Navio

Navio Data Processing Addendum

Last updated: April 25, 2026

This Data Processing Addendum (“DPA”), including its appendices, is part of and incorporated by reference into Navio’s Terms of Use (“Terms”) between Navio Legal Inc. (“Navio”) and the Business User. It outlines the agreement on the handling of Personal Data in accordance with Applicable Data Protection Laws. As set out in Section 3.8 of the Terms, a User becomes a Business User only upon Navio’s written confirmation, and Navio may approve or reject any request to register as a Business User in its sole discretion. Once confirmed as a Business User, the User automatically agrees to this DPA and commits to handling Personal Data responsibly and in good faith. Capitalized terms not defined in this DPA have the meanings given to them in the Terms or in Appendix 1.

Summary

This summary is provided for convenience only. Please read each section in full below to fully understand your rights and obligations.

  • Position of the Parties: The Business User is the data controller responsible for the Personal Data it provides to Navio, the data processor. The Business User must ensure that the data it provides to Navio is accurate and complies with data protection laws.
  • Local Processing of User Content: User Content (including uploaded documents, generated output, and processing rules) is processed entirely in the User’s browser and is never transmitted to or stored by Navio. Accordingly, User Content is not Personal Data processed by Navio under this DPA.
  • Subcontractors: Navio may use subcontractors to process Personal Data; all subcontractors used by Navio must comply with the same data protection obligations as Navio.
  • Security: Navio relies on industry-standard security measures provided by its service providers and will update its practices as necessary. The Business User must independently verify that Navio’s security measures meet its specific requirements.
  • Cooperation: Navio will inform the Business User of any requests regarding the data and will help the Business User meet its obligations under data protection laws, such as notifying the Business User if a data breach occurs.
  • Audits: Navio will provide all necessary information to the Business User so it may demonstrate that Navio is complying with its obligations.
  • International Data Transfers: Navio will comply with any applicable data protection laws regarding international data transfers.
  • Term: This DPA starts when a Business User registers and remains in effect as long as Navio provides Services and the User remains a Business User under the Terms.
  • Governing Law: Same as the Terms of Use.
  • European Union: For Business Users in the European Union, GDPR applies to this DPA.
  • United Kingdom: For Business Users in the United Kingdom, UK GDPR applies to this DPA.
  • California: If the Business User’s Personal Data involves California residents, the California Consumer Privacy Act applies.
  • Quebec: For Business Users in Quebec, Quebec’s Law 25 applies to this DPA.
  • General: Discusses general miscellaneous matters such as headings, governing law, and the relationship to the Terms’ limitation of liability.
  • Changes to this DPA: Navio may make changes to this DPA from time to time.
  • Appendix 1: Definitions.
  • Appendix 2: Provisions of the Standard Contractual Clauses that apply, with Annex I (List of Parties and Description of Transfer) and Annex II (Security Measures).
  • Appendix 3: Lists the sub-processors used by Navio.

1. Position of the Parties

1.1. Roles and Responsibilities: The Business User is the data controller, Navio acts as the data processor, and any third party Navio uses is a sub-processor, as defined by Applicable Data Protection Laws.

1.2. Business User’s Responsibility: The Business User is responsible for the Personal Data provided to Navio during the use of the Application, Services, and Navio Content (“Personal Data”), including ensuring it complies with Applicable Data Protection Laws and maintaining the data’s accuracy and legality.

1.3. Scope of Personal Data Processed by Navio: Personal Data processed by Navio under this DPA is limited to the categories described in Annex I to Appendix 2 (such as account, billing, security, support, and analytics data relating to the Business User’s authorized users). User Content - including documents uploaded by Users, generated output (such as bookmarked or linked PDFs), and any rules, preferences, or settings governing how documents are processed - is processed entirely within the User’s browser and is not transmitted to or stored by Navio. Accordingly, User Content is not Personal Data processed by Navio under this DPA, and the Business User remains the sole controller and possessor of User Content.

1.4. Purpose of Data Processing: Navio processes the Business User’s Personal Data to perform the Services, detailed further in Annex I to Appendix 2.

1.5. Compliance with Laws: The Business User must ensure all data processing complies with relevant Applicable Data Protection Laws, and their instructions to Navio must also be lawful.

1.6. Navio’s Compliance: Navio will process Personal Data based on the Business User’s written instructions and only for the specified purposes.

1.7. Legal Concerns: Navio will alert the Business User if any of their instructions violate Applicable Data Protection Laws.

1.8. Access Restrictions: Only Navio personnel who are performing the Services will have access to Personal Data.

1.9. Confidentiality and Training: Navio will ensure its personnel handling Personal Data are aware of its confidential nature and are bound by confidentiality obligations.

1.10. Record Keeping: If required by law, Navio will keep detailed records of its Personal Data processing activities as specified by the Applicable Data Protection Laws.

1.11. Data Return or Deletion: After the termination of a Business User’s account, Navio will either delete or return all the Business User’s Personal Data, depending on the Business User’s choice, unless laws require Navio to retain the data for longer for legal or business reasons.

1.12. Deletion Timeline: If the Business User chooses deletion, Navio will delete all the Personal Data within 90 days after the account’s termination, or sooner if requested by the Business User.

1.13. Indemnity: The Business User must indemnify and hold Navio harmless for any damages, costs, or losses Navio incurs if it shares or makes the Business User’s Personal Data available based on the Business User’s instructions, including data related to the Business User’s personnel.

2. Subcontractors

2.1. Subcontractor Use: The Business User agrees that Navio may hire, change, or replace subcontractors to process Personal Data as needed to meet its obligations under the Terms. Navio is responsible for ensuring that these subcontractors adhere to the same standards and obligations as Navio itself. A current list of Navio’s subcontractors is included in Appendix 3.

2.2. Subcontractor Compliance: Navio will impose data protection obligations on its subcontractors that are substantially equivalent to those set out in this DPA, as required by Applicable Data Protection Laws. Navio will notify the Business User in advance (except in emergencies) about any changes to its subcontractors. The Business User has the right to object to new subcontractors within thirty (30) days of being notified, on reasonable data protection grounds. If the Business User does not object within this period, the new subcontractor is considered accepted.

2.3. Right to Terminate: If the Business User objects to a new subcontractor, it may choose to terminate its account.

3. Security

3.1. Security Measures: Navio has put in place appropriate technical, physical, and organizational measures to protect Personal Data, considering factors like the risk of data breaches and the nature of the data processed. These measures are detailed in Annex II to Appendix 2 and have been acknowledged by the Business User as adequate and appropriate, factoring in technological advancements and costs.

3.2. Monitoring and Updates: Navio regularly reviews its security practices and may update its measures to maintain or enhance security levels. The Business User agrees that Navio can change these measures without notice as long as the new measures do not reduce the overall level of security.

3.3. Business User’s Responsibility: The Business User must independently verify that Navio’s security measures meet their specific requirements and comply with Applicable Data Protection Laws. The Business User is also responsible for securing any components (like devices or networks) that they provide or control, including the device on which User Content is processed in the browser.

4. Cooperation

4.1. Handling External Requests: Navio will inform the Business User about any requests from individuals or government bodies, except supervisory authorities, as long as it is legally allowed. Navio will not respond to these requests unless authorized by the Business User or required by law. Navio will also assist the Business User in handling such requests, using appropriate technical and organizational measures.

4.2. Support with Compliance: Navio will help the Business User meet its obligations under Applicable Data Protection Laws. This includes assistance with security measures, notifying about data breaches, conducting data protection impact assessments, and dealing with supervisory authority inquiries, based on the nature of the processing and the information Navio has.

4.3. Data Breach Notification: Navio will promptly notify the Business User if a data breach occurs. If the law requires, Navio will also notify the supervisory authorities and other relevant government bodies about the breach.

4.4. Costs of Assistance: The Business User will cover the reasonable costs of Navio’s assistance related to handling requests, compliance support, and data breach notifications as outlined above.

5. Audits

5.1. Information Provision: Navio will make available to the Business User information reasonably necessary to demonstrate compliance with this DPA, including written responses to reasonable due diligence questionnaires and, where available, third-party certifications, audit reports, or summaries.

5.2. On-Site Audits: On-site audits or inspections are limited to circumstances where (a) an audit is required by Applicable Data Protection Laws; (b) a competent Supervisory Authority requests one; or (c) the Business User has reasonable grounds to suspect material non-compliance by Navio that has not been resolved through the information provided under Section 5.1.

5.3. Audit Notice and Conduct: The Business User must give Navio at least 60 days’ written notice before any on-site audit, unless a quicker audit is mandated by authorities. On-site audits are limited to once per year and to three business days. The Business User and Navio will agree on the audit’s scope and agenda beforehand and will conduct the audit in a manner that does not unreasonably interfere with Navio’s operations.

5.4. Audit Deposit and Costs: As a condition of any on-site audit, the Business User shall pay Navio an advance deposit of CAD $5,000 (or such higher amount as Navio reasonably estimates the audit will cost based on scope and duration) before the audit commences. The Business User shall reimburse Navio for all reasonable costs incurred in supporting the audit, including personnel time at Navio’s then-current rates and any third-party costs. Costs exceeding the deposit will be invoiced to the Business User and are payable by the Business User within 30 days of the invoice date. Any unused portion of the deposit will be refunded to the Business User after the audit is completed, without interest. If the audit reveals material non-compliance by Navio with this DPA, Navio shall refund or waive the audit costs to the extent reasonable in light of the nature and severity of the non-compliance. The Business User must provide Navio with a copy of the audit report.

6. International Data Transfers

6.1. International Data Transfers: Navio will comply with any Applicable Data Protection Laws regarding international data transfers.

6.2. Conflict Resolution: If there is a conflict between Applicable Data Protection Laws on international transfers and any other terms of this DPA, the data protection laws will take precedence.

7. Term

7.1. Effective Date: This DPA takes effect when a User is confirmed as a Business User by Navio in accordance with Section 3.8 of the Terms.

7.2. Replacement of Previous Arrangements: This DPA replaces any previous data processing arrangements between the parties, which are now terminated.

7.3. Duration and Termination: This DPA remains in effect as long as Navio provides Services and the User remains a Business User under the Terms. It automatically ends when the User’s Business User status, their account, or the applicability of the Terms ends, whichever happens last.

8. Governing Law & Venue

8.1. Venue: This DPA is governed by the same laws as the Terms, and any disputes related to this DPA will be resolved as outlined in the Terms.

9. European Union

9.1. EU-Based Business Users: For Business Users in the European Union, GDPR applies to this DPA. GDPR is the law designed to protect personal data and ensure its free movement within the EU.

9.2. GDPR Compliance: If Navio processes Personal Data under the GDPR, it will follow the Standard Contractual Clauses (“SCCs”) attached in Appendix 2 of this DPA.

9.3. Legal Governance of SCCs: The SCCs will be governed by the specific laws mentioned within them, and any disputes related to the SCCs will be resolved in the courts specified by those clauses.

10. United Kingdom

10.1. UK-Based Business Users: For Business Users in the United Kingdom, UK GDPR applies to this DPA. This is the version of GDPR retained by the UK after leaving the EU, which continues to protect personal data and ensure its free movement.

10.2. Compliance with UK GDPR: If Navio processes Personal Data that is subject to UK GDPR, it will follow the SCCs outlined in Appendix 2 of this DPA, as supplemented by the UK Information Commissioner’s International Data Transfer Addendum where required.

10.3. Legal and Dispute Resolution under SCCs: The SCCs are governed by specified laws within them, and any disputes related to these clauses must be resolved in the designated courts as per the SCCs.

11. California

11.1. California Data Protection: If the Business User’s Personal Data involves California residents, the California Consumer Privacy Act applies. This law includes all related regulations and amendments.

11.2. Role of Navio: Under California Data Protection Laws, Navio acts as a Service Provider, meaning it processes data solely to provide services to the Business User.

11.3. Data Use Restrictions: Navio cannot sell the Personal Data it handles and is restricted to using or disclosing this data strictly for fulfilling its service obligations to the Business User. Navio is not permitted to use the Personal Data for any purpose outside the direct business relationship or for any commercial purposes other than providing the specified services.

11.4. Compliance Certification: Navio confirms its understanding of these restrictions and commits to adhere to them.

12. Quebec

12.1. Quebec-Based Business Users: For Business Users in Quebec, Quebec’s Act respecting the protection of personal information in the private sector, as amended by Law 25, applies to this DPA.

12.2. Role of Navio: Under Quebec law, the Business User is the enterprise responsible for protecting the Personal Data it entrusts to Navio. Navio acts as the person carrying out a mandate or contract for that enterprise and processes Personal Data only on the Business User’s documented instructions.

12.3. Cross-Border Transfers: Where Personal Data is transferred outside Quebec, Navio will, where required, support the Business User’s privacy impact assessment and put in place reasonable measures to ensure the Personal Data benefits from a level of protection adequate under Quebec law.

12.4. Cooperation with the CAI: Navio will cooperate with the Commission d’accès à l’information du Québec (CAI) and assist the Business User in responding to inquiries or investigations by the CAI to the extent required by law.

13. General

13.1. The headings in this DPA are for ease of reading only and do not affect the meaning of the terms.

13.2. Words in singular form also apply to their plural forms and vice versa; references to any gender include all genders.

13.3. Capitalized terms in this DPA are defined in Appendix 1 or, where not defined here, in the Terms.

13.4. Governing Law & Jurisdiction: This DPA is governed by the laws of the Province of Ontario, Canada, without regard to conflict of law principles that would require the application of the laws of another jurisdiction. Applicability of the United Nations Convention on the International Sale of Goods (CISG, 1980) is explicitly excluded. The parties irrevocably submit to the exclusive jurisdiction of the courts of the Province of Ontario.

13.5. Limitation of Liability: Navio’s total liability arising under or in connection with this DPA is subject to the limitations of liability and aggregate cap set out in Section 6 of the Terms, which apply regardless of the form of action and form an essential basis of the bargain between the parties.

14. Updates to this DPA

14.1. Navio may update this DPA from time to time to reflect changes in our practices, legal requirements, or for operational, legal, or regulatory reasons. The most current version of this DPA will always be available at naviolegal.com/dpa, and the “Last updated” date at the top of this page reflects the latest revision. If we make material changes, we will provide more prominent notice, which may include posting a notice on our website or notifying Business Users by email. Continued use of the Services after the effective date of the updated DPA will constitute acceptance of the changes.

Appendix 1: Definitions

  • Account: Defined in the Terms.
  • Annex: A section attached to an Appendix of this DPA.
  • Appendix: A supplement to this DPA.
  • Applicable Data Protection Laws: The laws and regulations related to privacy, security, and data protection that apply to the processing of Personal Data, including the GDPR, UK GDPR, the California Consumer Privacy Act, and Quebec’s Law 25, as applicable.
  • Application: Defined in the Terms.
  • Business User: Defined in the Terms.
  • Controller: The entity that decides how and why Personal Data is processed, according to Applicable Data Protection Laws.
  • Data Breach: As defined by Applicable Data Protection Laws.
  • DPA: This Data Processing Addendum.
  • Effective Date: The date on which the User was confirmed as a Business User by Navio.
  • Individual: The person whose Personal Data is being processed.
  • Navio: Navio Legal Inc., the entity that agreed to the Terms with the Business User.
  • Navio Content: Defined in the Terms.
  • Party / Parties: Refers to either Navio or the Business User, or both together.
  • Personal Data: Information relating to an identified or identifiable natural person, as defined under Applicable Data Protection Laws, that is provided to or processed by Navio under this DPA. For clarity, Personal Data does not include User Content, which is processed entirely in the User’s browser and is not transmitted to or stored by Navio.
  • Processing: Any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, storage, retrieval, use, disclosure, erasure, or destruction, as defined under Applicable Data Protection Laws.
  • Processor: The entity processing Personal Data on behalf of the Controller, as defined by Applicable Data Protection Laws.
  • SCCs: The Standard Contractual Clauses adopted by the European Commission in Implementing Decision (EU) 2021/914, and, where applicable, as supplemented by the UK Information Commissioner’s International Data Transfer Addendum.
  • Services: Defined in the Terms.
  • Subcontractor: A third party engaged by Navio to process Personal Data, also known as a sub-processor.
  • Supervisory Authority: The official organization overseeing compliance with Applicable Data Protection Laws.
  • Terms: The Terms of Use agreement between Navio and the Business User.
  • User: Defined in the Terms.
  • User Content: Defined in the Terms.

Appendix 2: Standard Contractual Clauses Provisions

For the SCCs between the Business User (data exporter) and Navio (data importer), the following provisions are agreed upon:

  • Docking Clause (Clause 7 SCCs): This clause will be applied, allowing additional parties to join the SCCs in the future.
  • Use of Sub-processors (Clause 9 SCCs, Option 2): Navio is authorized to engage subcontractors as per the general authorization granted by the Business User. The current list of approved subcontractors is included in Appendix 3.
  • Appendices: The content of Annex I to Appendix 2 will serve as Annex I to the SCCs. The content of Annex II to Appendix 2 will serve as Annex II to the SCCs.

Annex I: List of Parties and Description of Transfer

A. List of Parties

Data Exporter (Business User):

  • Name: As listed in the Business User Account.
  • Address: As specified in the Business User Account.
  • Contact Person: Details provided in the Business User Account.
  • Activities: Related to the performance of the Services as outlined in the Terms.
  • Role: Controller.

Data Importer (Navio):

  • Name: Navio Legal Inc.
  • Address: 1705-255 Village Green Square, Toronto, Ontario, M1S 0L7, Canada.
  • Contact Person: support@naviolegal.com.
  • Activities: Related to the performance of the Services as described in the Terms.
  • Role: Processor.

B. Description of Transfer

Categories of Individuals: Personal Data of the Business User’s authorized users (such as employees and contractors) who hold accounts on the Services. For clarity, Personal Data of the Business User’s clients, customers, or any other individuals whose data may appear within documents processed through the Services is not transferred to or stored by Navio, as User Content is processed entirely within the User’s browser (see Section 1.3 of this DPA).

Types of Personal Data Transferred:

  • Account Data: First and last name, email address, password (stored as a hashed value), and subscription details such as plan type and current and past subscription history.
  • Billing Data: Billing name, billing address, last four digits of payment card, and transaction history. Full payment card numbers are processed by Stripe and are not retained by Navio.
  • Account Security Data: Login timestamps, IP address at sign-in, and other security signals related to the account.
  • Support Data: Contact details, browser type, operating system, and information provided when contacting Navio about the Services.
  • Web App Analytics Data: Click behaviour, feature usage, language preferences, time zone, IP address, browser type, operating system, and device characteristics. Analytics data does not include the contents of documents processed in the browser.
  • Website Analytics Data: Click behaviour, browser type, language preferences, time zone, IP address, referral source, and pages visited on naviolegal.com.

Frequency of Transfer: Data is transferred continuously as the Business User and their authorized users use the Services.

Nature of Processing: Processing is carried out to perform the Services.

Purpose of Data Transfer and Processing: The data is processed as necessary to provide the Services and according to the Business User’s instructions.

Data Retention Period: Personal Data will be retained as outlined in Sections 1 and 7 of this DPA unless a different agreement is made in writing.

Sub-processor Transfers: Sub-processors, where used, will handle Personal Data to help perform the Services as per the terms and for the duration specified in this DPA or agreed upon in writing.

C. Competent Supervisory Authority

There are four different situations with regard to the qualification of the competent Supervisory Authority:

  • Data Exporter Established in EU: The Supervisory Authority of the member state where the data exporter is established will oversee compliance with the EU GDPR for data transfers.
  • Data Exporter Not Established in EU but Under EU GDPR Scope with an EU Representative: The Supervisory Authority of the member state where the EU representative is located will act as the competent authority.
  • Data Exporter Not Established in EU, Under EU GDPR Scope but No Representative Required: The Dutch Data Protection Authority will be the competent Supervisory Authority.
  • Data Exporter in the UK or Under UK GDPR Scope: The Information Commissioner’s Office in the UK will oversee compliance.

Annex II: Security Measures

Navio relies on industry-standard security measures provided by its service providers to protect Personal Data, supplemented by the organizational measures set out below. For clarity, User Content is processed entirely in the User’s browser and is not transmitted to or stored by Navio; the User remains solely responsible for securing the device on which User Content is processed.

Encryption of Personal Data:

  • Encryption in transit between the User’s browser and Navio’s service providers.
  • Encryption at rest of Personal Data stored by Navio’s database, authentication, and payment service providers.

Confidentiality, Integrity, Availability, and Resilience:

Technical:

  • Authentication via username and password through Navio’s authentication provider, with multi-factor authentication available where supported.

Organizational:

  • Access to Personal Data is limited to authorized personnel who require it to operate, develop, or improve the Services.
  • Authorization is revoked promptly when employees and contractors leave Navio or change roles.
  • Personnel handling Personal Data are bound by confidentiality obligations.

Restoration and Resilience:

  • Personal Data stored by Navio’s database provider is backed up in accordance with the provider’s standard practices.
  • Multi-region infrastructure hosting via Navio’s hosting provider supports recovery in the event of a regional failure.

Testing, Assessment, and Evaluation:

  • Regular code reviews of changes to the Application and Services.
  • Automated testing on product updates.

Appendix 3: List of Sub-processors

The Business User has authorized the use of the following sub-processors:

  • Navio Legal Inc. - Location: Canada. Description of processing: To develop and maintain the Services, create analytical reports, and provide customer support and other operational services.
  • Supabase - Location: United States. Description of processing: To provide authentication and database services for user accounts and profile data.
  • Resend - Location: United States. Description of processing: To deliver transactional and service emails (such as account verification, password reset, billing receipts, and security notifications) via SMTP integration with Supabase.
  • Stripe - Location: United States. Description of processing: To process payments and manage recurring subscriptions.
  • Netlify - Location: United States. Description of processing: To host the Navio website and web app.
  • PostHog - Location: United States. Description of processing: To create product analytics and usage reports.
  • Google Analytics (Google LLC) - Location: United States. Description of processing: To create website analytics reports.

Contact

If you have any questions about this DPA, please contact us at support@naviolegal.com.