Security & Legal
Security & Legal
Breadcrumbs

Data Processing Addendum (DPA) – Exhibit for MobilityStream, LLC 

Data Processing Addendum Exhibit: Minimal Personal Data Processing

This Exhibit describes the scope of personal data processing by MobilityStream, LLC (“Processor”) for customers (“Controller”) in connection with the Mobility Stream Platform SaaS services.

  1. Categories of Personal Data Processed

  • IP addresses (transient, for authentication, access logging, and security monitoring)

  • User account email addresses (for authentication, access control, and support)

  • Support ticket metadata (subject, timestamps, user email, system events, if initiated by users)

  • System usage metadata (event timestamps, anonymized session IDs, device/browser type)

  • Configuration data for MobilityStream apps (non-personal, unless user-provided fields contain PII)

  1. Purposes of Processing

  • User authentication and access control

  • Security monitoring and incident response (including intrusion detection and log management)

  • Support ticket management (as initiated by users)

  • Service usage analytics (aggregated, anonymized)

  • System configuration and troubleshooting

  1. Retention and Deletion

  • IP addresses and log data are automatically purged within 30 days via scheduled AWS Lambda jobs.

  • Support ticket metadata is deleted upon ticket closure or after 90 days, enforced by SupportPlatform automation.

  • Session IDs and analytics data are anonymized and aggregated within 7 days.

  • No customer content or other personal data is stored outside these categories.

  1. Subprocessors

  • Amazon Web Services (AWS): Cloud hosting, databases (EC2, RDS, DynamoDB), networking, encryption, backups. Data processed: IP addresses, email addresses, configuration metadata. Location: USA. Transfer Mechanism: DPF/SCCs.

  • AWS GuardDuty: Intrusion detection, security event monitoring. Data processed: IP addresses, event logs. Location: USA. Transfer Mechanism: DPF/SCCs.

  • AWS CloudWatch: Log management and alerting. Data processed: authentication logs, system events. Location: USA. Transfer Mechanism: DPF/SCCs.

  • AWS Inspector: Vulnerability scanning. Data processed: system configuration, event logs. Location: USA. Transfer Mechanism: DPF/SCCs.

  • Bitbucket (Atlassian): Source code repository (no customer data). Location: USA. Transfer Mechanism: SCCs.

  • Jira (Atlassian): Internal project management and support ticketing. Data processed: support ticket metadata, user emails. Location: USA. Transfer Mechanism: SCCs.

  • Confluence (Atlassian): Internal documentation and user guides. Data processed: internal only. Location: USA. Transfer Mechanism: SCCs.

  • SupportPlatform: Customer support ticketing. Data processed: support ticket metadata, user emails. Location: USA. Transfer Mechanism: SCCs.

  • Microsoft 365: Identity management, email, office applications. Data processed: user account emails, support communications. Location: USA. Transfer Mechanism: SCCs/DPF.

  • Slack (Salesforce): Internal messaging. Data processed: internal only. Location: USA. Transfer Mechanism: SCCs.

  • AnalyticsProvider (MixPanel): Aggregated, anonymized usage analytics. Data processed: anonymized session IDs, device/browser type. Location: USA. Transfer Mechanism: SCCs/DPF.

All subprocessors are contractually obligated to comply with GDPR requirements and are reviewed annually for security posture and privacy compliance.

  1. International Transfers

  • Transfers outside the EEA/UK are governed by Standard Contractual Clauses (SCCs) or Data Privacy Framework (DPF) certification.

  • Transfer Impact Assessments (TIAs) are maintained for all relevant subprocessors and reviewed annually.

  1. Data Subject Rights

  • MobilityStream, LLC will assist customers in responding to data subject requests for access, deletion, or rectification, as required by GDPR.

  • Requests are fulfilled in accordance with documented procedures and within contractual SLAs.

  • Data subject requests are handled via privacy@mobilitystream.com and tracked in Jira Service Management.

  1. Security Measures

  • Encryption at rest and in transit (AWS KMS, TLS 1.2+)

  • Role-based access controls, quarterly access reviews

  • Multi-factor authentication for production access and administration

  • Automated vulnerability scanning (AWS Inspector), annual penetration testing

  • Network segmentation and firewall rules (AWS VPC)

  • Incident response plan tested annually

  • Automated log scrubbing and deletion jobs (AWS Lambda)

  • Data classification and retention policies reviewed annually