Data Processing Agreement
Effective date: May 9, 2026 Last updated: May 9, 2026When you use the Tagmaps scanning service, you (the customer) act as the controller of personal data submitted to the service, and Tagmaps, LLC acts as a processor (or service provider, under applicable US state law). Our Data Processing Agreement (DPA) governs that relationship and supplements our Terms of Service.
This page summarises what the DPA covers and how to put one in place. The full document is available on request.
What the DPA covers
- Scope and roles. Defines Tagmaps as the processor and the customer as the controller for personal data submitted through the service.
- Subject matter, duration, and processing purposes. Describes the categories of data subjects, types of personal data, and the limited purposes for which Tagmaps may process customer data.
- Confidentiality and personnel. Tagmaps personnel with access to customer data are bound by written confidentiality obligations.
- Security measures. Cross-references the technical and organisational measures described on our Security page.
- Subprocessors. Authorises the use of the subprocessors listed on our Subprocessors page, including notice and objection rights for changes.
- International transfers. Standard Contractual Clauses (Module 2) and the UK International Data Transfer Addendum apply where customer data is transferred from the EEA, the United Kingdom, or Switzerland to the United States.
- Assistance with data-subject requests. Tagmaps will assist the customer in responding to requests from data subjects exercising their rights, taking into account the nature of the processing.
- Data breach notification. Tagmaps will notify affected customers without undue delay after becoming aware of a personal data breach affecting their data.
- Audit. Customers may request our most recent third-party assessment, where one exists, and may carry out audits subject to the conditions in the agreement.
- Return or deletion on termination. Customer data is returned or deleted on termination of the agreement, except where retention is required by law.
How to execute the DPA
Email legal@tagmaps.io with:
- Your organisation's full legal name and registered address.
- The signing party's full name and title.
- The contractual contact email for notices.
We will return a copy of the DPA pre-populated with that information for signature, typically within two business days.
If you have an existing DPA template that we have already negotiated with another customer, let us know. We are happy to use a previously agreed form to speed things up.
Standard Contractual Clauses
The DPA incorporates the European Commission's Standard Contractual Clauses (Implementing Decision (EU) 2021/914), Module 2 (controller to processor), and where applicable the UK International Data Transfer Addendum. Customers can request the executed clauses with the relevant module selected after the DPA is signed.
Updates to this page
We update this summary as the underlying DPA changes. The version of the DPA in force at the time of execution governs the relationship; later changes are made only by mutual agreement or as expressly permitted by the DPA itself.