Data Processing Addendum (DPA)
Last updated: 2026-04-23
This Data Processing Addendum ("DPA") forms part of the agreement ("Agreement") between the customer identified in the applicable order form ("Customer", "Controller") and Focus Global Talent Solutions, LLC ("Focus GTS", "Processor") for Customer's use of the Navigator Service (the "Service").
This DPA reflects the parties' agreement on the processing of Personal Data in connection with the Service and is intended to satisfy Article 28 GDPR, the UK GDPR, the Swiss FADP, and the California Consumer Privacy Act / CPRA ("Applicable Data Protection Law").
1. Definitions
Terms not defined here have the meaning given in Applicable Data Protection Law.
- "Personal Data" means any Customer Data that relates to an identified or identifiable natural person and is processed by Focus GTS on behalf of Customer.
- "Sub-processor" means any third party engaged by Focus GTS to process Personal Data under this DPA.
- "Data Subject" means the individual to whom Personal Data relates.
2. Roles
- Customer is the Controller (or Business, under CPRA) of Personal Data it submits to the Service.
- Focus GTS is the Processor (or Service Provider, under CPRA).
Focus GTS will not "sell" or "share" Personal Data within the meaning of CPRA. Focus GTS will not combine Personal Data received from Customer with personal information received from any other source, except as strictly necessary to perform the Service for Customer.
3. Purpose and scope
Focus GTS will process Personal Data only:
- for the purpose of providing, maintaining, securing, and improving the Service for Customer;
- in accordance with Customer's documented instructions (the Agreement, this DPA, and any reasonable written instructions Customer gives to the Service);
- as required by law binding on Focus GTS (in which case Focus GTS will inform Customer before processing, unless legally prohibited).
Focus GTS will immediately inform Customer if, in its opinion, an instruction violates Applicable Data Protection Law.
4. Categories of data and data subjects
See Annex A at the end of this DPA.
5. Confidentiality
Focus GTS ensures that all personnel authorized to process Personal Data are bound by written confidentiality obligations and have received training on data protection.
6. Security measures
Focus GTS implements and maintains appropriate technical and organizational measures designed to protect Personal Data against unauthorized or unlawful processing, accidental loss, destruction, damage, alteration, or disclosure. These measures include:
- Encryption. TLS 1.2+ in transit; AES-256 at rest (Google Cloud default).
- Access control. SSO-enforced access (Google / Microsoft), least-privilege IAM, MFA required for all production access.
- Network. Cloud-hosted isolation, restricted ingress/egress, planned VPC-SC perimeter (see Customer's technical roadmap).
- Secret management. Credentials stored in Google Secret Manager; no secrets in source control.
- Logging and monitoring. Cloud Audit Logs; Sentry for application errors (anonymized stack traces).
- SDLC. Code review required for all production changes; vulnerability scanning on dependencies.
- Backups. Daily automated backups; tested restore procedure; 35-day rolling retention.
- Business continuity. Documented incident response and disaster-recovery plan; annual tabletop.
- Vendor risk. Sub-processors are assessed and contractually bound to equivalent protections.
Customer acknowledges that security is a shared responsibility. Customer is responsible for configuring its SSO, provisioning/deprovisioning users, and managing the privilege of its users within the Service.
7. Sub-processors
Customer provides a general authorization for Focus GTS to engage Sub-processors. The current list is maintained at Subprocessor List and is incorporated by reference.
Focus GTS will:
- impose on each Sub-processor data-protection obligations at least as protective as those in this DPA;
- remain liable for Sub-processors' acts and omissions as if they were its own;
- notify Customer at least 30 days before adding or replacing a Sub-processor (by email to the primary account contact and update to the public list);
- on reasonable objection by Customer based on data-protection grounds, work in good faith to address the concern; if unresolved within 30 days, Customer may terminate the affected portion of the Service without penalty.
8. International transfers
To the extent Personal Data originating in the EEA, UK, or Switzerland is transferred to a country not deemed adequate, the parties incorporate by reference the EU Standard Contractual Clauses (Module 2: Controller-to-Processor), with Customer as data exporter and Focus GTS as data importer. Clauses covering docking, governing law (Ireland), and supervisory authority apply as appropriate. For UK transfers, the UK International Data Transfer Addendum to the EU SCCs applies.
9. Data subject requests
If Focus GTS receives a request from a Data Subject relating to Customer's Personal Data, Focus GTS will direct the Data Subject to Customer and will not respond directly except to confirm the request has been received. Focus GTS will provide reasonable assistance (at no additional cost for standard requests) to help Customer respond to Data Subject requests within applicable timelines.
10. Breach notification
Focus GTS will notify Customer without undue delay and in any event within 48 hours of becoming aware of a confirmed Personal Data Breach. Notice will be sent by email to the Customer's designated security contact and will include:
- the nature of the breach, categories and approximate number of Data Subjects and records affected;
- the likely consequences;
- measures taken or proposed to address the breach and mitigate its effects;
- a point of contact for further information.
Focus GTS will cooperate with Customer and provide information reasonably required for Customer to meet its own breach-notification obligations under Applicable Data Protection Law.
11. Audits
Focus GTS makes available to Customer information necessary to demonstrate compliance with this DPA, including, at Customer's request, (a) copies of the most recent third-party audit reports or security questionnaires, and (b) written responses to reasonable security questionnaires.
Customer may conduct, at its own expense and on reasonable prior notice, an audit of Focus GTS's processing activities, not more than once per year (unless legally required more often or following a Breach), under reasonable confidentiality obligations and without unreasonably disrupting the Service.
12. Deletion on termination
On termination or expiry of the Agreement:
- For a period of 30 days, Customer may export Personal Data from the Service.
- After that period, Focus GTS will delete or return all Personal Data in its possession or control, including copies held by Sub-processors, within 60 days, except where retention is required by law (in which case Focus GTS will continue to protect that data in accordance with this DPA).
- Backups containing Personal Data will roll off within the standard 35-day backup retention window, after which they are overwritten.
Focus GTS will provide written confirmation of deletion on request.
13. Liability
The liability of each party under or in connection with this DPA is subject to the limitations and exclusions of liability set out in the Agreement.
14. Order of precedence
If there is a conflict between the Agreement and this DPA, this DPA controls with respect to the processing of Personal Data. If there is a conflict between this DPA and the SCCs, the SCCs control.
Annex A — Processing details
Subject matter. Provision of the Navigator Service (ticketing, expert support, AI-assisted synthesis, knowledge retrieval, referral workflows, time tracking, reporting) to Customer.
Duration. For the term of the Agreement plus the retention periods set forth in the Privacy Policy and Section 12 above.
Nature and purpose of processing. Hosting, storage, retrieval, analysis, embedding generation, LLM synthesis, email notification, error monitoring, and support operations, each solely to deliver the Service to Customer.
Categories of Data Subjects.
- Customer's employees, contractors, and authorized users of the Service.
- Individuals named in ticket content submitted by Customer (for example, a Salesforce user mentioned in a support question).
- Customer's end users whose identifiers appear in Customer-submitted content.
Categories of Personal Data.
- Identity and contact data: name, work email, employer, role, SSO identifier.
- Ticket and conversation content: the full text Customer's users submit and receive.
- Usage data: timestamps, request IDs, IP address at login, user-agent.
- Time-tracking entries.
- Derived embeddings and summaries of the above.
Special categories. Not intentionally processed. Customer must not submit special-category data, PHI, PCI, or government IDs to the Service.
Recipients. Focus GTS personnel under confidentiality; Sub-processors listed in the Subprocessor List.
Retention. As described in the Privacy Policy (Section 5) and Section 12 of this DPA.
Annex B — Standard Contractual Clauses
Where required, the EU Standard Contractual Clauses adopted by the European Commission on 4 June 2021 (Module 2: Controller-to-Processor) are incorporated by reference with:
- Data Exporter: Customer, as identified in the applicable order form.
- Data Importer: Focus Global Talent Solutions, LLC.
- Clause 7 (Docking): applicable.
- Clause 9 (Sub-processors): Option 2 (general written authorization) with 30-day notice period.
- Clause 11 (Redress): independent dispute resolution body is not elected.
- Clause 17 (Governing law): Ireland.
- Clause 18 (Forum): Ireland.
- Annex I.A (Parties): the parties to this DPA.
- Annex I.B (Description of transfer): see Annex A above.
- Annex I.C (Competent supervisory authority): the authority of the Member State in which the data exporter is established.
- Annex II (Technical and organizational measures): Section 6 above.
- Annex III (Sub-processors): the Subprocessor List.
For UK transfers, the UK Addendum issued by the UK Information Commissioner's Office is incorporated by reference; Tables 1–4 are completed by the parties' details above.
Contact
DPA questions and signed-DPA requests:
- Email: privacy@focusgts.com
- Subject: "DPA request — [customer name]"