← NAARU.AI

NAARU Data Processing Agreement

Effective Date: January 1, 2026 Last Updated: January 1, 2026


This Data Processing Agreement ("DPA") governs NAARU's processing of Personal Data on behalf of Clients in connection with the NAARU platform and services. It is incorporated into and forms part of the Master Services Agreement ("MSA") between NAARU and each Client. In the event of conflict, this DPA controls with respect to privacy, security, and data-processing matters.

Capitalized terms not defined here have the meanings given in the MSA.


1. Definitions

"Personal Data" means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked with a natural person, or otherwise constitutes personal data or personal information under applicable law.

"Processing" means any operation performed on Personal Data, including access, collection, recording, storage, organization, retrieval, use, transmission, disclosure, analysis, deletion, or destruction.

"Security Incident" means a confirmed breach of security leading to unauthorized access to, acquisition of, or disclosure of Client Personal Data in NAARU's possession or control — excluding unsuccessful attempts or events that do not materially compromise the confidentiality, integrity, or availability of Client Personal Data.

"Subprocessor" means a third party engaged by NAARU to process Personal Data on Client's behalf in connection with the Services.


2. Roles

As between the parties, Client acts as the controller (the business or employer that determines the purposes and means of Processing Personal Data), and NAARU acts as the processor (the service provider processing data on Client's behalf and under Client's instruction), to the extent applicable under law.


3. Processing Instructions

NAARU will process Personal Data only:

  • On Client's documented instructions as reflected in the MSA, this DPA, the applicable Order Form(s), the Documentation, and Client's configured use of the Services
  • As reasonably necessary to provide, host, secure, maintain, support, improve, troubleshoot, and operate the Services
  • As required by applicable law (with notice to Client where legally permitted)

4. Categories of Data Processed

The Services may process the following categories of Personal Data on Client's behalf:

  • Video footage, still frames, clips, and related visual recordings from enrolled locations
  • Timestamps, camera identifiers, location identifiers, event markers, metadata, and system logs
  • Authorized User account information, authentication records, usage logs, and support communications
  • Flagged event records and related operational analytics
  • Occupancy, guest-count, staffing-ratio, and similar operational analytics
  • Repeat offender reporting data (where enabled under the applicable Order Form)

Data subjects may include: Client employees and contractors, visitors, customers, vendors and invitees appearing in monitored areas, Authorized Users, and any other individuals whose Personal Data is included in Client Data.


5. Biometrics and Sensitive Data

Unless separately and expressly enabled in a signed written amendment or Order Form:

  • The Services are not intended to process biometric identifiers, biometric information, or audio recordings other than data incidentally captured in Client-provided footage
  • NAARU will not intentionally use facial geometry, facial recognition, facial verification, or similar biometric identification to identify or verify individuals
  • Repeat offender reporting uses non-biometric identifiers (e.g., employee codes, roster-based identifiers, role mappings) only

Re-identification processing is scoped exclusively to flagged operational events as configured by Client. NAARU does not perform general-population tracking, persistent guest profiling, or cross-visit linkage of individuals who are not associated with a flagged event.

If Client requests functionality that may trigger laws specifically applicable to biometric data, audio recording, or other sensitive data categories, the parties will cooperate in good faith to determine whether an additional addendum is required before such functionality is enabled.


6. Client Obligations

Client is solely responsible for:

  • Obtaining and maintaining all rights, permissions, authorizations, lawful bases, notices, and consents necessary to collect, use, disclose, and permit NAARU to process Personal Data in connection with the Services
  • Compliance with all laws applicable to its use of the Services, including privacy, surveillance, workplace monitoring, employment, labor, anti-discrimination, biometrics, wiretapping, and consumer protection laws
  • Posting any required surveillance, monitoring, or privacy notices at monitored locations
  • Obtaining any required employee acknowledgments, disclosures, or consents
  • Responding to data subject, employee, consumer, regulator, or third-party requests (except where NAARU's assistance is expressly required under this DPA)
  • The accuracy of any employee roster, mapping, identifier, or other reference data supplied to NAARU

7. NAARU Obligations

NAARU will:

  • Process Personal Data only as permitted by this DPA, the MSA, and Client's documented instructions
  • Implement and maintain commercially reasonable administrative, technical, and organizational safeguards to protect Personal Data
  • Not sell or share Client Personal Data for cross-context behavioral advertising or other prohibited purposes
  • Not retain, use, or disclose Client Personal Data outside the direct business relationship between the parties, except as permitted by the MSA and this DPA
  • Be permitted to create, use, retain, and disclose Aggregated Data and de-identified data that does not identify Client or any individual

8. Security Incidents

NAARU will notify Client without undue delay after becoming aware of a confirmed Security Incident affecting Client Personal Data. Notice will include, to the extent reasonably available:

  • A general description of the nature of the Security Incident
  • The categories of Client Personal Data reasonably believed to be affected
  • Measures taken or proposed to contain, investigate, and mitigate the incident
  • Contact information for follow-up

Notification of a Security Incident does not constitute an admission of fault or liability.


9. Subprocessors

Client authorizes NAARU to engage subprocessors in connection with the Services. NAARU will impose contractual obligations on subprocessors that are materially protective of Personal Data. Upon written request, NAARU will provide a current list of material subprocessors.

NAARU may update its subprocessors from time to time. If Client reasonably objects to a new subprocessor on legitimate data-protection grounds, the parties will work in good faith to address the objection. If the issue cannot be resolved, Client may terminate the affected Services before the new subprocessor begins processing Client Personal Data.


10. Assistance and Audit Rights

Taking into account the nature of the processing and information available to NAARU, NAARU will provide reasonable assistance to Client with:

  • Data subject, employee, or consumer requests relating to Personal Data processed by NAARU on Client's behalf
  • Regulatory inquiries or investigations relating to such processing
  • Client's legally required response activities following a Security Incident

NAARU may charge reasonable fees for assistance that is excessive, repetitive, or outside standard platform functionality. Any onsite audit is permitted only if required by applicable law, a regulator, or a confirmed Security Incident, and only on reasonable advance notice, during business hours, under appropriate confidentiality restrictions, and in a manner that does not disrupt NAARU's operations or compromise the security of other customers.


11. Data Retention and Deletion

Unless otherwise specified in the applicable Order Form or written configuration:

Data TypeDefault Retention
Raw video footageUp to 1 month
Flagged event recordsUp to 12 months
Region activity recordingsUp to 12 months
Occupancy / staffing analyticsAs specified in Order Form; indefinitely in aggregate/de-identified form
Repeat offender reporting (non-biometric)Up to 12 months, or as configured and approved in writing
Aggregated / de-identified dataIndefinitely

Upon expiration or termination of the applicable Services, NAARU will delete or render inaccessible Client Personal Data within a commercially reasonable period, except where retention is required by applicable law, reasonably necessary for backups, logging, dispute resolution, or enforcement of legal rights, or permitted with respect to Aggregated Data or de-identified data.

If Client requests in writing before termination, NAARU will provide a reasonable opportunity for Client to retrieve Client Data using standard export functionality. Upon Client's written request, NAARU will provide written confirmation of deletion of time-limited Client Personal Data after deletion is completed.


12. U.S. Service Provider / Contractor Terms

To the extent applicable under U.S. privacy law:

  • NAARU receives Personal Data from Client for the limited and specified purposes described in the MSA, this DPA, applicable Order Forms, and Client's configured use of the Services
  • NAARU will not retain, use, or disclose Personal Data outside the direct business relationship between the parties except as permitted by the MSA, this DPA, or applicable law
  • NAARU will not sell or share Personal Data
  • NAARU will notify Client if it determines it can no longer meet its obligations under this section

13. Liability and Governing Terms

Liability arising out of or relating to this DPA is subject to the exclusions and limitations of liability set forth in the MSA. This DPA is governed by, and incorporated into, the MSA. Nothing in this DPA expands NAARU's warranties, indemnities, or liabilities beyond those stated in the MSA.


14. Contact / Data Protection Inquiries

For questions about this DPA or NAARU's data processing practices:

NAARU 2332 N Brandon Cir, Wichita, KS 67226 Email: [email protected] Website: naaru.app


This DPA is effective as of the date of the Master Services Agreement to which it is incorporated.