Data Processing Agreement
01 Scope & definitions
This Data Processing Agreement ("DPA") forms part of and is incorporated into the Plotted Terms of Service between you ("Customer") and Plotted ("Processor"). It applies when Plotted processes Personal Data on behalf of Customer in the course of providing the Service.
"Personal Data," "Controller," "Processor," "Sub-processor," "Data Subject," and "Processing" have the meanings given in GDPR Article 4 and equivalent definitions under the CCPA.
02 Roles & responsibilities
For Personal Data submitted to or accessed via the Service, Customer is the Controller and Plotted is the Processor. Plotted will process Personal Data only on documented instructions from Customer, as set out in this DPA and the Terms.
For Personal Data describing U.S. property owners that Plotted aggregates from public records and licensed sources and exposes via the API, Plotted is the Controller. Use of that data by Customer makes Customer a separate Controller for its own purposes (e.g., direct mail outreach).
03 Processing instructions
- Subject matter: Providing the Plotted API and dashboard.
- Duration: Term of the underlying Terms of Service.
- Nature & purpose: Authentication, request routing, rate limiting, billing.
- Categories of data: Account identifiers (email, name), billing identifiers, API usage logs.
- Categories of subjects: Customer's employees / authorized users.
04 Security measures
Plotted maintains appropriate technical and organizational measures, including:
- Encryption in transit (TLS 1.3) and at rest (AES-256)
- Role-based access control with least privilege; access logging
- Mandatory 2FA for Plotted personnel with production access
- Annual penetration testing by an independent third party
- Vulnerability scanning of dependencies on every deploy
- Documented incident response and business continuity plans
05 Sub-processors
Customer authorizes Plotted to engage the following Sub-processors:
| Sub-processor | Service | Location |
|---|---|---|
| Google Cloud / Firebase | Hosting, auth, database, functions | United States |
| Stripe | Payment processing | United States |
| Google Workspace | Support email | United States |
Plotted will provide at least 30 days' notice before adding a new Sub-processor. Customer may object by terminating the Service.
06 International transfers
Plotted's infrastructure is hosted in the United States. Where Personal Data of EU/UK Data Subjects is processed, Plotted relies on the EU Standard Contractual Clauses (2021/914) with the UK Addendum as required.
07 Data subject rights & breach notice
Plotted will assist Customer in responding to Data Subject requests within a reasonable timeframe. Plotted will notify Customer of any Personal Data breach affecting Customer Personal Data without undue delay, and in any event within 72 hours.
08 Audits
Plotted will make available all information necessary to demonstrate compliance with this DPA, including a SOC 2 Type II report (once available) and the most recent penetration testing summary. On-site audits may be arranged with reasonable notice and at Customer's expense.
09 Termination & data return
On termination of the Service, Plotted will, at Customer's election, return or delete Customer Personal Data within 30 days, except where retention is required by law (e.g., billing records). Confirmation of deletion will be provided on request.
For a countersigned DPA on Plotted letterhead, email legal@plotted.to.