Skip to content
Back to Smart Site Plan

Data Processing Agreement

Last updated: Jun 25, 2026 · Version: dpa-2026-06-25

This document is a template provided for transparency. It has not been reviewed by an attorney and requires review by counsel before you rely on it legally.

1. Purpose and scope

This Data Processing Agreement ("DPA") forms part of and supplements the Terms of Service between you (the "Customer") and Juno Maps, LLC d/b/a Smart Site Plan ("Smart Site Plan," "we," or "us"). It governs our processing of personal data on your behalf when you use the Service and applies to the extent that data protection laws such as the GDPR, UK GDPR, or the CCPA apply to that processing. If you require a signed copy, contact us as described below.

2. Roles

For personal data you upload or generate in your projects ("Customer Personal Data"), you are the controller (or business) and Smart Site Plan is the processor (or service provider). We process Customer Personal Data only to provide the Service and on your documented instructions, which include the Terms, this DPA, your configuration of the Service, and your use of its features. We will tell you if an instruction appears to violate applicable law.

As controller, you are responsible for establishing a lawful basis for your processing and for providing any notice to, and obtaining any consent from, the individuals whose data you submit, including form respondents, field workers, and people referenced in your content, and for honoring their rights. Many of those individuals provide their data to you, not to us, so you are the party positioned to give them notice at the point of collection.

3. Details of processing

  • Subject matter and duration: provision of the Service for the term of your subscription, plus the retention periods in our Privacy Policy.
  • Nature and purpose: hosting, storing, transmitting, displaying, and processing Customer Personal Data to operate, secure, support, and improve the Service and its features (including mapping, location, forms, search, property lookups, and AI analysis you invoke).
  • Categories of data: account and contact details, project content, location and GPS data, files and photos, form submissions and respondent data, usage and device data, and any other personal data you choose to submit.
  • Categories of data subjects: your users, collaborators, field workers, form respondents, visitors to projects you publish, and any individuals referenced in your content.

4. Our obligations as processor

We will:

  • process Customer Personal Data only on your documented instructions;
  • ensure personnel authorized to process the data are bound by confidentiality;
  • implement appropriate technical and organizational security measures (Section 5);
  • respect the conditions in Section 6 for engaging sub-processors;
  • assist you, taking into account the nature of the processing, in responding to data subject requests (Section 7) and in meeting your security, breach-notification, and data-protection-impact-assessment obligations; and
  • delete or return Customer Personal Data at the end of the relationship (Section 11).

As a service provider under U.S. state privacy laws, we will not sell or share Customer Personal Data, retain, use, or disclose it for any purpose other than providing the Service, or combine it with data from other sources except as permitted by law.

5. Security measures

We maintain technical and organizational measures appropriate to the risk, including encryption in transit and at rest, access controls, authentication safeguards, tamper-evident audit logging, network protection, and continuous monitoring, as described on our Security Practices page, which is incorporated by reference.

6. Sub-processors

You provide a general authorization for us to engage sub-processors to help provide the Service. Our current sub-processors, with their purpose and location, are listed in our Sub-Processor Register. We impose data protection obligations on each sub-processor that are no less protective than those in this DPA, and we remain responsible for their performance.

We will provide a mechanism to be notified of new sub-processors before they begin processing, and you may object on reasonable data-protection grounds within 30 days of notice. If we cannot resolve a good-faith objection, you may terminate the affected part of the Service.

7. Assistance with data subject rights

We help you respond to requests from individuals to access, correct, delete, restrict, port, or object to the processing of their personal data, taking into account the nature of the processing and the information available to us. Individuals can also submit a request directly through our privacy request page, and we will route it appropriately.

8. Personal data breach

If we become aware of a personal data breach affecting Customer Personal Data, we will notify you without undue delay, and in any event within 72 hours where feasible, and provide the information you reasonably need to meet your own notification obligations, including the nature of the breach, the likely consequences, and the measures taken or proposed.

9. International transfers

Customer Personal Data is processed in the United States. For restricted transfers from the European Economic Area, the United Kingdom, or Switzerland, we rely on the European Commission's Standard Contractual Clauses (the controller-to-processor module, Module Two, and the processor-to-processor module where a sub-processor is engaged), completed with the parties and processing details from this DPA and the Sub-Processor Register. For the United Kingdom we use the UK International Data Transfer Addendum to those clauses, and for Switzerland the Swiss adaptations. Where a recipient is certified under the EU-US Data Privacy Framework (and its UK and Swiss extensions), we may rely on that framework for transfers to it. We apply supplementary measures where appropriate, and the clauses are incorporated by reference where they apply.

10. Audits and information

On reasonable written request, and subject to confidentiality, we will make available the information reasonably necessary to demonstrate compliance with this DPA, such as our security documentation and, when available, third-party reports. This satisfies audit and inspection rights to the extent permitted by applicable law, without disrupting the Service or compromising other customers' security.

11. Return and deletion

During your subscription you can export Customer Personal Data at any time. On termination, you may export your data for at least 30 days, after which we will delete or anonymize Customer Personal Data in the ordinary course, and purge encrypted backups within 90 days, except where retention is required by law or to resolve disputes.

12. Liability and precedence

Each party's liability under this DPA is subject to the limitations and exclusions in the Terms of Service. In the event of a conflict between this DPA and the Terms regarding the processing of Customer Personal Data, this DPA controls. The Standard Contractual Clauses, where they apply, control over both in the event of a conflict.

13. Contact

To request a signed DPA, ask a question, or raise a sub-processor objection, email privacy@smartsiteplan.com.