New Map

Data Processing Agreement

Last updated: July 2026

This Data Processing Agreement (the “DPA”) forms part of, and supplements, the Terms of Service between New Map and you (the “Client”). It applies where New Map processes personal data on the Client's behalf in providing the Service, and it sets out the parties' obligations under Article 28 of the UK GDPR and the EU General Data Protection Regulation (together, “GDPR”). If there is a conflict between this DPA and the Terms on the subject of data protection, this DPA prevails.

1. Definitions and roles

Terms such as “controller”, “processor”, “sub-processor”, “personal data”, “processing”, “data subject” and “supervisory authority” have the meanings given in the GDPR. For the personal data processed under the Service, the Client is the controller and New Map is the processor, acting on the Client's behalf. Where New Map determines the purposes and means of processing for its own operations (for example account administration and platform security), New Map acts as an independent controller, and that processing is governed by our Privacy Policy rather than this DPA.

2. Subject matter and duration

The subject matter of the processing is the provision of the New Map AI-visibility platform and related services to the Client. This DPA takes effect when the Client accepts the Terms and continues for as long as New Map processes personal data on the Client's behalf. On termination of the Service, New Map's obligations under sections 8 and 9 (return or deletion of data, and continued confidentiality) survive.

3. Nature and purpose of processing

New Map processes personal data in order to: create and operate the Client's account; run audits and produce the Client's dashboard; monitor how the Client's brand appears in AI engines; operate the AI account manager and store its conversation history for continuity; provide strategy and content recommendations; send transactional and service email; and secure, maintain and improve the Service. Processing is carried out by automated means using the sub-processors listed in section 6.

4. Types of personal data and categories of data subjects

Types of personal data. The personal data processed on the Client's behalf may include:

  • Identity and contact data of the Client's authorised users (name, work email, company, role).
  • Account credentials (passwords, stored only in hashed form by our authentication provider).
  • Brand and channel data the Client submits (brand name, website, industry, and the owned social profiles, apps and blogs the Client chooses to share).
  • Audit inputs (a submitted website and an email address given to receive a report).
  • Account manager conversation content (the messages exchanged with the AI account manager).
  • Usage and basic technical data (interactions with the platform, IP address, device and browser data), processed to operate and secure the Service.

Categories of data subjects. The data subjects are the Client's authorised users and personnel, and any individuals who request an audit or whose contact details the Client submits. The Service is a business-to-business tool and is not intended to process special-category data; the Client agrees not to submit special-category data through it.

5. Processor obligations

New Map will:
  • Process only on documented instructions. Process the personal data only on the Client's documented instructions, including as to international transfers, unless required to do otherwise by law (in which case New Map will inform the Client of that requirement before processing, unless the law prohibits it). The Terms, this DPA and the Client's use of the Service constitute the Client's complete instructions. New Map will tell the Client if, in its opinion, an instruction infringes the GDPR.
  • Confidentiality. Ensure that persons authorised to process the personal data are bound by an appropriate duty of confidentiality and process it only as needed to provide the Service.
  • Security (Article 32). Implement appropriate technical and organisational measures as set out in section 7.
  • Sub-processors. Engage sub-processors only in accordance with section 6.
  • Assistance with data-subject requests. Taking account of the nature of the processing, assist the Client by appropriate technical and organisational measures, insofar as possible, to respond to requests from data subjects exercising their rights under Chapter III of the GDPR (access, rectification, erasure, restriction, portability and objection). If a data subject contacts New Map directly about the Client's data, New Map will refer them to the Client without responding to the substance.
  • Assistance with compliance (Articles 32 to 36). Assist the Client, taking into account the nature of processing and the information available to New Map, in ensuring compliance with the obligations on security (Article 32), personal-data-breach notification (Articles 33 and 34), data-protection impact assessments (Article 35) and prior consultation (Article 36). New Map will notify the Client without undue delay after becoming aware of a personal-data breach affecting the Client's data.
  • Deletion or return of data. On termination of the Service, delete or return the personal data in accordance with section 8.
  • Demonstrating compliance and audits. Make available to the Client the information reasonably necessary to demonstrate compliance with Article 28, and allow for and contribute to audits, in accordance with section 10.

6. Sub-processors

The Client provides general authorisation for New Map to engage the sub-processors below to provide the Service. Each sub-processor is engaged under a written contract imposing data-protection obligations that are, in substance, no less protective than those in this DPA.

  • Supabase: database, authentication and storage
  • Vercel: hosting and serverless infrastructure
  • Anthropic (Claude): the AI models that power the account manager, audits and strategy
  • Era and Otterly: AI-visibility measurement data
  • Resend: transactional and notification email
  • Serper: web search used by the agent for research and grounding
  • Upstash: rate limiting and caching
  • Calendly: booking calls, where a user chooses to

New Map will give the Client reasonable prior notice of any intended addition or replacement of a sub-processor (for example by updating this list or the Privacy Policy, or by email). The Client may object on reasonable data-protection grounds within a reasonable period; the parties will then work in good faith to resolve the concern, and if it cannot be resolved the Client may terminate the affected part of the Service. New Map remains responsible to the Client for its sub-processors' performance of their data-protection obligations.

Our AI and data sub-processors do not use the prompts, content or Client data we send them to train their public or foundation models, in accordance with their business or enterprise terms.

7. Security measures (Article 32)

Taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing, as well as the risk to individuals, New Map maintains appropriate technical and organisational measures, including:
  • Encryption in transit for data moving between the Client, the platform and our sub-processors (TLS/HTTPS).
  • Hashed passwords. Account credentials are stored only in salted, hashed form by our authentication provider and are never accessible to New Map in plain text.
  • Access controls. Access to personal data is restricted to authorised personnel on a need-to-know basis, using authenticated accounts.
  • Row-level security (RLS) in the database so that each Client's data is logically isolated and only accessible to that Client's authorised users and to the Service acting on their behalf.
  • Reputable infrastructure providers that maintain their own recognised security and availability controls.
  • Rate limiting and monitoring to protect the Service against abuse and to support detection of and response to security events.

New Map reviews these measures and may update them, provided the level of protection is not materially reduced.

8. Return or deletion of data on termination

On termination of the Service, or at the Client's earlier written request, New Map will, at the Client's choice, delete or return the personal data processed on the Client's behalf and delete existing copies, unless applicable law requires further storage. Deletion propagates to sub-processors, subject to their standard deletion cycles and any backups, which are overwritten on their normal schedule. Nothing in this section requires New Map to delete data it is required by law to retain.

9. Confidentiality

New Map will keep the personal data processed under this DPA confidential and will not disclose it except to sub-processors as permitted here, to its personnel bound by confidentiality obligations, or where required by law. This obligation survives termination.

10. Audits and demonstrating compliance

New Map will make available to the Client the information reasonably necessary to demonstrate compliance with Article 28, which may take the form of policies, descriptions of the measures in section 7, or third-party certifications and reports held by New Map or its sub-processors. Where that information is not sufficient, the Client may audit New Map's processing on reasonable prior written notice, no more than once per year (except following a personal-data breach or a request from a supervisory authority), during business hours, without unreasonably disrupting New Map's operations, and subject to confidentiality. The Client bears its own costs for an audit.

11. International transfers

Some sub-processors are located outside the UK and EEA, including in the United States. Where personal data is transferred to a country that is not the subject of an adequacy decision, the transfer is made under an appropriate safeguard within the meaning of Article 46, principally the Standard Contractual Clauses (and, for the UK, the UK International Data Transfer Addendum or the UK IDTA), together with any supplementary measures needed to ensure an essentially equivalent level of protection. Where an adequacy decision or an equivalent approved mechanism applies to a given transfer, New Map may rely on it instead.

12. Liability and general

Each party's liability arising out of or related to this DPA is subject to the limitations and exclusions of liability in the Terms. This DPA is governed by the same law and subject to the same jurisdiction as the Terms. If any provision of this DPA is held invalid or unenforceable, the remainder continues in effect.

13. Contact

Questions or requests under this DPA, including data-subject requests and audit requests: privacy@thenewmap.ai.