Navigare Space Ltd · UK GDPR Article 28 Data Processing Agreement
Effective date: [INSERT — to match Customer's Order Form Effective Date] Version: 1.0 Document reference: NS-DPA-v1.0
This DPA is drafted to meet the requirements of:
It is structured along the lines of standard SaaS DPAs used by UK-based providers, with industry-specific considerations relevant to Navigare Space's regulated-sector customers (legal, accountancy, estate agency).
Areas requiring particular solicitor attention:
[SOLICITOR REVIEW: …] comments inline should be removed before publication.
1.1 The Customer and Navigare Space Ltd have entered into a Master Services Agreement (the "Principal Agreement") under which Navigare Space provides hosted business software services to the Customer.
1.2 In the course of providing those services, Navigare Space processes personal data on behalf of the Customer. This document (the "DPA") sets out the terms governing that processing, as required by Article 28 of the UK GDPR.
1.3 This DPA is incorporated into the Principal Agreement. In the event of conflict between this DPA and any other part of the Principal Agreement on matters of data protection, this DPA prevails.
In this DPA:
| Term | Meaning | |---|---| | Customer Personal Data | Personal data processed by Navigare Space on behalf of the Customer in the course of providing the Services. | | Data Protection Laws | The UK GDPR, the Data Protection Act 2018, the Privacy and Electronic Communications Regulations 2003, and any successor or related legislation in force in the United Kingdom. | | Data Subject | An identified or identifiable natural person to whom Customer Personal Data relates. | | Personal Data Breach | A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Customer Personal Data. | | Services | The services provided by Navigare Space to the Customer under the Principal Agreement. | | Sub-processor | Any third party engaged by Navigare Space to process Customer Personal Data in connection with the Services. | | Supervisory Authority | The UK Information Commissioner's Office (ICO). |
Other capitalised terms have the meanings given in the Principal Agreement, or in Data Protection Laws.
3.1 Roles. With respect to Customer Personal Data:
(a) the Customer is the data controller; and (b) Navigare Space is a data processor acting on the Customer's documented instructions.
3.2 Customer obligations. The Customer warrants and undertakes that:
(a) it has a valid lawful basis under Data Protection Laws for processing Customer Personal Data, including for instructing Navigare Space to process it; (b) where required, it has provided privacy information to Data Subjects covering the processing carried out by Navigare Space on its behalf; (c) any instructions it gives Navigare Space comply with Data Protection Laws; and (d) its instructions are reasonable and proportionate.
3.3 Navigare Space obligations. Navigare Space:
(a) will process Customer Personal Data only on the documented instructions of the Customer, including with regard to transfers of personal data outside the UK, unless required to do otherwise by UK law (in which case Navigare Space will inform the Customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest); (b) will ensure that persons authorised to process Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality; (c) will take all measures required pursuant to Article 32 of the UK GDPR (set out in Annex 3); (d) will respect the conditions referred to in paragraphs 2 and 4 of Article 28 of the UK GDPR for engaging Sub-processors (§ 5 of this DPA); (e) will assist the Customer, by appropriate technical and organisational measures, in fulfilling the Customer's obligation to respond to requests for exercising Data Subject rights (§ 8); (f) will assist the Customer in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the UK GDPR, taking into account the nature of processing and the information available to Navigare Space (§ 9); (g) at the choice of the Customer, will delete or return all Customer Personal Data to the Customer after the end of the provision of services, and delete existing copies unless UK law requires storage (§ 10); and (h) will make available to the Customer all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the UK GDPR, and allow for and contribute to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer (§ 11).
3.4 Documented instructions. The Principal Agreement (including the Order Form and applicable Industry Schedule) constitutes the Customer's documented instructions to Navigare Space. Further instructions during the term must be given in writing (including by email or via the support channels) and must be reasonable and consistent with the Principal Agreement. Where Navigare Space considers an instruction infringes Data Protection Laws, it will inform the Customer.
The specifics of the processing under this DPA are set out in Annex 1:
(a) subject matter and duration of processing; (b) nature and purpose of processing; (c) types of Customer Personal Data; (d) categories of Data Subject; and (e) retention periods.
5.1 General authorisation. The Customer gives Navigare Space general written authorisation to engage Sub-processors for the processing of Customer Personal Data, subject to the conditions in this clause.
5.2 Current Sub-processors. A list of Sub-processors engaged by Navigare Space at the Effective Date is at Annex 2 and is also maintained at navigarespace.co.uk/subprocessors.
5.3 Changes to Sub-processors. Navigare Space will give the Customer at least 30 days' prior written notice of any intended addition or replacement of a Sub-processor processing Customer Personal Data. Notice may be given by email to the Customer's nominated contact and/or by updating the published list with a notification banner.
5.4 Objection right. Within 30 days of notification under § 5.3, the Customer may object to the proposed change on reasonable data-protection grounds, by written notice to Navigare Space. If, despite good-faith discussion, the parties cannot agree a way forward, the Customer may terminate the Principal Agreement on 30 days' written notice without further liability, save for Fees due for services rendered.
5.5 Sub-processor terms. Navigare Space will impose on each Sub-processor data-protection obligations that are no less protective than those set out in this DPA. Navigare Space remains fully liable to the Customer for the performance of those obligations by its Sub-processors.
5.6 Excluded Sub-processors. This clause does not apply to incidental disclosures to third parties not engaged to process personal data (e.g. internet service providers, electricity suppliers).
[SOLICITOR REVIEW: Confirm the 30-day notice / 30-day objection / 30-day termination cascade is operationally sustainable. Some larger customers may demand longer notice periods.]
6.1 UK data residency. Navigare Space will store and process Customer Personal Data within the United Kingdom. This includes Customer Personal Data stored in primary databases, replicas, backups, and operational systems.
6.2 Limited operational transfers. From time to time, Customer Personal Data may transit through Sub-processors located outside the UK to the extent strictly necessary for the operation of the Services (for example, email-sending infrastructure or content-delivery networks). Where this is the case:
(a) the relevant Sub-processor is identified in Annex 2; (b) the transfer is made on the basis of an adequacy decision under UK GDPR Article 45, or under an International Data Transfer Agreement or UK Addendum to the EU Standard Contractual Clauses; and (c) Navigare Space implements supplementary measures where required.
6.3 No transfer to high-risk jurisdictions. Navigare Space will not transfer Customer Personal Data to a jurisdiction lacking adequate safeguards under UK GDPR Chapter V, save with the Customer's prior written consent or as required by UK law.
7.1 Navigare Space will ensure that any person it authorises to process Customer Personal Data:
(a) is bound by a written confidentiality undertaking, or is subject to an equivalent statutory duty of confidentiality; (b) has received appropriate training on data protection; (c) has access to Customer Personal Data on a need-to-know basis only; and (d) is identifiable in audit logs of access to Customer Personal Data.
8.1 Customer responsibility. As data controller, the Customer is responsible for responding to Data Subject requests under UK GDPR Articles 12 to 23.
8.2 Navigare Space assistance. Taking into account the nature of the processing, Navigare Space will provide reasonable assistance to the Customer through appropriate technical and organisational measures, insofar as this is possible, to fulfil the Customer's obligation to respond to Data Subject requests.
8.3 How requests are handled.
(a) The Services include native functionality allowing the Customer to access, rectify, erase, restrict, port, and object to processing of Customer Personal Data within its instance. The Customer is expected to use this functionality where it is sufficient to respond to the request.
(b) Where a request is forwarded directly to Navigare Space by a Data Subject, Navigare Space will, without undue delay (and in any event within 5 working days), forward the request to the Customer's nominated contact and not respond to the Data Subject directly, save to confirm receipt and signpost the controller.
(c) Where the Customer requires assistance beyond what is achievable via native functionality (e.g. extraction of personal data from backups, or technical investigation of access logs), Navigare Space will provide such assistance:
9.1 Notification to Customer. Navigare Space will notify the Customer without undue delay, and in any event within 48 hours of becoming aware of any Personal Data Breach affecting Customer Personal Data.
9.2 Information provided. The notification will include, to the extent known at the time and as further information becomes available:
(a) a description of the nature of the breach; (b) the categories and approximate number of Data Subjects and records concerned; (c) the likely consequences of the breach; (d) the measures taken or proposed to address the breach and mitigate adverse effects; and (e) the contact point for further information.
9.3 Notification channel. Initial notification will be by email to the Customer's nominated data-protection contact, with telephone follow-up where reasonably appropriate.
9.4 Customer notification obligations. The Customer remains responsible for notifying the Supervisory Authority (where required under Article 33 of the UK GDPR) and Data Subjects (where required under Article 34). Navigare Space will provide reasonable assistance with such notifications.
9.5 No admission of liability. Notification of a Personal Data Breach by Navigare Space is not an admission of fault or liability.
10.1 During the term. The Customer may at any time export Customer Personal Data via native functionality within the Services.
10.2 At end of provision of services. Within 30 days of termination of the Principal Agreement, at the Customer's choice (notified in writing), Navigare Space will:
(a) return all Customer Personal Data to the Customer in a structured, commonly used, machine-readable format (typically a PostgreSQL database dump and filestore archive); or (b) delete all Customer Personal Data.
10.3 Backups. Following return or deletion under § 10.2, residual Customer Personal Data may persist in encrypted backups, which will be deleted in accordance with the backup retention schedule (currently up to 90 days). Such backups will not be restored to active systems except as required by law or to investigate a serious security incident.
10.4 Legal retention. Where UK law requires retention of certain records (for example, financial records under the Companies Act 2006), the data subject to such retention will be retained for the minimum period required, and processed solely for that purpose.
10.5 Confirmation. On the Customer's written request, Navigare Space will provide written confirmation of deletion within 14 days of the deletion taking effect.
11.1 Documentation. Navigare Space will, on reasonable request and no more than once per year (save where reasonably required by a Supervisory Authority or following a Personal Data Breach), make available to the Customer:
(a) this DPA and the current versions of Annexes 1, 2, and 3; (b) details of its security policies and procedures relevant to Customer Personal Data; (c) any third-party security or compliance certifications it holds (e.g. Cyber Essentials, ISO 27001 — where applicable); and (d) summary information on Sub-processors.
11.2 Audits. The Customer (or an independent auditor mandated by the Customer) may, no more than once per year and on at least 30 days' written notice, conduct audits to verify Navigare Space's compliance with this DPA, subject to:
(a) audits being conducted during normal working hours; (b) the auditor accepting reasonable confidentiality undertakings before access; (c) audits not unreasonably interfering with Navigare Space's operations; (d) Navigare Space's right to require the auditor not be a competitor of Navigare Space; (e) the Customer bearing its own audit costs, and bearing Navigare Space's reasonable costs of audit assistance beyond 8 hours per audit; and (f) audits being limited to information necessary to demonstrate compliance with this DPA.
11.3 Substitute documentation. Where Navigare Space holds a current third-party security certification covering the scope that would be subject to audit, the Customer accepts that the certification report (and reasonable supporting information) may satisfy this clause without an on-site audit.
[SOLICITOR REVIEW: Audit clause balance is delicate — too restrictive deters regulated customers, too open creates operational burden. Confirm with target customer types (legal, accountancy, estate agency) that this is acceptable.]
12.1 The limits of liability set out in the Principal Agreement apply to liability arising under this DPA, save where prohibited by Data Protection Laws.
12.2 Nothing in this DPA limits either party's liability where doing so is prohibited by Data Protection Laws, including in respect of fines imposed by the Supervisory Authority on a party for its own breach of Data Protection Laws.
13.1 This DPA takes effect on the Effective Date and continues for the duration of the Principal Agreement.
13.2 The following clauses survive termination of this DPA to the extent necessary: §§ 7, 9, 10, 11 (for so long as Customer Personal Data is retained), and 12.
14.1 Governing law and jurisdiction. This DPA is governed by the laws of England and Wales, and subject to the exclusive jurisdiction of the courts of England and Wales.
14.2 Modification. This DPA may be modified to reflect changes in Data Protection Laws or guidance from the Supervisory Authority on no less than 30 days' notice. Material changes that adversely affect the Customer entitle the Customer to terminate the Principal Agreement under § 5.4 (treating it as a Sub-processor objection).
14.3 Contracts (Rights of Third Parties) Act. Data Subjects are not third-party beneficiaries of this DPA and may not enforce its terms under the Contracts (Rights of Third Parties) Act 1999, save where Data Protection Laws expressly provide otherwise.
The processing of Customer Personal Data within the Services provided by Navigare Space under the Principal Agreement.
For the duration of the Principal Agreement, plus the periods specified in § 10 (return and deletion).
Hosting, storage, retrieval, organisation, structuring, modification, transmission, and (where appropriate) deletion of Customer Personal Data to enable the Customer to operate its business using the Services. Operations include:
Depending on the Customer's industry and use, Data Subjects may include:
Depending on the Customer's industry and use, this may include:
The Services are not designed to process special categories of personal data as a primary function. However, the Customer may, in the course of its business, input data that falls within special categories (for example, health information about a Veterinary patient's owner, or biometric measurements within a Wellness instance). The Customer is responsible for ensuring lawful basis under UK GDPR Article 9 for such processing.
The Services are not appropriate for storage of:
During the term of the Principal Agreement, Customer Personal Data is retained as long as the Customer keeps it within its instance. The Customer is responsible for setting and applying retention policies appropriate to its business and regulatory context.
After termination, retention follows § 10 of this DPA.
At the Effective Date, Navigare Space engages the following Sub-processors:
[SOLICITOR REVIEW: This list must reflect actual Sub-processors at execution. Examples below — adjust to reality.]
| Sub-processor | Location | Service provided | Categories of Customer Personal Data processed | |---|---|---|---| | [Hosting provider, e.g. Hetzner UK / OVH UK / dedicated UK data centre] | United Kingdom | Infrastructure hosting | All Customer Personal Data within the instance | | [Email transactional provider, e.g. Postmark, Mailgun EU] | UK / EU | Outbound transactional email (system notifications, password resets, invoice emails) | Recipient email addresses and email content | | [SMS gateway, e.g. Twilio / MessageBird — only if used by Customer] | UK / EU | Outbound SMS (only if Customer enables SMS features) | Recipient mobile numbers and message content | | [Backup storage provider, if separate from hosting] | United Kingdom | Encrypted off-site backup storage | All Customer Personal Data, encrypted | | [Monitoring / logging provider, e.g. Better Uptime / Sentry] | UK / EU | Service monitoring, error tracking | Limited metadata; no Customer Personal Data by default |
This list is updated at navigarespace.co.uk/subprocessors. Changes are notified under § 5.3.
Navigare Space implements and maintains the following technical and organisational measures to protect Customer Personal Data, in accordance with UK GDPR Article 32:
Navigare Space reviews its technical and organisational measures at least annually and adjusts them to reflect technological developments, changes to the threat landscape, and lessons learned from any incident.
[END OF DATA PROCESSING AGREEMENT]
Document prepared for review by qualified solicitor before publication. Not legal advice.
← All legal documents