Data processing agreement

Effective Date: July 14, 2025

This Data Processing Agreement ("DPA") is concluded between:

1. SquareGPS Inc, a limited company incorporated under USA laws, with its registered office at 21550 Oxnard Street, Los Angeles, CA, hereinafter: Data Processor, as defined in Section 2  of this DPA. - hereinafter: "Data Processor"

and

2. Customer (as defined in SquareGPS Terms of Service) - hereinafter: "Data Controller"

individually referred to as "Party" and jointly referred to as "Parties".

This DPA forms an integral part of the SquareGPS Terms of Service and applies when SquareGPS processes personal data on behalf of Customer through the Navixy platform.

1. DEFINITIONS

Capitalized definitions not otherwise defined herein shall have the meaning given to them in the General Data Protection Regulation (2016/679).

"Applicable Laws" means all applicable data protection, privacy and electronic marketing legislation, including GDPR, UK Data Protection Act 2018, CCPA, and any equivalent laws worldwide.

"Data Controller" means the Customer entity determining the means and purpose of processing Personal Data.

"Data Processor" means SquareGPS processing Personal Data on behalf of Data Controller.

"SquareGPS" means SquareGPS Inc., the legal entity providing the Services.

"Navixy" means the GPS tracking and fleet management platform and services operated by SquareGPS.

"Services" means the Navixy platform and all related GPS tracking, fleet management, and associated services provided by SquareGPS.

"GDPR" means EU General Data Protection Regulation 2016/679 and any subsequent amendments.

"Personal Data" means any information relating to an identified or identifiable natural person processed through the Services.

"Sub-processor" means any third party engaged by SquareGPS to process Personal Data in connection with the Services.

2. SCOPE OF PROCESSING

2.1 Processing Details

Navixy shall process Personal Data as described in Annex 1: Details of Processing.

2.2 Processing Instructions

• SquareGPS processes Personal Data solely on documented instructions from Data Controller
• Customer's use of the Navixy platform constitutes processing instructions
• SquareGPS will inform Customer if instructions violate Applicable Laws

2.3 Customer Warranties

Customer warrants that:

• All Personal Data provided has been collected lawfully
• Customer has appropriate legal basis for processing
• Customer is authorized to instruct Navixy to process such data

3. SUB-PROCESSING

3.1 Authorization

Customer authorizes SquareGPS to engage Sub-processors for providing the Services, subject to:

• 30 days prior notice of any new or replaced Sub-processor
• Current Sub-processor list available at: https://www.navixy.com/legal/subprocessors/
• Customer may object within 30 days on reasonable privacy/security grounds

3.2 Sub-processor Requirements

Navixy ensures that Sub-processors:

• Are bound by data protection obligations equivalent to this DPA
• Implement appropriate technical and organizational measures
• Are subject to Standard Contractual Clauses for international transfers

3.3 Liability

Navixy remains fully liable for Sub-processor performance of data protection obligations.

4. SECURITY MEASURES

4.1 Technical and Organizational Measures

Navixy implements appropriate measures including:

• Encryption of Personal Data in transit and at rest
• Access controls and authentication mechanisms
• Regular security testing and vulnerability assessments
• Incident response procedures
• Staff training on data protection

4.2 Security Documentation

Detailed security measures are available in SquareGPS Security Documentation at https://www.navixy.com/legal/security/.

4.3 Records of Processing

SquareGPS maintains records including:

• Categories of processing activities
• Data subjects and personal data categories
• Recipients and international transfers
• Retention periods and security measures

5. DATA SUBJECT RIGHTS

5.1 Assistance with Requests

SquareGPS will assist Customer in responding to data subject rights requests by:

• Promptly notifying Customer of any direct requests received
• Providing technical assistance to facilitate Customer's response
• Not responding directly to data subjects except on Customer instructions

5.2 Available Assistance

SquareGPS will help Customer facilitate:

• Access requests (Article 15 GDPR)
• Rectification requests (Article 16 GDPR)
• Erasure requests (Article 17 GDPR)
• Data portability requests (Article 20 GDPR)
• Other rights under Applicable Laws

6. DATA BREACH NOTIFICATION

6.1 Notification Timeline

SquareGPS will notify Customer within 24 hours of becoming aware of a Personal Data breach.

6.2 Breach Information

Notification will include:

• Nature and categories of affected data
• Approximate number of affected data subjects
• Likely consequences of the breach
• Measures taken or proposed to address the breach
• Contact details for further information

6.3 Cooperation

SquareGPS will cooperate with Customer's breach response and regulatory notifications.

7. DATA DELETION AND RETURN

7.1 End of Service

Upon termination of the Services, SquareGPS will:

• Delete or return all Personal Data within 30 days if specifically requested by Customer
• Retain data in anonymized form for statistical purposes and platform improvement if no deletion request is made
• Provide certification of deletion upon request
• Retain data only as required by law

7.2 Customer Options at Termination

• Complete deletion: Customer may request immediate deletion of all Personal Data
• Standard retention: Without deletion request, data may be retained in anonymized and aggregated form for statistical analysis
• Data export: Customer is responsible for exporting data before service termination using available export tools

7.3 Anonymization Process

When data is retained for statistical purposes:

• All direct identifiers are removed or encrypted
• Data is aggregated to prevent re-identification
• Statistical data cannot be traced back to individual data subjects
• Customer may request details about anonymization methods

8. INTERNATIONAL DATA TRANSFERS

8.1 Transfer Mechanisms

Personal Data may be transferred internationally using:

• Adequacy decisions for adequate countries
• Standard Contractual Clauses for other transfers
• UK International Data Transfer Agreement for UK transfers

8.2 Transfer Locations

Current data processing locations are documented at https://www.navixy.com/legal/data-residency/.

8.3 Customer Consent

By using the Services, Customer consents to international transfers as described.

9. AUDITS AND COMPLIANCE

9.1 Information Access

SquareGPS will provide information necessary to demonstrate DPA compliance, including:

• Third-party security certifications
• Compliance reports and attestations
• Security documentation

9.2 Audit Rights

Customer may audit SquareGPS compliance:

• Upon reasonable notice and at Customer's expense
• Through third-party auditors subject to confidentiality
• SquareGPS may object to auditors that pose security risks

10. DATA PROTECTION IMPACT ASSESSMENTS

SquareGPS will assist Customer with Data Protection Impact Assessments when:

• Processing activities likely result in high risk
• Customer specifically requests assistance
• Assistance relates to SquareGPS processing activities

11. LIABILITY AND INDEMNIFICATION

11.1 Processor Liability

SquareGPS will be liable for damages caused by:

• Processing that violates GDPR processor obligations
• Acting outside or contrary to lawful Customer instructions

11.2 Liability Limitations

Subject to general liability limitations in the Terms of Service.

12. MISCELLANEOUS

12.1 Term

This DPA remains in effect while SquareGPS processes Personal Data for Customer.

12.2 Modifications

SquareGPS may update this DPA with 45 days notice for legal compliance requirements.

12.3 Precedence

In case of conflict: (1) Standard Contractual Clauses, (2) this DPA, (3) Terms of Service.

12.4 Contact Information

Data Protection inquiries: [email protected]
Security incidents: [email protected]

ANNEX 1: DETAILS OF PROCESSING

A. PURPOSE AND NATURE OF PROCESSING

Primary Purpose: Providing an array of services for online location and tracking of assets, people, vehicles, pets, and other objects in real-time, trip history overview, geo-based notifications, field task management, communication, fleet costs calculation, fuel consumption, vehicle maintenance scheduling, related Apps, tools, and support services through the Navixy platform.

Specific Processing Activities:

• Real-time GPS and GLONASS location tracking
• Historical trip and route data analysis
• Telematics data processing and enrichment
• Geo-fence monitoring and alert generation
• Fleet management and optimization analytics
• Mobile workforce coordination and task management
• Vehicle maintenance scheduling and cost calculation
• Fuel consumption monitoring and fraud prevention
• Driver behavior analysis and safety scoring
• Integration with IoT devices and sensors
• White-label GPS tracking platform services
• API access and data forwarding to third-party systems

B. DURATION OF PROCESSING

• Active service period: For the duration of Customer subscription to Navixy Services
• Data retention during service: Location and tracking data stored to provide platform features and historical analysis
• Post-termination: 30 days for data deletion/return upon service termination
• Legal retention: As required by applicable law and regulatory requirements
• Backup retention: Up to 90 days in secure backup systems for disaster recovery

C. CATEGORIES OF DATA SUBJECTS

Primary Data Subjects:

• Vehicle drivers and fleet operators
• Field service technicians and mobile workers
• Fleet managers and supervisors
• Customer administrators and account holders
• End users of Customer's GPS tracking services

Secondary Data Subjects:

• Customer support contacts
• Billing and payment contacts
• Technical integration personnel
• Emergency contacts for tracked assets
• Passengers in tracked vehicles (for public transit)

D. TYPES OF PERSONAL DATA PROCESSED

Identity and Contact Data:

• Full names and usernames
• Email addresses and phone numbers
• Employee identification numbers
• Professional titles and roles
• Company affiliation details

Location and Movement Data:

• GPS coordinates and precise geographic location data determined through GPS technology (or similar technology like GLONASS)
• Historical route and trip information
• Speed, direction, and movement patterns
• Geofence entry/exit records
• Address and landmark data
• Time-stamped location history

Vehicle and Asset Information:

• Vehicle registration numbers and VIN
• Asset identification codes and serial numbers
• Vehicle specifications and characteristics
• Maintenance records and schedules
• Fuel consumption data
• Mileage and odometer readings

Technical and Device Data:

• IP addresses assigned to devices and computers
• Device identifiers (IMEI, MAC addresses)
• GPS tracker model and firmware information
• Mobile app usage data and preferences
• Browser information and session data
• API access logs and system interactions

Operational and Behavioral Data:

• Driver behavior metrics (speeding, harsh braking, acceleration)
• Work hours and shift patterns
• Task completion records and timestamps
• Communication logs within the platform
• Alert and notification preferences
• Custom field data as configured by Customer

Financial and Billing Data:

• Billing addresses and payment information
• Invoice and payment history
• Subscription plan details
• Cost allocation and expense tracking data

Sensor and Telematics Data:

• Engine diagnostics and CAN bus data
• Temperature, humidity, and environmental sensors
• Fuel level and consumption metrics
• Vehicle security system status
• Cargo and load monitoring data
• Digital video recordings (where applicable)

E. SPECIAL CATEGORIES OF DATA

SquareGPS does not intentionally collect or process special categories of personal data (e.g., health data, biometric data, religious beliefs). However, if such data is inadvertently processed through:

• Voice recordings during emergency situations
• Video surveillance systems integrated with GPS tracking
• Health monitoring devices connected to the platform

Customer must immediately notify SquareGPS and ensure appropriate legal basis exists for such processing.

F. PROCESSING OPERATIONS

Collection and Recording:

• Automatic reception of GPS and sensor data from tracking devices
• Manual data entry through web interface and mobile applications
• Import of data from Customer systems via API integrations
• Reception, enrichment, and transmission of telematics data

Storage and Organization:

• Real-time tracking of up to 25,000 assets in a single account
• Secure database storage with encryption at rest
• Data organization by Customer, user, and asset hierarchies
• Backup and disaster recovery procedures

Analysis and Processing:

• Comprehensive analytics focusing on mobile asset management
• Route optimization and efficiency calculations
• Driver behavior analysis and safety scoring
• Fuel consumption and cost analysis
• Statistical analysis using aggregated and anonymized data for platform improvement and industry insights
• Legitimate interest-based processing for service enhancement and research purposes (always in anonymized form)

Visualization and Reporting:

• Reports with charts provided in multiple formats, on request or by schedule
• Real-time dashboard displays and mapping
• Historical data visualization through TimeMachine feature
• Custom report generation and scheduled delivery

Communication and Alerts:

• Instant notifications and alerts about important events based on device sensors and server-side logic
• Email and SMS notifications to designated recipients
• In-app messaging and communication features
• Emergency response coordination

Integration and Transmission:

• API access for third-party software integration and direct data forwarding
• Data export in various formats (CSV, XML, JSON)
• Integration with Customer's business systems
• White-label platform customization and branding

Deletion and Anonymization:

• Automated data purging based on retention policies
• Secure deletion upon Customer request
• Data anonymization for statistical purposes
• Certificate of destruction upon service termination

G. INTERNATIONAL TRANSFERS

Data Center Locations and Regional Distribution:

• European Union (EU data center): Personal Data of users from Eurasia and Africa is processed and stored in EU data centers
• United States (US data center): Personal Data of users from North and South America is processed and stored in US data centers
• Cross-region processing: Limited data may be transferred between data centers for technical support, backup operations, and service continuity
• Third-party services: Data may be processed by Sub-processors in other countries as specified in SquareGPS Sub-processor List

Transfer Safeguards: All international transfers are protected by appropriate safeguards including:

• Standard Contractual Clauses (SCCs) for transfers from EU to third countries
• UK International Data Transfer Agreement (IDTA) for transfers from UK to third countries
• Adequacy decisions where applicable (e.g., EU-US Data Privacy Framework participants)
• Binding Corporate Rules for intra-group transfers
• Other approved transfer mechanisms under applicable data protection laws

Regional Data Residency:

• Customers can specify preferred data residency during onboarding
• Data residency options are detailed in SquareGPS Data Residency documentation
• Cross-border transfers for technical operations are minimized and always protected by appropriate safeguards
• Emergency data access may involve temporary cross-border transfers for incident response

For detailed information about current data processing locations and transfer mechanisms, please refer to the SquareGPS Data Residency documentation at https://www.navixy.com/legal/data-residency/.