Data Processing Agreement (Canada)
If you are a Navgar customer needing a signed copy of this document for your records, please reach out to us at legal@navgar.com.
Last Updated: 15 July 2025
This Data Processing Agreement (“DPA”) forms part of the agreement between “Navgar” and “Customer” for the provision of professional services from Navgar (the “Agreement”). This DPA applies to all activities performed in connection with the Agreement in which Navgar, or its Sub-Processors or a third party acting on behalf of the Data Processor may come into contact with Customer's personal data. This DPA is effective as of the date of the last party to sign this DPA (the “Effective Date”).
In the course of providing Navgar Services, Maintenance, Technical Support to Customer pursuant to the Agreement, Navgar may Process Personal Data on behalf of Customer and the Parties agree to comply with the following provisions with respect to any Personal Data, each acting reasonably and in good faith.
1. Scope
1.1 This DPA applies to the Processing of Personal Data provided to Navgar by Customer as part of the provision of Navgar Cloud Services, Professional Services, Maintenance and Technical Support.
2. Definitions and Interpretation
2.1. Capitalized terms used but not defined in this DPA will have the meaning assigned to them in the Agreement:
2.1.1. Affiliate: means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control,” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
2.1.2 Data Protection Laws: means any laws and regulations relating to privacy or the use or processing of data relating to natural persons, including but not limited to the Canadian and US Data Privacy Laws, in particular: (a) The Personal Information Protection and Electronic Documents Act (PIPEDA) at the federal level; (b) The Personal Information Protection Act (PIPA) applicable in British Columbia; (c) the Personal Information Protection Act of Alberta (“PIPA Alberta”); and (d) any guidance or codes of practice issued by a governmental or regulatory body or authority in relation to compliance with the foregoing; in each case, to the extent in force, and as such are updated, amended or replaced from time to time.
2.1.3. Data Controller: means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
2.2.4. Data Processor: means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controller.
2.1.5. Data Subject: means an identified or identifiable natural person who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his/her physical, physiological, mental, economic, cultural or social identity.
2.1.6. Data Protection Regulator: means any governmental or regulatory body or authority with responsibility for monitoring or enforcing compliance with the Data Protection Laws. In particular, it shall mean the Canadian Information and Privacy Commissioner as applicable.
2.1.7. Data Subject Request: means a request from a Data Subject to exercise its rights under the Data Protection Laws in respect of that Data Subject's Personal Data.
2.1.8. Personal Data: means any information relating to a Data Subject that Customer or its authorized users provide to Navgar as part of the Services. It also includes personal data supplied to or accessed by Navgar or its Sub-Processors in order to provide support under the Agreement.
2.1.9. Personal Data Breach: means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.
2.1.10. Personal Health Information: means personal health information about an individual as defined by Applicable Privacy Law.
2.2.11. Process or Processing: means any operation or set of operations which is performed by Navgar or its Sub-Processors as part of the scope of this Agreement upon Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.
2.2.12. Services: means the Cloud Services, Maintenance and Support Services, and Professional Services provided by Navgar to Customer pursuant to the Agreement.
2.2.13. Sub-Processor: means a third party appointed by Navgar to process Customer’s Personal Data in accordance with this DPA.
3. Compliance with Data Protection Laws
3.1. Each party shall comply with its obligations under Data Protection Laws as they apply to their respective roles as Data Controller or Data Processor, including but not limited to PIPEDA and PIPA in Canada, and any applicable US Privacy Laws.
3.2. Each party shall maintain records of all processing operations under its responsibility that contain at least the minimum information required by the Data Protection Laws and shall make such information available to any DP Regulator on request.
3.3. Regarding Personal Health Information, as applicable and in case that Navgar requires the processing of such personal information to provide its services to the Customer, Navgar shall process Personal Health Information only on the documented instructions of the Controller and in compliance with all applicable Canadian privacy laws, including the Personal Information Protection and Electronic Documents Act (PIPEDA) and any relevant provincial health information legislation.
3.4. In this regard, the Customer, as the Data Controller, shall obtain any required explicit and informed consent from Data Subjects prior to the collection, use, or disclosure of Health Data, and shall at all times comply with its data protection obligations, while also ensuring that it has a legitimate legal basis to process such personal data and verifying that all health information provided to or processed by Navgar is accurate, complete, and up-to-date as necessary for the purposes for which it is collected, used, or disclosed, and for implementing reasonable measures to verify and maintain the accuracy of such information.
3.5. Navgar shall not be liable for any failure by the Customer to obtain a valid legal basis for processing, or to ensure the accuracy, completeness, or timeliness of health information, or for any non-compliance by the Customer with its obligations under applicable privacy laws in this regard, such as PIPA or PIPEDA.
3.6. The customer remains fully responsible regarding the processing of these special categories of personal data, as Navgar will only process data following documented instructions from the Client, for the provision of the services, assuming that the Controller has a valid legal basis for the collection and processing of such personal data, and complying with applicable data privacy laws, including but not limited to PIPA and PIPEDA.
3.7. Under Canadian Privacy Laws, and with respect to Personal Data that is Processed under this DPA and governed by Canadian Privacy Laws, the parties acknowledge and agree that (i) Navgar Processes Personal Data on behalf of Customer and assumes the obligations under applicable Canadian Privacy Laws that apply to that role, and (ii) Customer, through its Instructions to Supplier, determines the purposes and means of the Processing of Personal Data and assumes the obligations under applicable Canadian Privacy Laws that apply to that role.
3.8. Under US Privacy Laws, with respect to Personal Data that is Processed under this DPA and governed by US Privacy Laws, the parties acknowledge and agree that Navgar is a Processor and Customer is a Controller.
4. Processing and Security
4.1. In performing its obligations under this Agreement, Navgar shall only process the types of Personal Data, and only in respect of the categories of Data Subjects, and only for the nature and purposes of processing and duration, as is set out in the Schedule 1 to this DPA.
4.2. In processing Customer’s Personal Data, Navgar shall:
4.2.1. process Customer Personal Data only in accordance with written instructions provided from Customer from time to time (including those set out in this DPA) unless otherwise required by applicable law;
4.2.2. not process the Customer’s Personal Data for any purpose other than those set out in this Agreement or otherwise expressly authorized by the Customer;
4.2.3. promptly notify the Customer if it receives a Data Subject Request in respect of Customer Personal Data;
4.2.4. provide the Customer with its reasonable co-operation and assistance in relation to any Data Subject Request;
4.2.5. utilise appropriate technical and organisational measures to facilitate responding to requests from Data Subjects;
4.2.6. not disclose any of Customer’s Personal Data to any Data Subject or to a third party (including any subcontractor or Affiliate) other than at the written request of the Customer or as expressly provided for in this Agreement or when it is necessary for the establishment, exercise or defence of legal claims;
4.2.7. protect the Customer Personal Data by ensuring that it has in place appropriate technical and organisational measures, including measures to protect against Security Breaches, taking into consideration:
4.2.7.1. the state of the art;
4.2.7.2. the nature, scope, context and purposes of the processing; and
4.2.7.3. the risk and severity of potential harm.
4.3. Ensure that only persons authorised by Navgar process Customer Personal Data and that such persons are:
(i) subject to binding obligations to maintain the confidentiality of the Customer Personal Data; and
(ii) trained on both (1) the requirements of the Data Protection Laws, and (2) their obligations under this Agreement.
4.4. Navgar shall, without undue delay after discovering any Personal Data Breach or any failure or defect in security which leads, or might reasonably be expected to lead, to a Personal Data Breach (together a "Security Issue") notify the Customer of the same.
4.5. Where a Security Issue arises, Navgar shall:
4.5.1. as soon as reasonably practicable, after providing the initial notice, provide the Customer with full details of the Security Issue, the actual or expected consequences of it, and (where appropriate) the measures taken or proposed to be taken to address or mitigate it;
4.5.2. co-operate with the Customer, and provide the Customer with all reasonable assistance in relation to the Security Issue; and
4.5.3. unless required by applicable law, not make any notifications to a Data Protection Regulator or any Data Subjects about the Security Issue without the Customer's prior written consent (not to be unreasonably withheld or delayed).
5. Return or Destruction of Personal Data
5.1. Subject to paragraph 5.2 and subject to any specific timeframes set forth in the Agreement, Navgar shall either return or irretrievably delete all Customer Personal Data in its control or possession on expiry or termination of the Agreement.
5.2. To the extent that Navgar is required by applicable law to retain all or part of the Customer’s Personal Data (the "Retained Data"), Navgar shall:
5.2.1. cease all processing of the Retained Data other than as required by that law;
5.2.2. keep the Retained Data confidential in accordance with the confidentiality terms in the Agreement; and
5.2.3. continue to comply with this DPA in respect of such Retained Data.
6. Audit
6.1. If Customer or its third-party independent auditors request to audit and verify that Navgar and its Sub-Processors are complying fully with their obligations under this Agreement and under the Data Protection Laws in relation to Customer’s Personal Data, Navgar may comply with those requests by providing any documentation that is reasonably necessary in order for Customer or its third-party independent auditors to verify such compliance.
6.2. If Customer requires additional information, Customer or its third-party independent auditor may perform an additional audit of Navgar’s premises, records, and personnel that are relevant to any processing of Customer’s Personal Data. All such audits shall:
6.2.1. Take place no more than once annually;
6.2.2. Be notified to Navgar at least 14 business days in advance of the audit, with the notification including a detailed audit plan; and
6.2.3. Be at the sole expense of the Customer.
7. Co-operation and Assistance
7.1. Navgar shall co-operate with the Customer, and provide such information and assistance as the Customer may reasonably require, to enable the Customer to:
7.1.1. comply with the Customer's obligations under the Data Protection Laws in respect of Customer Personal Data; and
7.1.2. deal with and respond to all investigations and requests for information relating to the Customer Personal Data from any Data Protection Regulator.
7.2. If Navgar receives any complaint, notice or communication from a Data Protection Regulator or other third party (excluding a Data Subject Request) which relates directly to Customer Personal Data, they shall notify the Customer as soon as reasonably practicable.
8. Sub-Processors
8.1. Some or all of Navgar’s obligations under the Agreement may be performed by Sub-Processors listed in Schedule 2.
8.2. Customer authorizes Navgar to subcontract the processing of Customer’s Personal Data to these Sub-Processors. Navgar is responsible for any breaches of the Agreement caused by its Sub-Processors.
8.3. Navgar will notify Customer in advance (by email or other appropriate way) of any changes to the list of Sub-Processors in place on the effective date and the Customer shall have ten (10) days to notify Navgar of any objection to the appointment or removal of Sub-Processor(s).
8.4. If Navgar appoints a Sub-Processor, Navgar shall ensure that:
8.4.1. such Sub-Processor shall only process Customer’s Personal Data in order to perform one or more of Navgar’s obligations under this Agreement; and
8.4.2. it enters into a written agreement with that Sub-Processor, prior to any processing by the Sub-Processor, requiring the Sub-Processor to:
8.4.2.1. process Customer’s Personal Data only in accordance with the written instructions of Navgar or the Customer; and
8.4.2.2. comply with data protection obligations equivalent in all material respects to those imposed on Navgar under this DPA.
8.5. Notwithstanding the appointment of a Sub-Processor, Navgar is responsible and liable to the Customer for any processing by the Sub-Processor in breach of this DPA.
9. Transfer of Personal Data
9.1. Navgar and its Sub-processors may process Customer’s Personal Data, or otherwise transfer or access Customer’s Personal Data, where such transfer is in compliance with the Data Protection Laws.
9.2. In this regard, Customer acknowledges and agrees that Navgar may require to transfer personal data as necessary to provide the Products in accordance with the Agreement, and Navgar shall ensure such transfers are made in compliance with the requirements of applicable Data Protection Laws.
9.3. Parties agree that, in order for Navgar to provide the services contracted by the Customer, it will be necessary to transfer personal data from Canada. Navgar, as the Data Processor, may transfer, access, or process Personal Information outside of Canada, including to the United States of America, solely for the purposes described in this Agreement and in compliance with applicable privacy laws, including the Personal Information Protection and Electronic Documents Act (PIPEDA), and any relevant provincial legislation.
9.4. Where Personal Data is transferred outside Canada, Navgar will ensure that the Personal Information is afforded a comparable level of protection as in Canada by implementing appropriate contractual, technical, and organizational safeguards. Such safeguards may include written agreements with overseas recipients obligating them to protect Personal Information in a manner consistent with the requirements under Canadian privacy legislation.
9.5. However, the Client, as the Data Controller, shall ensure that affected individuals are informed, as required by law, that their Personal Information may be transferred, stored, and/or processed outside of Canada, and may be accessible from third-countries under applicable law.
10. Limitation of Liability:
10.1. Navgar, as a Data Processor, shall have no liability to Data Controller for losses, damages or costs that are indirect, special, punitive or consequential. In this regard, each Party’s liability taken together in the aggregate, arising out of or related to this DPA, whether in contract, tort, or under any other theory of liability, is subject to the limitation of liability provisions of the Agreement.
10.2. In no event shall either Customer’s liability be limited with respect to any individual Data Subject’s data protection rights under this DPA or otherwise.
11. Modifications:
11.1. Navgar may change this DPA where (a) the change is required to comply with an Applicable Law; or (b) the change is commercially reasonable, does not materially reduce the security of the Services, does not change the scope of Navgar’s processing of Customer Personal Data, and does not have a material adverse impact on Customer’s rights under this DPA.
12. Governing Law and conflicts of laws:
12.1. This DPA shall be governed by and construed in accordance with the governing law and jurisdiction provisions in the Agreement between the parties, unless required otherwise by Data Protection Laws.
12.2. If Navgar becomes aware that it can no longer meet its obligations under the applicable Data Protection Laws or Process Personal Data in accordance with Customer’s Instructions due to a legal requirement under any applicable law, it will: (i) promptly notify Customer of that legal requirement to the extent permitted by the applicable law; and (ii) where necessary, cease all Processing (other than merely storing and maintaining the security of the affected Personal Data) until such time as Customer issues new Instructions with which Navgar is able to comply. If this provision is invoked, Navgar will not be liable to Customer under the Agreement for any failure to provide the applicable Products until such time as Customer issues new lawful Instructions with regard to the Processing.
Schedule 1
Details of Processing of Customer Personal Data
The Personal Data processing activities carried out by Navgar under this Agreement may be described as follows:
Subject matter of processing
Processing by Navgar of Personal Data provided by Customer during its use of the Services under the Agreement.
Nature and purpose of processing
To fulfil Navgar’s obligations under the Agreement, including making the Services available.
Categories of Personal Data. Frequency of the transfer.
The Personal Data that is sent to Navgar by, or on behalf of, Customer for the purpose of using the Services.
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
The parties may process the special categories of Personal Data or sensitive personal information, as part of the provision of the services included in the Agreement.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
Personal Data is transferred on a continuous basis.
Categories of data subjects
Customer and its Authorized Users, Customer’s clients and prospective clients.
Duration
The Term of this Agreement
Schedule 2 To Data Processing Agreement
SUB-PROCESSORS LIST
Navgar engages a select group of trusted third-party service providers—known as sub-processors—to help us deliver, maintain, and improve our platform. These sub-processors may process limited personal data on our behalf as part of providing their services.
The table below outlines each sub-processor's name, a description of the services they provide, and the location where processing occurs. We regularly assess our sub-processors to ensure they meet our security, privacy, and compliance standards. This list is reviewed and updated as needed to reflect any changes in our operational or legal obligations.
If you have any questions or concerns about how your data is handled, please don’t hesitate to contact us.
An updated list of Navgar’s Subprocessors can be found at: https://navgar.com/sub-processors
SUBPROCESSOR NAME | DESCRIPTION | LOCATION OF PROCESSING |
---|---|---|
AWS | Purpose: Provides cloud infrastructure for hosting, data storage, and application services. Function: Used to securely store data, run backend systems, and deliver reliable performance at scale. Privacy: Data is encrypted in transit and at rest, with strict access controls in place. | 410 Terry Ave N, Seattle 98109, WA US |
INTERCOM | Purpose: Used for customer support, user engagement, and lead generation. Function: Provides live chat, automated messaging, and help desk tools to assist users and communicate product updates. Privacy: Handles contact and usage data in line with our privacy practices. | 55 2nd Street, 4th Floor, San Francisco, CA 94105 US |
LOG ROCKET | Purpose: Used to diagnose and resolve user experience issues by replaying user sessions. Function: Captures in-app interactions using browser APIs (like MutationObserver) to generate visual replays that help identify bugs and understand behavior. Privacy: Data is handled securely and sensitive information is excluded or masked where appropriate. | 87 Summer St HQ Boston, MA 02110 US |
OPENAI | Purpose: Supports user-initiated content generation and product improvement via anonymized analytics. Function: Processes user inputs to generate responses and provide usage insights. No data is used for independent purposes or shared beyond these functions. Privacy: Customer data is processed solely to fulfill user requests and is handled securely and anonymously. | 87 Summer St HQ Boston, MA 02110 US |
RETOOL | Purpose: Used for internal analytics on user, account, and client portfolio health. Function: Enables custom dashboards and queries to monitor usage patterns and support business insights. Privacy: Access is restricted and data is used solely for operational analysis within our platform. | 1550 Bryant Street, San Francisco, CA 94102 US |
SCHEDULE 3: NAVGAR TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES
1. Navgar TOMS. Navgar provides a cloud communications platform for a wide range of customer and business needs. Recognizing the importance of information security, we invest considerable time and effort into ensuring our platform is secure. This page outlines some of the steps we take to protect your account and information. For further questions, please contact your Account Manager.
1.1. Physical security. Navgar’s servers are hosted by IBM SoftLayer and AWS in data centres in Europe, the United States and SE Asia. SoftLayer provides us with hardware, network connectivity and secure physical space relating to our customer data. SoftLayer is compliant with ISO 27001 and other standards, and security information about their data centers.
1.2. System security. We use firewalls and logical access control to protect our servers from unauthorized system access, allowing only trusted operations personnel to manage our systems. We also make sure to use strong configuration standards to harden our servers, and we keep them up-to-date with the latest security patches.
1.3. Application security. We support strong cryptography for communication over public networks, so that your Navgar Dashboard password, API secret, and contents of your communications may be protected in transit as set forth below.
1.4. Type of communication | Secure protocols used | Other protocols used |
---|---|---|
Between customers and Navgar APIs | HTTPS, SMPP-over-SSL | SMPP, SIP, RTP |
Navgar Dashboard | HTTPS | – |
Between Navgar and carriers | HTTPS, SMPP-over-IPsec, ENUM-over-IPsec | HTTP, SMPP, ENUM, SIP, RTP |
We still support unencrypted protocols on the customer side in response to customer demand, but we strongly encourage customers to use secure protocols. Rest assured, the security of your data is unaffected by the communications protocols used by Navgar’s other customers because of the logical segregation between customer accounts.
In connection with the provision of our services, Navgar has secured direct relationships with telecommunications carriers and similar services providers around the globe. While many of our connections with these carriers are secure, some of these “last mile” connections are unencrypted. This is beyond our control and depends on the carrier, as some telecommunications providers have legacy infrastructure and do not currently support secure protocols. We opt for secured communication with carriers when available.
We have rate limiting in place on API calls and Navgar Dashboard logins to prevent brute force attacks. Password complexity requirements are enforced on API secret and Navgar Dashboard password.
Navgar Dashboard passwords are cryptographically hashed and are not accessible to any Employee or the Contractor.
The Navgar Dashboard supports 2-factor authentication (2FA using Navgar Verify) when elected for customers who want to add an additional access control. If this is enabled, Navgar Dashboard logins require an additional verification code, which is sent by SMS or automated phone call to the phone registered on your account, to be entered when logging in from an IP address which differs from the one used on the previous successful login.
On request, we can enable restrictions on a Navgar Dashboard account such that it can only be logged into from specified IP addresses.
Accounts are logically segregated from each other, and we use role-based access control within our company for access to systems and information.
1.5. Redundancy, availability and uptime. Navgar is committed to supplying a highly available platform and we do our best to minimize outages. Through use of a content delivery network, geographically redundant data centers, and redundancy within each data center, we ensure failovers exist at several levels to maximize uptime. We currently provide 99% availability, and endeavour to increase it further to 99.9%. Information about availability and outages will be found shortly on our status page.
We also take regular offsite backups of important data to ensure business continuity.
2.0. EXCLUSIONS
2.1. Navgar shall have no liability for any incidents involving disclosure of Customer Data, which arise out of the inadequate use of Authorized User accounts or Customer’s Applications. The Customer is solely responsible for configuring, operating, maintaining, and securing access to Customer Applications and their content, by managing Customer’s accounts when using their own identity management system, and enforcing use of strong password policies, enforcing account lockout policies, defining access rights for these accounts, and configuring adequate session expiration.
2.2. In any case, Navgar will take appropriate steps to ensure compliance with the Technical and Organizational Measures by its employees, agents, contractors, and Subprocessors to the extent applicable to their scope of performance, including ensuring that all persons authorized to Process Customer Personal Data have agreed to appropriate confidentiality obligations.