Data Processing Agreement
This Data Processing Agreement ("DPA") is concluded between SquareGPS Inc (Data Processor) and Customer as defined in SquareGPS Terms of Service (Data Controller).
This DPA forms an integral part of the SquareGPS Terms of Service and applies when SquareGPS processes personal data on behalf of Customer through the Navixy platform.
1. Definitions
Capitalized terms not otherwise defined herein shall have the meaning given to them in the General Data Protection Regulation (2016/679).
- "Applicable Laws" means all applicable data protection, privacy and electronic marketing legislation, including GDPR, UK Data Protection Act 2018, CCPA, and equivalent laws worldwide.
- "Data Controller" means the Customer entity determining the means and purpose of processing Personal Data.
- "Data Processor" means SquareGPS processing Personal Data on behalf of Data Controller.
- "Services" means the Navixy platform and all related GPS tracking, fleet management, and associated services.
- "GDPR" means EU General Data Protection Regulation 2016/679.
- "Personal Data" means any information relating to an identified or identifiable natural person processed through the Services.
- "Sub-processor" means any third party engaged by SquareGPS to process Personal Data in connection with the Services.
2. Scope of processing
2.1 Processing Details: Navixy shall process Personal Data as described in Annex 1.
2.2 Processing Instructions:
- SquareGPS processes Personal Data solely on documented instructions from Data Controller
- Customer's use of the Navixy platform constitutes processing instructions
- SquareGPS will inform Customer if instructions violate Applicable Laws
2.3 Customer Warranties: Customer warrants that all Personal Data has been collected lawfully, that Customer has an appropriate legal basis for processing, and that Customer is authorized to instruct Navixy to process such data.
3. Sub-processing
3.1 Authorization: Customer authorizes SquareGPS to engage Sub-processors, subject to 30 days' prior notice. The current list is available on our Subprocessors page. Customer may object within 30 days on reasonable grounds.
3.2 Sub-processor Requirements: Navixy ensures Sub-processors are bound by equivalent data protection obligations, implement appropriate measures, and are subject to Standard Contractual Clauses for international transfers.
3.3 Liability: Navixy remains fully liable for Sub-processor performance of data protection obligations.
4. Security measures
4.1 Technical and Organizational Measures:
- Encryption of Personal Data in transit and at rest
- Access controls and authentication mechanisms
- Regular security testing and vulnerability assessments
- Incident response procedures
- Staff training on data protection
4.2 Detailed security measures are available in our Security documentation.
4.3 Records of Processing: SquareGPS maintains records including categories of processing activities, data subjects and categories, recipients and international transfers, retention periods and security measures.
5. Data subject rights
5.1 Assistance with Requests: SquareGPS will promptly notify Customer of any direct requests, provide technical assistance, and not respond directly except on Customer instructions.
5.2 Available Assistance: SquareGPS will help facilitate access (Art. 15), rectification (Art. 16), erasure (Art. 17), data portability (Art. 20), and other rights under Applicable Laws.
6. Data breach notification
6.1 SquareGPS will notify Customer within 24 hours of becoming aware of a Personal Data breach.
6.2 Notification will include nature and categories of affected data, approximate number of affected subjects, likely consequences, measures taken, and contact details.
6.3 SquareGPS will cooperate with Customer's breach response and regulatory notifications.
7. Data deletion and return
7.1 End of Service: Upon termination, SquareGPS will delete or return all Personal Data within 30 days if requested, retain data in anonymized form for statistical purposes if no deletion request is made, and provide certification of deletion upon request.
7.2 Customer Options at Termination:
- Complete deletion: Customer may request immediate deletion
- Standard retention: Without deletion request, data may be retained in anonymized and aggregated form
- Data export: Customer is responsible for exporting data before termination
7.3 Anonymization Process: All direct identifiers are removed or encrypted, data is aggregated to prevent re-identification, and statistical data cannot be traced back to individuals.
8. International data transfers
8.1 Transfer Mechanisms: Adequacy decisions, Standard Contractual Clauses, and UK International Data Transfer Agreement.
8.2 Current data processing locations are documented in our Data Residency documentation.
8.3 By using the Services, Customer consents to international transfers as described.
9. Audits and compliance
9.1 SquareGPS will provide information necessary to demonstrate DPA compliance, including third-party certifications, compliance reports, and security documentation.
9.2 Customer may audit SquareGPS compliance upon reasonable notice and at Customer's expense, through third-party auditors subject to confidentiality.
10. Data protection impact assessments
SquareGPS will assist Customer with Data Protection Impact Assessments when processing activities are likely to result in high risk, when Customer specifically requests assistance, and when assistance relates to SquareGPS processing activities.
11. Liability and indemnification
11.1 SquareGPS will be liable for damages caused by processing that violates GDPR processor obligations or by acting outside lawful Customer instructions.
11.2 Subject to general liability limitations in the Terms of Service.
12. Miscellaneous
12.1 Term: This DPA remains in effect while SquareGPS processes Personal Data for Customer.
12.2 Modifications: SquareGPS may update this DPA with 45 days' notice for legal compliance requirements.
12.3 Precedence: In case of conflict: (1) Standard Contractual Clauses, (2) this DPA, (3) Terms of Service.
12.4 Contact: Data Protection inquiries: privacy@navixy.com — Security incidents: security@navixy.com
Annex 1: Details of processing
A. Purpose and nature of processing
Primary Purpose: Providing services for online location and tracking of assets, people, vehicles, pets, and other objects in real-time through the Navixy platform.
Specific Processing Activities:
- Real-time GPS and GLONASS location tracking
- Historical trip and route data analysis
- Telematics data processing and enrichment
- Geo-fence monitoring and alert generation
- Fleet management and optimization analytics
- Mobile workforce coordination and task management
- Vehicle maintenance scheduling and cost calculation
- Fuel consumption monitoring and fraud prevention
- Driver behavior analysis and safety scoring
- Integration with IoT devices and sensors
- White-label GPS tracking platform services
- API access and data forwarding to third-party systems
B. Duration of processing
- Active service period: For the duration of Customer subscription
- Data retention during service: Location and tracking data stored for platform features and historical analysis
- Post-termination: 30 days for data deletion/return upon request
- Legal retention: As required by applicable law
- Backup retention: Up to 90 days in secure backup systems for disaster recovery
C. Categories of data subjects
Primary Data Subjects:
- Vehicle drivers and fleet operators
- Field service technicians and mobile workers
- Fleet managers and supervisors
- Customer administrators and account holders
- End users of Customer's GPS tracking services
Secondary Data Subjects:
- Customer support contacts
- Billing and payment contacts
- Technical integration personnel
- Emergency contacts for tracked assets
- Passengers in tracked vehicles (for public transit)
D. Types of personal data processed
Identity and Contact Data: Full names, email addresses, phone numbers, employee IDs, professional titles, company affiliation.
Location and Movement Data: GPS coordinates, historical routes, speed and direction, geofence records, time-stamped location history.
Vehicle and Asset Information: Registration numbers, VIN, asset IDs, maintenance records, fuel consumption, mileage.
Technical and Device Data: IP addresses, device identifiers (IMEI, MAC), GPS tracker info, mobile app usage, API access logs.
Operational and Behavioral Data: Driver behavior metrics, work hours, task completion records, communication logs, alert preferences.
Financial and Billing Data: Billing addresses, payment information, invoice history, subscription details.
Sensor and Telematics Data: Engine diagnostics, CAN bus data, temperature sensors, fuel levels, vehicle security status, cargo monitoring, digital video recordings (where applicable).
E. Special categories of data
SquareGPS does not intentionally collect or process special categories of personal data (e.g., health data, biometric data). If such data is inadvertently processed through voice recordings, video surveillance, or health monitoring devices connected to the platform, Customer must immediately notify SquareGPS and ensure that an appropriate legal basis exists.
F. Processing operations
Collection: Automatic reception of GPS/sensor data, manual data entry, API imports, telematics data reception and enrichment.
Storage: Real-time tracking of up to 25,000 assets per account, secure encrypted database storage, backup and disaster recovery.
Analysis: Mobile asset management analytics, route optimization, driver behavior analysis, fuel consumption analysis, anonymized statistical analysis.
Visualization: Reports in multiple formats, real-time dashboards, historical data via TimeMachine, custom scheduled reports.
Communication: Instant notifications and alerts, email/SMS notifications, in-app messaging, emergency response coordination.
Integration: API access for third-party systems, data export (CSV, XML, JSON), white-label customization.
Deletion: Automated purging based on retention policies, secure deletion upon request, anonymization for statistical purposes, certificate of destruction.
G. International transfers
Data Center Locations:
- EU data center: Personal Data of users from Eurasia and Africa processed in EU (Frankfurt)
- US data center: Personal Data of users from the Americas processed in US
- Cross-region processing: Limited transfers for technical support, backup, and service continuity
Transfer Safeguards: Standard Contractual Clauses, UK IDTA, adequacy decisions, Binding Corporate Rules.
Regional Data Residency: Customers can specify preferred residency during onboarding. See our Data Residency documentation.