Last updated: 27 April 2026 · Version 1.0
1. Definitions
"Controller", "Processor", "Data Subject", "Personal Data", "Processing", "Personal Data Breach" and "Supervisory Authority" have the meanings given in the GDPR. "Customer" means the entity that has subscribed to the Service and acts as Controller. "Navis Arca" / "we" means Necurity Solutions Network Security Private Limited, acting as Processor. "Customer Personal Data" means Personal Data processed by Navis Arca on the Customer's behalf under the Agreement. "Standard Contractual Clauses (SCCs)" means the clauses approved by the European Commission for transfers of Personal Data to third countries.
2. Roles & scope
As between the parties, the Customer is the Controller and Navis Arca is the Processor of Customer Personal Data. Where the Customer itself acts as a processor for a third-party controller, Navis Arca acts as a sub-processor. The subject matter, duration, nature, purpose, types of Personal Data and categories of Data Subjects are described in Annex 1. Navis Arca processes Customer Personal Data only to provide and support the Service and as otherwise documented in the Agreement.
3. Processing on documented instructions
Navis Arca processes Customer Personal Data only on the Customer's documented instructions, including with regard to international transfers, unless required to do otherwise by applicable law — in which case Navis Arca will inform the Customer of that legal requirement before processing, unless the law prohibits such notice. Navis Arca will promptly inform the Customer if, in its opinion, an instruction infringes applicable data-protection law.
4. Confidentiality
Navis Arca ensures that personnel authorised to process Customer Personal Data are bound by appropriate confidentiality obligations and receive appropriate data-protection and security training. Access is restricted on a least-privilege, need-to-know basis.
5. Security measures
Navis Arca implements and maintains appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as set out in Annex 2 and summarised in our security overview. These measures are maintained within Necurity Solutions' ISO/IEC 27001-certified information security management system. Navis Arca may update its measures provided the level of protection is not materially diminished.
6. Sub-processors
The Customer grants general authorisation for Navis Arca to engage the sub-processors listed at navisarca.com/subprocessors.html. Navis Arca imposes data-protection obligations on each sub-processor that are no less protective than those in this Addendum and remains liable for their performance. We will give at least 30 days' notice of any intended addition or replacement of a sub-processor, during which the Customer may object on reasonable data-protection grounds.
7. Assisting with data-subject requests
Taking into account the nature of the processing, Navis Arca assists the Customer by appropriate technical and organisational measures, insofar as possible, in fulfilling the Customer's obligation to respond to requests to exercise Data Subject rights (access, rectification, erasure, restriction, portability and objection). Where a Data Subject contacts Navis Arca directly, we will refer them to the relevant Customer.
8. Personal-data breaches
Navis Arca notifies the Customer without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data Breach affecting Customer Personal Data, providing the information reasonably available to enable the Customer to meet its own notification obligations. Navis Arca takes reasonable steps to mitigate and remediate the breach.
9. DPIAs & prior consultation
Navis Arca provides reasonable assistance to the Customer with data-protection impact assessments and prior consultations with Supervisory Authorities, taking into account the nature of processing and the information available to Navis Arca.
10. International transfers
The control plane is region-pinned; Customer Personal Data is stored in the region selected by the Customer. Where providing or supporting the Service necessitates a transfer of Personal Data to a third country without an adequacy decision, such transfer is governed by the applicable Standard Contractual Clauses (or the UK International Data Transfer Addendum), which are incorporated into this Addendum by reference, together with any supplementary measures required.
11. Return & deletion of data
On termination or expiry of the Agreement, Navis Arca will, at the Customer's choice, delete or return all Customer Personal Data and delete existing copies, unless retention is required by applicable law. Standard deletion is completed within 30 days of termination, subject to routine backup cycles after which residual copies are overwritten.
12. Audits
Navis Arca makes available information necessary to demonstrate compliance with Article 28 GDPR and allows for and contributes to audits, including inspections, conducted by the Customer or an auditor it mandates. Audits are conducted on reasonable prior notice, no more than once per year (save where required by a Supervisory Authority or following a breach), during business hours, subject to confidentiality, and in a manner that does not disrupt the Service. Navis Arca may satisfy audit requests by providing its ISO 27001 certification, third-party assessment reports and completed security questionnaires.
13. Liability & term
This Addendum is effective for as long as Navis Arca processes Customer Personal Data under the Agreement. Each party's liability under this Addendum is subject to the limitations and exclusions of liability set out in the Terms of Service. In the event of conflict between this Addendum and the Terms on data protection, this Addendum prevails.
Annex 1 — Details of processing
- Subject matter: provision of the Navis Arca maritime cyber protection and compliance platform.
- Duration: the term of the Agreement, plus the deletion period in §11.
- Nature & purpose: hosting, processing and analysis of vessel-endpoint telemetry to deliver active controls and generate compliance evidence; account administration and support.
- Types of Personal Data: business-user identifiers (name, work email, role), authentication and access logs, and operator activity within the console. The platform is designed to process device and posture telemetry, not personal communications content.
- Categories of Data Subjects: the Customer's authorised personnel — DPAs, superintendents, IT/OT staff, operators and administrators.
Annex 2 — Technical & organisational measures
- Encryption of Personal Data in transit (TLS) and at rest.
- Multi-factor authentication and role-based access control with least-privilege provisioning.
- Logical multi-tenant isolation and region-pinned data residency.
- Tamper-evident, queryable audit logging of administrative and operator actions.
- Time-limited, customer-initiated, audited support access — no standing access to Customer data.
- Vulnerability management and periodic Red Team / VAPT testing.
- Backup, restoration and business-continuity procedures.
- Personnel confidentiality undertakings and security training; governance under an ISO/IEC 27001-certified ISMS.
To execute this DPA as part of your subscription, contact legal@navisarca.com. We can also accept a customer-paper DPA for review.