Data Processing Agreement (EU/UK)

Last Updated: 26 June 2025

This Data Processing Agreement (“DPA”) forms part of the agreement between “Navgar” and “Customer” for the provision of professional services from Navgar (the “Agreement”). This DPA applies to all activities performed in connection with the Agreement in which Navgar, or its Sub-Processors or a third party acting on behalf of the Data Processor may come into contact with Customer's personal data. This DPA is effective as of the date of the last party to sign this DPA (the “Effective Date”).

In the course of providing Navgar Services, Maintenance, Technical Support to Customer pursuant to the Agreement, Navgar may Process Personal Data on behalf of Customer and the Parties agree to comply with the following provisions with respect to any Personal Data, each acting reasonably and in good faith.

1. Scope

1.1 This DPA applies to the Processing of Personal Data provided to Navgar by Customer as part of the provision of Navgar Cloud Services, Professional Services, Maintenance and Technical Support.

2. Definitions and Interpretation

2.1 Capitalized terms used but not defined in this DPA will have the meaning assigned to them in the Agreement.

2.2 The following terms shall have the meanings set out below:

2.2.1 Affiliate: means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control,” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.

2.2.2 Data Protection Laws: means any laws and regulations relating to privacy or the use or processing of data relating to natural persons, including but not limited to:

(a) EU Regulation 2016/679 ("GDPR");
(b) any laws or regulations ratifying, implementing, adopting, supplementing or replacing GDPR or the UK GDPR;
(c) the UK GDPR; and
(d) any guidance or codes of practice issued by a governmental or regulatory body or authority in relation to compliance with the foregoing;
in each case, to the extent in force, and as such are updated, amended or replaced from time to time.

2.2.3 Data Controller: means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

2.2.4 Data Processor: means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controller.

2.2.5 Data Subject: means an identified or identifiable natural person who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his/her physical, physiological, mental, economic, cultural or social identity.

2.2.6 Data Protection Regulator: means any governmental or regulatory body or authority with responsibility for monitoring or enforcing compliance with the Data Protection Laws.

2.2.7 Data Subject Request: means a request from a Data Subject to exercise its rights under the Data Protection Laws in respect of that Data Subject's Personal Data.

2.2.8 Permitted Region: means the European Economic Area and countries with adequacy regulations.

2.2.9 Restricted EU to Non-EU Transfer: means a transfer from the EU to a country which does not provide an adequate level of data protection within the meaning of EU Data Protection Law.

2.2.10 Personal Data: means any information relating to a Data Subject that Customer or its authorized users provide to Navgar as part of the Services. It also includes personal data supplied to or accessed by Navgar or its Sub-Processors in order to provide support under the Agreement.

2.2.11 Personal Data Breach: means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.

2.2.12 Process or Processing: means any operation or set of operations which is performed by Navgar or its Sub-Processors as part of the scope of this Agreement upon Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.

2.2.13 Services: means the Cloud Services, Maintenance and Support Services, and Professional Services provided by Navgar to Customer pursuant to the Agreement.

2.2.14 Standard Contractual Clauses: means the model clauses approved pursuant to the European Commission’s decision 2021/914/EU of 4 June 2021 on Standard Contractual Clauses for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection, including as incorporated into the UK Transfer Addendum, if applicable.

2.2.15 Sub-Processor: means a third party appointed by Navgar to process Customer’s Personal Data in accordance with this DPA.

2.2.16 UK: means the United Kingdom.

2.2.17 UK GDPR: means the EU GDPR as saved into United Kingdom law by virtue of section 3 of the United Kingdom’s European Union (Withdrawal) Act 2018.

2.2.18 UK Transfer Addendum: means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, published by the UK Information Commissioner’s Office on March 21, 2022.

2.2.19 Restricted UK to Non-UK Transfer: means a UK to Non-UK Transfer to a country which does not provide an adequate level of data protection within the meaning of UK Data Protection Law.

3. Compliance with Data Protection Laws

3.1 Each party shall comply with its obligations under Data Protection Laws as they apply to their respective roles as Data Controller or Data Processor.

3.2 Each party shall maintain records of all processing operations under its responsibility that contain at least the minimum information required by the Data Protection Laws and shall make such information available to any Data Protection Regulator on request.

4. Processing and Security

4.1. In performing its obligations under this Agreement, Navgar shall only process the types of Personal Data, and only in respect of the categories of Data Subjects, and only for the nature and purposes of processing and duration, as is set out in the Schedule 1 to this DPA.

4.2. In processing Customer’s Personal Data, Navgar shall:

4.2.1. process Customer Personal Data only in accordance with written instructions provided from Customer from time to time (including those set out in this DPA) unless otherwise required by applicable law;

4.2.2. not process the Customer’s Personal Data for any purpose other than those set out in this Agreement or otherwise expressly authorised by the Customer;

4.2.3. promptly notify the Customer if it receives a Data Subject Request in respect of Customer Personal Data;

4.2.4. provide the Customer with its reasonable co-operation and assistance in relation to any Data Subject Request;

4.2.5. utilise appropriate technical and organisational measures to facilitate responding to requests from Data Subjects;

4.2.6. not disclose any of Customer’s Personal Data to any Data Subject or to a third party (including any subcontractor or Affiliate) other than at the written request of the Customer or as expressly provided for in this Agreement or when it is necessary for the establishment, exercise or defence of legal claims;

4.2.7. protect the Customer Personal Data by ensuring that it has in place appropriate technical and organisational measures, including measures to protect against Security Breaches, taking into consideration:

4.2.7.1. the state of the art;
4.2.7.2. the nature, scope, context and purposes of the processing; and
4.2.7.3. the risk and severity of potential harm.

4.3. Ensure that only persons authorised by Navgar process Customer Personal Data and that such persons are:

(i) subject to binding obligations to maintain the confidentiality of the Customer Personal Data; and

(ii) trained on both (1) the requirements of the Data Protection Laws, and (2) their obligations under this Agreement.

4.4. Without undue delay after discovering any Personal Data Breach or any failure or defect in security which might reasonably be expected to lead to one (a "Security Issue"), notify the Customer.

4.5. Where a Security Issue arises, Navgar shall:

4.5.1. as soon as reasonably practicable, after providing the initial notice under clause 4.4, give the Customer full details of the Security Issue, the actual or expected consequences, and (where appropriate) the measures taken or proposed to be taken;

4.5.2. co-operate with the Customer and provide all reasonable assistance requested by the Customer in connection with that Security Issue;

4.5.3. unless required by law, not make any notifications to a Data Protection Regulator or any Data Subjects about the Security Issue without the Customer’s prior written consent (not to be unreasonably withheld or delayed).

5. Return or Destruction of Personal Data

5.1. Subject to paragraph 5.2 and any specific timeframes set forth in the Agreement, on the expiry or termination of the Agreement, Navgar shall either return or irreversibly delete all of the Customer Personal Data in its possession or control.

5.2. If Navgar is required by applicable law to retain part or all of the Customer’s Personal Data (“Retained Data”), Navgar shall:

5.2.1. cease all processing of the Retained Data other than as required by that law;

5.2.2. keep the Retained Data confidential in accordance with the confidentiality terms in the Agreement; and

5.2.3. continue to comply with this DPA in respect of such Retained Data.

6. Audit

6.1. If the Customer or its third-party independent auditors request to audit and verify that Navgar and its Sub-Processors are complying with their obligations under this Agreement and the Data Protection Laws in relation to Customer Personal Data, Navgar may respond by providing documentation reasonably necessary for such verification.

6.2. If the Customer requires additional information after reviewing such documentation, or if the Customer is required to do so by a Data Protection Regulator, the Customer or its third-party independent auditor may, no more than once per calendar year, conduct an on-site audit of Navgar’s relevant premises, records and personnel involved in the processing of Customer Personal Data, provided that:

6.2.1. the Customer provides Navgar with at least 14 business days’ prior written notice of its intention to conduct such audit, including a detailed audit plan;

6.2.2. the audit is conducted during Navgar’s normal business hours and so as not to interfere with Navgar’s business operations; and

6.2.3. the audit is conducted at the Customer’s sole expense.

7. Co-operation and Assistance

7.1. Navgar shall co-operate with the Customer, and provide such information and assistance as the Customer may reasonably require, to enable the Customer to:

7.1.1. comply with the Customer's obligations under the Data Protection Laws (including Articles 32–36 of GDPR) in respect of Customer Personal Data; and

7.1.2. deal with and respond to all investigations and requests for information relating to the Customer Personal Data from any Data Protection Regulator.

7.2. If Navgar receives any complaint, notice or communication from a Data Protection Regulator or other third party (excluding a Data Subject Request) which relates directly to Customer Personal Data, Navgar shall notify the Customer as soon as reasonably practicable.

8. Sub-Processors

8.1. Some or all of Navgar’s obligations under the Agreement may be performed by Sub-Processors listed in Schedule 2.

8.2. Customer authorizes Navgar to subcontract the processing of Customer’s Personal Data to these Sub-Processors. Navgar is responsible for any breaches of the Agreement caused by its Sub-Processors.

8.3. Navgar will notify Customer in advance (by email or other appropriate way) of any changes to the list of Sub-Processors in place on the effective date and the Customer shall have ten (10) days to notify Navgar of any objection to the appointment or removal of Sub-Processor(s).

8.4. If Navgar appoints a Sub-Processor, Navgar shall ensure that:

8.4.1. such Sub-Processor shall only process Customer’s Personal Data in order to perform one or more of Navgar’s obligations under this Agreement; and

8.4.2. it enters into a written agreement with that Sub-Processor, prior to any processing by the Sub-Processor, requiring the Sub-Processor to:

8.4.2.1. process Customer’s Personal Data only in accordance with the written instructions of Navgar or the Customer; and

8.4.2.2. comply with data protection obligations equivalent in all material respects to those imposed on Navgar under this DPA.

8.5. Notwithstanding the appointment of a Sub-Processor, Navgar is responsible and liable to the Customer for any processing by the Sub-Processor in breach of this DPA.

9. Transfer of Personal Data

9.1. Navgar and its Sub-Processors may process Customer’s Personal Data, or otherwise transfer or access Customer’s Personal Data, outside of the European Economic Area where such transfer is in compliance with the Data Protection Laws.

9.2. Restricted EEA to Non-EEA Transfers of Personal Data originating from the EEA or other permitted region that have not received a binding adequacy decision by the European Commission or by a competent national data protection authority, are subject to (i) the terms of the Standard Contractual Clauses; or (ii) other appropriate transfer mechanisms that provide an adequate level of protection in compliance with the Data Protection Laws.

Restricted UK to Non-UK Transfers of Personal Data originating from the UK to Sub-Processors located in countries outside the UK, EEA or other permitted region that have not received UK adequacy regulations, including the EEA and all countries, territories and international organisations covered by European Commission adequacy decisions, are subject to (i) the terms of the Standard Contractual Clauses; or (ii) other appropriate transfer mechanisms that provide an adequate level of protection in compliance with the UK Data Protection Law.

In this regard, for these transfers, the International Data Transfer Addendum to the SCCs as of 21 March 2022, as issued under Section 119A(1) of the UK Data Protection Act 2018 (as may be amended, updated or superseded from time to time by the UK Government or the Information Commissioner’s Office), is included as reference in Schedule 4 of the DPA.

10. Application of the Standard Contractual Clauses Document

10.1. If processing of Personal Data involves a transfer outside the EEA or Switzerland, the SCCs apply as stated in this section and section 10 and are incorporated by reference.

10.2. The SCCs apply where there is an international transfer to a country that does not ensure an adequate level of protection for the rights and freedoms of Data Subjects in relation to the processing of Personal Data as determined by the European Commission.

10.3. For Sub-Processors, Navgar has entered into the unchanged version of the Standard Contractual Clauses prior to the Sub-Processor’s processing of Personal Data, using Module II (Controller to Processor), which shall be populated as follows:

10.3.1. Clause 7: The optional docking clause shall apply.
10.3.2. Clause 9: Option 2 shall apply and the time period for notice of Sub-Processor changes shall be 15 days.
10.3.3. Clause 11(a): The optional language shall not apply.
10.3.4. Clause 13 and Annex I.C.: The supervisory authority of the Member State in which the data subjects whose personal data is transferred under the SCCs shall act as competent supervisory authority.
10.3.5. Clause 17: Option 1 shall apply, and the governing law shall be the laws of Spain.
10.3.6. Clause 18(b): Disputes shall be resolved by the courts of Spain.
10.3.7. Annex I:

(a) the List of Parties shall be as set forth in the Agreement and any applicable Statement of Work (SOW), Change Order or other document more fully describing the applicable services;
(b) the description of activities relevant to the data transferred under the SCCs are further described in Schedule 1 of this DPA and the Agreement; and
(c) the Competent Supervisory Authority shall be as set forth above.

10.3.8. Annex II: the Technical and Organisational Measures shall be set forth in Schedule 3 (Technical and Organisational Measures).
10.3.9. Annex III: the List of Sub-Processors shall be maintained in Schedule 2.

10.4. If any transfer of Customer Personal Data between Customer and Navgar requires the execution of the UK IDTA in order to comply with Data Protection Laws, Customer, as controller and data exporter, and Navgar, as processor and data importer, hereby enter into (and incorporate herein by reference) the UK IDTA effective as of the commencement of such transfer. The UK IDTA shall be populated as follows:

10.4.1. Part 1, Table 1 (Parties): The parties shall be as set forth in the Agreement and any applicable SOW, Change Order or other document more fully describing the applicable services.
10.4.2. Part 1, Table 2 (Selected SCCs, Modules and Selected Clauses): The UK IDTA shall be appended to the SCCs as set forth in section 10.3.
10.4.3. Part 1, Table 3 (Appendix Information): The appendix information shall be as set forth in section 10.3.
10.4.4. Part 1, Table 4 (Ending this Addendum when the Approved Addendum Changes): Either Party may end the UK IDTA as set out in Section 19 thereof.

10.5. Swiss Data Protection Act. The SCCs, as set forth in section 10.3, shall apply to any cross-border transfers of Customer Personal Data governed by the Swiss Data Protection Act, with the following modifications:

10.5.1. Any references in the SCCs to "Regulation (EU) 2016/679" shall be interpreted as references to the Swiss Data Protection Act, and any references in the SCCs to specific Articles of "Regulation (EU) 2016/679" shall be replaced with the equivalent article or section of the Swiss Data Protection Act.

10.5.2. Any references in the SCCs to "EU", "Union", "Member State" or "Member State law" shall be interpreted as references to Switzerland and the laws of Switzerland, as the case may be, and shall not be interpreted in such a way as to exclude Data Subjects in Switzerland from exercising their rights in their place of habitual residence in accordance with Clause 18(c) of the SCCs. In furtherance of the foregoing, Clause 17 of the SCCs shall be modified to provide that the governing law shall be the laws of Switzerland.

10.5.3. Any references in the SCCs to "competent supervisory authority" or "competent courts" shall be interpreted as references to the Federal Data Protection and Information Commissioner of Switzerland (the “Swiss FDPIC”) and the courts of Switzerland, as the case may be. In furtherance of the foregoing:

(a) Clause 13 and Annex I.C. of the SCCs shall be modified to provide that the Swiss FDPIC shall have authority over data transfers governed by the Swiss Data Protection Act (it being agreed that authority over data transfers not governed by the Swiss Data Protection Act shall be as otherwise set forth in this DPA); and
(b) Clause 18(b) of the SCCs shall be modified to provide that disputes shall be resolved by the courts of Switzerland.

10.5.4. The parties may supplement the Annexes to the SCCs in any SOW, Change Order or other document more fully describing the applicable services, which shall be deemed incorporated herein by reference with respect to such services. In the event of any conflict or inconsistency between this DPA or any such supplemental document, on the one hand, and the SCCs, on the other hand, the SCCs shall prevail to the extent required by Data Protection Laws. Notwithstanding anything to the contrary herein, in no event shall this DPA or any such supplemental document, directly or indirectly, prejudice the rights of data subjects under Data Protection Laws.

11. Limitation of Liability:

11.1. Navgar, as a Data Processor, shall have no liability to Data Controller for losses, damages or costs that are indirect, special, punitive or consequential. In this regard, each Party’s liability taken together in the aggregate, arising out of or related to this DPA, whether in contract, tort, or under any other theory of liability, is subject to the limitation of liability provisions of the Agreement.

12. Modifications.

12.1. Navgar may change this DPA where (a) the change is required to comply with an Applicable Law; or (b) the change is commercially reasonable, does not materially reduce the security of the Services, does not change the scope of Navgar’s processing of Customer Personal Data, and does not have a material adverse impact on Customer’s rights under this DPA.

Schedule 1

Details of Processing of Customer Personal Data

The Personal Data processing activities carried out by Navgar under this Agreement may be described as follows:

Subject matter of processing
Processing by Navgar of Personal Data provided by Customer during its use of the Services under the Agreement.
Nature and purpose of processing
To fulfil Navgar’s obligations under the Agreement, including making the Services available.
Categories of Personal Data. Frequency of the transfer.
The Personal Data that is sent to Navgar by, or on behalf of, Customer for the purpose of using the Services.
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
No sensitive data is transferred.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
Personal Data is transferred on a continuous basis.
Categories of data subjects
Customer and its Authorized Users, Customer’s clients and prospective clients.
Duration
The Term of this Agreement

Schedule 2

To Data Processing Agreement

SUB-PROCESSORS LIST

Navgar engages a select group of trusted third-party service providers—known as sub-processors—to help us deliver, maintain, and improve our platform. These sub-processors may process limited personal data on our behalf as part of providing their services.

The table below outlines each sub-processor's name, a description of the services they provide, and the location where processing occurs. We regularly assess our sub-processors to ensure they meet our security, privacy, and compliance standards. This list is reviewed and updated as needed to reflect any changes in our operational or legal obligations.

If you have any questions or concerns about how your data is handled, please don’t hesitate to contact us.

  
      SUBPROCESSOR NAME
      DESCRIPTION
      LOCATION OF PROCESSING
    

  
      AWS
      Purpose:
Provides cloud infrastructure for hosting, data storage, and application services.

Function:
Used to securely store data, run backend systems, and deliver reliable performance at scale.

Privacy:
Data is encrypted in transit and at rest, with strict access controls in place.
      410 Terry Ave N, 
Seattle 98109, WA
US
    

      INTERCOM
      Purpose:
Used for customer support, user engagement, and lead generation.

Function:
Provides live chat, automated messaging, and help desk tools to assist users and communicate product updates.

Privacy:
Handles contact and usage data in line with our privacy practices.
      55 2nd Street, 4th Floor, 
San Francisco, CA 94105
US
    

      LOG ROCKET
      Purpose:
Used to diagnose and resolve user experience issues by replaying user sessions.

Function:
Captures in-app interactions using browser APIs (like MutationObserver) to generate visual replays that help identify bugs and understand behavior.

Privacy:
Data is handled securely and sensitive information is excluded or masked where appropriate.
      87 Summer St HQ
Boston, MA 02110
US
    

      OPENAI
      Purpose:
Supports user-initiated content generation and product improvement via anonymized analytics.

Function:
Processes user inputs to generate responses and provide usage insights. No data is used for independent purposes or shared beyond these functions.

Privacy:
Customer data is processed solely to fulfill user requests and is handled securely and anonymously.
      87 Summer St HQ
Boston, MA 02110
US
    

      RETOOL
      Purpose:
Used for internal analytics on user, account, and client portfolio health.

Function:
Enables custom dashboards and queries to monitor usage patterns and support business insights.

Privacy:
Access is restricted and data is used solely for operational analysis within our platform.
      1550 Bryant Street,
San Francisco, CA 94102
US
    

Schedule 3

Navgar Technical and Organizational Security Measures

1. Navgar TOMS

Navgar provides a cloud communications platform for a wide range of customer and business needs. Recognizing the importance of information security, we invest considerable time and effort into ensuring our platform is secure. This page outlines some of the steps we take to protect your account and information. For further questions, please contact your Account Manager.

1.1. Physical Security

Navgar’s servers are hosted by IBM SoftLayer and AWS in data centres in Europe, the United States and SE Asia. SoftLayer provides us with hardware, network connectivity and secure physical space relating to our customer data. SoftLayer is compliant with ISO 27001 and other standards.

1.2. System Security

We use firewalls and logical access control to protect our servers from unauthorized system access, allowing only trusted operations personnel to manage our systems. We also make sure to use strong configuration standards to harden our servers, and we keep them up-to-date with the latest security patches.

1.3. Application Security

We support strong cryptography for communication over public networks, so that your Navgar Dashboard password, API secret, and contents of your communications may be protected in transit as set forth below.

1.4. Type of Communication – Secure Protocols Used / Other Protocols

BetweenSecure Protocols UsedOther Protocols UsedCustomers and Navgar APIsHTTPS, SMPP-over-SSL, SIP, RTPSMPPNavgar DashboardHTTPS—Between Navgar and CarriersHTTPS, SMPP-over-IPsec, ENUM-over-IPsecHTTP, SMPP, ENUM, SIP, RTP

We still support unencrypted protocols on the customer side in response to customer demand, but we strongly encourage customers to use secure protocols. Rest assured, the security of your data is unaffected by the communications protocols used by Navgar’s other customers because of the logical segregation between customer accounts.

In connection with the provision of our services, Navgar has secured direct relationships with telecommunications carriers and similar service providers around the globe. While many of our connections with these carriers are secure, some of these “last mile” connections are unencrypted. This is beyond our control and depends on the carrier, as some telecommunications providers have legacy infrastructure and do not currently support secure protocols. We opt for secured communication with carriers when available.

We have rate limiting in place on API calls and Navgar Dashboard logins to prevent brute force attacks. Password complexity requirements are enforced on API secrets and Navgar Dashboard passwords.

Navgar Dashboard passwords are cryptographically hashed and not accessible to any Employee or Contractor.

The Navgar Dashboard supports 2-factor authentication (2FA using Navgar Verify) when elected by customers. If this is enabled, Navgar Dashboard logins require an additional verification code, which is sent by SMS or automated phone call to the phone registered on your account, to be entered when logging in from an IP address different from the one used on the previous successful login.

On request, we can enable restrictions on a Navgar Dashboard account such that it can only be logged into from specified IP addresses.

Accounts are logically segregated from each other, and we use role-based access control within our company for access to systems and information.

1.5. Redundancy, Availability, and Uptime

Navgar is committed to supplying a highly available platform and we do our best to minimize outages. Through use of a content delivery network, geographically redundant data centers, and redundancy within each data center, we ensure failovers exist at several levels to maximize uptime.

We currently provide 99% availability and endeavour to increase it further to 99.9%. Information about availability and outages will be found shortly on our status page.

We also take regular offsite backups of important data to ensure business continuity.

2. Exclusions

2.1. Navgar shall have no liability for any incidents involving disclosure of Customer Data, which arise out of the inadequate use of Authorized User accounts or Customer’s Applications. The Customer is solely responsible for configuring, operating, maintaining, and securing access to Customer Applications and their content, by managing Customer’s accounts when using their own identity management system, and enforcing use of strong password policies, enforcing account lockout policies, defining access rights for these accounts, and configuring adequate session expiration.

2.2. In any case, Navgar will take appropriate steps to ensure compliance with the Technical and Organizational Measures by its employees, agents, contractors, and Subprocessors to the extent applicable to their scope of performance, including ensuring that all persons authorized to Process Customer Personal Data have agreed to appropriate confidentiality obligations.

Schedule 4

Standard Contractual Clauses

Pursuant to GDPR Article 46, the SCCs are incorporated into the DPA by reference at clause 2.1.14 and by reference to the information required to complete the SCCs, the parties agree the following:

The names and addresses of the parties as defined in the Agreement shall be incorporated into these SCCs, it being understood that the Customer shall be the "data exporter" and Controller and Navgar shall be the "data importer" and Processor.
In Clause 9 of the SCCs, option 2 (general written authorisation) shall be considered chosen by and applicable to the parties, and fifteen (15) calendar days shall be the specified time period for changes to the list of Sub-Processors.
In Clause 11 of the SCCs, the optional provision shall not be considered chosen by and applicable to the parties.
In Clause 17 of the SCCs, option 2 shall be considered chosen by and applicable to the parties and the governing law shall be the law of Spain.
In Clause 18 of the SCCs, the choice of forum and jurisdiction shall be the law of Spain.
Your and our signature to the Agreement shall be considered as signature to the SCCs.
The information specific to the competent supervisory authority and which is required to complete Annex I.C. to the SCCs is as follows:
For data transfers subject to GDPR, the Agencia Española de Protección de Datos shall act as the competent supervisory authority.

Appendix 1 to the Standard Contractual Clauses

This Appendix forms part of the Clauses and must be completed and signed by the parties.

The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Appendix.

Data exporter:
Customer is the data exporter.
Data importer:
The data importer is Navgar, an Affiliate of Navgar Group Limited, which may perform certain aspects of the Navgar Services, such as service administration and technical support. To this extent, Navgar may process personal data upon the instruction of the data exporter in accordance with the terms of the Navgar Agreement – Modeler Services.
Data subjects:
The personal data transferred may concern the categories of Data Subjects set out in section “Categories of Data Subjects” in Schedule 1 of the DPA.
Categories of data:
The personal data transferred may concern the categories of Data set out in section “Categories of Personal Data” in Schedule 1 of the DPA.
Processing operations:
The personal data transferred may be subject to the basic processing activities set out in “Subject Matter of Processing” in Schedule 1 of the DPA.

Appendix 2 to the Standard Contractual Clauses

Description of the technical and organizational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c):

Personnel:
Data importer’s personnel will not process Customer Data without authorization. Personnel are obligated to maintain the confidentiality of any Customer Data and this obligation continues even after their engagement ends.
Data Privacy Contact:
The data compliance officer of the data importer can be reached at the following address:
📧 Legal@navgar.com
Technical and Organizational Measures:
The data importer has implemented and will maintain appropriate technical and organizational security measures, internal controls, and information security routines intended to protect Customer Data, as defined in the DPA, against accidental loss, destruction, or alteration; unauthorized disclosure or access; or unlawful destruction, as follows:
The technical and organizational measures, internal controls, and information security routines set forth in the DPA are hereby incorporated into this Appendix 2 by this reference and are binding on the data importer as if they were set forth in this Appendix 2 in their entirety.

Schedule 5

UK Data Transfer Mechanism

The UK Data Transfer Mechanism is incorporated into the DPA by reference at clause 2.1.18 and by reference to the information required to complete the UK Data Transfer Mechanism, the Parties agree to the following:

In Table 1 of the UK Data Transfer Mechanism, the names and addresses of the parties as defined in the Agreement and Exhibit C shall be incorporated into the UK Data Transfer Mechanism, it being understood that the Customer shall be the "data exporter" and Controller, and Navgar shall be the "data importer" and Processor.
In Table 2 of the UK Data Transfer Mechanism, Module 2 is selected, with the information required to complete Module 2 in Exhibits A and C.
In Table 3 of the UK Data Transfer Mechanism, the information required to complete Table 3 is as listed in the DPA and Exhibits A, B, and C.
In Table 4 of the UK Data Transfer Mechanism, “exporter” is selected.