Data Processing Addendum
Last Updated: June 2, 2026
This Data Processing Addendum (“DPA”) is incorporated into and forms part of the agreement, order form, statement of work, online terms, or other written or electronic agreement that references this DPA and governs Customer’s access to and use of Swift’s precise positioning products, correction services, cloud services, software, APIs, support, and related services (collectively, the “Agreement”). This DPA applies to Swift’s Processing of Customer Personal Data in connection with the Services.
If there is a conflict between this DPA and the Agreement, this DPA controls with respect to the Processing of Customer Personal Data. If there is a conflict between this DPA and the EU SCCs, UK Addendum, or Swiss transfer terms, the applicable transfer terms control to the extent of the conflict.
1. Definitions
“Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with a Party.
“Agreement” means the agreement, order form, statement of work, online terms, or other written or electronic agreement that references this DPA and governs Customer’s access to and use of the Services.
“Applicable Data Protection Laws” means all privacy, data protection, and data security laws and regulations applicable to the Processing of Customer Personal Data under the Agreement, including, as applicable, the GDPR, UK GDPR, Swiss FADP, U.S. State Privacy Laws, and implementing regulations.
“CCPA/CPRA” means the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020, and its implementing regulations.
“Controller” means the entity that determines the purposes and means of Processing Personal Data, and includes equivalent terms under Applicable Data Protection Laws, including a “Business” under the CCPA/CPRA.
“Customer” means the entity that has entered into the Agreement with Swift.
“Customer Personal Data” means Personal Data that Customer submits to the Services or otherwise makes available to Swift for Processing on Customer’s behalf under the Agreement.
“Data Subject” means an identified or identifiable natural person to whom Personal Data relates and includes equivalent terms such as “consumer” under U.S. State Privacy Laws.
“Deidentified Data” means data that cannot reasonably be used to infer information about, or otherwise be linked to, an identified or identifiable natural person, household, or device, subject to safeguards required by Applicable Data Protection Laws.
“EU SCCs” means the standard contractual clauses for international transfers adopted by the European Commission in Implementing Decision (EU) 2021/914, as amended or replaced.
“GDPR” means Regulation (EU) 2016/679.
“Personal Data” means any information relating to an identified or identifiable natural person, and includes “personal information,” “personal data,” and equivalent terms under Applicable Data Protection Laws.
“Processing” means any operation or set of operations performed on Personal Data, including collection, recording, organization, storage, use, disclosure, transmission, restriction, deletion, or destruction. “Process” and “Processed” have corresponding meanings.
“Processor” means an entity that Processes Personal Data on behalf of a Controller, and includes equivalent processor, service provider, contractor, or similar roles under Applicable Data Protection Laws, including the CCPA/CPRA.
“Security Incident” means a breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data Processed by Swift or its Subprocessors. Security Incident does not include unsuccessful attempts or activities that do not compromise Customer Personal Data, including unsuccessful log-in attempts, pings, port scans, denial-of-service attacks, or other network attacks on firewalls or networked systems.
“Sensitive Data” means special categories of Personal Data under the GDPR, sensitive personal information under the CCPA/CPRA, precise geolocation data where regulated as sensitive data, children’s data, protected health information, payment card data, government identification numbers, biometric data, and other data subject to heightened legal protection. For clarity, precise positioning, localization, geolocation, trajectory, telemetry, device, vehicle, diagnostic, usage, and log data processed in connection with the Services are not prohibited solely because they include location-related or operational data, but remain Customer Personal Data to the extent they identify or relate to an identifiable individual.
“Service Operations Data” means telemetry, diagnostic, usage, performance, security, log, and operational data generated by or relating to the Services that Swift uses to provide, secure, support, monitor, troubleshoot, analyze, or improve the Services.
“Services” means Swift’s precise positioning products, correction services, cloud services, software, APIs, support, and related services provided under the Agreement.
“Subprocessor” means any third party engaged by Swift or its Affiliates to Process Customer Personal Data on Customer’s behalf in connection with the Services.
“Swift” means Swift Navigation, Inc. and, where applicable, its Affiliates that Process Customer Personal Data.
“Swiss FADP” means the Swiss Federal Act on Data Protection, as amended or replaced.
“Transfer Risk Assessment” means an assessment of whether Customer Personal Data transferred internationally receives protection required by Applicable Data Protection Laws.
“UK Addendum” means the International Data Transfer Addendum to the EU SCCs issued by the UK Information Commissioner’s Office under section 119A of the UK Data Protection Act 2018, as amended or replaced.
“UK GDPR” means the GDPR as incorporated into UK law under the UK Data Protection Act 2018.
“U.S. State Privacy Laws” means U.S. state privacy laws applicable to the Processing of Customer Personal Data, including the CCPA/CPRA and similar state consumer privacy laws.
2. Roles and Scope
The Parties acknowledge that Customer is the Controller of Customer Personal Data and Swift is the Processor of Customer Personal Data, except where Applicable Data Protection Laws require a different characterization for a particular Processing activity. Customer is responsible for determining whether the Services are appropriate for Customer’s intended Processing and for providing all notices and obtaining all rights, permissions, consents, and lawful bases required for Customer to use the Services and provide Customer Personal Data to Swift.
Swift may Process Customer Personal Data only for the purposes permitted by this DPA and Applicable Data Protection Laws. These purposes include (a) providing, securing, supporting, maintaining, monitoring, troubleshooting, improving, and documenting the Services, (b) complying with the Agreement, applicable orders, Customer’s configuration and use of the Services, and other written instructions mutually agreed by the Parties, and (c) complying with applicable law. Swift will promptly notify Customer if, in Swift’s opinion, an instruction infringes Applicable Data Protection Laws, unless prohibited from doing so by law.
3. Processing Details
The subject matter, duration, nature, purpose, categories of Personal Data, and categories of Data Subjects are described in Annex A. Customer acknowledges that precise positioning services may involve location, device, telemetry, diagnostic, and network data depending on Customer’s configuration and use of the Services.
4. Customer Obligations
- Customer will use the Services in compliance with Applicable Data Protection Laws and the Agreement.
- Customer will not submit Sensitive Data to the Services unless the Agreement expressly permits such data and the Parties have agreed on any required additional safeguards; provided that the Services may process precise positioning, localization, geolocation, trajectory, telemetry, device, vehicle, diagnostic, usage, and log data as described in Annex A when Customer configures or uses the Services for those purposes. Customer is responsible for ensuring that its configuration and use of the Services comply with Applicable Data Protection Laws for any Sensitive Data it submits or generates through the Services.
- Customer is responsible for the accuracy, quality, and legality of Customer Personal Data and the means by which Customer acquired Customer Personal Data.
5. Swift Obligations
- Swift will keep Customer Personal Data confidential and require personnel authorized to Process Customer Personal Data to be subject to confidentiality obligations.
- Swift will limit access to Customer Personal Data to personnel and Subprocessors with a business need to know for purposes permitted under this DPA.
- Swift will implement and maintain appropriate technical and organizational measures designed to protect Customer Personal Data as described in Annex B.
- Swift will not sell Customer Personal Data or share Customer Personal Data for cross-context behavioral advertising.
- Swift will not retain, use, or disclose Customer Personal Data except for the business purposes described in this DPA and the Agreement, as reasonably necessary to perform the Services, or as otherwise permitted by Applicable Data Protection Laws.
- Swift will not combine Customer Personal Data with Personal Data received from another source except as permitted for a Processor under Applicable Data Protection Laws, including for security, fraud prevention, debugging, internal service operations, or other permitted business purposes.
6. Assistance
Taking into account the nature of the Processing and information available to Swift, Swift will provide commercially reasonable assistance to Customer for Customer’s compliance with obligations under Applicable Data Protection Laws, including obligations relating to Data Subject requests, security, breach notification, data protection impact assessments, Transfer Risk Assessments, and consultations with supervisory authorities. To the extent legally permitted, Customer will be responsible for Swift’s reasonable costs for assistance that is not required due to Swift’s breach of this DPA.
If Swift receives a request from a Data Subject relating to Customer Personal Data, Swift will not respond to the request except to redirect the Data Subject to Customer, to confirm that the request relates to Customer, or as legally required. Swift will notify Customer of the request where legally permitted and will provide commercially reasonable assistance if Customer cannot fulfill the request through the Services or its own systems.
7. Security Incidents
Swift will notify Customer without undue delay after becoming aware of a Security Incident and within any timeframe required by Applicable Data Protection Laws, unless prohibited by law. Swift’s notification will include information reasonably available to Swift that Customer reasonably requires to meet its legal obligations, such as the nature of the Security Incident, affected data categories, likely consequences, and measures taken or proposed to address the Security Incident. Swift will provide additional relevant information as it becomes reasonably available and will take reasonable steps to investigate, contain, and remediate the Security Incident. Swift’s notification of or response to a Security Incident is not an acknowledgement of fault or liability.
8. Subprocessors
Customer grants Swift a general authorization to engage Subprocessors to provide, secure, support, maintain, or improve the Services. Swift will make its current Subprocessor list available to Customer through a maintained webpage, customer portal, upon request, or another commercially reasonable mechanism. The list will identify, where feasible, each Subprocessor or category of Subprocessor, the relevant processing purpose, and the country or region from which processing is expected to occur. Swift will provide notice of material changes through a commercially reasonable mechanism.
Swift will impose written obligations on each Subprocessor that are no less protective of Customer Personal Data than the obligations imposed on Swift under this DPA, to the extent applicable to the services provided by the Subprocessor. Swift remains responsible for each Subprocessor’s performance of its data protection obligations as set forth in the Agreement.
Customer may object to Swift’s appointment of a new Subprocessor on reasonable data protection grounds by providing written notice within ten (10) business days after Swift’s notice. The Parties will work in good faith to address the objection. If Swift cannot reasonably address the objection, Customer may terminate only the affected Services that cannot be provided without use of the objected-to Subprocessor, and Swift will refund any prepaid unused fees for the terminated Services, unless the Agreement provides otherwise.
9. Audits and Information
Upon Customer’s reasonable written request and subject to confidentiality obligations, Swift may satisfy Customer audit or information requests by making available information reasonably necessary to demonstrate Swift’s compliance with this DPA, such as applicable third-party audit reports, certifications, security summaries, policies, questionnaire responses, or other information reasonably demonstrating compliance. If the information provided is insufficient to demonstrate compliance, Customer may request an audit no more than once annually, unless required by a supervisory authority or following a confirmed Security Incident affecting Customer Personal Data.
Any audit will be conducted during normal business hours, on reasonable prior notice, by Customer or an independent auditor that is not a competitor of Swift, under a mutually agreed scope and confidentiality terms, and in a manner that does not unreasonably interfere with Swift’s operations or compromise the security, confidentiality, or availability of Swift systems or other customers’ data. Swift may restrict access to systems, facilities, personnel, and information to the extent reasonably necessary to protect security, confidentiality, availability, legal privilege, or other customers’ data. Customer will bear its audit costs and reimburse Swift for reasonable costs incurred in supporting an audit, unless the audit identifies a material breach of this DPA by Swift.
10. Return and Deletion
Upon expiration or termination of the Agreement, Swift will, at Customer’s written request and taking into account the functionality of the Services, return or delete Customer Personal Data in Swift’s possession or control, unless retention is required or permitted by law. Swift may retain Customer Personal Data in backups, logs, archival copies, or records maintained for legal, security, compliance, or business continuity purposes, provided such retained data remains protected under this DPA and is deleted in accordance with Swift’s ordinary-course retention practices. Upon request, Swift will certify deletion after completion of the deletion process.
11. Deidentified, Aggregated, and Service Operations Data
Swift may Process Service Operations Data to provide, secure, support, maintain, monitor, troubleshoot, analyze, develop, and improve the Services. To the extent Service Operations Data includes Customer Personal Data, Swift will Process that Customer Personal Data only as permitted by this DPA, the Agreement, and Applicable Data Protection Laws, including in its role as a Processor. Swift will not use Service Operations Data to identify an individual except as permitted under the Agreement, this DPA, or Applicable Data Protection Laws. Swift may use Deidentified Data or aggregated data for lawful business purposes if Swift has implemented reasonable measures to prevent reidentification and does not attempt to reidentify the data except as permitted by law.
12. International Transfers
If Customer Personal Data subject to the GDPR is transferred to Swift in a country that is not recognized as providing an adequate level of protection, the Parties incorporate by reference the EU SCCs, Module Two (Controller to Processor). The Parties are deemed to have completed the EU SCCs as follows: Clause 7 optional docking clause applies; Clause 9 Option 2 general written authorization applies with the notice and objection period in Section 8; Clause 11 optional redress language is not selected; Clause 17 governing law is the law of Ireland unless the Agreement specifies another EU Member State law; Clause 18 forum is the courts of Ireland unless the Agreement specifies another EU Member State forum; Annex I.A is completed by the party and contact information in the Agreement and Annex A of this DPA; Annex I.B is completed by the processing details in Annex A; Annex II is completed by Annex B; and Annex III is completed by Annex C together with Swift’s then-current Subprocessor list.
For transfers subject to the UK GDPR, the Parties incorporate the UK Addendum. The tables in the UK Addendum are deemed complete based on the information in the Agreement, Annex A, Annex B, Annex C, and Swift’s then-current Subprocessor list. For transfers subject to the Swiss FADP, the EU SCCs apply with Swiss-specific adaptations required by Swiss law, including references to the competent Swiss authority where applicable.
If the EU SCCs, UK Addendum, Swiss adaptations, or another lawful transfer mechanism are amended, replaced, or invalidated, the Parties will cooperate in good faith to implement a valid transfer mechanism that preserves the intent of this DPA.
13. U.S. State Privacy Laws
For Customer Personal Data subject to U.S. State Privacy Laws, Swift acts as a Processor. Customer discloses Customer Personal Data to Swift only for the limited and specified business purposes described in the Agreement, this DPA, and Annex A. Swift will provide the same level of privacy protection required of a Processor under applicable U.S. State Privacy Laws. Swift will not sell or share Customer Personal Data, retain, use, or disclose Customer Personal Data outside the direct business relationship between the Parties, or combine Customer Personal Data with personal data from other sources, except as permitted by Applicable Data Protection Laws. Swift certifies that it understands and will comply with the restrictions and obligations applicable to a Processor under applicable U.S. State Privacy Laws. Swift will notify Customer if Swift determines it can no longer meet its obligations under such laws. Customer may take reasonable and appropriate steps, subject to the audit and information provisions of this DPA, to help ensure Swift uses Customer Personal Data in a manner consistent with Customer’s obligations, and to stop and remediate unauthorized use of Customer Personal Data.
14. Government and Legal Requests
If Swift receives a legally binding request from a governmental or regulatory authority for Customer Personal Data, Swift will, where legally permitted, promptly notify Customer and provide reasonable cooperation so Customer may seek protective treatment or challenge the request. Swift will disclose only the Customer Personal Data it reasonably believes is legally required.
15. Order of Precedence
If there is a conflict between this DPA and the Agreement, this DPA controls with respect to Customer Personal Data. If there is a conflict between this DPA and the EU SCCs, UK Addendum, or Swiss transfer terms, the applicable transfer terms control to the extent of the conflict. The liability limitations and exclusions in the Agreement apply to this DPA except to the extent prohibited by the EU SCCs or Applicable Data Protection Laws.
ANNEX A: DETAILS OF PROCESSING
- Subject matter: Swift’s Processing of Customer Personal Data in connection with Customer’s access to and use of the Services.
- Duration: The term of the Agreement and any post-termination period during which Swift Processes Customer Personal Data for return, deletion, backup, legal, security, or compliance purposes.
- Nature and purpose: Providing, configuring, authenticating, securing, supporting, maintaining, monitoring, troubleshooting, improving, and documenting precise positioning products and services, including correction services, cloud services, software, APIs, account administration, support, diagnostics, billing, and service communications.
- Data subjects: Customer personnel and authorized users; Customer’s contractors, agents, and representatives; end users or operators of Customer applications, devices, vehicles, equipment, or systems that interact with the Services; individuals whose Personal Data Customer submits to or generates through the Services.
- Categories of Personal Data: Business contact information; account credentials and identifiers; user and organization identifiers; IP addresses and network metadata; device, receiver, vehicle, equipment, application, and API identifiers; precise positioning, localization, geolocation, trajectory, telemetry, correction, diagnostic, event, usage, and log data; support ticket content; billing and order administration data; other Personal Data submitted by Customer to the Services.
- Sensitive Data: Precise positioning, localization, geolocation, trajectory, telemetry, device, vehicle, diagnostic, usage, and log data may be processed through the Services and may constitute Sensitive Data under certain Applicable Data Protection Laws when linked or linkable to an identifiable individual. No other Sensitive Data is intended. Customer must not submit other Sensitive Data unless expressly authorized in the Agreement and subject to any required additional safeguards.
- Frequency of transfer: Continuous or as initiated by Customer, its users, devices, applications, or systems through the Services.
- Retention: For the duration necessary to provide the Services and as otherwise described in the Agreement, Swift documentation, or applicable order, subject to Section 10 of this DPA.
- Competent supervisory authority: For EU SCC purposes, the Irish Data Protection Commission unless the Agreement or applicable law identifies another competent supervisory authority.
- SCC parties and contacts: For EU SCC Annex I.A, Customer is the data exporter and Swift Navigation, Inc. is the data importer unless the Agreement states otherwise. Each Party’s address, contact details, and authorized contact person are as set forth in the Agreement, applicable order form, or other notice/contact information exchanged between the Parties. If Customer uses a Swift online ordering or website flow, Customer’s contact is the account, billing, privacy, or legal contact provided by Customer, and Swift’s contact is the notice, privacy, or legal contact identified by Swift for the Services or in the Agreement.
ANNEX B: TECHNICAL AND ORGANIZATIONAL MEASURES
- Security governance: Swift maintains written information security policies, assigns security responsibilities, and periodically reviews security controls appropriate to the nature of the Services.
- Access controls: Swift uses role-based access controls, least-privilege principles, authentication controls, and access review processes designed to limit access to Customer Personal Data.
- Encryption: Swift uses encryption or comparable protective measures for Customer Personal Data in transit over public networks and at rest where appropriate to the Services and risk.
- Network and system security: Swift maintains controls designed to protect systems against unauthorized access, including network segmentation, vulnerability management, patching, endpoint protections, and secure configuration practices.
- Logging and monitoring: Swift maintains logging, monitoring, and alerting designed to detect, investigate, and respond to security events affecting the Services.
- Data segregation: Swift implements logical segregation controls designed to prevent unauthorized access to Customer Personal Data of other customers.
- Secure development: Swift maintains secure development practices appropriate to the Services, including code review, change management, vulnerability remediation, and testing practices.
- Personnel security: Swift requires confidentiality commitments and provides privacy and security awareness or role-based training for personnel with access to Customer Personal Data.
- Incident response: Swift maintains incident response procedures for identifying, investigating, escalating, mitigating, and notifying affected customers of Security Incidents.
- Business continuity: Swift maintains backup, disaster recovery, and business continuity practices designed to support the availability and resilience of the Services.
- Subprocessor management: Swift assesses and contracts with Subprocessors using data protection and security obligations appropriate to the nature of the Processing.
- Deletion and disposal: Swift maintains procedures for deletion, retention, and disposal of Customer Personal Data in accordance with the Agreement and Swift retention practices.
ANNEX C: SUBPROCESSORS
Swift’s Subprocessors may include cloud infrastructure providers, hosting providers, content delivery and network security providers, monitoring and logging providers, customer support tools, identity/authentication providers, professional services providers, and other vendors used to provide, secure, support, maintain, or improve the Services. Swift’s then-current Subprocessor list, made available under Section 8, supplements this Annex C and will identify, where feasible, the relevant Subprocessor name or category, processing purpose, and processing location or region.









