Data Processing Addendum
Последнее обновление: 12 July 2026
Это перевод для удобства. В случае любых расхождений преимущественную силу имеет английская версия этого документа.
This Data Processing Addendum (“DPA”) forms part of the Terms of Service between you (“Customer”, the “controller”) and MAMMADOFF AGENCY LLC (“OSRMRoute”, the “processor”). It applies where, in using the Service, you submit personal data of your end users (for example addresses, place names or coordinates sent to our geocoding, routing, matrix, optimization or places endpoints) that we process on your behalf. Terms such as “personal data”, “processing”, “controller”, “processor” and “data subject” have the meaning given in the EU/UK GDPR.
1. Roles and scope
For account, billing and website data we are an independent controller (see the Privacy Policy). For end-user personal data contained in the requests you send to the Service, you are the controller and we are your processor. This DPA governs that processing. You are responsible for the lawfulness of the data you submit and for any required notices or consents.
2. Subject-matter, duration, nature and purpose
Subject-matter: processing of the query content you submit. Duration: for the term of your use of the Service. Nature and purpose: receiving requests and returning geocoding, routing, distance-matrix, map-matching, optimization and places results, plus operating, securing and metering the Service. Type of personal data: addresses, place names, coordinates and any personal data you choose to include in a query. Data subjects: your end users and other individuals whose data you submit.
3. Processing on documented instructions
We process end-user personal data only to provide the Service and on your documented instructions (including through your configuration and API calls), unless required otherwise by law, in which case we will inform you where legally permitted. We do not sell such data or use it for our own purposes, advertising or profiling.
4. Confidentiality
We ensure that personnel authorized to process the data are bound by appropriate confidentiality obligations.
5. Security
We implement appropriate technical and organizational measures, including encrypted transport (TLS), access controls, API-key restrictions, network isolation of databases, and transient processing of query content (we do not retain it as a separate profile). Measures are described in the Privacy Policy and may evolve as the Service improves, provided protection is not materially reduced.
6. Sub-processors
You authorize us to engage sub-processors to provide the Service. Current sub-processors include:
We impose data-protection obligations on sub-processors no less protective than this DPA and remain responsible for their performance. We will give reasonable notice of new sub-processors (via our website or email) so you may object on reasonable data-protection grounds.
- Paddle — payments and Merchant of Record;
- Brevo (Sendinblue) — transactional email;
- Cloudflare — CDN, DNS and network security;
- our infrastructure/hosting provider — servers and databases.
7. Data subject requests
Taking into account the nature of the processing, we will assist you by appropriate technical and organizational measures, insofar as possible, to respond to requests from data subjects exercising their rights. Because query content is processed transiently and not stored as a profile, we typically hold little or no such data after a request completes.
8. Personal data breach
We will notify you without undue delay after becoming aware of a personal data breach affecting end-user data processed under this DPA, and provide information reasonably available to help you meet your notification obligations.
9. International transfers
Where processing involves transfer of personal data out of the EEA/UK, we rely on appropriate safeguards such as the European Commission’s Standard Contractual Clauses (and the UK Addendum), or an adequacy decision.
10. Audit
We will make available information reasonably necessary to demonstrate compliance with this DPA and allow for and contribute to reasonable audits, subject to confidentiality and reasonable notice, scope and frequency.
11. Deletion and return
Because query content is processed transiently to return results, it is not retained as a stored dataset. Account and usage records are handled per the Privacy Policy retention terms and deleted or aggregated as described there. On termination we delete or return remaining personal data as required by applicable law.
12. Liability and precedence
Each party’s liability under this DPA is subject to the limitations in the Terms of Service. In case of conflict on data-processing matters, this DPA prevails over the Terms and Privacy Policy. This DPA is governed by the law and forum stated in the Terms.
13. Contact
Data protection contact: [email protected] — MAMMADOFF AGENCY LLC (TIN 7200653321), Baku, Azerbaijan.
Вопросы по этому документу? Свяжитесь с нами: [email protected].