Data Processing Addendum

Last Updated: 3 September, 2025
Effective Date: 3 September, 2025

Parties:

●    Customer: the entity identified in the applicable Order Form, Enterprise Agreement, or Subscription Agreement (the “Data Controller” or “Controller”); and
●    NAUAS Ark Ltd, a company incorporated in England and Wales with company number 13387691 and registered office at 124 City Road, London, England, EC1V 2NX (“Data Processor”, “Processor”, “we”, “our”, or “us”).

Background:

This Data Processing Addendum (“Addendum”) forms part of the applicable Enterprise Subscription Agreement, Terms & Conditions, or other written agreement between the Parties (the “Agreement”) under which NAUAS Ark Ltd provides the Services.

This Addendum governs the processing of Personal Data by NAUAS Ark on behalf of the Customer in connection with the Services, in accordance with:

●    the UK General Data Protection Regulation (“UK GDPR”), the Data Protection Act 2018, and
●    where applicable, the EU General Data Protection Regulation (EU GDPR) and other data protection laws.

1.    Definitions

In this Addendum:

1.1.    “Applicable Data Protection Laws” means all applicable laws relating to data protection, privacy, and the processing of personal data, including the UK Data Protection Act 2018, the UK GDPR, and, where applicable, the EU GDPR, together with any codes of practice or guidance issued by relevant supervisory authorities.

1.2.    “Customer Data” means all Personal Data processed by NAUAS Ark Ltd on behalf of the Customer in connection with the Services.

1.3.    “Services” means the cloud-based IT audit and access management solution, and any related products and services, provided by NAUAS Ark Ltd under the Agreement.

1.4.    “Personal Data”, “Processing”, “Controller”, “Processor”, “Data Subject”, and “Personal Data Breach” shall have the meanings given in the Applicable Data Protection Laws.

1.5.    “Sub-processor” means any third party appointed by or on behalf of NAUAS Ark Ltd to process Customer Data in connection with the Services.

1.6.    All other capitalised terms have the meaning given to them in the Agreement.

2.    Roles and Scope

2.1.    Roles of the Parties: For the purposes of Applicable Data Protection Laws:

2.1.1.    the Customer acts as the Data Controller (or, where acting on behalf of a third-party controller, as a Processor); and

2.1.2.    NAUAS Ark Ltd acts as the Data Processor.

2.2.    Scope of Processing: This Addendum applies only to the Processing of Customer Data by NAUAS Ark Ltd on behalf of the Customer in connection with the Services under the Agreement.

2.3.    Controller Responsibilities: The Customer is responsible for:

2.3.1.    determining the lawful basis for Processing Customer Data;

2.3.2.    providing all required notices and obtaining all necessary consents from Data Subjects; and

2.3.3.    ensuring that its instructions to NAUAS Ark Ltd comply with Applicable Data Protection Laws.

2.4.    Processor Responsibilities: NAUAS Ark Ltd will Process Customer Data solely on the Customer’s documented instructions and in accordance with this Addendum, the Agreement, and Applicable Data Protection Laws.

3.    Processing Instructions

3.1.    Lawful Instructions: NAUAS Ark Ltd shall Process Customer Data only:

3.1.1.    in accordance with the Customer’s documented instructions (including those set out in the Agreement and this Addendum);

3.1.2.    to the extent necessary to provide the Services; and

3.1.3.    as required by Applicable Data Protection Laws.

If NAUAS Ark Ltd is required by Applicable Data Protection Laws to Process Customer Data beyond the Customer’s instructions, it shall (unless legally prohibited) notify the Customer before carrying out such Processing.

3.2.    Notification of Unlawful Instructions: If NAUAS Ark Ltd believes that an instruction from the Customer infringes Applicable Data Protection Laws, it shall promptly inform the Customer. In such cases, NAUAS Ark Ltd will not be required to comply with the instruction until the Customer confirms or modifies it in a manner that is lawful.

3.3.    No Independent Processing: NAUAS Ark Ltd shall not determine the purposes or means of Processing Customer Data, and shall not Process Customer Data for its own purposes or for any purpose other than those set out in this Addendum and the Agreement.

4.    Nature, Purpose, and Duration of Processing

4.1.    Nature and Purpose: The nature and purpose of the Processing is the collection, storage, transmission, and analysis of Personal Data entered by Authorised Users into the Services, solely as necessary to deliver and support the platform’s IT audit, asset management, and access control functionality, and any related support services provided under the Agreement.

4.2.    Duration: The Processing shall continue for the Subscription Term of the Agreement, unless otherwise required by Applicable Data Protection Laws.

4.3.    Types of Personal Data: The categories of Personal Data processed may include, but are not limited to:

4.3.1.    identification data (name, job title, organisation details);

4.3.2.    contact data (email address, login credentials);

4.3.3.    technical data (IP address, device and browser information, usage logs); and

4.3.4.    any other Personal Data that the Customer or its Authorised Users choose to input into the Services.

4.4.    Categories of Data Subjects: The categories of Data Subjects may include the Customer’s employees, contractors, Authorised Users, and any other individuals whose Personal Data is submitted to the Services by or on behalf of the Customer.

4.5.    Customer Responsibility: The Customer acknowledges that NAUAS Ark Ltd does not determine the categories of Personal Data that the Customer or its Authorised Users choose to process through the Services and remains solely responsible for ensuring that such Processing complies with Applicable Data Protection Laws.

5.    Confidentiality

5.1.    Personnel Commitments: NAUAS Ark Ltd shall ensure that all employees, contractors, and authorised Sub-processors who have access to Customer Data are subject to appropriate obligations of confidentiality, whether under contractual, statutory, or professional duty.

5.2.    Survival: These confidentiality obligations shall survive termination of the Agreement and this Addendum for as long as NAUAS Ark Ltd continues to hold or have access to Customer Data.

6.    Security Measures

6.1.    Implementation of Safeguards: NAUAS Ark Ltd shall implement and maintain appropriate technical and organisational measures to protect Customer Data against unauthorised or unlawful Processing, accidental loss, destruction, or damage. Such measures shall include, at a minimum:

6.1.1.    Cyber Essentials–certified security controls (or equivalent industry-recognised framework);

6.1.2.    Encryption of Customer Data in transit and at rest;

6.1.3.    Role-based access controls and least-privilege principles;

6.1.4.    Regular security audits, vulnerability scanning, and penetration testing; and

6.1.5.    Business continuity and disaster recovery planning.

6.2.    Security Objectives: The measures are designed to ensure a level of security appropriate to the risk, including:

6.2.1.    the ongoing confidentiality, integrity, availability, and resilience of processing systems and services;

6.2.2.    the ability to restore availability and access to Customer Data in a timely manner in the event of an incident; and

6.2.3.    processes for regularly testing, assessing, and evaluating the effectiveness of security measures.

6.3.    Updates to Measures: NAUAS Ark Ltd may update or modify its security measures from time to time, provided such updates do not materially reduce the overall level of protection for Customer Data.

6.4.    Documentation: A detailed description of the current technical and organisational measures may be set out in a separate schedule (“Security Measures Schedule”) or made available to the Customer upon request.

7.    Sub-Processing

7.1.    Authorisation: The Customer authorises NAUAS Ark Ltd to engage Sub-processors for the provision of the Services.

7.2.    Obligations: NAUAS Ark Ltd shall:

7.2.1.    maintain an up-to-date list of current Sub-processors, which shall be made available to the Customer upon request;

7.2.2.    notify the Customer in advance of any intended changes to Sub-processors, thereby giving the Customer an opportunity to object on reasonable grounds;

7.2.3.    impose on all Sub-processors data protection obligations equivalent to those set out in this Addendum; and

7.2.4.    remain fully responsible for the acts and omissions of its Sub-processors.

8.    International Transfers

8.1.    Restriction on Transfers: NAUAS Ark Ltd will not transfer Customer Data outside the United Kingdom or the European Economic Area (“EEA”) unless such transfer complies with Applicable Data Protection Laws.

8.2.    Transfer Mechanisms: Where a transfer of Customer Data outside the UK or EEA is required, NAUAS Ark Ltd shall ensure that:

8.2.1.    the transfer is to a country that has been granted an adequacy decision by the UK Government or the European Commission (as applicable); or

8.2.2.    appropriate safeguards are implemented, such as the Standard Contractual Clauses, the UK International Data Transfer Addendum, or other valid transfer mechanism recognised under Applicable Data Protection Laws.

8.3.    Customer Information: NAUAS Ark Ltd shall inform the Customer of any such transfer and, upon request, provide the Customer with a copy or summary of the relevant safeguard mechanism (subject to redactions where necessary to protect confidentiality).

9.    Assistance with Data Subject Rights

9.1.    NAUAS Ark Ltd shall, taking into account the nature of the Processing and the information available to it, assist the Customer by appropriate technical and organisational measures in fulfilling its obligations to respond to requests from Data Subjects exercising their rights under Applicable Data Protection Laws, including (where applicable) rights of access, rectification, erasure, restriction, data portability, and objection.

9.2.    If NAUAS Ark Ltd receives a request directly from a Data Subject in relation to Customer Data, it shall promptly forward the request to the Customer and shall not respond directly unless authorised to do so by the Customer in writing or required by law.

9.3.    To the extent legally permitted, NAUAS Ark Ltd may charge the Customer for reasonable costs incurred in providing assistance with Data Subject requests, particularly where such requests are manifestly unfounded, repetitive, or excessive.

10.    Data Breach Notification

10.1.    Notification: NAUAS Ark Ltd shall notify the Customer without undue delay (and in any event within 48 hours) upon becoming aware of a Personal Data Breach affecting Customer Data.

10.2.    Content of Notification: The notification shall, to the extent available at the time, include:

10.2.1.    the nature of the Personal Data Breach, including categories and approximate number of affected Data Subjects and records;

10.2.2.    the likely consequences of the Personal Data Breach; and

10.2.3.    the measures taken or proposed to address the breach, including mitigation steps.

10.3.    Cooperation: NAUAS Ark Ltd shall promptly provide the Customer with additional information as it becomes available, and will cooperate with the Customer in investigating, mitigating, and remedying the breach, to enable the Customer to meet its obligations under Applicable Data Protection Laws (including any obligation to notify supervisory authorities or affected Data Subjects).

10.4.    No Direct Notification: Unless required by law, NAUAS Ark Ltd shall not notify any supervisory authority or Data Subject of a Personal Data Breach involving Customer Data without the Customer’s prior written consent.

11.    Data Deletion or Return

11.1.    Customer Choice: Upon termination or expiry of the Agreement, NAUAS Ark Ltd shall, at the written instruction of the Customer, either:

11.1.1.    return all Customer Data (in a commonly used machine-readable format) to the Customer; or

11.1.2.    securely delete all Customer Data.

11.2.    Timing: Unless otherwise agreed in writing, NAUAS Ark Ltd shall complete the return or deletion within thirty (30) days of termination or expiry of the Agreement.

11.3.    Backups and Residual Copies: Customer Data stored in automated backups or archival systems may remain for up to ninety (90) days after termination but shall be securely isolated and protected from further processing (except as required by law) until deleted in the ordinary course of business.

11.4.    Legal Retention: NAUAS Ark Ltd may retain Customer Data where required by Applicable Data Protection Laws or other legal obligations, provided that such data remains subject to the protections of this Addendum.

12.    Audit Rights

12.1.    Information: Upon reasonable written notice, NAUAS Ark Ltd shall make available to the Customer all information reasonably necessary to demonstrate compliance with this Addendum and Applicable Data Protection Laws.

12.2.    Audits: The Customer (or an independent auditor appointed by the Customer, subject to NAUAS Ark Ltd’s prior written consent) may conduct an audit of NAUAS Ark Ltd’s processing of Customer Data no more than once in any twelve (12) month period, unless:

12.2.1.    required by Applicable Data Protection Laws; or

12.2.2.    in response to a verified Personal Data Breach.

12.3.    Conditions of Audit: Audits must be:

12.3.1.    conducted during normal business hours;

12.3.2.    subject to reasonable confidentiality obligations; and

12.3.3.    carried out in a manner that minimises disruption to NAUAS Ark Ltd’s business operations.

12.4.    Alternative Evidence: NAUAS Ark Ltd may, at its discretion, provide recent third-party certifications (such as ISO 27001, SOC 2, or Cyber Essentials) or independent audit reports as an alternative to a direct audit, provided such evidence reasonably demonstrates compliance.

12.5.    Costs: The Customer shall bear its own costs and expenses of any audit. If the audit identifies a material breach of this Addendum, NAUAS Ark Ltd shall reimburse the Customer for its reasonable, documented audit costs.

13.    Governing Law

This Addendum shall be governed by and construed in accordance with the governing law specified in the Agreement. Any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with this Addendum shall be subject to the exclusive jurisdiction of the courts specified in the Agreement.