Data Processing Agreement
Last updated: July 2026
This Data Processing Agreement (the “DPA”) forms part of, and supplements, the Terms of Service between New Map and you (the “Client”). It applies where New Map processes personal data on the Client's behalf in providing the Service, and it sets out the parties' obligations under Article 28 of the UK GDPR and the EU General Data Protection Regulation (together, “GDPR”). If there is a conflict between this DPA and the Terms on the subject of data protection, this DPA prevails.
1. Definitions and roles
2. Subject matter and duration
3. Nature and purpose of processing
4. Types of personal data and categories of data subjects
Types of personal data. The personal data processed on the Client's behalf may include:
- Identity and contact data of the Client's authorised users (name, work email, company, role).
- Account credentials (passwords, stored only in hashed form by our authentication provider).
- Brand and channel data the Client submits (brand name, website, industry, and the owned social profiles, apps and blogs the Client chooses to share).
- Audit inputs (a submitted website and an email address given to receive a report).
- Account manager conversation content (the messages exchanged with the AI account manager).
- Usage and basic technical data (interactions with the platform, IP address, device and browser data), processed to operate and secure the Service.
Categories of data subjects. The data subjects are the Client's authorised users and personnel, and any individuals who request an audit or whose contact details the Client submits. The Service is a business-to-business tool and is not intended to process special-category data; the Client agrees not to submit special-category data through it.
5. Processor obligations
- Process only on documented instructions. Process the personal data only on the Client's documented instructions, including as to international transfers, unless required to do otherwise by law (in which case New Map will inform the Client of that requirement before processing, unless the law prohibits it). The Terms, this DPA and the Client's use of the Service constitute the Client's complete instructions. New Map will tell the Client if, in its opinion, an instruction infringes the GDPR.
- Confidentiality. Ensure that persons authorised to process the personal data are bound by an appropriate duty of confidentiality and process it only as needed to provide the Service.
- Security (Article 32). Implement appropriate technical and organisational measures as set out in section 7.
- Sub-processors. Engage sub-processors only in accordance with section 6.
- Assistance with data-subject requests. Taking account of the nature of the processing, assist the Client by appropriate technical and organisational measures, insofar as possible, to respond to requests from data subjects exercising their rights under Chapter III of the GDPR (access, rectification, erasure, restriction, portability and objection). If a data subject contacts New Map directly about the Client's data, New Map will refer them to the Client without responding to the substance.
- Assistance with compliance (Articles 32 to 36). Assist the Client, taking into account the nature of processing and the information available to New Map, in ensuring compliance with the obligations on security (Article 32), personal-data-breach notification (Articles 33 and 34), data-protection impact assessments (Article 35) and prior consultation (Article 36). New Map will notify the Client without undue delay after becoming aware of a personal-data breach affecting the Client's data.
- Deletion or return of data. On termination of the Service, delete or return the personal data in accordance with section 8.
- Demonstrating compliance and audits. Make available to the Client the information reasonably necessary to demonstrate compliance with Article 28, and allow for and contribute to audits, in accordance with section 10.
6. Sub-processors
The Client provides general authorisation for New Map to engage the sub-processors below to provide the Service. Each sub-processor is engaged under a written contract imposing data-protection obligations that are, in substance, no less protective than those in this DPA.
- Supabase: database, authentication and storage
- Vercel: hosting and serverless infrastructure
- Anthropic (Claude): the AI models that power the account manager, audits and strategy
- Era and Otterly: AI-visibility measurement data
- Resend: transactional and notification email
- Serper: web search used by the agent for research and grounding
- Upstash: rate limiting and caching
- Calendly: booking calls, where a user chooses to
New Map will give the Client reasonable prior notice of any intended addition or replacement of a sub-processor (for example by updating this list or the Privacy Policy, or by email). The Client may object on reasonable data-protection grounds within a reasonable period; the parties will then work in good faith to resolve the concern, and if it cannot be resolved the Client may terminate the affected part of the Service. New Map remains responsible to the Client for its sub-processors' performance of their data-protection obligations.
Our AI and data sub-processors do not use the prompts, content or Client data we send them to train their public or foundation models, in accordance with their business or enterprise terms.
7. Security measures (Article 32)
- Encryption in transit for data moving between the Client, the platform and our sub-processors (TLS/HTTPS).
- Hashed passwords. Account credentials are stored only in salted, hashed form by our authentication provider and are never accessible to New Map in plain text.
- Access controls. Access to personal data is restricted to authorised personnel on a need-to-know basis, using authenticated accounts.
- Row-level security (RLS) in the database so that each Client's data is logically isolated and only accessible to that Client's authorised users and to the Service acting on their behalf.
- Reputable infrastructure providers that maintain their own recognised security and availability controls.
- Rate limiting and monitoring to protect the Service against abuse and to support detection of and response to security events.
New Map reviews these measures and may update them, provided the level of protection is not materially reduced.