right

If Customer has a reasonable, documented objection to a Sub-processor based on data protection grounds, Customer shall notify Stadia Maps in writing within the time period specified in Section 4.3. The parties shall discuss Customer's concerns in good faith with a view to achieving resolution.

Where Customer raises a reasonable data protection objection, Stadia Maps may, at its discretion, provide an alternative Sub-processor or processing path, or implement appropriate mitigation measures. Stadia Maps shall consider in good faith any reasonable alternative proposed by Customer. Customer acknowledges that certain Sub-processors are essential to provide the Services, and Stadia Maps is not obligated to provide Services that require an objected-to Sub-processor.

If the parties cannot resolve the objection within thirty (30) days of Customer's objection notice, and no reasonable alternative exists, Customer may terminate the affected Services without penalty by providing written notice within the following thirty (30) days.

4.5 Sub-processor Obligations

Stadia Maps shall:

(a) Conduct appropriate due diligence on Sub-processors;

(b) Enter into written agreements with Sub-processors imposing data protection obligations no less protective than those in this DPA; and

(c) Remain liable for the acts and omissions of its Sub-processors to the same extent Stadia Maps would be liable if performing the services directly.


5. SECURITY

5.1 Security Measures

Stadia Maps shall implement and maintain appropriate technical and organizational measures designed to protect Customer Data against Data Breaches and to ensure the ongoing confidentiality, integrity, and availability of Processing systems. The current security measures are described in Annex II.

5.2 Updates to Security Measures

Stadia Maps may update its security measures from time to time, provided that such updates do not materially diminish the overall protection of Customer Data.

5.3 Customer Responsibilities

Customer is responsible for:

(a) Securing its account credentials and access to the Services;

(b) Ensuring appropriate security of Customer Data in transit to and from the Services; and

(c) Implementing appropriate security measures for any systems that interface with the Services.

5.4 Data Breach Notification

Stadia Maps shall notify Customer without undue delay after becoming aware of a Data Breach affecting Customer Data. Stadia Maps will use reasonable efforts to provide such notification within seventy-two (72) hours where feasible. Such notification shall include, to the extent known:

(a) A description of the nature of the Data Breach;

(b) The categories and approximate number of data subjects and records concerned;

(c) The likely consequences of the Data Breach; and

(d) Measures taken or proposed to address the Data Breach.

Stadia Maps shall cooperate with Customer and provide information reasonably necessary for Customer to comply with its breach notification obligations under Data Protection Laws.

5.5 Confidentiality

Stadia Maps shall ensure that any person authorized to Process Customer Data is subject to a duty of confidentiality.

5.6 Audits

Upon Customer's written request (no more than once per twelve-month period, except as provided below), Stadia Maps shall make available information reasonably necessary to demonstrate compliance with this DPA. Stadia Maps may satisfy its obligations under this Section by providing Customer with access to security documentation, certifications, or completed industry-standard questionnaires made generally available to customers.

Customer may, at Customer's expense and upon reasonable notice:

(a) Request that Stadia Maps complete a written security questionnaire; and/or

(b) Conduct or commission a third-party audit of Stadia Maps' Processing activities, subject to reasonable confidentiality obligations and conducted during normal business hours with minimal disruption to Stadia Maps' operations.

The annual frequency limitation shall not restrict audits: (i) following a Data Breach affecting Customer Data; (ii) where required by a supervisory authority or applicable law; or (iii) where reasonably necessary to comply with Customer's or Stadia Maps' obligations under the SCCs. Following a Data Breach, Stadia Maps shall provide affected customers with a written incident report describing the nature of the breach, categories of data affected, and remediation measures. Additional audit requests following a Data Breach are at Customer's expense; provided that, if a Data Breach is determined to have been caused by Stadia Maps' failure to comply with its obligations under this DPA, Stadia Maps shall bear the reasonable costs of one audit limited to the controls reasonably related to the Data Breach, which may be conducted jointly or on behalf of multiple affected Customers.


6. INTERNATIONAL TRANSFERS

6.1 Transfers Generally

Stadia Maps may Process Customer Data in any country where Stadia Maps or its Sub-processors maintain operations, subject to appropriate safeguards as required by Data Protection Laws.

6.2 Transfer Mechanisms

For Restricted Transfers, the parties agree to the following transfer mechanisms:

(a) EU Transfers. The SCCs (Module Two or Module Three, as applicable per Section 2.3) are incorporated by reference and apply to transfers of Personal Data subject to EU GDPR to countries not recognized by the European Commission as providing adequate protection. For purposes of the SCCs:

  • Annex I to this DPA serves as Annex I to the SCCs;
  • Annex II to this DPA serves as Annex II to the SCCs;
  • The Sub-processor List serves as Annex III to the SCCs;
  • The optional docking clause (Clause 7) applies;
  • For Module Two, Option 2 of Clause 9(a) applies, with a notice period of 30 days;
  • For Module Three, Option 2 of Clause 9(a) applies, with a notice period of 30 days;
  • The optional redress clause (Clause 11) does not apply;
  • The governing law is that of the EU Member State in which Customer (as data exporter) is established; if Customer is not established in an EU Member State, the governing law is that of Ireland (Clause 17);
  • Disputes shall be resolved by the courts of the EU Member State whose law governs pursuant to the preceding clause (Clause 18).

(b) UK Transfers. The UK Addendum is incorporated by reference and applies to transfers of Personal Data subject to UK GDPR. For purposes of the UK Addendum:

  • Table 1: The parties' details are as set forth in Annex I;
  • Table 2: The version of the Approved EU SCCs incorporated is as set forth in Section 6.2(a);
  • Table 3: Annex I, II, and the Sub-processor List to this DPA apply;
  • Table 4: Neither party may terminate the UK Addendum as set out in Section 19 of the UK Addendum;
  • The governing law is that of England and Wales.

(c) Swiss Transfers. The SCCs apply to transfers of Personal Data subject to Swiss FADP, with the following modifications:

  • References to "Regulation (EU) 2016/679" shall be interpreted as references to the Swiss FADP;
  • References to "EU," "Union," or "Member State" shall not be interpreted to exclude data subjects in Switzerland;
  • The competent supervisory authority is the Swiss Federal Data Protection and Information Commissioner;
  • The governing law and jurisdiction is Switzerland.

6.3 Transfer Impact Assessment

The parties acknowledge that, in agreeing to the transfer mechanisms set forth in this Section 6, they have considered the nature of the transfers, the laws of the destination country (including regarding government access to data), and the safeguards implemented pursuant to this DPA. The parties shall cooperate in good faith to implement supplemental measures if required by applicable law, regulatory guidance, or supervisory authority direction.

6.4 Alternative Transfer Mechanisms

If an alternative lawful transfer mechanism becomes available (such as the EU-US Data Privacy Framework or any successor adequacy decision covering the United States), Stadia Maps may rely on such mechanism in lieu of or in addition to the mechanisms specified above.


7. US STATE PRIVACY LAWS

7.1 Applicability

This Section 7 applies to the extent that US state privacy laws, including the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA"), the Virginia Consumer Data Protection Act, the Colorado Privacy Act, and other similar state laws (collectively, "US Privacy Laws"), apply to Stadia Maps' Processing of Customer Data.

7.2 Processor Obligations

To the extent Stadia Maps Processes Customer Data subject to US Privacy Laws as a "service provider," "processor," or equivalent role:

(a) Stadia Maps shall not sell or share (as those terms are defined under applicable US Privacy Laws) Customer Data;

(b) Stadia Maps shall not retain, use, or disclose Customer Data for any purpose other than providing the Services as specified in the Agreement, or as otherwise permitted by applicable US Privacy Laws;

(c) Stadia Maps shall not retain, use, or disclose Customer Data outside of the direct business relationship between Stadia Maps and Customer, except as permitted by applicable US Privacy Laws;

(d) Stadia Maps shall not combine Customer Data with personal information received from other sources or collected from Stadia Maps' own interactions with individuals, except as permitted by applicable US Privacy Laws to perform the Services;

(e) Stadia Maps shall comply with applicable obligations under US Privacy Laws and provide the same level of privacy protection as required by such laws; and

(f) Stadia Maps shall notify Customer if it determines that it can no longer meet its obligations under applicable US Privacy Laws.

7.3 Assistance with Consumer Rights

Stadia Maps shall provide reasonable assistance to Customer in responding to verifiable consumer requests to exercise rights under US Privacy Laws, taking into account the nature of the Processing and the information available to Stadia Maps.

7.4 Certification

Stadia Maps certifies that it understands the restrictions in this Section 7 and will comply with them.


8. DATA RETENTION AND DELETION

8.1 During the Agreement

Stadia Maps shall retain Customer Data only for as long as necessary to provide the Services.

8.2 Upon Termination

Upon termination or expiration of the Agreement, Stadia Maps shall, at Customer's election and written request made within thirty (30) days of termination:

(a) Return Customer Data to Customer in a commonly used format; or

(b) Delete Customer Data.

If Customer makes no election within thirty (30) days, Stadia Maps shall delete Customer Data.

8.3 Exceptions

The deletion or return obligations do not apply to the extent Stadia Maps is required to retain Customer Data by applicable law, provided that Stadia Maps:

(a) Maintains the confidentiality of such retained Customer Data;

(b) Processes such data only as required by applicable law; and

(c) Deletes such data when the retention obligation expires.

Customer Data contained in backup or archival systems shall be deleted in accordance with Stadia Maps' standard backup retention schedules, provided that such data remains protected by the security measures in this DPA and is not actively processed.

8.4 Certification

Upon Customer's written request, Stadia Maps shall certify in writing that it has complied with the deletion requirements of this Section 8.


9. GENERAL PROVISIONS

9.1 Order of Precedence

In the event of any conflict between this DPA and the Agreement, this DPA shall prevail with respect to the Processing of Customer Data. In the event of any conflict between this DPA and the SCCs, the SCCs shall prevail.

Where obligations under US Privacy Laws (as defined in Section 7) conflict with non-US Data Protection Laws applicable to the same Processing, the stricter or more protective requirement shall govern.

9.2 Limitation of Liability

Each party's liability under this DPA is subject to the limitations and exclusions of liability set forth in the Agreement. Any exclusions or limitations of liability in the Agreement that apply to specific categories of liability (such as fraud, willful misconduct, gross negligence, or death or personal injury) shall apply equally under this DPA.

Notwithstanding anything to the contrary in the Agreement or this DPA, Stadia Maps shall not be liable for any claim arising from or related to Stadia Maps' acts or omissions to the extent that Stadia Maps was acting in accordance with Customer's documented instructions.

Nothing in this DPA limits either party's liability to data subjects under applicable Data Protection Laws, including under GDPR Article 82.

9.3 Governing Law

This DPA shall be governed by the laws of the State of Delaware (excluding conflict-of-laws principles), except that:

(a) The SCCs for EU transfers shall be governed by the laws of the EU Member State in which Customer is established, or Ireland if Customer is not established in an EU Member State, as specified in Section 6.2(a);

(b) The UK Addendum shall be governed by the laws of England and Wales as specified in Section 6.2(b);

(c) The Swiss transfer provisions shall be governed by Swiss law as specified in Section 6.2(c); and

(d) Where otherwise required by Data Protection Laws, the laws of the applicable jurisdiction shall govern.

9.4 Survival

This DPA shall remain in effect for so long as Stadia Maps Processes Customer Data on behalf of Customer.

9.5 Amendments

This DPA may be updated by Stadia Maps from time to time to reflect changes in Data Protection Laws or Processing activities. Material changes shall be notified to Customer in accordance with the notice provisions of the Agreement.

9.6 Entire DPA

This DPA, including its Annexes and the incorporated SCCs, constitutes the entire agreement between the parties regarding the Processing of Customer Data and supersedes any prior data processing agreements between the parties.


ANNEX I: PROCESSING DETAILS

A. LIST OF PARTIES

Data Exporter (Customer):

Field | Value
Name | As specified in the Agreement or Customer's account
Address | As specified in the Agreement or Customer's account
Contact | As specified in the Agreement or Customer's account
Role | Controller or Processor (as determined per Section 2.1)

Data Importer (Stadia Maps):

Field | Value
Name | Stadia Maps, Inc.
Address | 1690 Watertower Place Ste 100 #216, East Lansing, MI 48823, USA
Contact | legal@stadiamaps.com
Role | Processor or Sub-processor (corresponding to Customer's role)

B. DESCRIPTION OF TRANSFER

Element | Description
Categories of Data Subjects | End users of Customer's applications or services that integrate with the Services; Customer's employees or contractors who access the Services.
Categories of Personal Data | IP addresses; approximate geographic location (derived from IP address); device identifiers; usage data related to API requests (timestamps, endpoints accessed, request parameters that may contain location data).
Sensitive Data | The Services are not designed or intended to process special categories of data (as defined in Article 9 of GDPR) or other sensitive data. Customer shall avoid transmitting special category data unless strictly necessary. If Customer determines that special category data must be transmitted, Customer shall: (a) ensure an appropriate legal basis and safeguards are in place; and (b) notify Stadia Maps in advance. Stadia Maps may require additional safeguards or contractual terms, or may decline to process such data if appropriate safeguards cannot be implemented.
Frequency of Transfer | Continuous, in connection with Customer's use of the Services.
Nature of Processing | Receipt, routing, and processing of API requests; delivery of mapping, geocoding, routing, and related geographic data services; logging and monitoring for service delivery and security.
Purpose of Processing | To provide the Services as described in the Agreement.
Retention Period | API request and access logs: approximately 7-14 days. Security, audit logs, and backups: retained in accordance with Stadia Maps' internal policies and applicable legal requirements. Stadia Maps may retain data longer where required by law, security investigation, or regulatory obligation.

C. COMPETENT SUPERVISORY AUTHORITY

For purposes of the SCCs, the competent supervisory authority shall be:

  • For EU GDPR: The supervisory authority of the EU Member State in which Customer is established, or if Customer is not established in the EU, the supervisory authority of the Member State where Customer's EU representative is located, or where data subjects are located.
  • For UK GDPR: The UK Information Commissioner's Office.
  • For Swiss FADP: The Swiss Federal Data Protection and Information Commissioner.

ANNEX II: TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES

Stadia Maps implements and maintains the following security measures:

1. Access Controls

  • Authentication measures including secure credential management and multi-factor authentication for administrative access
  • Role-based access controls limiting access to Customer Data based on job function and need-to-know
  • Procedures for timely access revocation upon personnel changes

2. Network Security

  • Firewall protection and network segmentation
  • Encryption of data in transit using industry-standard algorithms
  • Intrusion detection and prevention systems
  • DDoS mitigation measures

3. Data Security

  • Encryption of Customer Data at rest using industry-standard algorithms
  • Secure key management practices

4. Infrastructure Security

  • Use of reputable cloud infrastructure providers with appropriate certifications
  • Regular security patching and vulnerability management
  • Secure configuration management

5. Monitoring and Incident Response

  • Security event logging and monitoring
  • Documented incident response procedures
  • Regular review of security logs and alerts

6. Personnel Security

  • Security awareness training
  • Confidentiality obligations in employment agreements

7. Business Continuity

  • Regular data backups
  • Disaster recovery procedures
  • Redundant systems for service availability

8. Security Assessments

  • Periodic assessment of security measures
  • Vulnerability scanning
  • Remediation of identified security issues

ANNEX III: SUB-PROCESSOR LIST

The current list of authorized Sub-processors is maintained at:

https://stadiamaps.com/legal/subprocessors/

Customer will be notified of changes to this list in accordance with Section 4.3.


ACCEPTANCE

This DPA is accepted by Customer through Customer's use of the Services or by executing a written agreement that incorporates this DPA.


End of Data Processing Addendum