Back to Recon

Data Processing Agreement

Last updated: April 18, 2026

This Data Processing Agreement forms part of the agreement between HH Metta Sdn Bhd and the customer using Naamy Recon.

For customer personal data processed through Recon, the customer is the controller and Naamy acts as processor, except where Naamy processes data for its own account administration, billing, security, or legal obligations.

Processing Scope

We process personal data to authenticate users, store nominated brands and competitors, generate reports, deliver email digests, process payments, prevent abuse, and maintain the service.

  • Categories of data subjects: authorised customer users and individuals incidentally appearing in public business content.
  • Categories of data: names, work emails, company details, authentication identifiers, billing identifiers, usage logs, and incidental public business information.
  • Duration: the term of the customer relationship plus the retention periods described in the Privacy Policy.

Processor Obligations

Naamy processes customer personal data only on documented instructions, keeps personnel bound by confidentiality, and applies technical and organisational safeguards appropriate to the risk.

We will assist customers with data subject requests, breach notifications, and deletion or export requests where required by applicable law and technically feasible.

Security Measures

Current safeguards include TLS in transit, managed database encryption at rest, row-level security, role-separated service access, webhook signature verification, rate limiting, and least-privilege operational access.

Subprocessors

Recon uses trusted subprocessors to operate the service. Current providers include Supabase, Vercel, Stripe, Resend, Anthropic, Apify, Google, Meta, Upstash, and Cloudflare Turnstile.

Subprocessors may process data outside Malaysia. Where required, we rely on contractual safeguards and applicable transfer mechanisms.

Breach Notification

If we become aware of a personal data breach affecting customer personal data, we will notify the affected customer without undue delay and provide available information about impact and remediation.

Return Or Deletion

At the end of the service relationship, customer personal data will be deleted or returned according to the Privacy Policy, unless retention is required by law or legitimate security needs.

Audits

On reasonable written notice, and no more than once per year unless required by law or a material incident, customers may request information necessary to verify compliance with this DPA.

Questions? Email hello@naamy.co.