This Data Processing Addendum ("DPA") applies when a business customer uses a Novix IQ software application and we process personal data on the customer's behalf. It forms part of, and is incorporated by reference into, the Terms of Service and any order form or subscription agreement between the customer and us. It does not apply to advisory services, which are governed by our confidentiality agreement.

1. Parties and Roles

This DPA is between CB Investment Holdings, LLC, operating as Novix IQ ("Processor," "we," "us"), and the business customer that subscribes to the Service ("Customer," "Controller," "you").

For personal data the Customer and its users submit to the Service ("Customer Personal Data"), the Customer is the controller and we are the processor. We process Customer Personal Data only to provide the Service and only on the Customer's documented instructions, which include these Terms, the order form, and the configuration choices the Customer makes in the Service. Where the Customer is itself a processor acting for another controller (for example, an importer handling a third party's trade records), we act as the Customer's sub-processor on the same terms.

2. Scope and Details of Processing

The subject matter, duration, nature, purpose, categories of data, and categories of data subjects are described in Annex 1. We will not sell Customer Personal Data, will not process it for our own independent commercial purposes, and will not use it to train artificial intelligence models for the benefit of other customers.

3. Our Obligations as Processor

We will:

4. Sub-processors

The Customer authorizes us to engage the sub-processors listed in Annex 3 to help deliver the Service. We impose data protection obligations on each sub-processor that are no less protective than those in this DPA, and we remain responsible for their performance. We will give the Customer advance notice of any intended addition or replacement of a sub-processor and a reasonable opportunity to object on legitimate data protection grounds.

5. Data Subject Rights and Cooperation

To the extent permitted by the Service, we will provide the Customer with the tools and reasonable assistance needed to respond to requests from individuals to access, correct, delete, or restrict the processing of their personal data. If we receive such a request directly from an individual relating to Customer Personal Data, we will refer the individual to the Customer.

6. Security Incidents and Breach Notification

We will notify the Customer without undue delay after becoming aware of a confirmed personal data breach affecting Customer Personal Data, and will provide the information reasonably available to help the Customer meet its own notification obligations. We will take reasonable steps to mitigate and remediate the incident.

7. International and Restricted Transfers

The Service is operated from the United States, and Customer Personal Data is processed and stored in the United States. Where the Customer transfers personal data subject to data protection laws that restrict cross-border transfers, the parties will put in place an appropriate transfer mechanism (such as standard contractual clauses) on request.

8. Return and Deletion of Data

On termination or expiration of the subscription, we will, at the Customer's choice, return or delete Customer Personal Data within a reasonable period, except to the extent retention is required by law or by a regulator (for example, mandated retention of customs or security-program records). Our standard backup cycles may retain residual copies for a limited period before they are overwritten in the ordinary course.

9. Audit

On reasonable prior written notice, and no more than once per year unless required by a regulator, we will make available information reasonably necessary to demonstrate compliance with this DPA. Where a more detailed audit is required, the parties will agree in advance on reasonable scope, timing, confidentiality, and cost.

10. Liability and Order of Precedence

Each party's liability under this DPA is subject to the limitations of liability in the Terms of Service. If there is a conflict between this DPA and the Terms of Service on the processing of personal data, this DPA controls.

11. Definitions

"Controller," "processor," "data subject," "personal data," "processing," and "personal data breach" have the meanings given to them under applicable data protection law. "Service" means the Novix IQ application(s) the Customer subscribes to. "Customer Personal Data" means personal data within Customer Data processed by us on the Customer's behalf.

Annex 1 — Details of Processing

Subject matter: Provision of the Novix IQ software application(s) the Customer subscribes to.
Duration: The term of the subscription, plus any limited post-termination return/deletion and backup-cycle period.
Nature and purpose: Hosting, storage, processing, and display of Customer Data to operate the application; account administration, security, support, and (where enabled) artificial intelligence features.
Categories of data subjects: The Customer's authorized users; and, depending on the application and modules enabled, the Customer's visitors, drivers, contractors, employees, and other individuals recorded in the application.
Categories of personal data: Names and contact details; account and role data; and, depending on the application and modules enabled, entry/visitor logs, photographs (including identification and security-seal images), GPS location stamps, customs and trade documentation, and compliance records (for example, C-TPAT and related security-program records).
Special category / sensitive data: The Customer controls what it submits. The Customer should not submit special categories of data beyond what the application is designed to handle.

Annex 2 — Technical and Organizational Measures

We maintain measures appropriate to the risk, including:

  • Encryption: data encrypted in transit (HTTPS/TLS) and at rest through our infrastructure providers.
  • Access control: role-based access within the Service, least-privilege administrative access, and unique authenticated accounts.
  • Tenant isolation: logical separation of each customer's data, enforced at the database and storage layers.
  • Network and application security: reputable hosting with platform-level protections, including web application firewall and DDoS mitigation.
  • Secret management: credentials and keys held in protected secret stores, never in source code.
  • Backups and resilience: regular backups with append-only retention and defined recovery procedures.
  • Monitoring and logging: audit logging of significant events and error monitoring.
  • Personnel: confidentiality obligations and access granted on a need-to-know basis.

Annex 3 — Authorized Sub-processors

We use the following sub-processors to deliver the Service:

Sub-processor | Function | Location
Cloudflare, Inc. | Application hosting, content delivery, security, and file/object storage | United States
Supabase, Inc. | Application database and user authentication | United States
Anthropic, PBC | Artificial intelligence features, where enabled by the Customer | United States
Resend (Plus Five Five, Inc.) | Transactional email delivery | United States
SignWell (Sign LLC) | Electronic signature of documents, where used | United States

We will update this list and provide advance notice of changes as described in Section 4. Some applications may not use every sub-processor; the sub-processors that apply depend on the application and the features the Customer enables.

Contact

CB Investment Holdings, LLC dba Novix IQ
Brownsville, Texas
support@novix-iq.com  ·  cbuentello@cbstrategicadvisors.com
(956) 708-6776

Note: This DPA is a professional template and not legal advice. Identification photos, GPS data, and compliance records carry real exposure and should be reviewed by qualified counsel before any product launch.