Data Processing Agreement
Effective Date: January 1, 2026
This Data Processing Agreement supplements the Terms of Service and applies when Customer uses Business features of the NAOA Service to process personal data of Customer's clients.
1. Definitions
Controller means the Customer, who determines the purposes and means of processing Personal Data.
Processor means Aleksander Popek (NAOA), who processes Personal Data on behalf of the Controller.
Personal Data means any information relating to an identified or identifiable natural person.
Customer Data means Personal Data that Customer uploads to the Service or instructs the Processor to process.
Data Subject means the individual whose Personal Data is processed (Customer's clients).
Sub-processor means a third party engaged by the Processor to process Personal Data.
SCCs means the Standard Contractual Clauses approved by the European Commission for international data transfers.
Data Protection Laws means GDPR and other applicable data protection legislation.
2. Scope and Roles
2.1 Application. This DPA applies when Customer uses Business features to create and store profiles of Customer's clients and process Personal Data of individuals other than Customer.
2.2 Roles. Customer is the Controller – Customer determines the purposes and means of processing Customer Data. NAOA is the Processor – NAOA processes Customer Data only on Customer's documented instructions.
2.3 Customer Responsibilities as Controller. Customer is responsible for ensuring a lawful basis exists for all processing (e.g., consent, legitimate interest), providing clear and lawful instructions to the Processor, informing Data Subjects about the processing and their rights, responding to Data Subject requests, and complying with all applicable Data Protection Laws.
3. Processing Details
3.1 Subject Matter. The Processor provides numerology analysis and CRM services, including storage of client profiles, generation of numerological analyses, and management of client data.
3.2 Duration. Processing continues for the term of Customer's subscription, plus a 30-day data retention period after termination.
3.3 Types of Personal Data. Name, birth date, AI-generated numerological reports, and any additional data Customer chooses to upload.
3.4 Categories of Data Subjects. Customer's clients and individuals whose profiles Customer creates in the Service.
3.5 Purpose. Processing Customer Data solely for providing the Service as described in the Agreement.
4. Processor Obligations
4.1 Processing Instructions. The Processor shall process Customer Data only on documented instructions from the Controller, treat Customer's use of Service features as documented instructions, and inform the Controller if an instruction violates Data Protection Laws.
4.2 Confidentiality. The Processor ensures that personnel authorized to process Customer Data are bound by confidentiality obligations and access to Customer Data is limited to those who need it to perform their duties.
4.3 Security Measures. The Processor implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including encryption of data in transit (TLS/HTTPS) and at rest, access controls based on the principle of least privilege, regular security monitoring and reviews, and incident response procedures. See Security Measures (Section 8) for details.
4.4 Sub-processors. The Processor maintains a list of authorized Sub-processors (see Sub-processors page), notifies the Controller of changes to Sub-processors by publishing updates on the Sub-processors page, provides the Controller 14 days to object to new Sub-processors, ensures Sub-processors are bound by data protection obligations equivalent to this DPA, and remains liable for Sub-processors' compliance.
4.5 Data Subject Requests. The Processor shall assist the Controller in responding to Data Subject requests, redirect any requests received directly to the Controller, and provide tools for data export and deletion through the Service.
4.6 Data Breach Notification. In the event of a Personal Data breach affecting Customer Data, the Processor shall: notify the Controller without undue delay, and in any event within 24 hours of becoming aware of the breach; provide details of the breach (nature, categories of data, approximate number of Data Subjects, likely consequences, and measures taken); cooperate with the Controller's investigation and remediation efforts; and document all breaches and make the documentation available to the Controller.
4.7 Data Protection Impact Assessments. Upon request, the Processor shall assist the Controller with data protection impact assessments and prior consultations with supervisory authorities.
4.8 Audits. The Processor shall make available information necessary to demonstrate compliance with this DPA, allow audits and inspections by the Controller or an authorized auditor, with reasonable advance notice (30 days), and accept relevant third-party certifications as evidence of compliance.
5. Controller Obligations
5.1 Lawful Processing. The Controller shall ensure a lawful basis exists for all processing of Customer Data, not provide instructions that would cause the Processor to violate Data Protection Laws, and obtain all necessary consents from Data Subjects.
5.2 Instructions. The Controller's instructions to the Processor are: this DPA and the Agreement, use of Service features and settings, and written instructions provided via official communication channels.
5.3 Data Subject Communication. The Controller is responsible for providing Data Subjects with appropriate privacy notices, informing Data Subjects that their data is processed using the Service, and handling Data Subject requests and complaints.
6. International Transfers
6.1 Primary Processing Location. Customer Data is primarily stored and processed in the European Union (Google Cloud region europe-west1, Belgium).
6.2 Sub-processor Transfers. Some Sub-processors may process data outside the EU. For such transfers, the Processor ensures appropriate safeguards are in place, transfers to the United States rely on Standard Contractual Clauses (SCCs), and Sub-processors with US operations have signed Data Processing Agreements with SCCs.
6.3 Transfer Mechanisms. The following mechanisms are used for international transfers: EU Standard Contractual Clauses (Module 3: Processor to Processor) and Sub-processors' compliance with applicable data protection frameworks. See the Sub-processors page for details on each Sub-processor's location and safeguards.
7. Data Return and Deletion
7.1 During Subscription. The Controller may export Customer Data at any time using the Service's export features.
7.2 After Termination. Upon termination of the subscription, the Controller has 30 days to export Customer Data. After 30 days, Customer Data is permanently deleted. The Processor provides certification of deletion upon request.
7.3 Exceptions. Customer Data may be retained beyond the 30-day period if required by applicable law, necessary for ongoing legal proceedings, or subject to a legal hold. The Processor informs the Controller of any such retention requirements.
8. Security Measures
The Processor implements the following technical and organizational security measures:
8.1 Data Encryption. In transit: TLS 1.2 or higher (HTTPS). At rest: AES-256 encryption (Firebase/Google Cloud default).
8.2 Access Control. Role-based access control (RBAC), principle of least privilege, and multi-factor authentication for administrative access.
8.3 Infrastructure Security. Google Cloud Platform (Firebase) with enterprise-grade security, data stored in EU region (europe-west1), automatic backups with point-in-time recovery, and redundancy and failover capabilities.
8.4 Application Security. Input validation and sanitization; protection against SQL injection, XSS, and CSRF; and regular security updates and patching.
8.5 Monitoring and Incident Response. Error tracking and monitoring (Sentry), automated alerts for security events, documented incident response procedures, and post-incident reviews.
8.6 Personnel Security. Confidentiality agreements for all personnel, security awareness training, and background checks where applicable.
8.7 Data Minimization. Collection limited to necessary data, anonymization where possible, and regular review of data retention.
9. Liability
9.1 Processor Liability. The Processor is liable for damages caused by processing that does not comply with Data Protection Laws applicable to Processors or is outside or contrary to the Controller's lawful instructions.
9.2 Controller Liability. The Controller is liable for damages caused by processing that does not comply with Data Protection Laws applicable to Controllers or results from the Controller's instructions to the Processor.
9.3 Limitation. Liability under this DPA is subject to the limitations set forth in the Agreement (Terms of Service).
9.4 Indemnification. The Controller indemnifies the Processor against claims arising from the Controller's violation of Data Protection Laws, processing performed on the Controller's instructions, and claims by Data Subjects relating to the Controller's obligations.
10. Term and Termination
10.1 Term. This DPA is effective upon Customer's acceptance of the Agreement and continues for the duration of Customer's use of Business features.
10.2 Survival. The following provisions survive termination: confidentiality obligations, data deletion obligations, and liability and indemnification provisions.
11. Amendments
This DPA may be amended by the Processor with at least 30 days' notice, to reflect changes in Data Protection Laws, or to update Sub-processor lists or security measures.
Continued use of Business features after amendments become effective constitutes acceptance.
12. Contact
For questions about this DPA or to exercise rights under it, contact:
Email: hello@naoa.app
Address: Aleksander Popek, ul. Pawia 3/14, 05-803 Pruszków, Poland
Exhibits
Exhibit A: Authorized Sub-processors
Exhibit B: Security Measures – see Section 8 of this DPA
