Addendum to the Master Services Agreement
This Data Processing Agreement ("DPA") is entered into as an addendum to the Master Services Agreement ("MSA") between BigGeo Global Inc., an Alberta corporation ("BigGeo"), and the customer identified in the applicable Order Form ("Customer"), with effect from the date of the MSA or such later date as the parties may agree in writing.
WHEREAS:
NOW THEREFORE, in consideration of the mutual covenants set out herein and for other good and valuable consideration, the receipt and sufficiency of which are acknowledged, the parties agree as follows.
In this DPA, the following terms have the meanings set out below. Capitalised terms not defined herein have the meanings given to them in the MSA.
means a third party engaged by BigGeo to process Customer Personal Data, as listed in Schedule 2.
means the party that determines the purposes and means of processing Personal Data.
means Personal Data that Customer or its Authorized Users upload, transmit, or otherwise make available to BigGeo through the Services, including location data, user identifiers, and contact records, as further described in Schedule 1.
means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data.
means all applicable laws and regulations relating to the processing of Personal Data, including PIPEDA, PIPA, the CCPA, and any successor or amending legislation, as applicable to the processing activities described in this DPA. Where Customer Personal Data includes EU/EEA Personal Data, Data Protection Laws also includes the General Data Protection Regulation (EU) 2016/679 ("GDPR") and applicable EU/EEA member state implementing legislation.
means an identified or identifiable natural person to whom Personal Data relates.
means information about an identifiable individual, as defined under applicable Data Protection Laws. For the purposes of this DPA, "Personal Data" has the same meaning as "Personal Information" as used in the MSA.
means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, storage, adaptation, retrieval, use, disclosure, transmission, and deletion.
means the party that processes Personal Data on behalf of the Controller.
has the meaning given to it in the MSA and includes Datalab, Marketplace, Datascape, and associated Professional Services.
means any third party engaged by BigGeo to process Customer Personal Data as part of the delivery of the Services.
means Personal Data relating to individuals located in the European Union or European Economic Area.
means the General Data Protection Regulation (EU) 2016/679, as may be amended or supplemented from time to time, and any national implementing legislation enacted in EU member states.
means the representative designated by BigGeo pursuant to Article 27 of the GDPR to act on BigGeo's behalf with regard to BigGeo's obligations under the GDPR.
VeraSafe has been appointed as BigGeo's representative in the European Union and UK for data protection matters, pursuant to Article 27 of the General Data Protection Regulation of the European Union. If you are in the European Economic Area or the United Kingdom, VeraSafe can be contacted in addition to privacy@biggeo.com, only on matters related to the processing of personal data.
To make such an inquiry, please contact VeraSafe using this contact form: https://verasafe.com/public-resources/contact-data-protection-representative or via telephone at: +420 228 881 031 or at: +44 (20) 4532 2003.
Alternatively, VeraSafe can be contacted at:
Keizersgracht 555
1017 DR Amsterdam
Netherlands
37 Albert Embankment
London SE1 7TL
United Kingdom
means the standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679, as approved by the European Commission Decision of 4 June 2021 (Module 2: Controller to Processor), as may be updated from time to time.
Where BigGeo processes Customer Personal Data in the course of delivering the Services to Customer, BigGeo acts as Processor and Customer acts as Controller. This includes BigGeo's processing of location data, user identifiers, and contact records uploaded by Customer or its Authorized Users to the Services.
BigGeo acts as Controller when processing Personal Data for its own purposes, including: (a) account registration and management data for MSA customers, End Users, and Data Partners; (b) System Data and usage analytics derived from customer use of the Services; (c) marketing, personalisation, and product improvement activities described in BigGeo's Privacy Policy; and (d) fraud prevention and automated eligibility decisions.
The parties acknowledge that, based on the processing described in this DPA, no joint controller arrangement exists between the parties as of the effective date. If the parties identify a joint controller scenario in the course of their relationship, they shall negotiate and enter into a separate joint controller agreement.
Where BigGeo acts as Processor of Customer Personal Data, BigGeo shall:
Process Customer Personal Data only on documented instructions from Customer, including as set out in this DPA and the MSA, unless required to do so by applicable law, in which case BigGeo shall inform Customer of that legal requirement before processing, unless prohibited by law.
Ensure that persons authorised to process Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
Implement and maintain the technical and organisational security measures described in Schedule 3, in accordance with Article 8 of this DPA.
Not engage any Sub-Processor to process Customer Personal Data without prior written authorisation from Customer, except as set out in Schedule 2 (which Customer authorises by entering into this DPA). BigGeo shall remain fully liable to Customer for the performance of any Sub-Processor's obligations, as further described in Article 5.
Assist Customer, by appropriate technical and organisational measures, in fulfilling Customer's obligations to respond to Data Subject requests, as further described in Article 7.
Make available to Customer all information reasonably necessary to demonstrate BigGeo's compliance with its obligations under this DPA, and allow for and contribute to audits and inspections as described in Article 10.
Upon termination or expiration of the MSA, return or delete Customer Personal Data as described in Article 11.
Where BigGeo processes Customer Personal Data as Processor, Customer, as Controller, shall:
Ensure that Customer has a lawful basis under applicable Data Protection Laws for the processing of Customer Personal Data by BigGeo on Customer's behalf, and that Customer's instructions to BigGeo are lawful.
Ensure that Customer Personal Data provided to BigGeo is accurate, up-to-date, and limited to what is necessary for the purposes described in Schedule 1.
Obtain BigGeo's prior written approval before uploading any Personal Data to the Services, as required by Section 3.1(b) of the MSA. Customer acknowledges that BigGeo may decline to accept certain categories of Personal Data in its sole discretion.
Cooperate with BigGeo in responding to Data Subject requests and provide BigGeo with all information and assistance reasonably required to enable BigGeo to fulfil its obligations under Article 7.
Promptly notify BigGeo if Customer becomes aware that any Customer Personal Data uploaded to the Services does not comply with the requirements of this DPA or applicable Data Protection Laws.
Customer authorises BigGeo to engage the Sub-Processors listed in Schedule 2 as of the effective date of this DPA. BigGeo shall ensure that each Sub-Processor is bound by data protection obligations no less protective than those set out in this DPA.
BigGeo shall notify Customer by email to the address specified in the applicable Order Form of any proposed addition or replacement of a Sub-Processor at least 30 days prior to such change taking effect ("Sub-Processor Notice").
Customer may object to a proposed new or replacement Sub-Processor on reasonable grounds relating to data protection within 15 days of receipt of a Sub-Processor Notice by providing written notice to BigGeo at privacy@biggeo.com. If Customer objects and the parties cannot resolve the objection within 30 days, either party may terminate the affected Order Form on 30 days' written notice without penalty.
BigGeo shall remain fully liable to Customer for the performance of any Sub-Processor's obligations under this DPA to the same extent as if BigGeo were itself performing those obligations.
BigGeo's primary infrastructure is located in Canada. BigGeo shall not transfer Customer Personal Data outside of Canada except as described in this Article 6 or as otherwise approved in writing by Customer.
Customer Personal Data may be transferred to Stytch, Google Maps, and Stripe API in the United States as described in Schedule 2. BigGeo shall ensure that such transfers are subject to contractual protections with each Sub-Processor that provide a level of protection comparable to PIPEDA, including obligations of confidentiality, security, and limited use.
Where Customer Personal Data includes EU/EEA Personal Data, the transfer of such data from the EU/EEA to BigGeo in Canada shall be governed by the Standard Contractual Clauses (Module 2: Controller to Processor), which are hereby incorporated into this DPA by reference. The parties shall execute the Standard Contractual Clauses as a separate annex to this DPA prior to any transfer of EU/EEA Personal Data. Where BigGeo processes EU/EEA Personal Data as Controller (as described in Article 2.2), the parties shall assess whether additional transfer mechanisms, including Module 1 SCCs (Controller to Controller), are required, and shall execute such mechanisms prior to any such transfer. BigGeo's designated EU / EEA Representative for the purposes of Article 27 of the GDPR is: VeraSafe.
BigGeo shall, taking into account the nature of the processing, assist Customer in responding to requests from Data Subjects exercising their rights under applicable Data Protection Laws, including rights of: (a) access; (b) correction or rectification; (c) deletion or erasure; (d) restriction of processing; (e) data portability; and (f) objection to processing. This Article 7 applies to Data Subject rights arising under PIPEDA, PIPA, and the CCPA, and, where Customer Personal Data includes EU/EEA Personal Data, the GDPR (including Articles 15–22 thereof).
If BigGeo receives a Data Subject request directly relating to Customer Personal Data, BigGeo shall promptly notify Customer and shall not respond to such request without Customer's prior written authorisation, except as required by applicable law.
BigGeo shall provide Customer with such assistance as is reasonably necessary to enable Customer to respond to Data Subject requests within the timelines required by applicable Data Protection Laws.
All Data Subject rights requests relating to Customer Personal Data processed by BigGeo as Processor shall be directed to privacy@biggeo.com.
BigGeo shall implement and maintain appropriate technical and organisational security measures to protect Customer Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration, or disclosure, taking into account the nature, scope, context, and purposes of processing and the risks to Data Subjects.
The security measures currently implemented by BigGeo are described in Schedule 3. BigGeo shall review and update those measures as necessary to address changes in technology and the threat landscape.
BigGeo shall ensure that all personnel with access to Customer Personal Data are subject to appropriate confidentiality obligations and receive appropriate data protection training.
Upon becoming aware that a Data Breach has occurred affecting Customer Personal Data, BigGeo shall notify Customer without undue delay and in any event as soon as reasonably practicable, and in no case later than 72 hours after BigGeo confirms that a Data Breach has occurred, in accordance with BigGeo's obligations under PIPEDA and applicable Canadian law, by contacting Customer's designated contact as specified in the applicable Order Form, with a copy to privacy@biggeo.com. Where a Data Breach affects EU/EEA Personal Data, BigGeo shall notify Customer without undue delay, and in any event within 48 hours of confirming the breach, to allow Customer sufficient time to fulfil its own notification obligations to the relevant supervisory authority under Article 33 of the GDPR.
BigGeo's breach notification shall, to the extent then known, include: (a) a description of the nature of the Data Breach; (b) the categories and approximate volume of Customer Personal Data affected; (c) the likely consequences of the Data Breach; and (d) the measures taken or proposed by BigGeo to address the Data Breach and to mitigate its effects.
BigGeo shall cooperate fully with Customer in investigating, remediating, and documenting the Data Breach and shall provide Customer with such further information and assistance as Customer reasonably requires to fulfil its obligations under applicable Data Protection Laws.
BigGeo's notification of a Data Breach shall not constitute an admission of fault or liability.
BigGeo shall make available to Customer, on written request, a detailed questionnaire covering BigGeo's processing activities, security measures, Sub-Processor controls, and compliance with this DPA ("Compliance Questionnaire"). BigGeo shall respond to the Compliance Questionnaire fully and accurately within 30 days of receipt.
Customer may submit a Compliance Questionnaire once per calendar year, upon 30 days' prior written notice to privacy@biggeo.com.
Each party shall bear its own costs in connection with the audit process.
Customer shall treat all information received through the audit process as BigGeo's Confidential Information and shall not disclose it to any third party without BigGeo's prior written consent, except as required by applicable law.
If Customer reasonably determines, based on the Compliance Questionnaire response, that the questionnaire is insufficient to demonstrate BigGeo's compliance with this DPA, Customer may request an independent third-party audit at Customer's cost. BigGeo shall cooperate with such third-party audit, subject to reasonable confidentiality protections and scheduling accommodation. Where Customer Personal Data includes EU/EEA Personal Data, Customer's right to conduct or commission an audit under this Article 10.5 shall be interpreted consistently with BigGeo's obligations under Article 28(3)(h) of the GDPR. BigGeo shall not unreasonably withhold cooperation with such audits.
Upon termination or expiration of the MSA for any reason, BigGeo shall make Customer Personal Data available to Customer for electronic retrieval for a period of 30 days following termination ("Export Window").
Following the Export Window, BigGeo shall securely delete all Customer Personal Data from its systems in accordance with the retention periods set out in Schedule 1. BigGeo shall complete deletion within 60 days of the end of the Export Window.
Upon completion of deletion, BigGeo shall provide Customer with a written deletion confirmation certificate confirming that all Customer Personal Data has been deleted from BigGeo's systems and Sub-Processors' systems, within 15 days of completion.
Notwithstanding the above, BigGeo may retain Customer Personal Data for the minimum period required by applicable law, or where retention is necessary to resolve a bona fide dispute or enforce BigGeo's rights. Any such retained data shall be securely isolated and not used for any other purpose.
Subject to Sections 12.2 and 12.3, each party's aggregate liability under this DPA is subject to the limitation of liability provisions set out in Section 10 of the MSA, including the Ordinary Cap (fees paid in the 12 months prior to the event giving rise to the claim).
Notwithstanding Section 12.1, liability arising from a Data Breach caused by BigGeo's breach of its obligations under this DPA shall not be limited by the Ordinary Cap where such breach constitutes gross negligence or wilful misconduct, consistent with Section 10.3(a) of the MSA.
Nothing in this DPA limits either party's liability for: (a) gross negligence or wilful misconduct; (b) fraud or fraudulent misrepresentation; or (c) any liability that cannot be limited or excluded by applicable law.
This DPA is effective from the date of the MSA (or the date BigGeo grants written approval for Customer to upload Personal Data, whichever is later) and remains in force for the duration of the MSA.
This DPA terminates automatically upon termination or expiration of the MSA for any reason.
The following provisions survive termination or expiration of this DPA for any reason: Article 7 (Data Subject Rights, in respect of any outstanding requests), Article 9 (Data Breach Notification, in respect of breaches discovered post-termination), Article 10 (Audit Rights, for the audit period following termination), Article 11 (Return and Deletion), Article 12 (Liability), and Article 16 (Governing Law).
Where BigGeo processes Personal Information (as defined under the CCPA) on behalf of Customer, BigGeo acts as a "Service Provider" as defined under the CCPA, Cal. Civ. Code § 1798.140(ag).
BigGeo shall not: (a) sell or share Customer Personal Information; (b) retain, use, or disclose Customer Personal Information for any purpose other than providing the Services specified in the MSA and this DPA; (c) retain, use, or disclose Customer Personal Information outside of the direct business relationship between BigGeo and Customer; or (d) combine Customer Personal Information with Personal Information received from other sources except as permitted by the CCPA.
BigGeo shall assist Customer in responding to verifiable consumer requests under the CCPA, including requests to know, delete, correct, and opt-out of sale or sharing, within the timelines required by applicable law.
BigGeo certifies that it understands the restrictions set forth in this Article 14 and will comply with them.
As of the effective date of this DPA, BigGeo does not use any third-party AI models, large language models, or AI APIs to process Customer Personal Data as part of delivering the Services. BigGeo does not log AI service call inputs or outputs containing Customer Personal Data, and Customer Personal Data is not used to train, fine-tune, or improve any AI models.
BigGeo shall not introduce any third-party AI service that processes Customer Personal Data without: (a) providing Customer with at least 60 days' prior written notice; (b) adding the relevant AI service provider to Schedule 2 as a Sub-Processor in accordance with Article 5; (c) assessing and implementing any required transfer mechanisms in accordance with Article 6; and (d) obtaining Customer's written consent where required by applicable Data Protection Laws.
If BigGeo introduces AI services that process Customer Personal Data in future, BigGeo shall ensure that: (a) only Personal Data strictly necessary for the AI-assisted function is passed to the AI service; (b) PII is redacted before writing to logs where technically feasible; and (c) Customer Personal Data is not used to train, fine-tune, or improve any AI model without Customer's explicit prior written consent.
Any AI platform intermediary engaged by BigGeo to process Customer Personal Data shall be listed as an Authorised Sub-Processor in Schedule 2 and shall be subject to Article 5 of this DPA.
This Article 15A supplements the parties' obligations under this DPA as described in Recital 3 and incorporates the definitions set out in Articles 1.12 through 1.15. This Article 15A applies where Customer Personal Data includes EU/EEA Personal Data and supplements the obligations of both parties under this DPA with respect to the requirements of the GDPR.
For the purposes of the GDPR, Customer acts as Controller and BigGeo acts as Processor with respect to EU/EEA Personal Data processed under this DPA.
BigGeo has designated an EU / EEA Representative pursuant to Article 27 of the GDPR. BigGeo's designated EU / EEA Representative is: VeraSafe.
Customer, as Controller, is responsible for identifying and documenting a valid lawful basis under Article 6 of the GDPR (and Article 9, where applicable for special category data) for all EU/EEA Personal Data processed by BigGeo on its behalf under this DPA.
BigGeo shall maintain records of processing activities carried out on behalf of Customer with respect to EU/EEA Personal Data, as required by Article 30(2) of the GDPR, and shall make such records available to Customer upon request.
Where required by Article 35 of the GDPR, BigGeo shall provide reasonable assistance to Customer in conducting data protection impact assessments and in any prior consultation with supervisory authorities.
Transfers of EU/EEA Personal Data to BigGeo in Canada shall be conducted under the Standard Contractual Clauses (Module 2: Controller to Processor) as set out in Article 6.3 of this DPA.
This DPA is governed by and construed in accordance with the laws of the Province of Alberta and the federal laws of Canada applicable therein, consistent with Section 11.8 of the MSA, without giving effect to any choice or conflict of law provision.
Any dispute arising out of or in connection with this DPA shall be subject to the exclusive jurisdiction of the courts of Alberta, consistent with Section 11.8 of the MSA.
In the event of any conflict between this DPA and the MSA or any Order Form on any matter relating to data protection or cybersecurity, this DPA shall prevail, consistent with Section 11.6 of the MSA.
This DPA, together with the MSA and applicable Order Forms, constitutes the entire agreement between the parties with respect to the processing of Customer Personal Data and supersedes all prior agreements, representations, and understandings relating to such subject matter.
No amendment to this DPA shall be binding unless executed in writing by duly authorised representatives of both parties, consistent with Section 11.7 of the MSA.
If any provision of this DPA is found to be invalid or unenforceable, the remaining provisions shall remain in full force and effect. The invalid provision shall be amended to the minimum extent necessary to make it valid and enforceable.
This DPA may be executed in counterparts, each of which shall constitute an original, and all of which together shall constitute one and the same instrument.
This DPA does not create any third-party beneficiary rights.
IN WITNESS WHEREOF, the parties have executed this Data Processing Agreement as of the date of the MSA.
Signature
Name
Title
Date
Signature
Name
Title
Date
This Schedule 1 sets out the details of BigGeo's processing of Customer Personal Data as Processor.
| Item | Details |
|---|---|
| Controller | Customer (as identified in the applicable Order Form) |
| Processor | BigGeo Global Inc., an Alberta corporation |
| Subject Matter | Processing of Customer Personal Data in connection with the delivery of the Services (Datalab, Marketplace, Datascape, Professional Services) as described in the MSA. |
| Duration | For the duration of the MSA, plus any post-termination retention period as specified below. |
| Nature of Processing | Storage, retrieval, transmission, transformation, and deletion of Customer Personal Data in the course of providing data integration and visualisation services. |
| Purpose of Processing | Delivery of the Services to Customer as described in the MSA and applicable Order Forms. |
| Categories of Personal Data | Location data; User identifiers; Contact records. |
| Categories of Data Subjects | Authorized Users of Customer; end users of Customer's products and services where Customer Personal Data relates to such individuals. Where applicable, this includes individuals located in the European Union or European Economic Area whose Personal Data is processed in accordance with Article 15A of this DPA. |

| Data Category | Retention Period | Notes |
|---|---|---|
| Location Data | MSA term + 90 days post-termination | Privacy-sensitive category; short post-termination tail appropriate. |
| User Identifiers | MSA term + 90 days post-termination | Delete promptly post-termination, subject to legal hold. |
| Contact Records | MSA term + 12 months post-termination | Supports dispute resolution and audit. Delete or anonymise after 12 months. |
The following Sub-Processors are authorised as at the effective date of this DPA:
| Sub-Processor | Processing Location | Category of Processing |
|---|---|---|
| Stytch | United States | Authentication and identity management |
| Google Maps API | United States | Geocoding of location data |
| Stripe | United States | Payment processing |
Pursuant to Article 27 of the GDPR, BigGeo has designated the following third-party representative in the European Union / European Economic Area: VeraSafe.
The EU Representative is authorized to be contacted by supervisory authorities and Data Subjects in addition to or instead of BigGeo in respect of all matters relating to BigGeo's processing of EU/EEA Personal Data.
BigGeo's lead supervisory authority for GDPR purposes is: VeraSafe.
BigGeo has assessed its obligations under applicable data protection laws, including the GDPR, with respect to the appointment of a Data Protection Officer (DPO).
Based on the nature, scope, and scale of its processing activities, BigGeo has determined that it is not currently required to designate a DPO. In particular, BigGeo does not engage in large-scale systematic monitoring of individuals, nor does it process special categories of personal data on a large scale.
Notwithstanding this determination, BigGeo remains committed to maintaining high standards of data protection and privacy. Responsibility for data protection compliance is assigned to appropriate internal personnel, and BigGeo has implemented policies, procedures, and controls designed to ensure ongoing compliance with applicable data protection requirements.