ANNEX C – DATA PROCESSING AGREEMENT

Between

Customer, as defined in the Commercial Agreement (hereinafter the “Controller”);

And

Compri, as defined in the Commercial Agreement (hereinafter the “Processor”);

(The Controller and the Processor are hereinafter also referred to individually as a “Party” and jointly as the “Parties”).

Given that:


  1. a Commercial Agreement (hereinafter “ Agreement ”) has been stipulated between the Data Controller and the Data Processor to which this Data Processing Agreement (hereinafter “ DPA ”) is attached and of which it forms an integral and substantial part;

  2. the object of the Agreement is the supply, according to the methods and terms defined in the Agreement itself, of the Compri SaaS (hereinafter “SaaS”), aimed at managing and streamlining the Customer's supply chain;

  3. the use of SaaS involves the processing of personal data, as defined pursuant to art. 4(1)(1) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter “ GDPR ”);

  4. with respect to such processing, the Customer acts as data controller, as defined pursuant to Article 4(1)(7) of the GDPR and Compri acts as data processor, pursuant to Article 28 of the GDPR;

  5. the Processor certifies and guarantees that it possesses the experience, ability and reliability necessary to adopt appropriate technical and organizational security measures to ensure a level of security appropriate to the risk, so that the processing carried out in performance of the task referred to in the Agreement meets the requirements of the GDPR and, in general, of the legislation on personal data protection, and guarantees the protection of the rights of data subjects;

  6. The Parties intend to agree, pursuant to and for the purposes of Article 28(2) of the GDPR, on the nature, purpose, duration, type of personal data, categories of data subjects, as well as their rights and obligations arising from the processing of personal data carried out through the SaaS.

In light of the above, the Parties agree as follows:

  1. Definitions

    1. In this DPA, the terms indicated below have the meanings attributed to them below. For anything not expressly defined pursuant to this article, please refer to the definitions in Article 4 of the GDPR.

    2. The term “Applicable Law” means the GDPR, Legislative Decree 196/2003 and any other data protection law applicable from time to time to the processing of personal data;

    3. The term “Persons in charge of processing” means employees, agents, or any other natural person authorized by the Parties to carry out personal data processing operations pursuant to Article 29 of the GDPR and Article 2-quaterdecies of Legislative Decree 196/2003;

    4. The term “Sub-Processor” means any entity used by the Processor to carry out specific activities on behalf of the Data Controller, or another entity appointed by the latter;

    5. the term “EEA” means the European Economic Area.

  2. Purpose and scope

    1. The purpose of this DPA is to ensure compliance with Article 28, paragraphs 3 and 4, of the GDPR.

    2. This DPA applies to the processing operations listed and described in the Annex “Description of Processing and Instructions” (Annex C-bis). The Parties acknowledge that the SaaS is modular in nature and that, therefore, the processing of personal data carried out by the Processor is as indicated:

      1. in Part 1 of the Annex “Description of Processing and Instructions”;

      2. in Part 2 of the Annex “Description of Processing and Instructions”, relating to the modules covered by the Commercial Offer.


  3. Obligations of the Data Controller

    1. The Data Controller undertakes to comply with the Applicable Law, as well as to process the data in accordance with any other applicable legal provision that has or may have binding effects on the methods and guarantees to be applied to the processing of personal data.

    2. The Data Controller provides the Processor with instructions regarding the processing of the personal data entered into the SaaS (the “Instructions”), verifying that these Instructions comply with the Applicable Law. The Data Controller's Instructions as of the date of signing this DPA are described in Annex C-bis.

    3. The Data Controller may issue new Instructions for the entire duration of the processing, notifying the Processor in writing at least 15 days before the effective date of the new Instructions. Such new Instructions must be documented in writing. The Processor has the right to terminate the Agreement pursuant to Article 1456 of the Italian Civil Code if such new Instructions impose an excessive burden or are deemed by the Processor to be in conflict with the Applicable Law.

    4. The Processor may, with regard to the characteristics of the processing of personal data intrinsically linked to the functioning of Compri, make changes to Annex C-bis, giving the Data Controller at least 5 days' notice.

    5. Under no circumstances shall the Processor be held liable for any violation of the Applicable Law resulting from the Data Controller's conduct or from the application of the Instructions given by the Data Controller.

    6. The Data Controller undertakes to verify and demonstrate that the data entered into the SaaS is collected and processed on an appropriate legal basis, as well as in compliance with any other transparency obligations imposed by the Applicable Law.

    7. The Data Controller undertakes to identify, for each category of personal data processed within the SaaS, the relevant retention periods and to remove the information from the SaaS after this period has elapsed.

    8. In any case, the Processor's obligations do not include determining the lawfulness of the data processing activities carried out on behalf of the Data Controller, nor any verification of the compliance of the processing carried out via the SaaS with the Applicable Law.

  4. Obligations of the Data Processor

    1. The Processor processes personal data in accordance with the Data Controller's Instructions, unless otherwise required by Union or national law to which the Processor is subject. The Processor processes personal data solely for the specific purposes set out in Annex C-bis and for the period of time indicated therein.

    2. Without prejudice to Article 3.7 of this DPA, the Processor shall immediately inform the Data Controller if, in its opinion, the Instructions violate the Applicable Law.

    3. The Processor maintains and updates the Register of Processing Activities pursuant to Article 30(2) of the GDPR, with specific reference to the activities performed on behalf of the Data Controller. Upon request of the Data Controller, the Processor provides a copy of the sections of that register relating to the processing performed on behalf of the Data Controller.

    4. The Processor shall inform the Data Controller without undue delay of any obligation imposed by a public authority to consult and/or acquire the Data Controller's personal data, unless that authority imposes different obligations on grounds of investigative secrecy.

  5. Assistance to the Data Controller

    1. The Processor responds promptly and appropriately to requests for information from the Data Controller regarding the processing covered by this DPA and provides the Data Controller with appropriate documentation to demonstrate compliance with this DPA and the Applicable Law.

    2. The Processor may fulfill the obligation set forth in Article 5.1 above by making informational materials and useful documentation available on dedicated web pages and/or in the personal area of the SaaS interface.

    3. The Processor provides reasonable assistance to the Data Controller in carrying out data protection impact assessments and in prior consultations with the Supervisory Authorities or other competent data protection authorities, as necessary for the Data Controller to comply with Articles 35 and 36 of the GDPR.

    4. The Processor consents to the Data Controller, or an auditor appointed by the Data Controller, conducting audits, including inspections, in relation to the processing of personal data carried out by the Processor, provided that the Processor is given reasonable notice of at least 2 months.

    5. The audit request must indicate the processing activities and obligations being verified, as well as the reasons why the verification cannot be performed on the basis of documentation.

  6. Requests from Data Subjects

    1. If the Processor receives requests regarding the rights of Data Subjects, it shall communicate such requests to the Data Controller, attaching a copy to the communication.

    2. The Processor undertakes to assist the Data Controller by implementing appropriate technical and organizational measures to respond to requests from Data Subjects.

    3. The Processor shall handle requests to exercise rights in accordance with the instructions specifically provided in writing by the Data Controller.

  7. Data security

    1. The Processor implements at least the technical and organizational measures specified in the Annex “List of Security Measures” (Annex C-ter) to ensure the security of personal data. This includes protection against any security breach leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, data, which may constitute a personal data breach pursuant to Article 33 of the GDPR.

    2. The Processor may make changes to Annex C-ter, giving the Data Controller at least five days' notice. The Processor remains obligated to maintain an adequate level of security and protection of personal data.

    3. When assessing the appropriate level of security, the Parties shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purposes of the processing, and the risks to the Data Subjects.

  8. Persons in charge of processing

    1. The Processor grants access to the personal data undergoing processing to members of its staff only to the extent strictly necessary for the implementation, management and supervision of the processing operations covered by this DPA.

    2. The Processor guarantees that the persons authorised to process the personal data received:

      1. have undertaken to maintain confidentiality or are under an appropriate legal obligation of confidentiality;

      2. have received appropriate authorization to process personal data.

  9. Sub-Processors

    1. The Processor has the general authorization of the Data Controller to use the Sub-Processors listed in the Annex “List of Sub-Processors” (Annex C-quater).

    2. The Processor has the right to unilaterally amend Annex C-quater. In this case, the Processor shall inform the Data Controller of the amendments at least 5 days in advance, thus giving the Data Controller sufficient time to object to such amendments before the Processor engages the Sub-Processor(s) for the processing in question.

    3. In any case, the Processor undertakes to engage Sub-Processors that provide sufficient guarantees of an adequate level of protection of personal data, and to sign a written agreement with each Sub-Processor which imposes on the Sub-Processor, in substance, the same obligations to which the Processor is subject towards the Data Controller.

  10. Personal data breach

    1. In the event of a security breach that may impact personal data processed by the Processor on behalf of the Data Controller, the Processor undertakes to notify the Data Controller of the incident within 48 hours of its discovery.

    2. The notification contains summary information useful for the Data Controller to fulfill the obligations set forth in Articles 33 and 34 of the GDPR, including at least a description of the breach and the nature and extent of the data affected.

    3. Pending the technical investigations necessary to determine the characteristics and extent of the breach, the Processor may provide a partial notification of the incident. Upon completion of these investigations, the Processor must provide the Data Controller with a supplementary notification.

    4. The Data Controller shall notify the Processor of any security breaches, including those not involving personal data, that may compromise the security of the SaaS infrastructure, such as, but not limited to, the loss of control over the credentials assigned to users.

  11. Transfer of data outside the European Economic Area

    1. Any transfer of personal data to a third country or an international organization by the Processor is carried out in compliance with Chapter V of the GDPR.

  12. Duration and termination

    1. This DPA is effective from the date of signing the Agreement and applies for as long as personal data is being processed by the Processor on behalf of the Data Controller.

    2. Upon termination, for any reason, of this DPA, the Processor shall be required, unless otherwise instructed in writing by the Data Controller, to either:

      a. cease all processing activities involving personal data; or

      b. anonymize the personal data in its possession through the non-reversible deletion of the database rows associated with the Data Subjects.

    3. The Parties acknowledge and accept that, beyond the termination date of the Agreement, personal data processing will still take place for strictly technical purposes such as, by way of example, the completion of personal data deletion operations, the management of backup copies, or the fulfillment of legal or regulatory obligations.

  13. Final Provisions

    1. The execution of the activities referred to in this DPA does not give rise to any right on the part of the Processor, or any Sub-Processor, to receive compensation other than that contractually agreed between the Parties in the Agreement.

    2. In the event of any conflict between this DPA and the Agreement, the DPA shall prevail with respect to matters relating to the processing of personal data.

    3. For anything not expressly provided for in this DPA, reference is made to the Applicable Law.

    4. If any provision of this DPA is held to be invalid or unenforceable, the remaining provisions will remain in full force and effect. The invalid or unenforceable provision will be (i) modified to the extent necessary to ensure its validity and enforceability, preserving to the greatest extent possible the original intentions of the Parties, or, if this is not possible, (ii) interpreted as if it had never been included in the body of the Agreement.

    5. The Processor has the right to remove, from the documentation and information provided following requests made by the Data Controller pursuant to Articles 5, 6, 7, 8, 9 and 10 of this DPA, any information whose disclosure could lead, even theoretically, to a violation of the personal data protection obligations to which the Processor is subject, or to the disclosure of information subject to industrial secrecy or otherwise likely to harm the Processor's corporate know-how.

  14. Governing Law and Competent Court

    1. The Parties submit this DPA to the law and jurisdiction chosen in the Agreement. Therefore, any disputes or claims that may arise under this DPA, including disputes relating to its existence, validity or termination or the consequences of its invalidity, are subject to the forum chosen in the Agreement.

Annex C-bis – Description of Processing and Instructions

Part 1 - General characteristics of the processing of personal data

The following information refers to all data processing carried out via the SaaS, regardless of the module purchased.

Nature of the processing: Provision of the Compri SaaS

Purpose of the processing: Provision of the functions associated with the modules purchased by the Controller; user account management; security management

Duration of the processing: For as long as the Controller subscribes to the SaaS, plus any processing necessary for technical purposes

Categories of data subjects: Employees of the Controller

Categories of personal data: Identification data (name, surname, job title); Contact details (email addresses)

Sensitive data: n/a

Part 2 - Specific processing characteristics for individual SaaS modules

The following information refers to data processing carried out through specific SaaS modules, to be verified against those actually purchased by the Controller.

Order Management & Visibility

Nature of the processing: Analysis of orders and activities related to individual suppliers, through access to the IRP and to the email inbox of the employee linked to the Compri account

Categories of data subjects: Employees of the Controller; Employees of the Controller's suppliers; Freelance suppliers or sole proprietorships

Categories of personal data: Identification data (name, surname, job title, classification, and company department); Contact details (email addresses, company mobile number); Bank and tax details (VAT number, IBAN); Content of email communications

Sensitive data: n/a

Request for X

Nature of the processing: Sending requests for quotations to multiple suppliers

Categories of data subjects: Employees of the Controller's suppliers; Freelance suppliers or sole proprietorships

Categories of personal data: Identification data (name, surname); Contact details (email addresses)

Sensitive data: n/a

Onboarding

Nature of the processing: Centralized management of the supplier onboarding and accreditation process

Categories of data subjects: Employees of the Controller's suppliers; Freelance suppliers or sole proprietorships; Directors and statutory auditors of supplier companies; Family members of directors and statutory auditors of supplier companies

Categories of personal data: Identification data (name, surname, job title); Contact details (email addresses); Presence or absence of grounds for incompatibility; declarations for the purposes of anti-money laundering legislation

Sensitive data: n/a

Compliance

Nature of the processing: Centralized management of corporate processes for verifying supplier regulatory compliance

Categories of data subjects: Employees of the Controller's suppliers; Freelance suppliers or sole proprietorships

Categories of personal data: Identification data (name, surname, job title); Contact details (email addresses)

Sensitive data: n/a

Documents

Nature of the processing: Access to and management of documents relating to the relationship with suppliers

Categories of data subjects: Employees of the Controller's suppliers; Freelance suppliers or sole proprietorships; Directors of the Controller's suppliers

Categories of personal data: Identification data (name, surname, date of birth, job title, job description, and company department); Contact details (email addresses, company mobile number); Bank and tax details (VAT number, IBAN); Content of email communications; Handwritten signatures

Sensitive data: n/a

Analytics

Nature of the processing: Aggregate analysis of supplier management information

Categories of data subjects: Freelance suppliers or sole proprietorships

Categories of personal data: Identification data (name, surname); Contact details (email addresses)

Sensitive data: n/a

Vendor management

Nature of the processing: Detailed management of activities

Categories of data subjects: Freelance suppliers or sole proprietorships

Categories of personal data: Identification data (name, surname); Contact details (email addresses); Creditworthiness

Sensitive data: n/a

Items

Nature of the processing: n/a

Categories of data subjects: n/a

Categories of personal data: n/a

Sensitive data: n/a

Insights

Nature of the processing: Analysis of managed expenses and supplier positions to identify savings or margin opportunities

Categories of data subjects: Employees of the Controller's suppliers; Freelance suppliers or sole proprietorships

Categories of personal data: Employees of the Controller's suppliers; Freelance suppliers or sole proprietorships

Sensitive data: n/a

Intake Orchestration

Nature of the processing: Internalized management of the purchase request submission and validation process

Categories of data subjects: Employees of the Controller's suppliers; Freelance suppliers or sole proprietorships

Categories of personal data: Identification data (name, surname, date of birth, job title, job description, and company department); Contact details (email addresses, company mobile number)

Sensitive data: n/a

Budget

Nature of the processing: n/a

Categories of data subjects: n/a

Categories of personal data: n/a

Sensitive data: n/a

Contracts

Nature of the processing: Contract management and analysis

Categories of data subjects: Employees of the Controller's suppliers; Freelance suppliers or sole proprietorships; Directors of the Controller's suppliers

Categories of personal data: Identification data (name, surname, date of birth, job title, job description, and company department); Contact details (email addresses, company mobile number); Bank and tax details (VAT number, IBAN); Handwritten signatures

Sensitive data: n/a

DDT

Nature of the processing: Management and analysis of transport documents

Categories of data subjects: Employees of the Controller's suppliers; Freelance suppliers or sole proprietorships; Directors of the Controller's suppliers

Categories of personal data: Identification data (name, surname, date of birth, job title, job description, and company department); Contact details (email addresses, business mobile number, business address); Handwritten signatures

Sensitive data: n/a

Procurement AI Assistant

Nature of the processing: Transport documents

Categories of data subjects: Employees of the Controller's suppliers; Freelance suppliers or sole proprietorships; Directors of the Controller's suppliers

Categories of personal data: Identification data (name, surname, date of birth, job title, job description, and company department); Contact details (email addresses, business mobile number, business address)

Sensitive data: n/a

Annex C-ter – List of security measures

Part 1 - General characteristics of the processing of personal data

The following information refers to all data processing carried out via the SaaS, regardless of the module purchased.

Each measure is listed as Scope – Cataloging, followed by its detail requirement.

Data Center Security Measures – Access to the System or SW (authentication)

Adoption of measures aimed at ensuring that:
- administrative access on the Processor's side is reserved for personnel assigned the qualification (“role”) of system administrator, by virtue of high technical skills and proven reliability and integrity;
- administrative access to the systems by the Customer's personnel takes place through multi-factor authentication (MFA) procedures.

Data Center Security Measures – Access to the System or SW (management policy)

For services that provide for administrative management of the infrastructure components, the following policies must be in place:
- user accounts that allow identification of the administrator performing the intervention;
- activation of a log management process that records logins, logouts and failed logins;
- storage of logs in a format that guarantees their integrity and readability over time;
- storage of logs for at least six (6) months;
- annual review of the work of system administrators;
- access to systems via VPN and MFA.

Data Center Security Measures – Log management

Features for tracking or recording (logging) user access and activity. Activity logs must be appropriately protected to ensure their integrity and confidentiality. These features must be activated by the Customer's system administrator, or by the software house at the Customer's request.

Data Center Security Measures – Auditing

Use of the log management and analysis system to monitor system administrator activity. Access to the log management system is reserved for auditors and is not permitted to system administration personnel.

Data Center Security Measures – Encryption of communication protocols

Application of secure, non-obsolete standard cryptographic communication protocols wherever access to the system takes place via the Internet.

Data Center Security Measures – Threats and Vulnerabilities

Implementation of a threat and risk management program to continuously monitor SaaS platform vulnerabilities, as defined by international best practices, by planning and executing internal and external vulnerability scans and penetration tests. Identified vulnerabilities must be assessed to determine the associated risks, and appropriate corrective actions established based on their assigned priority and detected severity.

Data Center Security Measures – Firewalling

Adoption of firewall systems aimed at filtering and containing traffic by identifying any anomalous traffic that could indicate potential cyber attacks.

Data Center Security Measures – Intrusion Prevention

Protection of the environment through which the Processor's service is provided by means of Intrusion Prevention Systems (IPS) that analyze all incoming traffic and immediately identify any ongoing attack attempts. Network traffic on significant segments of the platform passes through systems that inspect every packet in transit.

Data Center Security Measures – Malware protection

Adoption of measures to protect against malware infections, unauthorized actions, suspicious applications, and attempts to steal personal data (e.g., through constantly updated antivirus, anti-spam and anti-phishing systems).

Data Center Security Measures – Filesystem Antivirus

Adoption of filesystem antivirus modules on all servers used to provide services, with the option of configuring, on a project-by-project basis, specific antivirus products that are centrally managed in terms of updates, policy distribution, on-demand scan launches, notifications, and quarantine area management.

Data Center Security Measures – Incident monitoring and management

Adoption of policies and procedures for identifying, responding to, remediating, and reporting incidents that pose a risk to the integrity or confidentiality of personal data, or other security breaches.

Data Center Security Measures – Security Patch Management

Subjecting the platform to a periodic verification process for available patches or fixes relating to the components of the delivery system and to those deemed critical for the provision of the service or for security.

Data Center Security Measures – Physical security

Application of adequate physical security measures to the designed hardware/software platform (e.g., use of hosting providers/data center services equipped with adequate systems to prevent the risk of intrusion, fire, flooding, etc.).

Data Center Security Measures – Anti-flooding

Adoption of all necessary measures within the Data Center to prevent flooding (such as the presence of probes, alarm systems, etc.).

Data Center Security Measures – Anti-intrusion

Setting up an access control system in the data center that identifies those who access it and prevents unauthorized access. The procedure must also include change management, activating and deactivating access authorizations based on role changes.

Data Center Security Measures – Closed circuit cameras

Installation of CCTV cameras to monitor the building perimeter, entrances, interlocking doors, and any other critical areas.

Data Center Security Measures – Conditioning

Adoption of adequate air conditioning and cooling systems for rooms and equipment.

Data Center Security Measures – Continuity and emergency

Adoption of procedures and controls to ensure the necessary level of system/software continuity and availability (in the event of an incident/personal data breach). Procedures must include instructions for maintaining backup copies as well as a disaster recovery plan.

Data Center Security Measures – Data deletion

Provision of measures for the deletion of production data at the end of the service provision, according to the contractual terms defined with the Customer.

Data Center Security Measures – Subcontractor management

Selection and verification of the requirements of the subcontractor who will manage the systems and infrastructure required to perform the Services, and signing of a contract that binds the subcontractor to comply with the obligations regarding security measures.

Connectivity – Internet lines and bandwidth

Implementation of measures to ensure adequate connectivity in compliance with the service levels contractually defined with the Customer.

Connectivity – Firewalling

Firewall measures.

Network security – AntiDDoS

Provision by the Data Center of a service capable of responding effectively to the problems created by distributed denial-of-service (“DDoS”) attacks.

Network security – IDS/IPS

Adoption of an IPS (Intrusion Prevention System) capable of automatically blocking detected attacks and an IDS (Intrusion Detection System) capable of intercepting threats, thus providing real-time protection to the services provided by the Data Center.

Governance – Training

Provision of periodic training courses on personal data security and protection to employees involved in data processing activities.

Governance – Geographic location

Declaration by the software house (SWH) to the Customer of the geographical location of the data center (DC) and of the data.

Governance – Data breach

Adoption of procedures for identifying, containing, and resolving risk situations (e.g., personal data breaches) for data and system security in the post-intrusion phase.

Governance – Logical security

Reassessment of the security measures and procedures in place at least annually, to update them based on detected vulnerabilities, attacks, and technological developments.

Annex C-quater – List of Sub-Processors

Each entry is listed as Sub-Processor – Nature of the processing (the terms of service column of the original annex is not reproduced here).

Amazon Web Services – Cloud and hosting provision

MongoDB Limited – Database management service

ClickHouse Inc – Database management service

Microsoft Inc – Provision of the Azure generative AI service

Anthropic PBC – Provision of the Claude API generative AI service

Google Inc – Provision of the Google Gemini API generative AI service via Google Studio

© compri S.r.l 2024

Viale Tunisia 42, 20124, Milan, Italy

VAT: 13568830965

© 2025 Compri UI. All rights reserved.
