Data Processing Agreement

Last Updated: January 1, 2025

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Navabit LLC ("Processor" or "Navabit") and the entity agreeing to these terms ("Controller" or "Customer") for the provision of services as described in the Terms of Service.

1. Definitions

For the purposes of this DPA:

  • "Data Protection Laws" means all applicable data protection and privacy laws, including GDPR, CCPA, and other relevant regulations.
  • "Personal Data" means any information relating to an identified or identifiable natural person processed under this agreement.
  • "Processing" means any operation performed on Personal Data, including collection, storage, use, and deletion.
  • "Data Subject" means the individual to whom Personal Data relates.
  • "Sub-processor" means any third party engaged by Navabit to process Personal Data on behalf of the Customer.

2. Scope of Processing

2.1 Subject Matter

Navabit processes Personal Data on behalf of the Customer to provide marketing analytics, ad platform integration, and business operations services as described in the Terms of Service.

2.2 Categories of Data

Personal Data processed may include:

  • Contact information (name, email, phone)
  • Account credentials
  • Usage data and analytics
  • Marketing and advertising data from connected platforms
  • Customer transaction data from e-commerce platforms

2.3 Categories of Data Subjects

  • Customer employees and authorized users
  • Customer's end customers (when using CRM/e-commerce features)
  • Website visitors (when using tracking features)

2.4 Duration

Processing continues for the duration of the service agreement plus any legally required retention period.

3. Processor Obligations

Navabit shall:

  • Process Personal Data only on documented instructions from the Customer
  • Ensure personnel are bound by confidentiality obligations
  • Implement appropriate technical and organizational security measures
  • Assist the Customer in responding to Data Subject requests
  • Assist the Customer in ensuring compliance with security and breach notification obligations
  • Delete or return Personal Data upon termination as instructed by Customer
  • Make available information necessary to demonstrate compliance
  • Allow for and contribute to audits conducted by the Customer or an auditor

4. Security Measures

Navabit implements the following security measures:

4.1 Technical Measures

  • Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
  • Multi-factor authentication for system access
  • Network security including firewalls and intrusion detection
  • Regular security assessments and penetration testing
  • Automated vulnerability scanning
  • Secure development practices

4.2 Organizational Measures

  • Access control policies based on least privilege
  • Employee security training
  • Background checks for personnel with data access
  • Incident response procedures
  • Business continuity planning

5. Sub-processors

5.1 Authorization

Customer provides general authorization for Navabit to engage sub-processors. Navabit maintains a list of current sub-processors and will notify Customer of changes.

5.2 Current Sub-processors

Sub-processor Purpose Location
Cloud Infrastructure Provider Hosting and compute services United States
Payment Processor Payment processing United States
Email Service Provider Transactional emails United States

5.3 Sub-processor Obligations

Navabit ensures all sub-processors are bound by data protection obligations no less protective than those in this DPA.

6. Data Subject Rights

Navabit will assist Customer in fulfilling Data Subject requests including:

  • Access to Personal Data
  • Rectification of inaccurate data
  • Erasure of Personal Data
  • Restriction of processing
  • Data portability
  • Objection to processing

Navabit will respond to Customer requests regarding Data Subject rights within 10 business days.

7. Data Breach Notification

In the event of a Personal Data breach, Navabit will:

  • Notify Customer without undue delay (and within 48 hours of becoming aware)
  • Provide information about the nature of the breach
  • Describe likely consequences of the breach
  • Describe measures taken or proposed to address the breach
  • Cooperate with Customer in investigating and mitigating the breach

8. International Data Transfers

When Personal Data is transferred outside the European Economic Area:

  • Transfers are made to countries with adequate protection decisions, or
  • Standard Contractual Clauses (SCCs) are in place, or
  • Other appropriate safeguards as recognized by Data Protection Laws are implemented

Customer may request execution of SCCs as an addendum to this DPA.

9. Data Deletion

Upon termination of the service agreement or upon Customer request:

  • Navabit will delete all Personal Data within 30 days
  • Customer may request a copy of data before deletion
  • Navabit may retain data as required by law, clearly documenting the basis
  • Navabit will certify deletion upon Customer request

10. Audits

Customer may audit Navabit's compliance with this DPA:

  • With reasonable prior notice (minimum 30 days)
  • During normal business hours
  • Subject to confidentiality obligations
  • At Customer's expense (unless audit reveals material breach)

Navabit will also provide relevant audit reports and certifications upon request.

11. Liability

Each party's liability under this DPA is subject to the limitations of liability in the Terms of Service, except that limitations do not apply to:

  • Breaches of confidentiality obligations
  • Gross negligence or willful misconduct
  • Statutory liability that cannot be limited

12. Term and Termination

This DPA:

  • Becomes effective when Customer accepts the Terms of Service
  • Remains in effect for the duration of the service agreement
  • Survives termination for any ongoing processing obligations

13. Contact Information

For questions about this DPA or to exercise rights under this agreement:

Navabit LLC
United States