# Data Processing Agreement

**Between the Customer ("Controller") and Navio Maritime OÜ ("Processor")**

**Version:** 1.1
**Date:** 27 April 2026

---

## 1. Parties

**Processor:**
Navio Maritime OÜ
Registered in Estonia (EU)
Email: privacy@mantis-ihm.com

**Controller:**
The organisation entering into a subscription agreement for the MANTIS IHM compliance management service, as identified in the applicable service agreement.

---

## 2. Background and Scope

2.1. This Data Processing Agreement ("DPA") forms part of the MANTIS service agreement between the Controller and the Processor. It governs the processing of personal data by the Processor on behalf of the Controller in connection with the MANTIS IHM compliance management service.

2.2. This DPA is entered into pursuant to Article 28 of the General Data Protection Regulation (EU) 2016/679 ("GDPR").

2.3. In the event of any conflict between this DPA and the service agreement, this DPA shall prevail with respect to data protection matters.

---

## 3. Definitions

- **"Personal Data"** means any information relating to an identified or identifiable natural person, as defined in Article 4(1) GDPR.
- **"Processing"** means any operation performed on Personal Data, as defined in Article 4(2) GDPR.
- **"Data Subject"** means the identified or identifiable natural person to whom the Personal Data relates.
- **"Sub-processor"** means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
- **"Data Breach"** means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.

---

## 4. Data Processed

4.1. The Processor processes the following categories of Personal Data on behalf of the Controller:

| Category | Data elements | Data subjects |
|---|---|---|
| Account data | Name, email address, hashed password, role, MFA status | Employees and agents of the Controller who use MANTIS |
| Vessel contact data | Designated Person (DP) name, email, phone number | Designated Persons and vessel contacts |
| IHM compliance data | Material inventory records, supplier declarations, compliance check history, uploaded documents | N/A (primarily non-personal, but may contain personal data in uploaded documents) |
| Vessel data | Vessel name, IMO number, flag state, gross tonnage, type, build year | N/A (non-personal) |
| Usage data | Last login timestamp, pages viewed | Employees and agents of the Controller who use MANTIS |

4.2. The Processor does not determine the purposes or means of processing. The Controller instructs the Processor to process Personal Data solely for the purpose of providing the MANTIS service.

---

## 5. Obligations of the Processor

The Processor shall:

5.1. Process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data outside the EU/EEA, unless required to do so by applicable law. In such a case, the Processor shall inform the Controller of that legal requirement before processing, unless prohibited by law.

5.2. Ensure that persons authorised to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

5.3. Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as described in Section 7.

5.4. Respect the conditions for engaging sub-processors as set out in Section 6.

5.5. Assist the Controller, taking into account the nature of the processing, by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller's obligation to respond to requests for exercising Data Subject rights under Chapter III GDPR.

5.6. Assist the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 GDPR, taking into account the nature of processing and the information available to the Processor.

5.7. At the choice of the Controller, delete or return all Personal Data to the Controller after the end of the provision of services, and delete existing copies unless applicable law requires storage of the Personal Data.

5.8. Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR and allow for and contribute to audits and inspections as set out in Section 10.

---

## 6. Sub-processors

6.1. The Controller provides general authorisation for the Processor to engage the following sub-processors:

| Sub-processor | Registered office | Service provided | Data centre location |
|---|---|---|---|
| Supabase Inc | San Francisco, USA | Database hosting, authentication (identity + application data), file storage, edge functions | EU (Frankfurt, AWS eu-central-1) |
| Cloudflare Inc | San Francisco, USA | Application hosting (Cloudflare Pages), DDoS protection, CDN, R2 backup storage, DNS | EU edge network + EU R2 region |
| Sendinblue SAS (Brevo) | Paris, France | Transactional email delivery (account verification, fleet invitations, billing receipts, password reset) | EU |
| Stripe Payments Europe Ltd | Dublin, Ireland | Payment processing for subscriptions | EU (Ireland) — PCI DSS Level 1 |
| Sentry GmbH | Vienna, Austria | Error monitoring and crash reporting | EU (Germany) |
| PostHog Inc | San Francisco, USA | Product analytics (self-hosted EU instance) | EU |
| Plausible Insights OÜ | Tallinn, Estonia | Privacy-friendly web analytics (no cookies, aggregate only) | EU (Estonia) |

6.2. All sub-processors process data exclusively within the EU/EEA, regardless of where the sub-processor is incorporated. US-incorporated sub-processors operate under Standard Contractual Clauses (SCCs) for any minimal cross-border processing (e.g. account billing) and are bound by their own DPAs.

6.3. The Processor shall inform the Controller of any intended changes to the list of sub-processors by email at least 30 days in advance, giving the Controller the opportunity to object to such changes. If the Controller objects on reasonable grounds, the parties shall discuss the matter in good faith. If no resolution is reached, the Controller may terminate the service agreement.

6.4. The Processor shall impose the same data protection obligations as set out in this DPA on any sub-processor by way of a contract, ensuring in particular that the sub-processor provides sufficient guarantees to implement appropriate technical and organisational measures.

6.5. The Processor remains fully liable to the Controller for the performance of the sub-processor's obligations.

---

## 7. Security Measures

7.1. The Processor implements the following technical and organisational measures:

**Encryption:**
- AES-256 encryption at rest for all stored data (database and file storage)
- TLS 1.2 or higher for all data in transit
- Encrypted database connections (TLS, commonly referred to as SSL)

**Access control:**
- Supabase Auth with bcrypt password hashing and per-user salts
- Multi-factor authentication (MFA/TOTP) support
- Role-based access control at the organisation level
- Automatic session timeout after inactivity
- Rate-limited authentication endpoints

**Data isolation:**
- PostgreSQL Row Level Security (RLS) on all database tables
- All RLS policies scoped by organisation membership
- No shared data between Controller organisations

**Monitoring and audit:**
- Audit trail for all data modifications, recording user, timestamp, and action
- Application and infrastructure logging

**Backup and recovery:**
- Automated daily database backups
- Point-in-time recovery capability
- User-initiated data export (XLSX format)

**Organisational:**
- Access to production systems limited to authorised personnel
- Confidentiality obligations for all personnel with access to Personal Data

---

## 8. Data Breach Notification

8.1. The Processor shall notify the Controller without undue delay, and in any event within **72 hours** of becoming aware of a Data Breach, in accordance with Article 33 GDPR.

8.2. The notification shall include, to the extent available:

- A description of the nature of the Data Breach, including the categories and approximate number of Data Subjects and records concerned
- The name and contact details of the Processor's contact point
- A description of the likely consequences of the Data Breach
- A description of the measures taken or proposed to address the Data Breach, including measures to mitigate its possible adverse effects

8.3. Where it is not possible to provide all information at the same time, the Processor shall provide information in phases without further undue delay.

8.4. The Processor shall cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the Data Breach.

---

## 9. Data Subject Requests

9.1. The Processor shall promptly notify the Controller if it receives a request from a Data Subject to exercise their rights under GDPR (access, rectification, erasure, portability, restriction, or objection).

9.2. The Processor shall not respond directly to a Data Subject request unless instructed by the Controller or required by applicable law.

9.3. The Processor shall provide reasonable technical assistance to the Controller in fulfilling Data Subject requests, including providing data exports and executing deletion requests within the system.

---

## 10. Audit Rights

10.1. The Controller may audit the Processor's compliance with this DPA **once per calendar year**, with at least **30 days' written notice**.

10.2. Audits shall be conducted during normal business hours and shall not unreasonably interfere with the Processor's operations.

10.3. The Controller shall bear its own costs of the audit. If the audit requires significant involvement of the Processor's personnel, the parties shall agree on reasonable compensation in advance.

10.4. The Processor shall make available all information reasonably necessary to demonstrate compliance with this DPA.

10.5. If the audit reveals material non-compliance, the Processor shall remediate the issues within a reasonable timeframe agreed by both parties. The Controller may conduct a follow-up audit to verify remediation.

10.6. As an alternative to an on-site audit, the Processor may provide the Controller with a current SOC 2 Type II report or equivalent third-party audit report covering the Processor's systems and controls.

---

## 11. Data Deletion and Return

11.1. Upon termination of the service agreement, the Processor shall, at the Controller's choice:

- (a) Return all Personal Data to the Controller in a structured, commonly used, and machine-readable format (XLSX); or
- (b) Delete all Personal Data and certify such deletion in writing.

11.2. Deletion shall be completed within **30 days** of the termination date, unless applicable law requires further retention of the Personal Data. In such a case, the Processor shall inform the Controller of the legal basis and the retention period.

11.3. Personal Data contained in automated backups shall be overwritten in accordance with the Processor's standard backup rotation schedule and in any event within 90 days.

---

## 12. International Data Transfers

12.1. The Processor does not transfer Personal Data outside the EU/EEA.

12.2. All sub-processors process data within the EU/EEA, as specified in Section 6.

12.3. If a transfer outside the EU/EEA becomes necessary in the future, the Processor shall ensure that appropriate safeguards are in place pursuant to Chapter V GDPR (such as Standard Contractual Clauses) and shall obtain the Controller's prior written consent.

---

## 13. Liability

13.1. Each party's liability under this DPA is subject to the limitations of liability set out in the service agreement, except that neither party's liability for breaches of data protection law shall be limited to the extent that such limitation is prohibited by applicable law.

---

## 14. Term and Termination

14.1. This DPA shall remain in effect for the duration of the service agreement.

14.2. The obligations of the Processor under this DPA with respect to Personal Data that remains in the Processor's possession shall survive termination of this DPA until such data is deleted or returned in accordance with Section 11.

---

## 15. Governing Law and Jurisdiction

15.1. This DPA shall be governed by and construed in accordance with the **laws of Estonia**.

15.2. Any disputes arising under this DPA shall be submitted to the exclusive jurisdiction of the **courts of Tallinn, Estonia**.

---

## 16. Signatures

This DPA is entered into as of the date specified in the service agreement.

**For the Processor (Navio Maritime OÜ):**

Name: ____________________________
Title: ____________________________
Date: ____________________________
Signature: ________________________

**For the Controller:**

Name: ____________________________
Title: ____________________________
Organisation: _____________________
Date: ____________________________
Signature: ________________________

---

**Contact for data protection matters:**
privacy@mantis-ihm.com
