Last reviewed 2026-06-07.
01 Parties and roles
When a customer ("Customer") uses a Navelo SaaS product to process personal data of its own end users or business contacts, the Customer acts as the data controller and Navelo acts as the data processor under Article 28 GDPR. Navelo processes personal data only on documented instructions from the Customer.
02 Subject matter, nature and purpose
Processing is limited to what is necessary to provide the contracted Navelo product (for example, CareFlow customer-communication workflows) for the duration of the Customer's subscription, plus a short return-or-deletion window after termination.
03 Categories of data and data subjects
Typical categories include contact details, communication content, account identifiers, and product usage data. Data subjects are the Customer's end users, employees and business contacts. Special categories of personal data should not be sent into the products unless explicitly agreed in writing.
04 Security measures
Navelo implements reasonable technical and organizational measures appropriate to the risk, including encrypted transport (TLS), encryption of credentials and sensitive secrets at rest, role-based access controls on administrative interfaces, audit logging, hardened server baselines, and logical tenant isolation between customer environments.
05 Sub-processors
Navelo uses a limited list of infrastructure sub-processors — hosting, transactional email, and AI model providers — necessary to operate the products. The current sub-processor list is maintained and provided on request. Customers are notified before new sub-processors are added to processing of their data, with a reasonable objection period.
06 International transfers
Where personal data is transferred outside the EEA, Navelo relies on appropriate safeguards, including the European Commission's Standard Contractual Clauses with the receiving party, and applies supplementary measures where required.
07 Assistance with data-subject requests
Navelo will provide reasonable assistance to the Customer in responding to requests from data subjects to exercise their rights (access, correction, deletion, restriction, portability, objection), taking into account the nature of the processing and the information available to Navelo.
08 Personal data breach notification
Navelo will notify the Customer without undue delay after becoming aware of a personal data breach affecting the Customer's data, and will provide information reasonably needed by the Customer to meet its own notification obligations.
09 Return or deletion of personal data
At the end of the provision of services, Navelo will, at the Customer's choice, delete or return all personal data processed on behalf of the Customer, and delete existing copies unless retention is required by applicable law.
10 Audit and information rights
Navelo will make available to the Customer information reasonably necessary to demonstrate compliance with Article 28 GDPR, and will allow for and contribute to audits conducted by the Customer or a mandated auditor, on reasonable notice and subject to confidentiality.
11 Execution
The executable DPA is offered for signature alongside product contracts. To request a copy or to start procurement review, contact hello@navelo.io.