Between:
Navos SaaS AB (the “Processor”)
Organization Number: 559570-1581
Address: Väktaregatan 2, 233 41 Svedala, Sweden
Email: navos-ai.team@outlook.com
And:
The Customer (the “Controller”)
[Customer details as specified in the service agreement or invoice]
Last Updated: February 11, 2026
Effective: Upon first payment to Navos SaaS AB
WHEREAS, the Customer uses Navos AI’s customer support automation services (“Services”), which involves the processing of personal data on behalf of the Customer;
WHEREAS, the Customer acts as the data controller and Navos acts as the data processor with respect to personal data processed in connection with the Services;
WHEREAS, this Data Processing Agreement (“DPA”) establishes the parties’ obligations regarding the processing of personal data in accordance with the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and applicable Swedish data protection laws;
NOW, THEREFORE, the parties agree as follows:
1.1 Terms used in this DPA shall have the same meaning as defined in the GDPR, including but not limited to:
1.2 Services means the Navos AI customer support automation platform, including:
- AI-driven customer service chatbot (v5.2.8 and v6.0.0)
- Email escalation system
- Live chat takeover functionality (Growth and Premium plans)
- Customer conversation analytics
- Chat widget integration
1.3 Chat Widget means the proprietary software interface provided by Navos for embedding on the Customer’s website to enable customer interactions.
2.1 Navos shall process personal data on behalf of the Customer only for the following purposes:
- Providing AI-powered customer support responses
- Escalating customer inquiries via email or live chat
- Analyzing conversation data to improve service quality
- Generating analytics and reports for the Customer
- Storing conversation history for the duration of the service agreement
2.2 Navos shall not process personal data for any purpose other than as instructed by the Customer or as required by applicable law.
2.3 AI Training and Classification: The Customer acknowledges and agrees that:
- Navos’s AI system autonomously determines whether customer inquiries constitute “chit-chat” (off-topic conversation) or legitimate support requests
- The AI continuously learns and improves its classification accuracy based on approved responses and feedback
- Navos may use aggregated, anonymized conversation data to train and improve the AI model
- No personally identifiable information is used for AI training without explicit consent
- The Customer retains the right to review and correct AI classifications through the Navos dashboard
2.4 The nature, subject matter, duration, and types of personal data processed are described in Annex A.
3.1 Compliance with Instructions
Navos shall:
- Process personal data only on documented instructions from the Customer
- Immediately inform the Customer if any instruction violates GDPR or applicable law
- Not transfer personal data to third countries without explicit authorization from the Customer
3.2 Confidentiality
Navos shall:
- Ensure that all personnel authorized to process personal data are bound by confidentiality obligations
- Restrict access to personal data to personnel who require access to perform the Services
- Maintain strict confidentiality of all personal data processed
3.3 Security Measures
Navos shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
Encryption: All personal data is encrypted in transit (TLS 1.3) and at rest (AES-256)
Access Control:
Data Segregation: Customer data is logically separated in the database using unique customer IDs
Infrastructure Security:
Incident Response: Documented procedures for identifying, responding to, and reporting security incidents
3.4 Sub-processors
The Customer authorizes Navos to engage the sub-processors listed in Annex B.
Navos shall:
The Customer may object to the appointment of a new sub-processor on reasonable grounds within 14 days of notification. If the Customer objects, the parties shall work together in good faith to find a resolution. If no resolution is found, either party may terminate the affected service.
3.5 Data Subject Rights
Navos shall:
- Assist the Customer in responding to data subject requests (access, rectification, erasure, restriction, portability, objection)
- Implement appropriate technical measures to enable such assistance
- Respond to the Customer’s requests for assistance within 5 business days
- Not respond directly to data subject requests without the Customer’s prior written authorization
3.6 Data Breaches
Navos shall notify the Customer without undue delay, and in any event within 24 hours, of becoming aware of a personal data breach.
The notification shall include:
Navos shall provide reasonable assistance to the Customer in complying with the Customer’s obligation to notify the supervisory authority and affected data subjects.
3.7 Data Protection Impact Assessment
Upon the Customer’s request, Navos shall provide reasonable assistance in conducting data protection impact assessments and prior consultations with supervisory authorities.
3.8 Audits and Inspections
Navos shall make available to the Customer all information necessary to demonstrate compliance with this DPA.
The Customer may conduct audits or appoint an independent third-party auditor to conduct audits, subject to:
Navos may charge reasonable fees for assistance with audits exceeding 4 hours per year.
4.1 The Customer warrants that:
- It has the legal basis to process and instruct Navos to process personal data
- It has provided appropriate privacy notices to data subjects
- It has obtained necessary consents where required
- Its instructions to Navos comply with applicable law
4.2 The Customer shall:
- Ensure the accuracy of personal data provided to Navos
- Respond promptly to data subject requests
- Notify Navos of any restrictions or changes that affect processing
- Maintain appropriate technical and organizational measures on its own systems
5.1 Retention Period
5.2 Deletion Upon Termination
5.3 Data Portability
Upon request during the term of the agreement, Navos shall provide the Customer with copies of personal data in JSON or CSV format within 10 business days.
6.1 Navos processes personal data within the European Economic Area (EEA).
6.2 Navos uses the following sub-processors that may involve international data transfers:
- Anthropic, Inc. (United States) – AI model provider (Claude)
- Supabase, Inc. (United States) – Database hosting
6.3 For transfers to third countries, Navos relies on:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Adequacy decisions where applicable
- Supplementary measures as required to ensure adequate protection
6.4 The Customer authorizes such transfers, provided Navos ensures appropriate safeguards are in place.
7.1 Intellectual Property
7.2 Chat Widget License
The Chat Widget is licensed, not sold, to the Customer.
The license is valid only for the duration of the active service subscription.
The Customer may:
The Customer may NOT:
7.3 Termination of License
7.4 Enforcement
Unauthorized use of the Chat Widget after termination constitutes copyright infringement and breach of this Agreement.
Navos reserves the right to:
The Customer acknowledges that the Chat Widget contains proprietary technology and that unauthorized use would cause irreparable harm to Navos.
7.5 Data Upon Termination
For clarity, the obligations in Section 5.2 (data deletion/return) remain in full force regardless of whether the Customer purchases a perpetual Chat Widget license.
8.1 Limitation of Liability
Each party’s total aggregate liability under this DPA shall not exceed the fees paid by the Customer in the 12 months preceding the claim.
Neither party shall be liable for indirect, incidental, consequential, special, or punitive damages, except in cases of:
8.2 Indemnification
Navos shall indemnify and hold harmless the Customer from any claims, damages, or costs arising from Navos’s breach of this DPA or applicable data protection laws.
The Customer shall indemnify and hold harmless Navos from any claims, damages, or costs arising from:
9.1 Term
This DPA shall commence on the Effective Date and shall remain in force for as long as Navos processes personal data on behalf of the Customer.
9.2 Termination for Cause
Either party may terminate this DPA immediately upon written notice if the other party:
- Materially breaches this DPA and fails to cure within 30 days
- Becomes subject to insolvency proceedings
- Is unable to comply with applicable data protection laws
9.3 Effect of Termination
Upon termination:
- Navos shall cease all processing of personal data (except as required for deletion/return)
- The obligations in Section 5.2 (data deletion/return) shall apply
- The Chat Widget license shall terminate (Section 7.3)
- Confidentiality obligations shall survive for 5 years
10.1 Governing Law
This DPA shall be governed by and construed in accordance with the laws of Sweden, without regard to conflict of law principles.
10.2 Dispute Resolution
Any disputes arising under this DPA shall first be subject to good faith negotiations between the parties.
If negotiations fail within 30 days, either party may submit the dispute to the courts of Sweden.
Disputes relating to data protection compliance may also be submitted to the Swedish Authority for Privacy Protection (IMY).
10.3 Amendments
This DPA may only be amended by written agreement signed by both parties, except:
- Navos may update Annex B (sub-processors) with 30 days’ notice
- Changes required by law or supervisory authority shall be effective immediately
10.4 Severability
If any provision of this DPA is held to be invalid or unenforceable, the remaining provisions shall remain in full force and effect.
10.5 Entire Agreement
This DPA, together with the service agreement between the parties, constitutes the entire agreement regarding data processing and supersedes all prior agreements.
10.6 Order of Precedence
In case of conflict between this DPA and the service agreement, this DPA shall prevail on matters relating to data protection.
10.7 Notices
All notices under this DPA shall be in writing and sent to:
Navos SaaS AB:
Email: navos-ai.team@outlook.com
Address: Väktaregatan 2, 233 41 Svedala, Sweden
Customer:
To the email address provided in the service agreement or invoice
10.8 Language
This DPA is executed in English. In case of discrepancy between translations, the English version shall prevail.
This Data Processing Agreement is incorporated by reference into all Navos SaaS AB service agreements and invoices.
By paying any invoice from Navos SaaS AB, the Customer acknowledges that:
1. The Customer has read and understood this DPA in its entirety
2. The Customer accepts all terms and conditions herein
3. The Customer authorizes Navos to process personal data as described
4. Payment constitutes legally binding acceptance under Swedish law (Avtalslagen)
No separate signature is required. Payment of the invoice serves as conclusive evidence of acceptance of this DPA.
Date of Last Update: February 11, 2026
Effective Date: Upon first payment to Navos SaaS AB
Navos SaaS AB
Organization Number: 559570-1581
Väktaregatan 2, 233 41 Svedala, Sweden
Email: navos-ai.team@outlook.com
Website: www.navos-ai.com
Subject Matter: Provision of AI-powered customer support automation services
Duration: For the term of the service agreement
Nature: Automated and manual processing of customer service inquiries
Purpose:
- Respond to customer inquiries using AI (Claude Sonnet 4)
- Escalate complex inquiries to human agents
- Store conversation history for service continuity
- Generate analytics and insights for the Customer
- Improve service quality through machine learning
The following categories of personal data may be processed:
Navos does NOT intentionally process special categories of personal data (racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data, health data, sex life, or sexual orientation).
If such data is inadvertently provided by a data subject, the Customer shall be notified immediately and such data shall be deleted unless the Customer provides documented legal basis for processing.
The following processing operations are performed:
Navos uses the following sub-processors to provide the Services:
| Sub-processor | Service | Location | Purpose | Safeguards |
|---|---|---|---|---|
| Supabase, Inc. | PostgreSQL database hosting | United States (AWS eu-north-1) | Customer data storage | SCCs, encryption at rest |
| Amazon Web Services (AWS) | Cloud infrastructure | European Union (Stockholm) | Server hosting | ISO 27001, GDPR compliant |
| Anthropic, Inc. | Claude AI API | United States | Natural language processing for customer inquiries | SCCs, data minimization, no training on customer data |
| Amazon SES | Email delivery | European Union | Escalation email notifications | GDPR compliant, encrypted in transit |
Navos shall notify the Customer at least 30 days before engaging a new sub-processor. The Customer may object to a new sub-processor as described in Section 3.4 of this DPA.
Current notification method: Email to the Customer’s registered contact address
Navos implements the following measures to ensure data security:
Physical Access Control:
- Data centers operated by AWS with 24/7 security
- Biometric access controls
- Video surveillance

System Access Control:
- Multi-factor authentication (MFA) for all administrative access
- Role-based access control (RBAC)
- Unique user IDs for all personnel
- Automatic session timeout after 30 minutes
- Access logs retained for 12 months

Data Access Control:
- Principle of least privilege
- Customer data segregation using unique identifiers
- Encrypted database connections (TLS 1.3)
- Access requires business justification and approval

Backup and Recovery:
- Automated daily backups
- Point-in-time recovery capability
- Backups encrypted with AES-256
- Regular backup restoration tests (quarterly)
- Geographic redundancy (multiple AWS availability zones)

Resilience:
- 99.9% uptime SLA
- Redundant infrastructure
- Automatic failover mechanisms
- Documented disaster recovery plan

END OF DATA PROCESSING AGREEMENT