Data Processing Addendum
Last revised: July 11, 2025
About this DPA: This Data Processing Addendum supplements the Navis One Lab, LLC Master Subscription Agreement. It incorporates the latest Standard Contractual Clauses (SCCs). Everyone using our service gets the same high standards of privacy and security. To execute a DPA, email support@cooby.co.
1. Definitions
1.1 Affiliate
Means (i) an entity of which a party directly or indirectly owns fifty percent (50%) or more of the stock or other equity interest, (ii) an entity that owns at least fifty percent (50%) or more of the stock or other equity interest of a party, or (iii) an entity which is under common control with a party by having at least fifty percent (50%) or more of the stock or other equity interest of such entity and a party owned by the same person, but such entity shall only be deemed to be an Affiliate so long as such ownership exists.
1.2 Authorized Sub-Processor
Means a third-party who has a need to know or otherwise access Customer's Personal Data to enable Company to perform its obligations under this DPA or the Agreement.
1.3–1.13 Key Definitions
Data Exporter: Customer. Data Importer: Company (Navis One Lab, LLC).
Data Protection Laws: CCPA, EU GDPR, UK GDPR, Swiss FADP, UK Data Protection Act 2018.
EU SCCs: Standard contractual clauses approved by the European Commission in Decision 2021/914 (June 4, 2021).
Standard Contractual Clauses: EU SCCs and UK SCCs.
2. Relationship of the Parties; Processing of Data
Customer may act as controller or processor. Company is a processor except where expressly stated. Customer shall process Personal Data and provide instructions in compliance with Data Protection Laws.
Company shall not process Personal Data for purposes other than those set forth in the Agreement and/or Exhibit A, in a manner inconsistent with this DPA, or in violation of Data Protection Laws.
Following completion of the Services, at Customer's choice, Company shall return or delete Customer's Personal Data.
CCPA: Company is a service provider for CCPA purposes and shall not sell Customer's personal information.
3. Confidentiality
Company shall ensure that any person it authorizes to process Personal Data has agreed to protect Personal Data in accordance with Company's confidentiality obligations.
4. Authorized Sub-Processors
Customer authorizes Company to engage Affiliates and Authorized Sub-Processors. A list is available at cooby.co/trust/subprocessors. Company provides 10 days' notice before adding new sub-processors. Customer may object on reasonable data protection grounds within 10 days.
Company enters written agreements with sub-processors imposing comparable data protection obligations.
5. Security of Personal Data
Company shall maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk.
6. Transfers of Personal Data
Personal Data may be transferred outside the EEA, UK, or Switzerland. Primary processing is in the United States. Ex-EEA transfers use EU SCCs (Module Two: Controller to Processor; Module Three: Processor to Sub-Processor). EU SCCs are governed by Ireland law. Ex-UK transfers use UK SCCs with the UK Addendum.
Supplementary measures: If Company receives Government Agency Requests, Company shall redirect the agency to Customer. Company shall not voluntarily disclose Personal Data to law enforcement or government agencies.
7. Rights of Data Subjects
Company shall notify Customer of Data Subject Requests. Customer is responsible for responding.
8. Audits & Breach Notification
Customer may audit Company's compliance records once per calendar year. In the event of a Personal Data Breach, Company shall inform Customer without undue delay.
9. Company's Role as a Controller
Company is an independent controller for Company Account Data and Company Usage Data, processed to manage the customer relationship, prevent fraud, comply with legal obligations, and optimize the Services.
10. Conflict
Precedence: (1) Standard Contractual Clauses; (2) this DPA; (3) the Agreement; (4) Privacy Policy.
11. Execution
Company has pre-signed this DPA. To complete, Customer must sign and email the completed DPA to admin@cooby.co.
Exhibit A: Details of Processing
Nature of Processing: Receiving, protecting, holding, erasing, analyzing, and sharing data (including to sub-processors).
Categories of Data Subjects: Customer's employees, consultants, contractors, and agents.
Categories of Personal Data: Names, phone numbers, emails, job titles, usernames, device identifiers, IP addresses, and message information synced through the service (message content, multimedia files, contact names and phone numbers).
Sensitive Data: Customers are prohibited from providing sensitive personal data or special categories of data, including criminal history.
Exhibit B: Parties & Transfer Details
Data Importer: Navis One Lab, LLC, 8 The Green Ste B, Dover, DE 19901 US, support@cooby.co.
Supervisory Authority: Data Exporter's supervisory authority (EU SCCs); UK Information Commissioner's Office (UK Addendum).
Sub-Processor List: cooby.co/trust/subprocessors
