¶¶Òõ¶ÌÊÓƵ

¶¶Òõ¶ÌÊÓƵ Legal Portal

TermsPrivacySupportSuppliers

Service Level Agreement

(last updated April 15, 2024)

Availability

If Customer has an active executed order, and the ¶¶Òõ¶ÌÊÓƵ APIs covered by and used in accordance with such order are not available 99.9% of the time every month, Customer will be eligible to receive a Service Credit as described below.

Unavailability

An API will be considered unavailable when it is inaccessible during two or more consecutive 90-second intervals. If an API is accessible in some regions but not others, availability for the API for the relevant time period will be calculated as the fraction of Customer's API requests that are failing worldwide. Uptime in a month will be calculated across APIs based on the uptime of each individual API Customer uses during the month, weighted by the fraction of all of Customer's API requests accounted for by each API during that month. For purposes of this guarantee, a "month" means a calendar month.

Service Credits

Service credits are calculated as a percentage of the total charges Customer owes ¶¶Òõ¶ÌÊÓƵ for services each month, or Customer's annual fee divided by 12, as follows:

Total Available Uptime

(across all APIs) per month

100% - 99.9% - 0% Credit Amount
99.89% - 99% - 10% Credit Amount
Less than 99% - 25% Credit Amount

To receive a credit, as its sole remedy, Customer must contact ¶¶Òõ¶ÌÊÓƵ within 30 days following the end of the unavailability via email at info@mapbox.com and include the dates and times of unavailability. If ¶¶Òõ¶ÌÊÓƵ confirms that the uptime percentage in a month covered by Customer's request is below 99.9%, ¶¶Òõ¶ÌÊÓƵ will issue Customer the service credit. Service credits (i) may be applied to any future invoice issued by ¶¶Òõ¶ÌÊÓƵ to Customer (including renewals, subsequent orders and overages), (ii) cannot be exchanged for, or converted to, monetary compensation, and (iii) will expire if not used within twelve months of being issued. The maximum service credit that ¶¶Òõ¶ÌÊÓƵ will issue for downtime in a month is 25% of the fees Customer otherwise owes ¶¶Òõ¶ÌÊÓƵ for that month.

Limitations

A period of unavailability is excluded from the service level guarantee, and will not count towards unavailability calculations for purposes of service credits, due to force majeure, scheduled maintenance, and/or Customer¡¯s breach or otherwise due to its actions.

Heading 1

Heading 2

Heading 3

Heading 4

Heading 5
Heading 6

Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur.

Block quote

Ordered list

  1. Item 1
  2. Item 2
  3. Item 3

Unordered list

  • Item A
  • Item B
  • Item C

Bold text

Emphasis

Superscript

Subscript

Privacy & Security FAQ

Last Updated: ?Aug 22, 2023

¶¶Òõ¶ÌÊÓƵ provides a location data platform that powers maps and location services. ¶¶Òõ¶ÌÊÓƵ provides SDKs (software development kits) and APIs (application programming interfaces), which businesses and developers use to incorporate ¶¶Òõ¶ÌÊÓƵ mapping and navigation technologies into the licensed applications and websites they make. The SDKs contain libraries of software code which are incorporated into a customer¡¯s licensed application or website. These libraries of software code facilitate API requests to ¶¶Òõ¶ÌÊÓƵ¡¯s location data platform (which is a backend data server, hosted in the cloud (AWS-US)) which then responds with map and location content to the customer¡¯s application or website.

In addition, ¶¶Òõ¶ÌÊÓƵ offers an on-premise version of its location data services, called Atlas.

No. ¶¶Òõ¶ÌÊÓƵ does not sell personal data.

No. For customers on a monthly active user (¡°MAU¡±) billing model, ¶¶Òõ¶ÌÊÓƵ maintains counts of MAUs for billing purposes only. ¶¶Òõ¶ÌÊÓƵ does not (and cannot) track an end user¡¯s activity across billing cycles and does not build targeted profiles with the data processed through its products/services.

Data Category Examples
Identifiers Such as randomly generated billing ID, session ID & feedback ID (if given), and IP address (to provide the service, for billing/security purposes and deleted after 30 days).
Commercial Information Such as user agent, which may include an application ID (determined by the ¶¶Òõ¶ÌÊÓƵ customer to identify its application), ¶¶Òõ¶ÌÊÓƵ customer¡¯s account ID (so that ¶¶Òõ¶ÌÊÓƵ knows which company to bill) and ¶¶Òõ¶ÌÊÓƵ product name(s) and version(s). Such as data that an individual may upload to ¶¶Òõ¶ÌÊÓƵ products/services or otherwise provide to ¶¶Òõ¶ÌÊÓƵ in connection with support, or feedback that end users voluntarily contribute to ¶¶Òõ¶ÌÊÓƵ along with their associated contact information.
Internet or other electronic network activity Such as timestamp accompanying received data elements, an end user¡¯s abandonment of a given navigation route / use of an alternate navigation route;
Such as connectivity and device data including device model and browser information, operating system, and contents of an API or SDK request.
Geolocation Data Such as latitude and longitude, altitude, horizontal and vertical accuracy (the session ID association is broken within 24 hours.)Applies only to Navigation SDK: If ¶¶Òõ¶ÌÊÓƵ Copilot is enabled, ¶¶Òõ¶ÌÊÓƵ receives detailed full trip trace files and searchresults of navigation sessions. ¶¶Òõ¶ÌÊÓƵ Copilot is disabled by default and may only be enabled by ¶¶Òõ¶ÌÊÓƵ Navigationcustomers (not end users) in their licensed applications.At any time, end users may change their location permissions for a given licensed application through their mobiledevice and choose to disable access to location data. Such change may affect the designed functionality of the licensed application.

¶¶Òõ¶ÌÊÓƵ applies the principle of data minimization to product development and operations in an effort to collect only limited ?data ?from ?the ?outset. ¶¶Òõ¶ÌÊÓƵ ?operates ?a ?number ?of ?technical ?and ?organization measures regarding the limited personal dataset that we process, such as strict access controls and prompt deletion of raw log files that contain IP addresses and billing IDs. ¶¶Òõ¶ÌÊÓƵ deploys regular ID rotation and 1-way hashing for billing IDs, which must be retained for accounting and billing purposes, to minimize the ability ?to ?track ?user ?requests over time. Billing ?IDs ?are ?not ?transmitted with ?unrelated ?events, ?further reducing ?the ?feasibility ?of ?correlating ?a ?user¡¯s ?activities ?over ?time. ?In ?addition, ¶¶Òõ¶ÌÊÓƵ?operates ?strict anonymization procedures, such as clipping traces, for telemetry events that send location data.

Communication through the Internet requires the presence of IP addresses, which specify each transmission¡¯s origin and destination. When end users engage with applications that access ¶¶Òõ¶ÌÊÓƵ products/services through the Internet, the end user necessarily discloses their current IP address to one or more ¶¶Òõ¶ÌÊÓƵ servers. IP addresses are retained in cloudfront logs for 30 days for billing and customer usage reporting, unless involved in an ongoing security, anti-fraud, or misuse investigation.

¶¶Òõ¶ÌÊÓƵ receives location data when a ¶¶Òõ¶ÌÊÓƵ customer¡¯s end users uses a licensed application that incorporates ¶¶Òõ¶ÌÊÓƵ mobile SDKs and the end user has authorized the licensed application¡¯s use of the end user¡¯s device location via their mobile phone or device operating system.

Location data includes fields such as latitude and longitude, altitude, horizontal and vertical accuracy, a session ID rotating every 24 hours, and origin IP address (as would any Internet communication). The IP address that accompanies location data is retained at the load balancer (where it is used for security and PUBLISHED: Aug 22, 2023/legal/legal-faq ¶¶Òõ¶ÌÊÓƵ Customer FAQ, Page 3billing purposes and discarded after 30 days). This IP address is not forwarded to the location telemetry processing pipeline. Location data is encrypted in transit and at rest, and is subject to the principle of least access, with the minimal number of personnel and processes having access to it in its pre-aggregated form.

In the location data anonymization pipeline, the location data is then anonymized by clipping off the origin and destination of the trip and further dividing the trip into segments, which cannot be reassembled. The anonymized location data is then used to improve ¶¶Òõ¶ÌÊÓƵ mapping products, including the Traffic and Movement data products.

In AWS in the United States. However, for performance purposes, ¶¶Òõ¶ÌÊÓƵ regularly caches content on its AWS content delivery network (¡°CDN¡±) located in various regions. ¶¶Òõ¶ÌÊÓƵ employees who work for ¶¶Òõ¶ÌÊÓƵ wholly-owned subsidiaries may access personal data from the countries where they work in order to support, develop and provide ¶¶Òõ¶ÌÊÓƵ products/services.

No. ¶¶Òõ¶ÌÊÓƵ¡¯s products/services store and serve source data from an AWS primary region in the US. As noted above, data is cached and served out of various regions outside the US for performance reasons, however ¶¶Òõ¶ÌÊÓƵ cannot serve its data from one limited geographic region. To comply with GDPR and safeguard transfers to the US and other countries, please see ¶¶Òõ¶ÌÊÓƵ's DPA, Schedule C, which includes the Standard Contractual Clauses released in 2021 by the European Commission.

Yes. ¶¶Òõ¶ÌÊÓƵ carefully scrutinizes the personal data it processes within its engineering lifecycle, which includes conducting a privacy review for new (or changed) processing activities. ¶¶Òõ¶ÌÊÓƵ follows privacy-by-design principles and works diligently to limit the personal data it processes from the outset. A DPIA is conducted in any situation in which processing of personal data may be considered high risk and not able to be accomplished in a lower risk manner.

¶¶Òõ¶ÌÊÓƵ runs a global data protection program designed to operate in compliance with applicable global privacy laws, including: VCDPA (Virginia, USA), UCPA (Utah, USA), UK-GDPR (UK), TIPA (Tennessee, USA), TDPSA (Texas, USA),PIPEDA (Canada), MTCDPA (Montana, USA), LGPD (Brazil),IDPL (Iowa, USA), ICDPA(Indianna, USA), GDPR (Europe), CTDPA (Connecticut, USA), CCPA and its implementing regulations including CPRA (California, USA), CPA (Colorado, USA), and APPI (Japan), among many other important jurisdictions.
?
¶¶Òõ¶ÌÊÓƵ¡¯s privacy program is based on privacy by design, which includes monitoring for upcoming privacy laws and regulations to assess whether its practices may need to be adjusted to maintain compliance; product/service privacy reviews; data breach response processes; and operationalized technical and organizational measures designed to ensure the security of the personal data it receives including: security audits and SOC2 certification; anonymization & pseudonymization of personal data (where applicable); strict access control with logging; limited data retention periods.

Yes. ¶¶Òõ¶ÌÊÓƵ is SOC2 Type 2 certified with a summary SOC3 report available for customer review. In addition, ¶¶Òõ¶ÌÊÓƵ earned and maintains Trusted Information Security Assessment Exchange (¡°TISAX¡±) and ISO 9001 certifications. Upon request and execution of an NDA, ¶¶Òõ¶ÌÊÓƵ may share a copy of its latest SOC2 report.

¶¶Òõ¶ÌÊÓƵ welcomes any further questions you may have regarding its ongoing commitment to privacy and data security. Please contact ¶¶Òõ¶ÌÊÓƵ¡¯s privacy office at privacy@mapbox.com.

Want to receive updates on our sub-processors?

Please subscribe below:

Stay tuned for updates!
Please enter an email address that includes @.