Data Processing Agreement

 

Effective Date: 28.04.2026

This Data Processing Agreement (“DPA”) is entered into as part of, and made pursuant to, the Narify Terms of Service or other agreement executed between Narify and Customer regarding Narify’s provision of the Narify Platform and related Services (the “Agreement”). This DPA applies to Narify’s Processing of Personal Data under the Agreement.

Customer enters into this DPA on behalf of the company represented by the signatory party (deemed to be empowered), including on behalf of any Affiliates to the extent such Affiliates are included in the scope of the Agreement.

This DPA shall become legally binding upon Customer’s electronic signature of the Agreement.

1 PURPOSE

1.1 Customer and Narify have agreed that Narify shall provide access to the Narify Platform and related Services for Customer within the scope agreed in the Agreement.

1.2 The agreed Services include processing of personal data by Narify on behalf of Customer.

1.3 The purpose of this DPA is to set out the terms and conditions governing such processing, first and foremost to ensure compliance with the requirements set by the GDPR as defined herein, and any other applicable data protection legislation.

1.4 In the event of any discrepancy between this DPA document, the main body of the Agreement, and any of the Exhibits and appendices, the terms of this document shall prevail. In the event of inconsistencies between this DPA and the Agreement, this DPA shall prevail regarding the subject matter herein.

2 TERM AND TERMINATION OF THIS DPA

2.1 This DPA shall become effective upon signing by both Parties.

2.2 This DPA shall remain in force during the validity of the Agreement and thereafter only for the period required to comply with Annex 4 (Retention and Deletion).

2.3 Any and all processing of personal data hereunder shall be in compliance with Privacy and Security Laws.

3 DEFINITIONS

3.1 The definitions set out in the Agreement are applicable to this DPA, unless otherwise clearly stated herein.

3.2 The terms “personal data”, “personal information,” “data subject”, “personal data breach”, “processing”, “Controller”, “Processor” and “supervisory authority” as used in this DPA have the meanings given in GDPR and the derived applicable Privacy and Security Laws.

3.3 The term “Controller” shall mean Customer.

3.4 The term “Processor” shall mean Narify.

3.5 “GDPR” means EU General Data Protection Regulation (679/2016) concerning the processing of personal data.

3.6 “Privacy and Security Laws” means:

all applicable national, international, federal, state, provincial, and local laws, rules, regulations, directives, and governmental requirements currently in effect and as they become effective relating in any way to the privacy, confidentiality, and/or security of personal data, including, but not limited to, GDPR.

3.7 “Sell” or “Selling” means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, personal data to another business or a third party for monetary or other valuable consideration.

3.8 “Sub-Processors” means a Narify affiliate and/or third parties authorized under this DPA to have logical access to and process personal data in order to provide parts of the Services.

3.9 “Parties” means Narify and Customer collectively and “Party” means Narify or Customer individually.

3.10 “Standard Contractual Clauses” mean:

  • in respect of personal data subject to the GDPR and/or the Federal Act on Data Protection (“FADP”), the standard contractual clauses for the transfer of personal data to third countries pursuant to the GDPR, adopted by the European Commission under Commission Implementing Decision (EU) 2021/914, and not including any clauses marked as optional (“EU Standard Contractual Clauses”);
  • in respect of personal data subject to the FADP, the EU Standard Contractual Clauses, provided that any references in such clauses to the GDPR shall refer to the FADP; the term ‘member state’ must not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence in accordance with clause 18(c) of the clauses; and
  • in respect of personal data subject to the UK’s Data Protection Act 2018, the International Data Transfer Addendum to the EU Standard Contractual Clauses, issued by the Information Commissioner and laid before Parliament in accordance with s.119A of the UK Data Protection Act 2018 on 2 February 2022 amended, as permitted by clause 17 of such addendum.

4 PROCESSING OF PERSONAL DATA

4.1 In terms of the GDPR, Customer is the Controller, and Narify is the data Processor, of personal data processed within the scope of this DPA.

4.2 The Controller shall be responsible for its instructions to the Processor and the legality of the personal data processing in accordance with Privacy and Security Laws.

4.3 In its capacity as Processor, Narify shall process personal data only to fulfil its obligations under the Agreement or as otherwise mandated by law, and in compliance with documented instructions by Customer. Such processing shall be carried out in accordance with the Agreement, this DPA, documented instructions by Customer, and Privacy and Security Laws.

4.4 The subject-matter and details of the processing of personal data by Narify are described in Annex 1.

4.5 Narify shall immediately inform Customer if instructions given by the data Controller, in the opinion of Narify, contravene the GDPR or the applicable European Economic Area Member State, the UK and/or Swiss data protection provisions.

5 RIGHTS OF DATA SUBJECTS

5.1 Taking into account the nature of the processing, Narify shall assist Customer by appropriate technical and organizational measures in the fulfilment of its obligations as the Controller to respond to data subject requests relating to the exercise of their rights under the GDPR. Such requests may relate to the data subjects’ rights of access, correction, deletion or objection in connection with the processing of their personal data. In this respect, Narify shall provide assistance only upon request by Customer. Any request directed to Narify by a data subject shall be referred by Narify to Customer without delay.

6 NARIFY PERSONNEL

6.1 Narify shall ensure that personnel engaged on Narify’s behalf in the processing of personal data hereunder are informed of the confidential nature of the personal data, have received appropriate training on their responsibilities and have executed written confidentiality agreements with respect to such personal data, and only process such personal data in accordance with instructions from Customer, unless required by applicable law. Narify shall ensure that such confidentiality obligations survive the termination of such personnel’s engagement with Narify.

6.2 Narify shall ensure that Narify’s access to personal data is limited to those personnel performing Services in accordance with the Agreement.

7 SUB-PROCESSORS

7.1 Narify is provided with general authorization by Customer for the engagement of sub-Processors, in compliance with GDPR Article 28. Narify shall inform Customer in writing of any intended changes concerning the addition or replacement of sub-Processors at least 2 weeks in advance, thereby giving the Customer the opportunity to object to such changes prior to the engagement of the concerned sub-Processor(s). Such notification shall include information about the replaced and new sub-Processor’s processing activities, name and place of business. The list of sub-Processors authorized by Customer as at the date of this DPA is set out in Annex 3.

7.2 Narify shall ensure that sub-Processors are bound by a written agreement which requires them to provide at least the level of data protection required from Narify under the DPA. Narify will evaluate the security, privacy and confidentiality practices of a sub-Processor prior to selection. Sub-Processors may have security certifications that evidence their use of appropriate security measures. If not, Narify will regularly evaluate each sub-Processor’s security practices as they relate to data handling.

7.3 Where a sub-Processor fails to fulfill its data protection obligation, Narify shall remain fully liable to Customer for the performance of that sub-Processor’s obligations. This does not affect the rights of the data subjects under the GDPR – in particular those foreseen in GDPR Articles 79 and 82 – against the data Controller and the data Processor, including the sub-Processor.

7.4 In case Customer objects to the use of a specific Sub-Processor on reasonable data protection grounds, the Parties shall enter into good faith negotiations to resolve the issue. If the Parties are unable to agree on a resolution within a reasonable timeframe, Customer may terminate only the affected Services upon written notice.

Any termination shall not affect fees for Services already provided. Narify will refund Customer paid but unused recurring subscription fees on a pro-rata basis for the remainder of the subscription period following the effective date of termination.

One-time fees (including onboarding/implementation/training/coaching/workshop fees) are non-refundable once performed.

7.5 Emergency Replacement. Narify may change a sub-Processor where the reason for the change is outside of Narify’s reasonable control. In this case, Narify will inform Customer of the replacement sub-Processor as soon as possible. Customer retains their right to object to a replacement sub-Processor.

8 PROCESSING TAKING PLACE OUTSIDE EU/EEA

8.1 Customer provides Narify with a general authorization to transfer or otherwise process Personal Data subject to the GDPR, FADP and/or the UK GDPR outside the EU/EEA, Switzerland and/or the UK solely as necessary to provide the Services, provided Narify implements appropriate safeguards in accordance with Section 8.2 prior to such transfer taking place.

For the avoidance of doubt, transfers to authorized Sub-Processors listed in Annex 3 (and notified in accordance with Section 7) are authorized.

8.2 Where Personal Data is transferred outside the EU/EEA, Switzerland and/or the UK, Narify shall ensure appropriate safeguards are in place in accordance with Privacy and Security Laws, including (as applicable) a determination of adequacy by the EU Commission, Swiss Federal Council and the UK Government as applicable to the Personal Data transfer or the Standard Contractual Clauses.

9 SECURITY

9.1 Narify shall implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk of processing, taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing, cf. GDPR Article 32. This shall include at least measures to:

9.1.1 safeguard the confidentiality, integrity, availability and resilience of systems and services processing personal data;

9.1.2 restore the availability and access to personal data in a timely manner in the event of an incident;

9.1.3 regularly test, assess and evaluate the effectiveness of technical and organizational measures for ensuring the security of the processing; and

9.1.4 pseudonymize and/or encrypt personal data (if and to the extent agreed).

9.2 Further information about the technical and organizational security measures implemented and maintained by Narify is set out in Annex 2.

9.3 Third-Party Certifications and Audits.
Narify shall make available to Customer all information necessary to demonstrate compliance with this DPA and shall allow for audits by Customer or a third-party auditor mandated by Customer. Narify shall be given at least fourteen (14) days’ notice before an audit or inspection. Any audit or inspection shall be carried out in a time and cost-efficient manner, without unnecessary disturbance to Narify’s daily operations, in a way that respects Narify’s confidentiality obligations towards other customers and/or third parties.

9.4 Narify may also provide Customer with an audit report by a third-party auditor.

10 PERSONAL DATA BREACH AND COOPERATION WITH THE SUPERVISORY AUTHORITY

10.1 Narify shall notify Customer without delay and in any case within 72 hours after becoming aware of a personal data breach relating to personal data (“Personal Data Breach”). Such notification shall at least:

  • Provide the name and contact details where more information can be obtained;
  • Provide the information that Controllers must provide when reporting a personal data breach as required by Privacy and Security Laws; and
  • Describe the measures taken or proposed to be taken to address the personal data breach including, where appropriate, measures to mitigate its possible adverse effects.

10.2 Narify shall not release or publish any filing, communication, notice, press release or report concerning the Personal Data Breach, or communicate directly with data subjects, without Customer’s prior written consent, unless required by applicable law.

10.3 Narify shall continue to promptly provide Customer with all assistance requested to investigate the cause of and implement mitigation and remedial measures in respect of the Personal Data Breach.

10.4 On request by a competent data protection supervisory authority, Narify shall cooperate with the supervisory authority in the performance of its tasks, and shall comply with decisions by the supervisory authority on security measures required to comply with the Privacy and Security Laws. On request by Customer, Narify shall assist Customer in the fulfilment of the Customer’s obligations to carry out a data protection impact assessment, including when required in the Customer’s prior consultation with the supervisory authority.

11 DELETION OR RETURNING OF CUSTOMER DATA

11.1 Upon termination or expiry of the Agreement or upon cessation of Narify’s processing of personal data for Customer, Narify shall, in accordance with Customer’s instructions, either return or destroy all data in accordance with Annex 4.

12 DAMAGES

13.1 Within the framework of the Agreement, Narify shall be liable for direct damages incurred by Customer, including third-party claims by a data subject or a supervisory authority, resulting from Narify’s fault or negligence (or that of Narify’s Sub-Processors) in processing Personal Data in breach of this DPA and/or applicable Privacy and Security Laws.

Narify’s total aggregate liability under this DPA shall be subject to the limitation of liability set out in the Agreement. If the Agreement does not contain an applicable limitation, Narify’s total aggregate liability under this DPA shall not exceed the fees paid by Customer under the Agreement during the twelve (12) months preceding the event giving rise to the claim.

13 APPLICABLE LAW AND DISPUTE RESOLUTION

14.1 The DPA is interpreted, construed and governed in accordance with the applicable law set out in the relevant Agreement.

14.2 Any disputes concerning the interpretation or application of the DPA shall be settled in accordance with the provisions on dispute resolution included in the relevant Agreement.

Annex 1: Description of Processing / Instructions
Annex 2: Technical and Organizational Security Measures
Annex 3: Subprocessors
Annex 4: Retention and Deletion

Annex 1: Description of processing / instructions

1. Subject Matter of the Processing

Narify provides a multi-tenant, vendor-hosted SaaS platform for content creation, collaboration, and publication management.

Personal Data is processed solely for the purpose of providing the Services under the Agreement.

2. Nature and Purpose of Processing

Processing activities include:

  • User authentication and identity management
  • Organization and role management
  • Content creation, storage, and publication workflows
  • Analytics and usage metrics
  • Platform administration and support
  • Security monitoring and fraud prevention

Narify processes Personal Data only on documented instructions from Customer, as set out in the Agreement and this DPA.

Narify shall not:

  • Sell Personal Data
  • Use Personal Data for independent marketing purposes
  • Process Personal Data outside the scope of providing the Services

3. Categories of Data Subjects

The Customer may provide Narify with personal data relating to multiple data subjects in order to benefit from the Services, the extent of which is determined and controlled by Customer at its sole discretion, and which may include, but is not limited to, personal data relating to the following categories of data subjects:

  • Prospects, customers, business partners and vendors of Customer (who are natural persons)
  • Employees or contact persons of Customer’s prospects, customers, business partners and vendors
  • Employees, agents, advisors, freelancers of Customer (who are natural persons)
  • Customer’s Users authorized by Customer to use the Services.

The Services are not intended for children.

4. Categories of Personal Data

Personal Data processed may include:

  • Name
  • Email address
  • Role and organization affiliation
  • Authentication credentials (managed via identity provider)
  • User-generated content
  • LinkedIn content authorized by the user
  • Usage analytics
  • Technical metadata (e.g., IP address, browser type, device information)

Narify does not intentionally process special categories of Personal Data.

5. Duration of Processing

Personal Data is processed for the duration of the Agreement and as otherwise set out in Annex 4 (Retention and Deletion).

6. Processing Operations

Processing may include:

  • Collection
  • Storage
  • Retrieval
  • Use
  • Transmission
  • Deletion or anonymization

All processing is performed in accordance with Customer’s documented instructions.

Annex 2: Technical and organizational security measures

Narify implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including the following:

1. Encryption & Data Protection

  • Encryption of data in transit using TLS 1.2 or higher (HTTPS).
  • Encryption of data at rest provided by managed cloud infrastructure (database, object storage, backups).
  • Secure key management handled by underlying cloud providers.

2. Access Controls

  • Role-Based Access Control (RBAC) at application level.
  • Least-privilege access model for internal administrative access.
  • Authentication managed through WorkOS (AuthKit), including:
    • Email/password authentication
    • Social login
    • Magic link authentication
    • Optional at request: Multi-Factor Authentication (MFA)
    • Optional: SSO (SAML 2.0 / OIDC)

3. Tenant Isolation

  • Logical separation of customer organizations within a multi-tenant architecture.
  • Tenant-scoped authorization checks enforced at application and data access layers.
  • No unintentional cross-tenant data access permitted.

4. Logging & Monitoring

  • Logging of authentication attempts (successful and failed).
  • Logging of administrative actions (user management, role changes, configuration updates).
  • Centralized monitoring of availability, error rates, and performance metrics.
  • Audit log export/streaming available as optional service.

5. Development & Change Management

  • Separation of development, preview/test, and production environments.
  • Code versioning in secure repositories with access controls.
  • Controlled CI/CD deployment pipeline.
  • Code review process prior to production deployment.
  • Dependency monitoring and regular updates.

6. Vulnerability & Incident Management

  • Vulnerability monitoring via managed cloud providers and identity provider (e.g. WorkOS Radar).
  • Periodic independent security review (most recently 2024).
  • Documented incident response procedures.
  • Personal data breach notification in accordance with GDPR timelines.

7. Backup & Disaster Recovery

  • Managed database backups (automated).
  • Redundant cloud infrastructure across availability zones (provider-managed).
  • Restoration procedures in place for disaster recovery.

8. Physical Security

  • Physical security controls are managed by underlying cloud infrastructure providers (e.g. AWS, Vercel, Render, PlanetScale) and subject to their certifications and audits.

Annex 3: Subprocessors

Narify maintains an up-to-date list of Subprocessors at:
https://narify.com/subprocessors/

Narify shall notify Customer of new subprocessors in accordance with Section 7 of the DPA. The Customer’s lack of objection to the change in sub-Processor will be deemed as Customer’s consent to said amendments to the list of sub-Processors.

Annex 4: Retention and deletion

4.1 Retention During the Term

Personal Data is retained for the duration of the Agreement and only as necessary to provide the Services in accordance with the Agreement and applicable data protection laws.

4.2 Organization Deletion

Customer administrators may delete a Customer organization at any time via the platform interface.

Upon deletion of an organization:

  • All Personal Data associated with that organization, including organization configuration, content, preferences, and user-organization relationships, shall be deleted from active production systems within thirty (30) days, subject to backup retention cycles.
  • Deletion of an organization does not automatically delete user accounts that may be associated with other organizations.

4.3 Subscription Termination – Inactive Organizations

Upon termination or expiration of the Agreement:

  • Customer may request export of data made available within the Services prior to termination. Certain third-party platform analytics (including LinkedIn post analytics retrieved via API) may not be exportable due to third-party platform restrictions and compliance requirements.

If a subscription is terminated and the organization is not actively deleted by the administrator:

  • Narify will retain the organization’s Personal Data for up to twenty-four (24) months following termination to allow for potential reactivation.
  • If the subscription is not reactivated within this period, Narify shall delete or anonymize the organization’s Personal Data within thirty (30) days thereafter, unless applicable law requires continued retention.

Retention during this period is solely for the purpose of enabling potential organization reactivation and recovery of user-generated content created through the Services.

4.4 User Account Deletion

Users may delete their accounts at any time.

Upon user-initiated deletion:

  • All Personal Data associated with that user account shall be deleted from active production systems within thirty (30) days, subject to backup retention cycles.

4.5 Inactive User Accounts

Where a user account:

  • Is not associated with any active organization; and
  • Has been inactive for a continuous period of twenty-four (24) months,

Narify may delete such user account and associated Personal Data, unless retention is required by applicable law.

Retention during this period is solely for the purpose of enabling potential user reactivation and recovery of user-generated content created through the Services.

4.6 Backup Retention

Personal Data may remain in encrypted backup systems for a limited retention period:

  • Backups are retained for up to forty-eight (48) hours.
  • Backups are automatically overwritten after this period.
  • Backup data is not actively processed except in case of disaster recovery.

If restoration occurs, previously deleted Personal Data will be deleted again in accordance with Narify’s deletion procedures.

4.7 Legal Retention

Narify may retain limited Personal Data where required to comply with applicable law (e.g., accounting) or to resolve disputes. Such retained data shall continue to be subject to the terms of this DPA and be access-restricted and deleted once the legal obligation expires.

4.8 Certification of Deletion

Upon written request following termination, Narify will confirm deletion of Customer Personal Data in accordance with this Annex.