Data Processing Agreement
Updated April 21, 2025
This Data Processing Agreement ("DPA") is entered into between Naro Technologies, Inc. ("Company") and the Customer identified in the applicable Order Form or Enterprise SaaS Agreement.
1. Definitions
- Affiliate — an entity with a 50% or greater ownership stake or under common control.
- Authorized Sub-Processor — a third party that accesses personal data to enable service provision.
- Company Account Data — personal data relating to the business relationship, including contact information and billing details.
- Company Usage Data — service usage information collected for optimization and performance maintenance.
- Data Exporter — the Customer.
- Data Importer — the Company.
- Data Protection Laws — applicable regulations including GDPR, CCPA, VCDPA, CPA, CTDPA, UCPA, and UK/Swiss data protection acts.
2. Relationship of the Parties; Processing of Data
Customer may act as controller or processor. Company operates as a processor except where otherwise specified. Customer shall not provide or make available to Company any Personal Data in violation of the Agreement.
Key responsibilities:
- Customer ensures data accuracy and legality of transfer.
- Company processes data only per Customer's documented instructions.
- Company will not process data for unauthorized purposes or inconsistently with documented instructions.
- Upon service completion, Company returns or deletes personal data unless retention is required by law.
3. Confidentiality
Company ensures that personnel with access to personal data have signed confidentiality agreements. Company may disclose data to advisers, auditors, or third parties as reasonably required and in accordance with this DPA.
4. Authorized Sub-Processors
- Company may engage Affiliates and listed sub-processors to assist in providing the Services.
- The current sub-processor list is available upon request.
- Company provides ten days' notice prior to engaging any new sub-processor.
- Customers may object to new sub-processors on reasonable data protection grounds.
- Essential sub-processors cannot be refused without discontinuing the affected Service.
- Company imposes comparable data protection obligations on all sub-processors via written agreement.
5. Security of Personal Data
Company maintains appropriate technical and organizational measures to protect personal data, taking into account implementation costs, the nature of processing, and the risk severity to data subjects. Details are provided in Exhibit C.
6. Transfers of Personal Data
6.1 General Authority
Company may transfer data outside the EEA, UK, or Switzerland as necessary to provide the Services. Primary operations occur in the United States.
6.2 Ex-EEA Transfers
Transfers out of the EEA are conducted via the Data Privacy Framework or EU Standard Contractual Clauses (EU SCCs), with Module Two applying when Customer is the controller and Company is the processor.
6.3 Module-Specific Terms
- The docking clause does not apply.
- General written authorization applies for sub-processor changes.
- Governed by the law of the Republic of Ireland.
- Disputes resolved in Irish courts.
6.4 Ex-UK Transfers
Transfers out of the UK are made via the Data Privacy Framework or UK SCCs with UK Addendum modifications.
6.5 Swiss Transfers
Transfers out of Switzerland are made via the Data Privacy Framework or modified EU SCCs, with Swiss FADP protections and FDPIC authority recognized.
6.6 Supplementary Measures
- Company has not received formal government requests for data access.
- If compelled by government agencies, Company provides reasonable notice and cooperates with protective order efforts unless legally prohibited.
- Parties will meet regularly to assess adequacy of transfer protections.
- Either party may implement alternative arrangements if transfer mechanisms become invalid.
7. Rights of Data Subjects
Company will notify Customer of data subject requests for access, rectification, erasure, portability, restriction, withdrawal of consent, or objection to automated decision-making.
Customer is responsible for:
- Responding to data subject requests.
- Maintaining consent records.
- Communicating erasure and restriction requests to Company.
Company provides technical assistance where Customer cannot respond independently and where legally permissible. Customer bears the costs associated with such assistance.
8. Actions and Access Requests; Audits
- Company assists with data protection impact assessments and supervisory authority cooperation as necessary.
- Company maintains compliance records for three years post-termination.
- Upon reasonable request (maximum once per year), Company provides certifications or reports demonstrating security compliance, or permits an independent third-party audit during business hours.
- Audits require reasonable advance notice and must not be unreasonably disruptive. Customer bears audit costs.
- Company immediately notifies Customer if it believes any instructions violate Data Protection Laws.
- In the event of a data breach, Company provides notice without undue delay and assists with supervisory authority and data subject notifications. Company remains liable only where the breach is not caused by Customer's actions or omissions.
9. Company's Role as Controller
Company acts as an independent controller (not a joint controller) regarding Company Account Data and Company Usage Data for the following purposes:
- Relationship management
- Core business operations (accounting, audits, tax, compliance)
- Fraud prevention and security incident detection
- Identity verification
- Legal and regulatory compliance
- Service optimization and maintenance
Such processing is governed by Naro's privacy policy at narohq.com/privacy.
10. Conflict
In the event of any inconsistency between the documents governing this relationship, the order of precedence is:
- Standard Contractual Clauses terms
- This DPA
- The Enterprise SaaS Agreement terms
- Company's privacy policy
All claims under this agreement are subject to the exclusions and limitations of liability set forth in the Enterprise SaaS Agreement.
Contact
For questions regarding this DPA, please contact us at hello@narohq.com or write to us at 1150 Wewatta St #200, Denver CO 80202.