Last Updated: February 18, 2026

Data Processing Agreement

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Navigent.io ApS (CVR: 46285395), with registered address at Nørre Voldgade 70, 1358 København K, Denmark (the "Processor" or "Navigent") and the entity subscribing to the Service (the "Controller" or "Customer").

This DPA is entered into pursuant to Article 28 of the General Data Protection Regulation (EU) 2016/679 ("GDPR") and applies to all processing of personal data carried out by Navigent on behalf of the Customer.

1. Definitions

Terms not defined herein shall have the meaning ascribed to them in the GDPR or the Terms of Service.

• "Personal Data" means any information relating to an identified or identifiable natural person processed by Navigent on behalf of the Customer through the Service.
• "Processing" means any operation performed on Personal Data, including collection, storage, retrieval, use, disclosure, or deletion.
• "Data Subjects" means the individuals whose Personal Data is processed under this DPA (typically the Customer's leads, contacts, or email recipients).
• "Sub-Processor" means a third party engaged by Navigent to process Personal Data on behalf of the Customer.

2. Roles & Scope

2.1 Controller & Processor

The Customer is the Data Controller. The Customer determines the purposes and means of Processing Personal Data. Navigent is the Data Processor. Navigent processes Personal Data only on documented instructions from the Customer and solely for the purpose of providing the Service.

2.2 Categories of Data

The following categories of Personal Data may be processed under this DPA:

• Contact information: names, email addresses, phone numbers, job titles, company names.
• Communication data: email content, subject lines, timestamps, delivery status.
• Behavioral data: email opens, clicks, replies, engagement metrics.
• Enrichment data: publicly available business information associated with contacts.

2.3 Categories of Data Subjects

• Customer's leads and prospective clients.
• Customer's existing clients and contacts.
• Recipients of email Campaigns created by the Customer.

3. Obligations of the Processor

Navigent shall:

1. Process Personal Data only on documented instructions from the Controller, unless required by EU or Member State law.
2. Ensure that persons authorized to process Personal Data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality.
3. Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk (see Section 6).
4. Assist the Controller in responding to Data Subject requests (access, rectification, erasure, portability, restriction, objection).
5. Assist the Controller in ensuring compliance with obligations under GDPR Articles 32–36 (security, breach notification, DPIA, prior consultation).
6. At the Controller's choice, delete or return all Personal Data upon termination of the Service, unless EU or Member State law requires continued storage.
7. Make available to the Controller all information necessary to demonstrate compliance with Article 28 and allow for audits.

4. Sub-Processors

4.1 Authorized Sub-Processors

The Controller grants general written authorization for Navigent to engage Sub-Processors. The current list of Sub-Processors is maintained in our Privacy Policy (Section 4).

Key Sub-Processors include:

• Supabase, Inc. — Database hosting and authentication (EU region).
• Stripe, Inc. — Payment processing (US, EU SCCs).
• OpenAI, LLC — AI processing for email generation and enrichment (US, EU SCCs/DPA).
• Google LLC — Calendar integration (US, EU SCCs).
• Vercel, Inc. — Application hosting (Global, EU SCCs).

4.2 Changes to Sub-Processors

Navigent shall inform the Controller of any intended changes to Sub-Processors at least 14 days in advance, giving the Controller the opportunity to object. If the Controller reasonably objects and Navigent cannot accommodate the objection, the Controller may terminate the affected Service.

4.3 Sub-Processor Obligations

Navigent shall impose data protection obligations on each Sub-Processor that are no less protective than those set out in this DPA, by way of a written contract in accordance with GDPR Article 28(4).

5. International Data Transfers

Where Personal Data is transferred outside the EU/EEA, Navigent ensures that appropriate safeguards are in place in accordance with GDPR Chapter V, including:

• Standard Contractual Clauses (SCCs) as adopted by the European Commission (Commission Implementing Decision (EU) 2021/914).
• Transfer Impact Assessments where required, evaluating the legal framework of the destination country.
• Supplementary measures such as encryption, pseudonymization, and access controls where appropriate.

6. Security Measures

Navigent implements and maintains the following technical and organizational security measures:

6.1 Encryption

• Data in transit: TLS 1.2 or higher for all communications.
• Data at rest: AES-256 encryption for databases and file storage.

6.2 Access Control

• Role-based access control (RBAC) with the principle of least privilege.
• Multi-factor authentication for all administrative access.
• Regular access reviews and revocation upon personnel changes.

6.3 Infrastructure

• Hosted on SOC 2 Type II compliant infrastructure.
• Network isolation and firewall rules restricting unauthorized access.
• Automated vulnerability scanning and patching.

6.4 Backups & Recovery

• Automated daily backups with point-in-time recovery capability.
• Backups stored in encrypted form in geographically separate locations within the EU.
• Disaster recovery procedures tested periodically.

6.5 Personnel

• All personnel with access to Personal Data are bound by confidentiality agreements.
• Regular data protection training for relevant personnel.

7. Data Breach Notification

In the event of a Personal Data breach, Navigent shall:

1. Notify the Controller without undue delay, and in any event within 48 hours of becoming aware of the breach.
2. Provide the Controller with sufficient information to enable the Controller to fulfill its notification obligations under GDPR Articles 33 and 34, including: nature of the breach, categories and approximate number of Data Subjects affected, likely consequences, and measures taken or proposed to address the breach.
3. Cooperate with the Controller and take reasonable steps to mitigate the effects of the breach.

8. Audits

Navigent shall make available to the Controller all information necessary to demonstrate compliance with this DPA. The Controller (or an independent third-party auditor mandated by the Controller) may conduct audits, including inspections, with reasonable notice (at least 30 days) and during normal business hours. The Controller shall bear the cost of any such audit.

9. Duration & Termination

This DPA shall remain in effect for the duration of the Controller's subscription to the Service. Upon termination, Navigent shall, at the Controller's election, delete or return all Personal Data within 30 days, and certify such deletion in writing upon request.

10. Liability

Liability under this DPA is subject to the limitations set forth in the Terms of Service. Each party's liability arising out of or related to this DPA shall not exceed the limitations set forth in the Terms of Service.

11. Governing Law

This DPA shall be governed by and construed in accordance with the laws of the Kingdom of Denmark. Any dispute shall be submitted to the exclusive jurisdiction of Byretten i København (Copenhagen City Court), Denmark.

12. Contact