Data Processing Agreement
Appointment of Data Processor pursuant to Article 28 GDPR
Online version: v1.1 (effective 17 Feb 2026)
This Data Processing Agreement (“DPA”) is incorporated by reference into the applicable Master Services Agreement (“MSA”) or Order Form between the parties.
1. Scope and Definitions
1.1 This DPA governs how Mapp (“Processor”) processes Personal Data on behalf of the Client (“Controller”) in connection with the Services.
1.2 Hierarchy
- Mandatory data protection laws always prevail.
- Where the Order Form expressly includes agreed data protection Special Terms, those terms apply only to the extent stated and override conflicting provisions of this DPA.
- In all other cases, this DPA prevails over the MSA regarding personal data protection.
1.3 Definitions
- Data Protection Laws means all applicable laws relating to Personal Data, including European, UK, and applicable US state privacy laws, as amended.
- Data Subject means an individual whose Personal Data is processed.
- Personal Data Breach means a security incident leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.
- Services means the services provided by Mapp as described in the MSA, Order Form, and Appendix 1.
- Affiliate means any entity that controls, is controlled by, or is under common control with a party.
- Undefined capitalized terms have the meaning given in the MSA or applicable Data Protection Laws.
2. Roles & Instructions
2.1 The Client is the Controller and Mapp is the Processor.
2.2 Each party shall comply with Data Protection Laws applicable to its role.
2.3 Mapp shall process Personal Data only to provide the Services and in accordance with the Client’s documented instructions, which include:
- the MSA and Order Form;
- this DPA and its Appendices;
- configurations and settings applied by the Client within the Services; and
- written instructions submitted through agreed support or account management channels.
2.4 If Mapp reasonably believes an instruction violates Data Protection Laws, it will inform the Client without undue delay and may pause execution until clarified.
2.5 Mapp does not sell or share Personal Data as defined under applicable US privacy laws.
3. Sub-Processing and International Data Transfers
3.1 All Sub-processors are bound by written data protection obligations no less protective than this DPA. Mapp remains responsible for their compliance. The Client authorizes:
- Mapp Affiliates located in the EEA or UK; and
- Sub-processors necessary to provide the Services purchased under the Order Form.
3.2 Mapp will notify the Client at least thirty (30) days before engaging a new Sub-processor. If the Client raises a documented data protection concern, the parties will work in good faith to resolve it. If unresolved, the Client may terminate only the affected Services.
3.3 Personal Data may be processed outside the EEA or UK only where permitted under this DPA or where the Client has contracted with a Mapp entity established outside those regions.
3.4 Where Personal Data is processed in countries without an approved adequacy decision, Mapp will apply appropriate safeguards required by Data Protection Laws. Where required, the parties will reasonably cooperate to assess international processing risks and apply appropriate protective measures.
3.5 Mapp maintains a current list of its Sub-processors on its website (see Appendix 2).
4. Security Measures
4.1 Mapp shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including measures aligned with ISO 27001 standards where applicable. These measures aim to protect Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, or damage. Details are described in Appendix 3.
4.2 Security measures are reviewed regularly and updated where appropriate, provided the overall level of protection is not materially reduced.
4.3 Access to Personal Data is limited to authorized personnel subject to confidentiality obligations.
5. Audit and Verification
5.1 Mapp shall provide reasonable information needed to demonstrate compliance with this DPA, including relevant certifications or standard security documentation.
5.2 If this information is insufficient, the Client may conduct one (1) audit per year with at least twenty (20) business days’ notice. Audits must:
- be limited to activities relevant to the Services;
- avoid unreasonable disruption; and
- be subject to confidentiality.
5.3 The Client bears audit costs, including reasonable internal supervision costs, unless the audit is required by a supervisory authority, follows a confirmed Personal Data Breach, or is based on documented, objective evidence of material non-compliance.
5.4 Third-party auditors must be independent, bound by confidentiality, and not competitors of Mapp.
6. Personal Data Breach Notification
6.1 Mapp will notify the Client without undue delay and no later than twenty-four (24) hours after confirming a Personal Data Breach.
6.2 Notifications will include available details on the nature of the breach, likely impact, and mitigation steps. Updates will follow as information becomes available.
6.3 Breaches caused solely by the Client’s actions or omissions are excluded, unless directly caused by Mapp’s failure to apply the measures in Appendix 3.
7. Data Subject Requests
7.1 If Mapp receives a Data Subject request directly, it will notify the Client without undue delay and will not respond unless authorized.
7.2 The Client will use available Service features to respond to requests.
7.3 Where requests cannot be handled via self-service, Mapp will provide reasonable assistance. Fees may apply where permitted by law.
8. Data Protection Assistance
8.1 Mapp will provide reasonable assistance to help the Client meet its data protection obligations related to security, breach handling, impact assessments, and regulatory engagement, limited to the Processing under this DPA and information available to Mapp.
8.2 Mapp maintains records of its Processing activities and will make relevant information available upon reasonable request.
9. Return and Deletion of Data
9.1 Upon termination or expiry, Mapp will, at the Client’s choice, delete or return all Personal Data and then delete it within thirty (30) days, unless retention is required by law or a longer transition period applies under an appendix to the MSA governing data handling upon termination or service changes.
9.2 The Client may request a copy during this period. Reasonable fees may apply.
9.3 Encrypted backups are deleted in line with Mapp’s retention practices.
9.4 Deletion will be confirmed in writing upon request. The retention period may be extended up to ninety (90) days to support migration.
9.5 Where the Client exercises contractual or statutory rights to retrieve or transition data in connection with a change or discontinuation of the Services, deletion under this Section shall occur only after completion of the applicable transition period.
10. Liability
10.1 Each party’s liability arising out of or related to this DPA and all DPAs between Affiliates and Mapp, whether in contract, tort or under any other theory of liability, is subject to the limitation of liability section agreed under the MSA, and any reference in such section to the liability of a party means the aggregate liability of that party and all of its Affiliates under the MSA and all DPAs together.
10.2 For the avoidance of doubt, Mapp’s total liability for all claims from the Client and all of its Affiliates arising out of or related to the MSA and each DPA shall apply in the aggregate for all claims under both the MSA and all DPAs established under this Agreement.
10.3 If a Data Subject asserts any claim against one party, the other party will reasonably cooperate in defending those claims.
11. Governing Law
11.1 This DPA is governed by the laws stated in the MSA. Disputes shall be resolved in the courts agreed under the MSA.
Appendix 1: Processing Details
Nature and Purpose of Processing
Mapp processes Personal Data solely for the purpose of providing the Services and only in accordance with the Client’s documented instructions.
Processing activities may include the collection, storage, organization, use, analysis, and reporting of data as required to perform the Services. This may also involve transforming, aggregating, pseudonymizing, or anonymizing data where relevant to the delivery of such Services. Mapp does not collect Personal Data directly from individuals unless explicitly initiated and configured by the Client (e.g. via forms, APIs, or tracking technologies). Mapp does not determine the purposes or essential means of the processing and acts solely on behalf of the Client, who remains responsible for ensuring the lawful collection and use of Personal Data under applicable Data Protection Laws.
Types of Personal Data Processed
Mapp processes Personal Data on behalf of Client. The exact types of data depend on Client’s use of the Services and platform configuration. Data may include, but is not limited to:
Personal and Contact Information
- Full Name
- Email address
- Phone number
- Postal address
Demographic Data
- Age or date of birth
- Gender
- Language preferences
- Salutation or title
Marketing Engagement Data
- Consent status
- Opt-in / Opt-out Records
- Message interaction data
- Bounce data
Online and Technical Identifiers
- IP address
- Cookie IDs
- Device and browser information
- Referrer URLs and visit timestamps
Commercial and Custom Information
- Product interests
- Transaction dates
- Data fields defined by Controller
Note: The Services are not designed to process special categories of Personal Data (as defined in Article 9 GDPR) or data relating to children. Such processing is prohibited unless explicitly authorized in writing by Mapp, legally permitted, and in accordance with Mapp’s Acceptable Use Policy.
Categories of Data Subjects
The categories of Data Subjects whose Personal Data may be processed depend entirely on how Client uses the Services. These may include:
- Customers, subscribers, or users of the Client
- Prospective customers or leads (e.g. marketing contacts) of the Client
- Website or app visitors interacting with Client-managed properties
- Recipients of communications or campaigns initiated by the Client
- Individuals whose data is uploaded or otherwise made available by or on behalf of the Client
Note: Client determines which categories of Data Subjects are relevant based on its use of the Services. Mapp does not determine such categories and will not process data for purposes other than those defined by Client in accordance with the Agreement.
Appendix 2: Sub-Processors
Mapp Affiliates located in the EEA or UK
| Company | Street Address | Purpose |
| --- | --- | --- |
| Mapp Digital Germany GmbH | Sandstr. 3, München, Germany | Software Development, System Maintenance, Customer Services |
| Webtrekk GmbH | Schönhauser Allee 148, Berlin, Germany | Software Development, System Maintenance, Customer Services |
| Mapp Digital Italy SrL | Via Dante 7, Milano, Italy | Customer Services |
| Mapp Digital France SAS | 33 rue Lafayette, Paris, France | Customer Services |
| Mapp Digital UK Ltd | 75-77 Cornhill, London, UK | Customer Services |
Sub-processors necessary for the delivery of the ordered Services
In accordance with applicable Order Form(s).
Note: The current list of engaged sub-processors is available online at any time at mapp.com/trust.
Appendix 3: Technical and Organizational Measures
1. Physical Access Control
Mapp implements a range of measures to prevent unauthorized persons from gaining access to data processing systems used for processing or managing personal data. These measures apply to both Mapp’s data centers, which host the Mapp Marketing Cloud application and its infrastructure, and its office spaces. In principle, no local data processing takes place in office spaces; maintenance and support activities are carried out via remote access:
A. Measures in Office Spaces
- Office Security: Mapp uses office spaces located in industry-standard multi-tenant office buildings with multiple parties. These offices are secured with electronic access control systems at all entrances. Offices are generally locked and accessible only to authorized personnel who hold a chip card or transponder.
- Issuance Process: The issuance and management of chip cards or transponders for Mapp employees and relevant service providers (e.g., cleaning staff) are governed by a defined process. This process ensures proper granting and revocation of access permissions at the start, change, or termination of employment or a service relationship.
- Key Management: Traditional keys are issued only to administrative personnel under strict control, ensuring access to office spaces in the event of an access control system failure. All issued keys, chip cards, and transponders are assigned to specific individuals, ensuring accountability at all times. Any unassigned keys or access devices are stored securely.
- Visitor Policy: External visitors are allowed entry to office spaces only after prior registration. Dedicated, segregated meeting areas are excluded. Visitors must be accompanied by a staff member or reception personnel throughout their visit and are required to wear a clearly visible visitor badge.
- Video Surveillance: The entrance areas of Mapp offices are monitored using video surveillance systems. These measures are implemented in compliance with data protection requirements to deter and to enable the clarification of unauthorized entry.
- Mobile Work: Specific policies have been established to ensure the physical security of data and systems when employees work outside the office. Employees are regularly trained to adhere to these policies and maintain security standards.
B. Measures in Data Centers
- Secure Hosting: All server systems hosting the Mapp Marketing Cloud and processing customer data are operated in specially secured data centers. These centers are certified to international security standards, at least ISO 27001. Depending on the service, Mapp utilizes data center colocations within the European Union, where we operate our own hardware, or cloud-based data center infrastructures managed by the operator.
- Safeguards: Security measures include structural, technical and organizational safeguards according to ISO 27001 Annex A or ISO 27002, such as the implementation of security zones, secure locking systems, traceable key management, stringent access control and logging, strong authentication, clear regulations for handling visitors, and access monitoring (alarm systems and video surveillance).
- Provider Obligations: All agreements with data center operators define minimum security requirements, and Mapp additionally ensures compliance with standards like ISO 27017 and ISO 27018 for the providers of cloud data center infrastructures.
2. System Access Control
Mapp employs stringent access controls to safeguard IT systems against unauthorized use:
- Authentication: Access to Mapp’s IT systems is strictly controlled. Users must successfully authenticate and have explicit access permissions to gain entry, except for resources intentionally made publicly accessible.
- Account Management: User accounts are managed following a well-defined process. This process governs the creation, modification, and deactivation of accounts at the start, change, or end of an employee’s role. The process also ensures role-based access permissions are consistently applied and regularly updated. Management is centralized as much as possible. Accounts that are inactive for extended periods are automatically locked.
- Accountability: Each user account is uniquely assigned to an individual to ensure accountability. Shared or impersonal accounts are not permitted.
- Password Security: Mapp enforces strong password policies to enhance security. Users must create passwords with a minimum length of 8 characters, including complex combinations. Administrative and service account passwords must meet even higher standards, requiring a minimum of 14 characters. Passwords must differ from the last eight previously used passwords. Passwords are reset by users during initial login or following a manual reset by administrators. Sharing passwords is prohibited, and employees are regularly trained on secure password practices. If a security incident occurs, affected passwords are immediately locked and must be reset by users.
- Password Expiry: Customers can define the frequency of forced password changes for their accounts. Internally, in line with the current state of the art, Mapp does not enforce periodic password changes.
- Brute Force Protection: Access is temporarily blocked after a maximum of five unsuccessful login attempts within a defined timeframe. The ability to log in interactively to the Mapp Marketing Cloud application via API is technically prevented.
- Preference Management: Individuals receiving emails via the Mapp Marketing Cloud application can revoke subscriptions or update their preferences through a secure process. Authentication typically involves a temporary token sent via email.
- Remote Access: Remote access to Mapp’s internal network is strictly limited to company-owned devices and requires both an encrypted VPN connection and multi-factor authentication (MFA). Access to critical corporate applications and communication systems also requires MFA.
- Secure Support Interfaces: Mapp employees providing support services can only access customer systems using devices connected to the internal network or through MFA-secured devices.
- Access to Customer Systems: Customers are responsible for managing their own accounts and securing their login information. The Mapp Marketing Cloud offers a customizable role and permission model that allows customers to tailor access rights to their specific needs. Additional options include Single Sign-On (SSO), implementing MFA, and restricting access to pre-defined IP addresses.
- Least Privilege: Privileged access rights are granted following the principle of least privilege. These rights are regularly reviewed and tightly controlled. Logs of privileged account activity are monitored and reviewed automatically or manually. The use of super-user accounts, such as “root” in Linux, is highly restricted.
- Network Segmentation: Mapp’s production networks are segmented to separate sensitive systems from less critical environments. Development, testing, and office networks are isolated from production systems. Demilitarized zones (DMZ) ensure that customer data is not stored on servers directly accessible from the internet.
- Network Threat Mitigation: Firewall systems filter all inbound and outbound traffic to Mapp’s network. Unnecessary services are blocked to minimize security risks. At key entry points, network intrusion detection and prevention systems are deployed to detect and mitigate threats. Firewall configurations undergo strict change management and are reviewed regularly.
- Logging: Mapp logs and centrally evaluates security-relevant events, such as user activities, system errors, and network anomalies, to detect and respond to suspicious behavior. Logs are protected against unauthorized access, tampering, or deletion and are retained for a defined period. Synchronized system clocks ensure consistent and analyzable log data.
- Secure Development: Mapp follows a secure development lifecycle based on OWASP guidelines, integrating security into every phase of software development, from design to maintenance. Developers receive regular training in security practices, and the code undergoes automated and manual security checks.
- Vulnerability Management: Mapp performs at least monthly vulnerability scans and annual independent penetration tests to identify risks early and to remediate them within an appropriate timeframe in accordance with internal processes.
- Malware Protection: All Windows and macOS systems are equipped with anti-malware solutions that are centrally managed and updated regularly.
- Infrastructure Hardening: Mapp’s infrastructure is hardened taking into account industry benchmarks, such as the CIS Configuration Standards, to minimize attack surfaces.
- Patching: Security patches for operating systems and software are installed promptly, using automated processes wherever feasible, based on a risk assessment.
- Workstation Security: Employees are required to lock their systems when leaving their workstations. Inactivity-triggered screen locks ensure compliance, and staff are regularly reminded of this policy.
- Session Expiry: Sessions in the Mapp Marketing Cloud application automatically expire after 30 minutes of inactivity, requiring users to reauthenticate.
3. Data Access Control
Mapp ensures access to customer data is strictly controlled and limited to authorized individuals:
- Authorization: Data access permissions for employees are granted and revoked based on a documented authorization process. Access is assigned according to defined role profiles or approval from supervisors in line with the “need-to-know” principle. Geographic restrictions specified in customer contracts are also taken into account when assigning permissions.
- Permissions: Employees can only access customer data if required for service delivery and only after system verification of the user account’s permissions. We conduct regular reviews of employee access permissions to ensure they remain appropriate.
- Customer Access Management: Customers are responsible for managing account permissions within their organizations. The Mapp Marketing Cloud provides a flexible role and permission model, enabling customers to customize access levels according to specific operational needs.
- Accountability Logs: All changes to access permissions, including granting or modifying access rights, are logged for accountability. These logs are reviewed periodically and retained securely for a defined period to prevent unauthorized access, tampering, or deletion.
- No Physical Data Processing: Customer data is exclusively processed electronically, with no physical (paper) copies created. Employees are regularly trained on this policy to ensure compliance.
- Irreversible Deletion: Customer data that is no longer needed, such as data at the termination of a contract or after a deletion request, is irreversibly deleted from storage systems. Defective or obsolete storage media are destroyed by certified service providers in compliance with DIN 66399 protection class 2 standards.
4. Separation Control
Mapp implements robust measures to ensure that data collected for different purposes is processed separately:
- Logical Separation: Data and functionality within the Mapp Marketing Cloud are logically separated to ensure that one customer’s data cannot be accessed or processed with another customer’s data. This separation is applied at both the application and database levels.
- Environment Isolation: Development, testing, and production environments are strictly separated to prevent unauthorized access or accidental data exposure. Developers are prohibited from accessing or making changes to the production environment directly, ensuring operational stability and security.
- Test Data: Customer data must not be used for testing purposes unless we are specifically instructed to do so by the customer.
- AI Model Isolation: When employing AI technologies for data analysis and predictions, Mapp uses dedicated, customer-specific models trained exclusively on personal data provided by that respective customer. This ensures that customer data remains logically isolated and protected. Mapp strictly prohibits the use of personal customer data to train, fine-tune, or improve public or shared AI models.
- Device Policy: Employees are prohibited from using private devices for business purposes, including accessing customer data. Remote access to internal networks and systems is restricted to company-owned devices that are secured and centrally managed.
- Restrictions on Mobile Devices: Mobile devices are allowed for accessing corporate communication tools such as email and collaboration systems but are restricted from accessing customer data or performing administrative activities. Processing customer data on mobile devices is explicitly prohibited. Mobile devices are centrally managed, and network access is restricted to minimize security risks.
5. Pseudonymization & Encryption
Mapp ensures strong data protection using encryption and pseudonymization techniques:
- Laptop Encryption: All employee laptops are encrypted using state-of-the-art encryption algorithms, such as AES-256, to protect data stored on the devices.
- Data at Rest: Customer data stored within the Mapp Marketing Cloud is encrypted using advanced encryption standards (e.g., AES-256), excluding data that is effectively pseudonymized or anonymized for analysis purposes. Customer-specific or managed encryption keys are not feasible due to the shared infrastructure.
- Encrypted Backups: Backup copies of customer data are encrypted to ensure the security of stored information. This includes all backups except those containing only pseudonymized or anonymized data.
- Network Encryption: Administrative access to servers and remote network access is secured using encrypted connections, such as SSH with RSA (minimum key length of 2048 bits).
- Secure Exchange: Mapp offers encrypted data exchange options, such as secure file transfer protocol (SFTP). The configurations of SFTP servers are regularly reviewed and updated to align with industry best practices.
- TLS Security: Access to the Mapp Marketing Cloud’s web interfaces and APIs is secured using at least TLS 1.2 encryption. Mapp exclusively uses SSL certificates issued by trusted certification authorities. Web server configurations are regularly reviewed and updated to maintain compatibility and adhere to modern encryption standards.
- Password Hashes: User passwords are securely stored as cryptographic hashes (e.g., bcrypt) with salt, ensuring they are never stored in plaintext.
- Secure Crypto Standards: Mapp ensures that cryptographic algorithms with known vulnerabilities are not used in any of its systems or processes.
- Pseudonymization: The Mapp Marketing Cloud offers configuration options for processing pseudonymized or anonymized data. Customers can customize implementations based on specific use cases to align with privacy and compliance requirements.
6. Input Control
Mapp maintains detailed logs and controls to ensure accountability in data access and modification:
- Logging Integrity: All actions related to data access, entry, modification, and deletion are logged in detail. These logs are retained for a defined period and are secured against unauthorized access, tampering, or deletion.
- Account Linking: Activities within the system are uniquely linked to specific authenticated user accounts. Shared or impersonal accounts are strictly prohibited to ensure traceability and accountability.
- Double Opt-in: To verify email contact information entered via publicly accessible registration forms, Mapp Marketing Cloud offers a double opt-in (DOI) mechanism. After entering an email address, the system sends a confirmation link to the address, ensuring that the owner consents to the registration. DOI confirmation logs are retained throughout the lifecycle of the contact.
- Authorized Entry: Only authorized individuals can make data entries, and such activities are tightly controlled and monitored within the system to prevent unauthorized changes.
7. Transfer Control
Mapp ensures secure data transfers and monitors compliance with transfer policies:
- Encrypted Channels: All data transmissions, including customer data, are conducted over encrypted channels. Secure protocols such as SSH and TLS 1.2 or higher are used to protect data during transfer.
- Mailing Infrastructure: The Mapp Marketing Cloud mailing infrastructure supports SPF, DKIM, DMARC, and optionally BIMI standards to secure outgoing emails and prevent domain misuse.
- Traceability: Logs of all data transfers and communications are maintained to ensure full traceability. These logs are securely stored, protected against unauthorized access, tampering, or deletion, and retained for a defined period.
- Suppliers: Data is transferred to external service providers only when authorized by customer contracts and necessary for service delivery. Contracts with service providers include data protection clauses aligned with customer agreements, ensuring the same level of security and compliance.
- International Transfers: Personal data is only transferred to organizations in countries outside the EU/EEA that meet EU data protection standards or implement equivalent safeguards (e.g., standard contractual clauses). Such transfers occur only with customer authorization.
- Infrastructure Location: Mapp ensures that its cloud infrastructure is located in data centers within the EU or EEA unless explicitly requested otherwise by the customer. Exceptions, such as optional data collection outside the EU for specific use cases, are always agreed upon in advance with the customer.
- Handling Restrictions: Employees are prohibited from storing customer data on portable devices, sending it via email, or using unauthorized file-sharing platforms. USB ports are technically restricted, and employees are regularly trained on secure data handling policies.
8. Availability Control & Resilience
Mapp ensures operational continuity and protects against data loss with robust availability measures:
- Data Redundancy: Customer data is continuously replicated and backed up daily in geo-redundant locations. Backup restorability is tested regularly to ensure reliability.
- System Redundancy: Critical infrastructure components, such as web servers, firewalls, and network switches, are designed with redundancy to maintain functionality during high loads or individual component failures.
- Capacity Management: Network connections, computing resources, and storage systems are regularly reviewed to ensure adequate capacity for current and future needs. Automated and manual monitoring allows for proactive responses to fluctuations and disturbances.
- Maintenance: All systems undergo regular maintenance and updates to ensure stability, security, and performance. Change management processes are applied to minimize risks during updates.
- DoS Defense: Systems are equipped with measures to detect and defend against most forms of Denial of Service (DoS) attacks. Where automated measures are insufficient, manual response protocols are in place.
- Disaster Recovery: Mapp has comprehensive disaster recovery plans to restore services in case of major disruptions, such as data center outages or ransomware attacks. These plans are tested annually through simulations and exercises to ensure effectiveness.
- Physical Safeguards: Mapp’s external data centers are equipped with structural and technical protective measures to mitigate environmental risks such as fire, water, and power outages. These measures include fire protection systems, including smoke detection and automated extinguishing systems, climate control to maintain optimal server room conditions, uninterruptible power supply (UPS) systems and backup diesel generators with fuel reserves for at least 24 hours. All protective measures are regularly tested for functionality.
9. Order Control
Mapp ensures that customer data is processed strictly according to customer instructions:
- Contractual Purpose: Mapp processes customer data under explicit contractual agreements that define the type, scope, and purpose of the data processing. These agreements clearly outline the customer’s authority to issue instructions and limit processing to agreed purposes.
- Documentation: Manual instructions from customers, such as support requests or special processing orders, are systematically documented to ensure traceability and compliance.
- Policy Enforcement: Mapp has established comprehensive policies that govern the secure and compliant handling of customer data. Employees are regularly trained and sensitized to understand and apply these policies.
- Sub-processor Control: When engaging external service providers for data processing tasks, Mapp ensures compliance by entering into data processing agreements with these providers. These agreements require sub-processors to adhere to the same strict requirements defined in customer contracts. Mapp conducts regular evaluations and reviews of sub-processor compliance to ensure they meet contractual and regulatory obligations.
10. Data Protection Management
Mapp integrates data protection into its organizational processes through an effective management system:
- Management System: Mapp operates a comprehensive information security, business continuity, and data protection management system that aligns with international standards, including ISO 27001, ISO 27017, ISO 27018, ISO 22301, and ISO 27701. These systems are embedded in company-wide workflows to ensure consistent adherence.
- Policy Framework: A high-level information security and data protection policy, approved by senior management, provides the foundation. It is complemented by more detailed policies, all of which are binding for employees and reviewed annually for relevance and effectiveness.
- Training & Awareness: Employees undergo mandatory information security and data protection training during onboarding and annually thereafter. In addition, Mapp provides regular updates and awareness measures to address evolving threats, policy changes, and best practices.
- Roles & Responsibilities: Mapp has clearly defined roles for information security and data protection, staffed by qualified personnel, including an appointed Data Protection Officer. A dedicated information security and data protection team oversees the implementation, operation, and continuous improvement of the management system, and is involved in critical business and IT processes from the outset to ensure security and privacy considerations are integrated into design and implementation phases.
- Audit: Regular internal audits and at least annual external audits ensure the effectiveness of the management system. Core components of Mapp’s management system are certified under ISO 27001.
- Incident Response: Employees and relevant service providers are required to immediately report suspected or actual information security incidents or data protection breaches. A defined reporting and escalation process ensures timely containment and resolution. Incident response processes include responsibilities for assessment, remediation, and reporting to customers, supervisory authorities and/or affected individuals, as needed. All incidents undergo post-mortem analysis to improve processes and prevent recurrence.
- Supplier Governance: Mapp ensures that information security and data protection requirements are included in supplier contracts. A formal process governs the regular evaluation of suppliers, as well as handling changes or terminations of supplier relationships.
Note: Also available at mapp.com/trust