Data processing agreement (DPA)

This DPA shall not apply to any data processing activity that is subject to Nave’s Privacy Policy (e.g. to any activity performed by Nave as data controller). This DPA is an integral part of the Terms of Service and by accepting the Terms of Service, the User also accepts this DPA.

1. Definitions

1.1 “The Terms of Service” are the Terms of Service of Nave LTD. of which this DPA is an integral part.

1.2 Personal data processing (“Data Processing”/ “Processing”) refers to any operation or set of operations which is performed on personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

1.3 “The Regulation” is Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

1.4 “Applicable Rules/ Applicable Personal Data Rules”, within the meaning of the present DPA, are the Regulation, as well as all other applicable legislative acts in effect (regulations, laws, ordinances, etc.), documented orders issued by the User, etc., regulating the personal data protection and processing.

1.5 “User’s Personal Data” (“User’s Data”) are any personal data contained in the User Content that were synced with the Product in the User Account.

1.6 All terms and definitions used in the present DPA which are not defined shall have the meaning used in the Terms of Service, and if a definition is not provided in the Terms of Service, they shall have the meaning provided in the Regulation, or if not defined in Regulation – the meaning pursuant to the other relevant Applicable Rules. This shall apply to terms, including “Personal Data”, “Controller”, “Processor”, “Processing”, etc.

2. Scope of Application of the Present DPA

2.1 To provide its Product and Services, in certain cases Nave processes personal data as a Data Controller. These cases are arranged in the Privacy Policy and include among others the following:

a. when it is necessary for the conclusion and performance of the contract concluded between the User and Nave under the Terms of Service with regard to the use of the Product;

b. when it is necessary for protecting and exercising the legitimate interests of Nave and third parties (e.g. ensuring Nave’s website and Product’s security and normal functioning);

c. when it is necessary for fulfilment of Nave's legal obligations (e.g. fulfilling legal obligations with regard to accounting, tax, financial and invoice activities);

d. when Nave gathers explicit consent (e.g. sending marketing communications and newsletters).

The present DPA does not apply in cases where Nave processes personal data as Data Controller. Nave processes Personal data as Data Controller as described in and in accordance with its Privacy Policy, which is an integral part of the Terms of Service.

2.2 The present DPA does not apply to the relations between the User and/or the Platform Users and third-party service providers – Platforms, whose services are used (such as Trello, Asana, Jira, Azure DevOps, ZenHub, etc.). Nave is not a party to the contractual relations between User and/or Platform Users and such third parties and is not in any way responsible for any personal data processing carried out by such third parties.

2.3 In regard to User’s Data as defined in this DPA, Nave processes personal data as Data Processor on behalf of the User. The present DPA applies only to processing operations carried out by Nave as Data Processor.

3. Obligations of the User

3.1 By entering into the Agreement and this DPA, the User acknowledges that (i) the User is the sole Controller of User’s Data or (ii) has been duly instructed by and obtained authorization from the relevant Controller(s) to act and assign on behalf of the relevant Controller(s) the processing of User’s Data by Nave as set out in this DPA.

3.2 The User:

a. undertakes to ensure and bear full responsibility that the requirements of the Regulation, the Terms of Service and this DPA will be respected and complied with by the User, its Representatives, personnel, the Platform Users and all other persons to whom it might provide personal data;

b. undertakes to bear full responsibility for Data Subject’s request under the Regulation in regard to User’s Data;

c. shall not process special categories of personal data within the meaning of Art. 9 and Art. 10 of the Regulation through the Product. The Product is not intended for collecting, processing and storing of such types of data.

3.3 The User shall be fully responsible to ensure that all User’s Data that are synced with the Product in the User Account are appropriate to be synched and that their synchronization in the User Account is lawful and compliant with the Applicable Rules. The User shall be fully responsible for any actions of synchronization or deletion of User’s Data in the User Account, this also involving any such actions performed by Platform Users. For avoidance of any doubt the actions of any person to whom an access to User Account has been granted (e.g. legal representatives, Platform Users) shall be considered actions of the User, therefore any action of synchronization or deletion of User’s Data is under the sole control of the User.

3.4 The User is solely responsible to check whether the measures for protection of the User’s Data specified in this DPA are appropriate to the risk of processing the User’s Data. In cases where those measures or other terms and provisions relevant to the processing of the User’s Data within the use of the Product do not comply or are incompatible with the requirement applicable to the processing and protection of the respective User’s Data or to the activities of the User, the User shall not use the Product or respectively shall restrict the use of the Product solely to User’s Data for which the applied measures are sufficient to ensure the compliance with the Applicable Rules for their processing.

4. Obligations of Nave as Data Processor

4.1 The User assigns to Nave to process the User’s Data for the purposes of providing the Services on the User’s behalf, strictly complying with the Terms of Service, this DPA and the User’s Instructions.

4.2 Nave undertakes not to process User’s Data for purposes other than those specified in the Terms of Service and this DPA, except when required to do so under applicable law.

4.3 Documented instructions for data processing: The instructions that are binding for Nave regarding the processing of the User’s Data are only the instructions outlined in this DPA and the instructions made through the very use of the functionalities available when using the Product (e.g. button/ functions for synchronization, deletion, etc.). The User agrees that they will submit their instructions in the manner provided for within the Product and that these instructions shall be in compliance with the Regulation. No instruction submitted in text form, incl. such as instructions sent via email or the online chat option will be binding for Nave, unless explicitly confirmed in writing by Nave.

4.4 The User declares that they have been informed that on some occasions set forth by law, Nave may be required to keep and disclose certain data that it has processed on their behalf to the competent authorities. Nave undertakes to inform the User of such orders, except in the cases when it is prohibited by law.

4.5 The Data Processing, related to the provision of the Services, takes place in the EU. Nave shall not use any equipment located outside the EU to process User’s Data.

4.6 Subcontractors. Nave works with Google as subcontractor for the service Google Cloud Platform (a data center service). Nave’s contract with Google requires Google to carry out data processing under the contract only within the EU and to ensure the necessary level of security. The User agrees to the use of Google and generally authorizes Nave to engage other eventual subcontractors (e.g. sub-processors) for the provision of the Product and the Services. In the event of any change, the User will be explicitly notified prior to the change. If the User does not object to such change within 5 working days, then the change shall be deemed permitted by the Client.

5. Storage and Erasure of Data

5.1 The User assigns and Nave undertakes to:

a. provide technical solution to enable the storage and processing of User Content for the duration for which the User uses the Services and up to 3 (three) months after the termination of the Agreement between the User and Nave regardless of the reason for such termination. Unless it is manually deleted earlier by the User, upon the expiry of this term the User Content, including all User’s Data, that may be contained therein shall be automatically deleted by Nave in a secure manner so that the deleted User’s Data is not recoverable. This obligation of Nave does not waive the User’s obligation as Data Controller to retain or delete personal data in accordance with the requirements of the Regulation;

b. provide technological functionality in the Product to enable Users to delete User Content, including User’s Data at any time during the use of the Services. The deletion of User’s Data in the Product is done by using the functionality in the User Account for deleting already created dashboards. To avoid future storage and processing of User Content by Nave, the User must de-synchronize the Product with the respective Platform. Otherwise, deleting specific User Data without de-synchronizing an entire set of User Content in the Product (for example, removing only elements of the dashboard, instead of removing the entire dashboard in Trello) could be done in the respective Platform where this User Content is originally stored by using the deletion functionalities therein (if any);

5.2 The User shall not store in their User Account, nor retrieve and process, User’s Data for the processing of which the User has no legal ground or the same has become invalid. In such cases, the User shall be obliged to immediately take measures for deletion of the respective User’s Data.

5.3 Upon the termination of this Agreement, the User is entitled at any time before the expiration of the period established herein above in item 5.1 (a) to request from Nave to delete any User’s Content that is in User Account and to de-synchronize from the terminated User Account all the Platforms that have been synchronized therein before the termination of the Agreement, if this was not done by the User before the termination of the Agreement. The de-synchronization and/or deletion of the User Content in the User Account does not affect the availability of this content in the respective Platforms.

6. Scope of the Assigned Activities

The scope of the processing activities assigned by the User to Nave with the acceptance of these Terms of Service and with the use of the Product is defined as follows:

6.1 Objective: the use of the Product by the User.

6.2 Data subjects: persons whose personal data is contained in the User Content who may be any person whose personal data is contained in the boards which are synced with the Product in the User's Account.

6.3 Data: User’s Data as defined in this DPA;

6.4 Subject and nature: Provision of a technical solution (the Product) that enables the User to generate visualizations through the creation of cumulative flow diagrams, cycle time scatterplots, throughput histograms and others associated with the Platforms' boards. The User Content (along with any User’s Data included therein) that is synched from the User’s Platforms’ boards is stored and available within the Product during the use of the Services. The User Content is processed automatically by the means of the analytical functionalities of the Product to generate the respective visualisation. Besides the above processing, Nave may access the User’s content for the purposes of ensuring the maintenance of the Product and its normal functioning, incl. in cases where the User reports problems with the use of the Product (e.g. to check and fix bugs) etc.

6.5 Term: for the duration of the Agreement between the User and Nave and for a period of up to 3 months after the termination.

7. Security

Nave undertakes to:

7.1 apply technical and organizational measures (with regard to personnel, buildings, software, hardware, networks, servers, encryption, control, reporting and monitoring, etc.) to ensure a level of protection against unauthorized or incidental access, loss, change, disclosure or erasure of data, that takes into consideration the relevant risks. A detailed description of the technical and organisational measures that Nave undertakes to apply can be found in Annex I to this DPA;

7.2 guarantee that all persons authorized by Nave to process data shall be bound by obligation of confidentiality and shall undergo regular trainings on the protection of personal data in accordance with their activities;

7.3 not disclose personal data belonging to the User to any third party in any circumstances, except as provided for in the Terms of Service or by law.

8. Audits on personal data processing

8.1 Nave undertakes to provide the necessary assistance to a competent supervisory authority in carrying out audits and checks of the personal data processing activities assigned by the User.

8.2 Nave shall upon request provide information necessary to demonstrate compliance with the obligations applicable to it under the Regulation. In case in relation to the User’s personal data processing obligations additional checks are required, it is possible to assign an audit after signing a preliminary agreement with Nave, specifying the scope, duration and a mutually agreed certified auditor under the Regulation. In performing such an audit, the User undertakes to pay all fees, remunerations and costs for the performed activities and services, both by the auditor and by Nave. An audit may be conducted only in a manner and to an extent that do not prejudice the obligations and rights of other users of the Product and Services with regards to personal data protection.

9. Notification of the User

Nave undertakes to inform the User:

9.1 in the event of an inspection undertaken by a supervisory authority in relation to the processing of User’s Data, except in cases where this is prohibited by law;

9.2 if it is unable to fulfil its obligations under this DPA for any reason;

9.3 without undue delay (but no later than 24 hours of becoming aware) if it detects a security breach concerning the User’s Data.

10. Assistance provided by Nave

10.1 To the extent relevant and directly related to the provided Services and the assigned data processing, Nave undertakes to:

a. assist the User, if the User needs to demonstrate the performance of their obligations in relation to the data processing assigned to Nave;

b. assist the User in performing their obligations to notify the supervisory authority in the event of a security breach;

c. assist the User in performing their obligations to notify the Data Subjects in the event of a security breach;

d. assist the User in performing their obligations to conduct a Data Protection Impact Assessment and Prior Consultation with the supervisory authority;

e. assist the User, as far as possible and reasonably expected, by providing technical and organizational measures and functionalities within the Product, in performing their obligations related to requests regarding data protection rights by Data Subjects;

10.2 The User assigns and Nave undertakes, upon receipt of a request for exercising of rights of a Data Subject under the Regulation to inform the Data Subject that he/she should contact the User directly.

11. Liabilities

11.1 A processor shall be liable for the damage caused by processing only where it has not complied with obligations of the Regulation specifically directed to processors or where it has acted outside or contrary to lawful instructions of the Controller. Where a Controller or Processor has paid full compensation for the damage suffered, that Controller or Processor shall be entitled to claim back from the other Controllers or Processors involved in the same processing that part of the compensation corresponding to their part of responsibility for the damage.

11.2 If a User violates any of its obligations and acknowledgments under this DPA, the User undertakes to indemnify and hold harmless Nave and its subcontractors from all liabilities, claims, expenses and similar from a third party claim and/or administrative/pecuniary sanction arising out of or relating to the violation of the User’s obligations or acknowledgments under the present DPA.

12. Additional Provisions

12.1 If any provision of this DPA is held to be void or unenforceable for any reason, such provision shall be reformed only to the extent necessary to make it enforceable. This shall have no effect on the other provisions hereof or of the Terms of Service. The invalid clause will be replaced by the mandatory rules of the law or by the established practice.

12.2 This DPA is governed by the law applicable to the Terms of Service.

Minimum technical and organizational measures

Nave shall implement and apply various technical and organizational measures to protect personal data. The types of measures which Nave shall implement refer to physical, personnel and documentary protection, protection of automated information systems and/or networks and cryptographic protection. In cases where Nave uses sub-processors, such sub-processors apply security measures that provide an equal or higher level of security.

| Type of protection | Category of measures | Implemented Types of Measures | Comments |
|---|---|---|---|
| Physical protection | Technical measures | Locking the premises | User Data is stored only on Google Cloud Platform |
| | | Fire extinguishers and fire detection systems | User Data is stored only on Google Cloud Platform |
| | | Equipment of the premises where personal data is processed | User Data is stored only on Google Cloud Platform |
| | Organizational measures | Allocation of premises where ICT systems for processing of personal data are situated | User Data is stored only on Google Cloud Platform. The devices of Nave from which User Data could be accessed are situated on premises where they could be accessed only by their respective user (Nave employee). |
| | | Control of physical access | User Data is stored only on Google Cloud Platform |
| | | Technical means for physical protection | User Data is stored only on Google Cloud Platform |
| Personnel protection | Organizational measures | Knowledge of legislation relating to the protection of personal data | |
| | | Knowledge of threats to personal data | |
| | | Consent to assume an obligation of non-disclosure of personal data | |
| | | Introducing specific qualification and experience requirements for persons who will process personal data | |
| Documentary protection | Organizational measures | Prohibition for printing out the synced data from Users Account, except for cases where explicitly required by a competent authority or necessary for exercise, establishment or protection against claims | |
| | | Procedures for destruction | |
| | | Rules for reproduction and distribution | |
| | | Procedures for inspection and control of processing | |
| Protection of automated information systems and/or networks | Technical measures | Identification and authentication | We enforce password requirements to protect all our accounts. We require strong passwords by monitoring users’ password strength and we prevent users from reusing old passwords. We also require two-factor authentication. |
| | | Copies/ backups for recovery | Nave uses Google’s backup system. Backups are taken and permanently destroyed on a weekly basis. |
| | | Cryptographic protection | Nave stores all User’s Data on a dedicated server managed by Google Cloud Platform. Google Cloud Platform encrypts customer data stored at rest and in transit by default. Data is automatically encrypted prior to being written to disk. Each encryption key is itself encrypted with a set of master keys. Keys and encryption policies are managed the same way, in the same keystore, as for Google’s production services. Google's backup system ensures that data remains encrypted throughout the backup process. The backup system further encrypts each backup file independently with its own data encryption key (DEK), derived from a key stored in Google's Key Management Service (KMS) plus a randomly generated per-file seed at backup time. Another DEK is used for all metadata in backups, which is also stored in Google's KMS. |
| | | Remote access via secure channels only | The access to our servers is established through VPN or SSH. |
| | | Access control | The access to production is limited to the admin role in the User’s organizational structure. When a User’s employee is offboarded, their accounts are removed from our platform. The passwords to any User’s accounts the employee had access to are then changed. |
| | Organizational measures | Procedures for destruction/ removal/ deletion of media | |
| | | Accidents/ contingency planning | Nave acts in accordance with its Security Information Breach Notification Policy. |
| | | Action plans for unforeseen events related to the system applications and the devices | Nave acts in accordance with its Security Information Breach Notification Policy. |
| | | Log keeping for the activities performed | |