Data Processing Addendum

Version 1.0  ·  Effective date: April 28, 2026  ·  GDPR Article 28 Compliant

For B2B subscribers: This DPA applies when you use AIGrowthNav to process personal data of your employees, customers, or contacts on your behalf. It forms part of your subscription agreement. No separate signature is required — the DPA is incorporated into your agreement when you accept our Terms of Service. For executed copies with your company letterhead, email legal@aigrowthnav.ai.

1. Definitions

In this DPA:

  • "Controller" means the Customer, who determines the purposes and means of processing Personal Data.
  • "Processor" means AIGrowthNav, which processes Personal Data on behalf of the Controller.
  • "Personal Data" means any information relating to an identified or identifiable natural person submitted to the Service by Customer.
  • "Processing" has the meaning given in the GDPR.
  • "GDPR" means the General Data Protection Regulation (EU) 2016/679 and, where applicable, the UK GDPR.
  • "Sub-processor" means a third party engaged by AIGrowthNav to process Personal Data.
  • "Services" means the AIGrowthNav platform and related services described in the subscription agreement.
  • "Security Incident" means a confirmed breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.

2. Scope and Relationship

This DPA applies to Processing of Personal Data that Customer submits to the Services. It supplements and is incorporated into the Terms of Service. In the event of conflict between this DPA and the Terms of Service on data protection matters, this DPA governs.

Customer is the Controller. AIGrowthNav is the Processor. AIGrowthNav will process Personal Data only on Customer's documented instructions as set out in this DPA and the Terms of Service.


3. Obligations of AIGrowthNav (Processor)

AIGrowthNav shall:

  1. Process Personal Data only on documented instructions from Customer, including with regard to transfers of Personal Data to third countries, unless required to do so by applicable law.
  2. Ensure that persons authorized to process Personal Data are bound by confidentiality obligations.
  3. Implement appropriate technical and organizational security measures as described in Section 6.
  4. Respect the conditions for engaging Sub-processors as set out in Section 7.
  5. Take reasonable steps to assist Customer in responding to requests from Data Subjects exercising their rights under GDPR.
  6. Assist Customer in ensuring compliance with GDPR Articles 32–36 (security, breach notification, DPIAs, prior consultation).
  7. Delete or return all Personal Data to Customer upon termination of the Services, at Customer's option, unless retention is required by applicable law.
  8. Make available to Customer all information necessary to demonstrate compliance with this DPA and allow for audits (subject to reasonable notice and conditions).
  9. Notify Customer if AIGrowthNav believes an instruction violates applicable data protection law.

4. Obligations of Customer (Controller)

Customer shall:

  1. Ensure that it has a lawful basis to submit Personal Data to the Services and to instruct AIGrowthNav to process it.
  2. Provide all required notices to Data Subjects and obtain all required consents.
  3. Ensure that Personal Data submitted to the Services is accurate and relevant.
  4. Comply with all applicable data protection laws in its use of the Services.

5. Details of Processing (Schedule 1)

Schedule 1 — Processing Details

| Field | Details |
| --- | --- |
| Subject matter | Revenue operations analysis, pipeline health assessment, and related B2B analytics services |
| Duration | For the duration of the Services subscription, plus retention period per Privacy Policy |
| Nature of processing | Collection, storage, analysis, AI-assisted generation of outputs, aggregation (anonymized), deletion |
| Purpose | Providing the Services to Customer as described in the Terms of Service |
| Categories of data subjects | Customer's employees, sales representatives, and business contacts whose data is submitted by Customer |
| Categories of personal data | Business email addresses, names, job titles, company information, pipeline data, business performance metrics submitted by Customer |
| Special categories | None — Customer must not submit special category data (health, racial/ethnic origin, biometric, etc.) to the Services |

6. Security Measures (Schedule 2)

AIGrowthNav implements the following technical and organizational security measures:

Schedule 2 — Security Measures

  • Encryption in transit: TLS 1.2+ for all data transmission
  • Encryption at rest: Database encryption via Neon PostgreSQL's encrypted storage
  • Credential encryption: Sensitive credentials (OAuth tokens, API keys) encrypted with AES-256-GCM
  • Access controls: Role-based access controls; principle of least privilege for employees
  • Authentication: Multi-factor authentication for administrative access
  • Infrastructure security: Services hosted on Render (SOC 2 compliant infrastructure); database hosted on Neon
  • Vulnerability management: Regular dependency updates and security reviews
  • Incident response: Documented Security Incident response procedure
  • Employee training: Data protection awareness for all employees with access to Personal Data

7. Sub-processors (Schedule 3)

AIGrowthNav engages the following Sub-processors to process Personal Data:

Schedule 3 — Authorized Sub-processors

| Sub-processor | Purpose | Location |
| --- | --- | --- |
| Neon | Database hosting and storage | United States |
| Render | Application hosting and infrastructure | United States |
| Stripe | Payment processing (billing contact data) | United States |
| Resend | Transactional email delivery | United States |
| AI model provider | AI-assisted analysis of submitted business data | United States |

AIGrowthNav will provide at least 30 days' notice before engaging new Sub-processors or making material changes to existing Sub-processors. Customer may object to new Sub-processors within that notice period by contacting legal@aigrowthnav.ai.


8. Security Incidents

AIGrowthNav will notify Customer without undue delay, and in any event within 72 hours of becoming aware, of any Security Incident affecting Personal Data processed on Customer's behalf. Notification will include:

  • Nature of the Security Incident
  • Categories and approximate number of data subjects affected
  • Categories and approximate number of records affected
  • Likely consequences of the Security Incident
  • Measures taken or proposed to address the incident

Security Incident notifications should be sent to legal@aigrowthnav.ai. Notification does not constitute an admission of fault or liability.


9. International Data Transfers

AIGrowthNav operates primarily in the United States. When Personal Data is transferred from the EEA, UK, or Switzerland to the United States or other countries without an adequacy decision, AIGrowthNav relies on:

  • Standard Contractual Clauses (SCCs) as approved by the European Commission (Module 2: Controller to Processor)
  • UK International Data Transfer Addendum to the SCCs where applicable

By entering into this DPA, the parties agree to be bound by the applicable SCCs, which are incorporated herein by reference. Copies of the applicable SCCs are available upon request at legal@aigrowthnav.ai.


10. Data Subject Rights

AIGrowthNav will promptly notify Customer if it receives a request from a Data Subject exercising their rights under GDPR (access, rectification, erasure, portability, restriction, objection). AIGrowthNav will not respond to such requests directly but will provide Customer with reasonable assistance to fulfill them.

Customer is responsible for responding to Data Subject requests within the timeframes required by applicable law.


11. Audit Rights

Customer may, upon reasonable written notice (at least 30 days), request an audit of AIGrowthNav's compliance with this DPA. Audits may be conducted by Customer or a mutually agreed independent third party, subject to:

  • Reasonable scheduling to minimize disruption
  • Confidentiality obligations on the auditor
  • Costs borne by Customer unless a Security Incident precipitated the audit
  • Limitation to once per calendar year absent a Security Incident

In lieu of an on-site audit, AIGrowthNav may provide current third-party security certifications or audit reports.


12. Termination and Return of Data

Upon termination of the Services, at Customer's written request, AIGrowthNav will:

  • Return all Personal Data to Customer in a machine-readable format (CSV or JSON), within 30 days of the request, or
  • Securely delete all Personal Data, and certify deletion in writing, within 30 days

AIGrowthNav may retain Personal Data for longer periods where required by applicable law. Any such retained data remains subject to the obligations of this DPA.


13. Executed Copies

This DPA is incorporated into and forms part of Customer's agreement with AIGrowthNav upon acceptance of the Terms of Service. No separate signature is required for this standard DPA to be effective.

For enterprises requiring an executed, countersigned DPA with specific modifications for their compliance program, contact legal@aigrowthnav.ai. We review such requests within 10 business days.


14. Contact

Data protection inquiries: privacy@aigrowthnav.ai
Legal / DPA requests: legal@aigrowthnav.ai

AIGrowthNav — Part of the KCENAV Network