Data Processing Agreement (DPA)

1. Subject Matter and Duration

This Data Processing Agreement (“DPA”) governs the processing of personal data by Location Science GmbH (“Processor”) on behalf of its users (“Controller”) in connection with the services provided through our applications.

2. Nature and Purpose of Processing

The Processor processes personal data for the following purposes:

  • User authentication and authorization
  • Service provision and improvement
  • Analytics and performance monitoring
  • Compliance with legal obligations

3. Types of Personal Data

The Processor processes the following categories of personal data:

  • Email addresses (for authentication)
  • Usage data and analytics
  • Technical data (IP addresses, device information)
  • Location data (when explicitly permitted by the user)

4. Categories of Data Subjects

The Processor processes personal data of:

  • Registered users
  • Website visitors
  • Application users

5. Technical and Organizational Measures

The Processor implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

  • Encryption of data in transit and at rest
  • Regular security assessments
  • Access controls and authentication
  • Data backup and recovery procedures
  • Incident response procedures

6. Subprocessors

The Processor uses the following subprocessors:

  • Keycloak (for authentication)
  • GitHub (for code hosting)
  • Mapbox, Maptiler and OpenStreetMap (for map background)

7. Data Subject Rights

The Processor shall assist the Controller in fulfilling its obligations to respond to data subject requests under GDPR, including:

  • Right to access
  • Right to rectification
  • Right to erasure
  • Right to restriction of processing
  • Right to data portability
  • Right to object

8. Data Breach Notification

The Processor shall notify the Controller without undue delay after becoming aware of a personal data breach.

9. Deletion or Return of Data

Upon termination of services, the Processor shall delete or return all personal data to the Controller, unless retention is required by law.

10. Audit Rights

The Controller has the right to audit the Processor’s compliance with this DPA, subject to reasonable notice and confidentiality obligations.

11. Governing Law

This DPA shall be governed by German law.

12. Contact Information

For questions regarding this DPA, please refer to our Imprint.

Last Updated: 06.04.2025