ANNEX C – DATA PROCESSING AGREEMENT
Between
Customer, as defined in the Commercial Agreement (hereinafter “Controller”)
And
Compri, as defined in the Commercial Agreement (hereinafter “Processor”)
(The Controller and the Processor are hereinafter also referred to individually as the “Party” and jointly as the “Parties”).
Whereas
A Commercial Agreement (hereinafter “Agreement”) has been stipulated between the Controller and the Processor to which this Data Processing Agreement (hereinafter “DPA”) is attached and of which it forms an integral and substantial part.
The object of the Agreement is the provision, in accordance with the methods and terms defined therein, of the SaaS Compri (hereinafter “SaaS”), aimed at managing and streamlining the Customer's supply chain.
The use of the SaaS involves the processing of personal data, as defined pursuant to art. 4(1)(1) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter “GDPR”).
With respect to such processing, the Customer acts as Controller, as defined pursuant to Article 4(1)(7) of the GDPR and Compri acts as Processor, pursuant to Article 28 of the GDPR.
The Processor certifies and guarantees that it possesses the experience, ability, and reliability necessary to adopt appropriate technical and organizational security measures to ensure a level of security appropriate to the risk, so that the processing carried out in performance of the task referred to in the Agreement meets the requirements of the GDPR and, in general, of the legislation on personal data protection and guarantees the protection of the rights of data subjects.
The Parties, pursuant to and for the purposes of Article 28(2) of the GDPR, intend to agree on the nature, purpose, duration and type of personal data, the categories of data subjects, as well as their rights and obligations arising from the processing of personal data carried out through the SaaS.
In light of the above, the Parties agree as follows:
Definitions
In this DPA, the terms indicated below have the meanings attributed to them below. Terms not expressly defined herein shall have the meanings assigned to them in Article 4 of the GDPR.
The term “Applicable Law” means the GDPR, Legislative Decree n. 196/2003 and any other data protection law applicable from time to time to the processing of personal data.
The term “Persons in charge of processing” means employees, agents, or any other natural persons authorized by the Parties to carry out personal data processing operations pursuant to Article 29 of the GDPR and Article 2-quaterdecies of Legislative Decree 196/2003.
The term “Sub-Processor” means any further processor to whom the Processor entrusts data processing activities arising from the data processing activities described and regulated under this DPA.
The term “EEA” means the European Economic Area.
Purpose and scope
The purpose of this DPA is to ensure compliance with Article 28, paragraphs 3 and 4 of the GDPR.
This DPA applies to the processing operations listed and described in the Annex “Description of processing and instructions” (Annex C-bis). The Parties acknowledge that the SaaS is provided by means of separate and independent modules and that, therefore, the processing of personal data carried out by the Processor is as indicated:
in Part 1 of the Annex “Description of processing and instructions”, which applies regardless of the module purchased;
in Part 2 of the Annex “Description of processing and instructions”, relating to the specific modules covered by the Agreement.
Obligations of the Controller
The Controller undertakes to comply with Applicable Law, as well as to process the data in accordance with any other applicable legal provision that has or may have binding effects on the methods and guarantees to be applied to the processing of personal data.
The Controller provides the Processor with instructions regarding the processing of personal data (the “Instructions”), entered into the SaaS, verifying that these Instructions comply with Applicable Law. The Controller's Instructions as of the date of signing this DPA are described in Annex C-bis.
The Controller may issue new instructions for the entire duration of the processing, notifying the Processor in writing at least 15 days before the effective date of the new instructions. Such new instructions must be documented in writing. The Processor has the right to terminate the Agreement pursuant to Article 1456 of the Italian Civil Code if such new Instructions impose an excessive burden or are deemed by the Processor to be in conflict with Applicable Law.
The Processor may, with regard to the characteristics of the processing of personal data intrinsically linked to the functioning of the SaaS, make changes to Annex C-bis, giving notice of this to the Controller with at least 5 days' notice.
Under no circumstances shall the Processor be held liable for any violation of the Applicable Law resulting from the Controller's conduct or from the application of the Instructions given by the Controller.
The Controller undertakes to verify and demonstrate that the data entered into the SaaS is collected and processed on an appropriate legal basis, as well as in compliance with any other transparency obligations imposed by Applicable Law.
The Controller undertakes to identify, for each category of personal data processed within the SaaS, the relevant retention periods and to remove the information from the SaaS after this period has elapsed.
In any case, the Processor's obligations do not include determining the lawfulness of the data processing activities carried out on behalf of the Controller, nor any verification of the compliance of the processing carried out via the SaaS with the applicable legislation.
Obligations of the Processor
The Processor processes personal data in accordance with the Controller's Instructions, unless required by Union or national law to which the Processor is subject. The Processor processes personal data solely for the specific purposes set out in Annex C-bis and for the period of time indicated therein.
Without prejudice to the provisions of Article 3.7 of this DPA, the Processor shall immediately inform the Controller if, in its opinion, the Instructions violate Applicable Law.
The Processor maintains and updates the Register of Processing Activities pursuant to Art. 30(2) GDPR, with specific reference to the activities performed on behalf of the Controller. The Processor, upon request of the Controller, provides a copy of the sections of the aforementioned register relating to the processing performed on behalf of the Controller.
The Processor shall inform the Controller without undue delay of any request or obligation imposed by a public authority to access or obtain the Controller's personal data, unless the aforementioned authority imposes different obligations due to investigative secrecy.
Controller Assistance
The Processor responds promptly and appropriately to requests for information from the Controller regarding the processing of data subject to this DPA and provides the Controller with appropriate documentation to demonstrate compliance with this DPA and the applicable legislation.
The Processor may fulfill the obligation set forth in the previous Article 5.1 by making available informational materials and useful documentation on dedicated web pages and/or in the personal area available in the SaaS interface.
The Processor provides reasonable assistance to the Controller in carrying out data protection impact assessments and in prior consultations with the Supervisory Authorities or other competent data protection authorities, as necessary for the Controller to comply with Articles 35 and 36 of the GDPR.
The Processor consents to the Controller, or an auditor appointed by the Controller, conducting audits, including inspections, in relation to the processing of personal data carried out by the Processor, provided that the Processor is given reasonable notice of at least 2 months.
The audit request must contain an indication of the processing activities and obligations being verified, as well as indicate the reasons why the verification cannot be performed based on documentation.
Requests from Data subjects
In the event that the Processor receives requests regarding the rights of data subjects, it is obliged to communicate such requests to the Controller, attaching a copy to the communication.
The Processor undertakes to assist the Controller by implementing appropriate technical and organizational measures to respond to requests from data subjects.
The Processor shall process requests to exercise rights in accordance with the instructions specifically provided by the Controller in writing.
Data security
The Processor implements at least the technical and organizational measures specified in the Annex “List of Security Measures” (“Annex C-ter”) to ensure the security of personal data. This includes protection against any security breach leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, data, which may constitute a personal data breach pursuant to Article 33 of the GDPR.
The Processor may make changes to Annex C-ter, providing the Controller with at least five days' notice. The Controller remains obligated to maintain an adequate level of security and protection of personal data.
When assessing the appropriate level of security, the Parties shall take due account of the state of the art, the costs of implementation, as well as the nature, scope, context and purposes of the processing, as well as the risks to the data subjects.
Persons in charge of processing
The Controller grants access to the personal data undergoing processing to members of its staff only to the extent strictly necessary for the implementation, management and supervision of the processing operations covered by this DPA.
The Controller guarantees that the Persons in charge of processing the personal data:
have undertaken to maintain confidentiality or are under an appropriate legal obligation of confidentiality
have received appropriate authorization to process personal data.
Sub-Processors
The Processor has the general authorization of the Controller to use the Sub-processors listed in the Annex “List of Sub-processors” (“Annex C-quater”).
The Processor has the right to unilaterally amend Annex C-quater. In this case, the Processor shall inform the Controller of the amendments at least 5 days in advance, thus giving the Controller sufficient time to object to such amendments before the Sub-Processor(s) concerned are engaged for the processing in question.
In any case, the Processor undertakes to engage Sub-Processors who present sufficient guarantees to ensure an adequate level of protection of personal data, and to sign a written agreement with each Sub-Processor which imposes on the Sub-Processor, in substance, the same obligations to which the Processor is subject towards the Controller.
Personal data breach
In the event of a personal data breach that may impact personal data processed by the Processor on behalf of the Controller, the Processor undertakes to notify the incident within 48 hours of its discovery.
The notification contains summary information useful for the Controller to fulfill the obligations set forth in Articles 33 and 34 of the GDPR, including at least a description of the breach, including the nature and extent of the data breached.
Pending the technical investigations necessary to determine the characteristics and extent of the violation, the Processor has the right to provide a partial notification of the incident. Upon completion of these technical investigations, the Processor must provide the Controller with a supplementary notification.
The Controller shall notify the Processor of any security breaches, including those not involving personal data, that may compromise the security of the SaaS infrastructure, such as, but not limited to, the loss of control over the credentials assigned to users.
Transfer of data outside the European Economic Area
Any transfer of data to a third country or an international organization by the Controller is carried out in compliance with Chapter V of the GDPR.
Duration and termination
The DPA term is effective from the date of signing the Agreement and applies for as long as personal data is being processed by the Processor on behalf of the Controller.
Upon termination, for any reason, of this DPA, the Processor shall be required, unless otherwise instructed in writing by the Controller, to either:
cease all processing activities involving personal data
anonymize the personal data in its possession through the non-reversible deletion of the database rows associated with the Data Subjects.
The Parties acknowledge and accept that beyond the termination date of the Agreement, personal data processing will still take place for strictly technical purposes such as, by way of example, the completion of personal data deletion operations, the management of backup copies, or the fulfillment of legal or regulatory obligations.
Final Provisions
The execution of the activities referred to in this DPA does not give rise to any right on the part of the Processor, or any Sub-Processor, to receive compensation other than that contractually agreed between the Parties in the Agreement.
In the event of any conflict between this DPA and the Agreement, the DPA shall prevail with respect to matters relating to the processing of personal data.
For anything not expressly provided for in this DPA, Applicable Law shall apply.
If any provision of this DPA is held to be invalid or unenforceable, the remaining provisions will remain in full force and effect. The invalid or unenforceable provision will be (i) modified to the extent necessary to ensure its validity and enforceability, preserving to the greatest extent possible the original intentions of the Parties, or, if this is not possible, (ii) interpreted as if it had never been included in the body of the Agreement.
The Processor has the right to remove, from the documentation and information provided following requests made by the Controller pursuant to Articles 5, 6, 7, 8, 9, and 10 of this DPA, any information whose disclosure could lead, even theoretically, to a violation of the personal data protection obligations to which the Controller is subject, or to the disclosure of information subject to industrial secrecy or otherwise likely to harm the Controller's corporate know-how.
Governing Law and Competent Court
The Parties submit this DPA to the law and jurisdiction chosen in the Agreement. Therefore, any disputes or claims that may arise under the terms of this DPA, including disputes relating to its existence, validity or termination or the consequences of its invalidity, are subject to the forum chosen in the Agreement.
Annex C-bis – Description of processing and instructions
Part 1 - General characteristics of the processing of personal data
The following information refers to all data processing carried out via the SaaS, regardless of the module purchased.
Nature of the processing
SaaS Provisioning Compri
Purpose of the processing
Provision of functions associated with the modules purchased by the Controller
User account management
Security Management
Duration of processing
For as long as the Controller subscribes to the SaaS, in addition to any processing necessary for technical purposes
Categories of data subjects
Employees of the Controller
Categories of personal data
Identification data (name, surname, job title)
Contact details (email addresses)
Sensitive data
n/a
Part 2 - Specific processing characteristics for individual SaaS modules
The following information refers to data processing carried out through specific SaaS modules, to be verified based on those actually purchased by the Data Controller.
Order Management & Visibility
Nature of the processing
Analysis of orders and activities related to individual suppliers, through access to the ERP and the email inbox of the employee linked to the Compri account
Categories of data subjects
Employees of the Controller
Employees of the Controller's suppliers
Freelance suppliers or individual companies
Categories of personal data
Identification data (name, surname, job title, classification, and company department)
Contact details (email addresses, company mobile number)
Bank and tax details (VAT number, IBAN)
Content of email communications
Sensitive data
n/a
Request for X
Nature of the processing
Sending requests for quotations to multiple suppliers
Categories of data subjects
Employees of the Controller's suppliers
Freelance suppliers or individual companies
Categories of personal data
Identification data (name, surname)
Contact details (email addresses)
Sensitive data
n/a
Onboarding
Nature of the processing
Centralized management of the supplier onboarding and accreditation process
Categories of data subjects
Employees of the Controller's suppliers
Freelance suppliers or individual companies
Directors and auditors of supplier companies
Family members of directors and auditors of supplier companies
Categories of personal data
Identification data (name, surname, job title)
Contact details (email addresses)
Presence or absence of causes of incompatibility, declarations for the purposes of anti-money laundering legislation
Sensitive data
n/a
Compliance
Nature of the processing
Centralized management of corporate processes for verifying supplier regulatory compliance
Categories of data subjects
Employees of the Controller's suppliers
Freelance suppliers or individual companies
Categories of personal data
Identification data (name, surname, job title)
Contact details (email addresses)
Sensitive data
n/a
Documents
Nature of the processing
Access and management of documents relating to the relationship with suppliers
Categories of data subjects
Employees of the Controller's suppliers
Freelance suppliers or individual companies
Administrators of the Controller's suppliers
Categories of personal data
Identification data (name, surname, date of birth, job title, job description, and company department)
Contact details (email addresses, company mobile number)
Bank and tax details (VAT number, IBAN)
Content of email communications
Autographed signatures
Sensitive data
n/a
Analytics
Nature of the processing
Aggregate analysis of supplier management information
Categories of data subjects
Freelance suppliers or individual companies
Categories of personal data
Identification data (name, surname)
Contact details (email addresses)
Sensitive data
n/a
Vendor management
Nature of the processing
Detailed management of activities
Categories of data subjects
Freelance suppliers or individual companies
Categories of personal data
Identification data (name, surname)
Contact details (email addresses)
Creditworthiness
Sensitive data
n/a
Items
Nature of the processing
n/a
Categories of data subjects
n/a
Categories of personal data
n/a
Sensitive data
n/a
Insights
Nature of the processing
Analysis of managed expenses and supplier positions to identify savings or margin opportunities
Categories of data subjects
Employees of the Controller's suppliers
Freelance suppliers or individual companies
Categories of personal data
Employees of the Controller's suppliers
Freelance suppliers or individual companies
Sensitive data
n/a
Intake Orchestration
Nature of the processing
Internalized management of the purchase request submission and validation process
Categories of data subjects
Employees of the Controller's suppliers
Freelance suppliers or individual companies
Categories of personal data
Identification data (name, surname, date of birth, job title, job description, and company department)
Contact details (email addresses, company mobile number)
Sensitive data
n/a
Budget
Nature of the processing
n/a
Categories of data subjects
n/a
Categories of personal data
n/a
Sensitive data
n/a
Contracts
Nature of the processing
Contract management and analysis
Categories of data subjects
Employees of the Controller's suppliers
Freelance suppliers or individual companies
Administrators of the Controller's suppliers
Categories of personal data
Identification data (name, surname, date of birth, job title, job description, and company department)
Contact details (email addresses, company mobile number)
Bank and tax details (VAT number, IBAN)
Autographed signatures
Sensitive data
n/a
DDT
Nature of the processing
Management and analysis of transport documents
Categories of data subjects
Employees of the Controller's suppliers
Freelance suppliers or individual companies
Administrators of the Controller's suppliers
Categories of personal data
Identification data (name, surname, date of birth, job title, job description, and company department)
Contact information (email addresses, business mobile number, business address)
Autographed signatures
Sensitive data
n/a
Procurement AI Assistant
Nature of the processing
transport documents
Categories of data subjects
Employees of the Controller's suppliers
Freelance suppliers or individual companies
Administrators of the Controller's suppliers
Categories of personal data
Identification data (name, surname, date of birth, job title, job description, and company department)
Contact information (email addresses, business mobile number, business address)
Sensitive data
n/a
Annex C-ter – List of security measures
Area | Cataloging | Detail requirement
Data Center Security Measures | Access to the System or SW (authentication) | Adoption of measures aimed at ensuring that: (i) administrative access by the System Administrators is reserved for personnel who are assigned the qualification (“role”) of system administrator, by virtue of high technical skills and characteristics of proven reliability and morality; (ii) administrative access to the systems by the Controller's personnel will take place through multi-factor authentication (MFA) procedures.
Data Center Security Measures | Access to the System or SW (management policy) | For services that provide for an administrative management method of the infrastructure components, the following policies must be provided: (i) user accounts that allow the identification of the administrator who carries out the intervention; (ii) activation of a log management process that records logins, logouts and failed logins; (iii) storage of logs in a format that guarantees their integrity and readability over time; (iv) storage of logs for at least six (6) months; (v) annual verification of the work of system administrators; (vi) access to systems via VPN and MFA.
Data Center Security Measures | Log management | Features for tracking or recording (logging) user access and activity. Activity logs must be appropriately protected to ensure their integrity and confidentiality. These features must be activated by the customer's system administrator or by the software house at the customer's request.
Data Center Security Measures | Auditing | Use of the log management and analysis system to monitor system administrator activity. Access to the log management system is reserved for auditors and is not permitted to system administration personnel.
Data Center Security Measures | Encryption of communication protocols | Application of secure, non-obsolete standard cryptographic communication protocols where access to the system is made via the Internet.
Data Center Security Measures | Threats and Vulnerabilities | Implementation of a threat and risk management program to continuously monitor SaaS platform vulnerabilities, as defined by international best practices, by planning and executing internal and external vulnerability scans and penetration tests. Identified vulnerabilities must be assessed to determine the associated risks, and appropriate corrective actions established based on their assigned priority and detected severity.
Data Center Security Measures | Firewalling | Adoption of firewall systems aimed at filtering and containing traffic by identifying any anomalous traffic that could indicate potential cyber-attacks.
Data Center Security Measures | Intrusion Prevention | Protection of the environment through which the Processor's service is provided by means of Intrusion Prevention Systems (IPS) that analyse all incoming traffic and immediately identify any ongoing attack attempts. Network traffic on significant segments of the platform passes through systems that inspect every packet in transit.
Data Center Security Measures | Malware protection | Adoption of measures to protect against malware infections, unauthorized actions, suspicious applications, and attempts to steal personal data (e.g., through constantly updated antivirus, anti-spam and anti-phishing systems).
Data Center Security Measures | Filesystem Antivirus | Adoption of filesystem antivirus modules on all servers used to provide services, with the option of configuring, on a project-by-project basis, specific antivirus products that are centrally managed in terms of updates, policy distribution, on-demand scan launches, notifications, and quarantine area management.
Data Center Security Measures | Incident monitoring and management | Adoption of policies and procedures for identifying, responding to, remediating, and reporting incidents that pose a risk to the integrity or confidentiality of personal data, or other security breaches.
Data Center Security Measures | Security Patch Management | Subjecting the platform to a periodic verification process for available patches or fixes relating to the components of the delivery system and those deemed critical for the provision of the service or for security.
Data Center Security Measures | Physical security | Application of adequate physical security measures to the designed hardware/software platform (e.g., use of hosting providers/data center services equipped with adequate systems to prevent the risk of intrusion, fire, flooding, etc.).
Data Center Security Measures | Anti-flooding | Adoption of all necessary measures within the Data Center to prevent flooding (such as the presence of probes, alarm systems, etc.).
Data Center Security Measures | Anti-intrusion | Setting up an access control system in the data center that identifies those who access it and prevents unauthorized access. The procedure must also include change management, activating and deactivating access authorizations based on role changes.
Data Center Security Measures | Closed circuit cameras | Installation of CCTV cameras to monitor the building perimeter, entrances, interlocking doors, and any other critical areas.
Data Center Security Measures | Conditioning | Adoption of adequate air conditioning and cooling systems for rooms and equipment.
Data Center Security Measures | Continuity and emergency | Adoption of procedures and controls to ensure the necessary level of system/software continuity and availability (in the event of an incident/personal data breach). Procedures must include instructions for maintaining backup copies as well as a disaster recovery plan.
Data Center Security Measures | Data deletion | Provision of measures for the deletion of production data at the end of the service provision, according to the contractual terms defined with the Customer.
Data Center Security Measures | Subcontractor management | Selection and verification of the requirements of the subcontractor who will manage the systems and infrastructure required to perform the Services, and signing of a contract that binds the subcontractor to comply with the obligations regarding security measures.
Connectivity | Firewalling | Firewall measures
Network security | AntiDDoS | Provision by the Data Center of a service capable of responding effectively to the problems created by distributed denial-of-service (“DDoS”) attacks.
Network security | IDS/IPS | Adoption of an IPS capable of automatically blocking detected attacks and an IDS capable of intercepting threats, thus providing real-time protection to the services provided by the Data Center.
Governance | Training | Provision of periodic training courses on personal data security and protection to employees involved in data processing activities.
Governance | Geographic location | Declaration by the software house (SWH) to the Customer of the geographical location of the data center (DC) and of the data.
Governance | Data breach | Adoption of procedures for identifying, containing, and resolving risk situations (e.g., personal data breaches) affecting data and system security in the post-intrusion phase.
Governance | Logical security | Reassessment of the security measures and procedures in place at least annually, to update them based on detected vulnerabilities, attacks, and technological developments.
Annex C-quater – List of sub-processors
Sub-processor | Nature of the processing | Contractual terms
Amazon Web Services | Cloud and hosting provision |
MongoDB Limited | Database management |
ClickHouse Inc | Database management |
Microsoft Inc | Provision of generative AI (Azure service) |
Anthropic PBC | Provision of generative AI (Claude API) |
Google Inc | Provision of generative AI (Google Gemini API via Google Studio) |
Document updated on 27/10/2025
