Data Processing Agreement for navable SaaS Services
Preamble
The Customer has engaged web DnA GmbH, Homerstraße 10, 80637 Munich, Germany (“navable”) to provide SaaS services for accessibility audits, an accessibility widget and the generation of accessibility statements. In providing these services, navable may have access to the Customer’s personal data. Art. 28 of the General Data Protection Regulation (GDPR) sets specific requirements for such processing on behalf of a controller. To comply with these requirements, the parties enter into this Agreement.
1. Subject Matter of the Agreement
1.1 navable provides the SaaS services on the basis of the Customer’s order in accordance with navable’s offer and the applicable SaaS Terms and Conditions (“Main Contract”).
1.2 This Data Processing Agreement specifies the data protection rights and obligations of the parties. The subject matter and duration of the processing are determined by the Main Contract. In case of conflict, the provisions of this Agreement shall prevail over those of the Main Contract.
2. Scope and Purpose of Processing, Types of Data, Categories of Data Subjects, Instructions
2.1 The scope and purpose of the data processing by navable are set out in the Main Contract and the corresponding service description (in particular: dashboard, audit tool, widget, statement generator).
2.2 In the course of providing the services, navable may have access to the following categories of data stored on the SaaS platform:
- Account and user data: names, email addresses, login information, roles and permissions of dashboard users.
- Analysis and content data: URLs, technical website structure data, website content (e.g. texts, headings, alternative texts) and resulting audit findings and accessibility scores.
- Configuration data: widget settings, domains, projects, accessibility statements and related metadata.
- Log and usage data: IP addresses, timestamps, technical logs and usage metrics in connection with the use of navable services.
Payment data (e.g. card details, bank account details) is processed exclusively and directly by Stripe as an independent controller and is not subject to this Agreement.
2.3 Categories of data subjects include, in particular:
- Employees, agents and other users of the Customer (dashboard users);
- Visitors of the Customer’s websites, to the extent their personal data are contained in the website content being analyzed.
2.4 navable shall process personal data of the Customer exclusively for the purpose of fulfilling the Main Contract or on the basis of individual documented instructions from the Customer. Where navable is required by Union or Member State law to process data beyond the Customer’s instructions, navable shall inform the Customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
2.5 navable shall comply with individual instructions issued by the Customer concerning the processing of personal data. The Customer may issue such instructions at any time, including instructions regarding the rectification, deletion or blocking of data. If navable believes that an instruction violates data protection law, it shall inform the Customer without undue delay. navable may charge the Customer for reasonable costs incurred in implementing instructions that go beyond the agreed services under the Main Contract.
3. Sub-processors
3.1 navable is entitled to engage sub-processors for the provision of the services. The sub-processors currently engaged by navable are listed here. navable shall ensure that contractual arrangements with sub-processors comply with the GDPR.
3.2 navable shall inform the Customer of any intended changes concerning the addition or replacement of sub-processors, thereby giving the Customer the opportunity to object to such changes. If the Customer raises substantiated objections that the use of a new sub-processor does not comply with GDPR requirements, the Customer may object to the use of that sub-processor within 14 days of receiving the notice. If navable nevertheless decides to continue using the sub-processor despite a justified objection, the Customer shall have the right to terminate the Main Contract with four weeks’ written notice.
3.3 For the purposes of this Agreement, sub-processing refers to services that are directly related to the provision of the main services (e.g. hosting, authentication, CDN, newsletter services, AI processing on behalf). Ancillary services (e.g. telecommunications, postal/transport services, disposal of data carriers) do not qualify as sub-processing. navable shall, however, implement appropriate contractual and organizational measures to ensure data protection and data security also for such ancillary services.
3.4 Payment service providers (in particular Stripe) act as independent controllers and are not sub-processors under this Agreement.
4. Confidentiality
navable shall ensure that all employees and other persons authorized to process personal data on behalf of navable are bound by confidentiality or are under an appropriate statutory obligation of confidentiality. Such obligations shall continue to apply after termination of the employment or contractual relationship.
5. Security Measures and Controls
5.1 navable shall implement the technical and organizational measures required under Art. 32 GDPR ("TOMs"). An up-to-date overview of the TOMs is available here. navable may change and adjust the technical-organizational measures, especially in accordance with developments in technology, as long as the initial level of security is not lowered.
5.2 navable shall, upon request, provide the Customer with all information necessary to demonstrate compliance with Art. 28 GDPR, e.g. by providing appropriate documentation. navable shall also enable audits by the Customer or an auditor mandated by the Customer. For this purpose, navable shall allow the auditor, upon prior notice, to carry out inspections during normal business hours without significant disruption of business operations. navable may charge the Customer for reasonable costs incurred in connection with such audits.
5.3 The Customer shall treat as strictly confidential all information, documents, data and findings obtained in the course of such audits and may use them exclusively for the purpose of verifying data protection compliance.
6. Information and Assistance Obligations
6.1 If navable becomes aware of a personal data breach affecting the Customer’s data, navable shall notify the Customer without undue delay. navable shall, in coordination with the Customer, take appropriate measures to secure the data and mitigate possible adverse effects for data subjects and shall assist the Customer in meeting its notification obligations under Art. 33 and 34 GDPR.
6.2 Taking into account the nature of processing and the information available to navable, navable shall assist the Customer in carrying out data protection impact assessments and prior consultations with supervisory authorities pursuant to Art. 35 and 36 GDPR.
6.3 If the Customer’s data at navable are at risk due to seizure, confiscation, insolvency or composition proceedings, or other events or measures of third parties, navable shall inform the Customer without undue delay. navable shall inform all responsible parties that the ownership and control of the personal data lies exclusively with the Customer as controller within the meaning of the GDPR.
7. Deletion of Data
7.1 The deletion of personal data collected, processed and used in the context of this Agreement shall take place upon termination of the Main Contract, unless statutory retention obligations require further storage. Backup copies shall be overwritten in line with the regular backup cycles.
7.2 Upon the Customer’s request prior to deletion, navable shall provide an export of the data processed on behalf of the Customer in a commonly used, machine-readable format (e.g. CSV/JSON).
8. Data Subject Rights
8.1 If a data subject contacts navable directly in order to exercise their rights (e.g. rectification, erasure, restriction of processing, data portability, objection), navable shall forward such request to the Customer without undue delay.
8.2 navable shall, upon request, assist the Customer in fulfilling data subject rights, e.g. with respect to notification, providing information, rectification, restriction of processing or erasure of personal data. navable may charge the Customer for reasonable costs incurred in providing such assistance.
9. Term and Final Provisions
9.1 This Agreement shall terminate upon termination of the Main Contract. It shall remain in force as long as navable processes personal data on behalf of the Customer.
9.2 The liability provisions agreed between the parties in the Main Contract shall also apply to this Agreement, subject to mandatory liability under the GDPR.
9.3 Amendments and supplements to this Agreement shall be made in writing or in text form. This also applies to any waiver of this requirement.
9.4 This Agreement shall be governed exclusively by the laws of the Federal Republic of Germany, excluding conflict of laws rules. The UN Convention on Contracts for the International Sale of Goods (CISG) shall not apply. Place of jurisdiction, where legally permissible, shall be the registered office of navable.
Last updated: February 2026 – web DnA GmbH
