ANNEX C – DATA PROCESSING AGREEMENT
Between
Customer, as defined in the Commercial Agreement (hereinafter “Data Controller”);
And
Compri, as defined in the Commercial Agreement (hereinafter “Data Processor”);
(The Data Controller and the Data Processor are hereinafter also referred to individually as the “Party” and jointly as the “Parties”).
Given that:
a Commercial Agreement (hereinafter “ Agreement ”) has been stipulated between the Data Controller and the Data Processor to which this Data Processing Agreement (hereinafter “ DPA ”) is attached and of which it forms an integral and substantial part;
the object of the Agreement is the supply, according to the methods and terms defined in the Agreement itself, of the Compri SaaS (hereinafter “SaaS”), aimed at managing and streamlining the Customer's supply chain;
the use of SaaS involves the processing of personal data, as defined pursuant to art. 4(1)(1) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter “ GDPR ”);
with respect to such processing, the Customer acts as data controller, as defined pursuant to Article 4(1)(7) of the GDPR and Compri acts as data processor, pursuant to Article 28 of the GDPR;
The Data Processor certifies and guarantees that it possesses the experience, ability, and reliability necessary to adopt appropriate technical and organizational security measures to ensure a level of security appropriate to the risk, so that the processing carried out in performance of the task referred to in the Agreement meets the requirements of the GDPR and, in general, of the legislation on personal data protection and guarantees the protection of the rights of data subjects;
The Parties intend to agree, pursuant to and for the purposes of Article 28(2) of the GDPR, on the nature, purpose, duration, type of personal data, categories of data subjects, as well as their rights and obligations arising from the processing of personal data carried out through the SaaS.
In light of the above, the Parties agree as follows:
Definitions
In this DPA, the terms indicated below have the meanings attributed to them below. For anything not expressly defined pursuant to this article, please refer to the definitions in Article 4 of the GDPR.
The term “Applicable Law” means the GDPR, Legislative Decree 196/2003 and any other data protection law applicable from time to time to the processing of personal data;
The term “Authorised Persons” means employees, agents, or any other natural person authorized by the Parties to carry out personal data processing operations pursuant to Article 29 of the GDPR and Article 2-quaterdecies of Legislative Decree 196/2003;
The term “Sub-Processor” means any entity engaged by the Data Processor to carry out specific processing activities on behalf of the Data Controller, or another entity appointed by the latter;
the term “EEA” means the European Economic Area.
Purpose and scope
The purpose of this DPA is to ensure compliance with Article 28, paragraphs 3 and 4, of the GDPR.
This DPA applies to the processing operations listed and described in the Annex “Description of Processing and Instructions” (Annex C-bis). The Parties acknowledge that the SaaS is modular in nature and that, therefore, the processing of personal data carried out by the Processor is as indicated:
in Part 1 of the Annex “Description of Processing and Instructions”;
in Part 2 of the Annex “Description of Processing and Instructions”, relating to the modules covered by the Commercial Offer.
Obligations of the Data Controller
The Data Controller undertakes to comply with applicable legislation, as well as to process the data in accordance with any other applicable legal provision that has or may have binding effects on the methods and guarantees to be applied to the processing of personal data.
The Data Controller provides the Processor with instructions regarding the processing of personal data (the "Instructions") entered into the SaaS, verifying that these instructions comply with the Data Protection Legislation. The Data Controller's Instructions as of the date of signing this DPA are described in Annex C-bis.
The Data Controller may issue new instructions for the entire duration of the processing, notifying the Processor in writing at least 15 days before the effective date of the new instructions. Such new instructions must be documented in writing. The Processor has the right to terminate the Agreement pursuant to Article 1456 of the Italian Civil Code if such new Instructions impose an excessive burden or are deemed by the Processor to be in conflict with Applicable Law.
The Data Processor may, with regard to the characteristics of the processing of personal data intrinsically linked to the functioning of Compri, make changes to Annex C-bis, giving the Data Controller at least 5 days' notice.
Under no circumstances shall the Data Processor be held liable for any violation of the Applicable Law resulting from the Data Controller's conduct or from the application of the Instructions given by the Data Controller.
The Data Controller undertakes to verify and demonstrate that the data entered into the SaaS is collected and processed on an appropriate legal basis, as well as in compliance with any other transparency obligations imposed by Applicable Law.
The Data Controller undertakes to identify, for each category of personal data processed within the SaaS, the relevant retention periods and to remove the information from the SaaS after this period has elapsed.
In any case, the Processor's obligations do not include determining the lawfulness of the data processing activities carried out on behalf of the Data Controller, nor any verification of the compliance of the processing carried out via the SaaS with the applicable legislation.
Obligations of the Data Processor
The Processor processes personal data in accordance with the Controller's Instructions, unless required by Union or national law to which the Processor is subject. The Processor processes personal data solely for the specific purposes set out in Annex C-bis and for the period of time indicated therein.
Without prejudice to the provisions of Article 3.7. of this DPA, the Processor shall immediately inform the Data Controller if, in his opinion, the Instructions violate the Applicable Law.
The Processor maintains and updates the Register of Processing Activities pursuant to Art. 30(2) GDPR, with specific reference to the activities performed on behalf of the Data Controller. The Processor, upon request of the Data Controller, provides a copy of the sections of the aforementioned register relating to the processing performed on behalf of the Data Controller.
The Data Processor shall inform the Data Controller without undue delay of any obligation imposed by a public authority to consult and/or acquire the Data Controller's personal data, unless the aforementioned authority imposes different obligations due to investigative secrecy.
Assistance to the Data Controller
The Data Processor responds promptly and appropriately to requests for information from the Data Controller regarding the processing of data subject to this DPA and provides the Data Controller with appropriate documentation to demonstrate compliance with this DPA and the applicable legislation.
The Data Processor may fulfill the obligation set forth in the previous Article 5.1 by making available informational materials and useful documentation on dedicated web pages and/or in the personal area available in the SaaS interface.
The Processor provides reasonable assistance to the Controller in carrying out data protection impact assessments and in prior consultations with the Supervisory Authorities or other competent data protection authorities, as necessary for the Controller to comply with Articles 35 and 36 of the GDPR.
The Processor consents to the Controller or an auditor appointed by the Controller conducting audits, including inspections, in relation to the Processing of Personal Data carried out by the Processor, provided that the Processor is given reasonable notice of at least 2 months.
The audit request must contain an indication of the processing activities and obligations being verified, as well as indicate the reasons why the verification cannot be performed based on documentation.
Requests from Data Subjects
In the event that the Data Processor receives requests regarding the rights of Data Subjects, it is obliged to communicate such requests to the Data Controller, attaching a copy of the request to the communication.
The Data Processor undertakes to assist the Data Controller by implementing appropriate technical and organizational measures to respond to requests from Data Subjects.
The Data Processor shall process requests to exercise rights in accordance with the instructions specifically provided by the Data Controller in writing.
Data security
The Processor implements at least the technical and organizational measures specified in the Annex "List of Security Measures" (" Annex C-ter ") to ensure the security of personal data. This includes protection against any security breach leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, data, which may constitute a personal data breach pursuant to Article 33 of the GDPR.
The Data Processor may make changes to Annex C-ter, providing the Data Controller with at least five days' notice. The Data Processor remains obligated to maintain an adequate level of security and protection of personal data.
When assessing the appropriate level of security, the Parties shall take due account of the state of the art, the costs of implementation, as well as the nature, scope, context and purposes of the processing, as well as the risks to the Data Subjects.
Authorised Persons
The Processor grants access to the personal data undergoing processing to members of its staff only to the extent strictly necessary for the implementation, management and supervision of the processing operations covered by this DPA.
The Data Processor guarantees that the persons authorised to process the personal data received:
have undertaken to maintain confidentiality or are under an appropriate legal obligation of confidentiality;
have received appropriate authorization to process personal data.
Sub-Processors
The Processor has the general authorization of the Data Controller to use the Sub-processors listed in the Annex “List of Sub-processors” (“ Annex C-quater ”).
The Processor has the right to unilaterally amend Annex C-quater. In this case, the Processor shall inform the Data Controller of the amendments at least 5 days in advance, thus giving the Data Controller sufficient time to object to such amendments before the Sub-Processor(s) concerned are engaged for the processing in question.
In any case, the Data Processor undertakes to engage Sub-Processors who provide sufficient guarantees of an adequate level of protection of personal data and to sign a written agreement with each Sub-Processor which imposes on the Sub-Processor, in substance, the same obligations to which the Data Processor is subject towards the Data Controller.
Personal data breach
In the event of a security breach that may impact personal data processed by the Processor on behalf of the Data Controller, the Processor undertakes to notify the incident within 48 hours of its discovery.
The notification contains summary information useful for the Data Controller to fulfill the obligations set forth in Articles 33 and 34 of the GDPR, including at least a description of the breach, covering the nature and extent of the data affected.
Pending the technical investigations necessary to determine the characteristics and extent of the breach, the Data Processor has the right to provide a partial notification of the incident. Upon completion of these technical investigations, the Data Processor must provide the Data Controller with a supplementary notification.
The Data Controller shall notify the Data Processor of any security breaches, including those not involving personal data, that may compromise the security of the SaaS infrastructure, such as, but not limited to, the loss of control over the credentials assigned to users.
Transfer of data outside the European Economic Area
Any transfer of data to a third country or an international organization by the Controller is carried out in compliance with Chapter V of the GDPR.
Duration and termination
The DPA term is effective from the date of signing the Agreement and applies for as long as personal data is being processed by the Processor on behalf of the Controller.
Upon termination, for any reason, of this DPA, the Processor shall be required, unless otherwise instructed in writing by the Data Controller, to either:
a. cease all processing activities involving personal data;
b. anonymize the personal data in its possession through the non-reversible deletion of the database rows associated with the Data Subjects.
The Parties acknowledge and accept that beyond the termination date of the Agreement, personal data processing will still take place for strictly technical purposes such as, by way of example, the completion of personal data deletion operations, the management of backup copies, or the fulfillment of legal or regulatory obligations.
Final Provisions
The execution of the activities referred to in this DPA does not give rise to any right on the part of the Processor, or any Sub-Processor, to receive compensation other than that contractually agreed between the Parties in the Agreement.
In the event of any conflict between this DPA and the Agreement, the DPA shall prevail with respect to matters relating to the processing of personal data.
For anything not expressly provided for in this DPA, please refer to the applicable Data Protection Legislation.
If any provision of this DPA is held to be invalid or unenforceable, the remaining provisions will remain in full force and effect. The invalid or unenforceable provision will be (i) modified to the extent necessary to ensure its validity and enforceability, preserving to the greatest extent possible the original intentions of the Parties, or, if this is not possible, (ii) interpreted as if it had never been included in the body of the Agreement.
The Data Processor has the right to remove from the documentation and information provided following requests made by the Data Controller pursuant to Articles 5, 6, 7, 8, 9, and 10 of this DPA any information whose disclosure could lead, even theoretically, to a violation of the personal data protection obligations to which the Data Processor is subject, or to the disclosure of information subject to industrial secrecy or otherwise likely to harm the Data Processor's corporate know-how.
Governing Law and Competent Court
The Parties submit this DPA to the law and jurisdiction chosen in the Agreement. Therefore, any disputes or claims that may arise under the terms of this DPA, including disputes relating to its existence, validity or termination or the consequences of its invalidity, are subject to the forum chosen in the Agreement.
Annex C-bis – Description of Processing and Instructions
Part 1 - General characteristics of the processing of personal data
The following information refers to all data processing carried out via the SaaS, regardless of the module purchased.
Nature of the processing
Provision of the Compri SaaS
Purpose of the processing
Provision of functions associated with the modules purchased by the Data Controller
User account management
Security Management
Duration of the processing
For as long as the Data Controller subscribes to the SaaS, in addition to any processing necessary for technical purposes
Categories of data subjects
Employees of the Data Controller
Categories of personal data
Identification data (name, surname, job title)
Contact details (email addresses)
Sensitive data
n/a
Part 2 - Specific processing characteristics for individual SaaS modules
The following information refers to data processing carried out through specific SaaS modules, to be verified based on those actually purchased by the Data Controller.
Order Management & Visibility
Nature of the processing
Analysis of orders and activities related to individual suppliers, through access to the IRP and the email inbox of the employee linked to the Compri account
Categories of data subjects
Employees of the Data Controller
Employees of the Data Controller's suppliers
Freelance suppliers or individual companies
Categories of personal data
Identification data (name, surname, job title, classification, and company department)
Contact details (email addresses, company mobile number)
Bank and tax details (VAT number, IBAN)
Content of email communications
Sensitive data
n/a
Request for X
Nature of the processing
Sending requests for quotations to multiple suppliers
Categories of data subjects
Employees of the Data Controller's suppliers
Freelance suppliers or individual companies
Categories of personal data
Identification data (name, surname)
Contact details (email addresses)
Sensitive data
n/a
Onboarding
Nature of the processing
Centralized management of the supplier onboarding and accreditation process
Categories of data subjects
Employees of the Data Controller's suppliers
Freelance suppliers or individual companies
Directors and statutory auditors of supplier companies
Family members of directors and auditors of supplier companies
Categories of personal data
Identification data (name, surname, job title)
Contact details (email addresses)
Presence or absence of causes of incompatibility, declarations for the purposes of anti-money laundering legislation
Sensitive data
n/a
Compliance
Nature of the processing
Centralized management of corporate processes for verifying supplier regulatory compliance
Categories of data subjects
Employees of the Data Controller's suppliers
Freelance suppliers or individual companies
Categories of personal data
Identification data (name, surname, job title)
Contact details (email addresses)
Sensitive data
n/a
Documents
Nature of the processing
Access and management of documents relating to the relationship with suppliers
Categories of data subjects
Employees of the Data Controller's suppliers
Freelance suppliers or individual companies
Administrators of the Data Controller's suppliers
Categories of personal data
Identification data (name, surname, date of birth, job title, job description, and company department)
Contact details (email addresses, company mobile number)
Bank and tax details (VAT number, IBAN)
Content of email communications
Autographed signatures
Sensitive data
n/a
Analytics
Nature of the processing
Aggregate analysis of supplier management information
Categories of data subjects
Freelance suppliers or individual companies
Categories of personal data
Identification data (name, surname)
Contact details (email addresses)
Sensitive data
n/a
Vendor management
Nature of the processing
Detailed management of activities
Categories of data subjects
Freelance suppliers or individual companies
Categories of personal data
Identification data (name, surname)
Contact details (email addresses)
Creditworthiness
Sensitive data
n/a
Items
Nature of the processing
n/a
Categories of data subjects
n/a
Categories of personal data
n/a
Sensitive data
n/a
Insights
Nature of the processing
Analysis of managed expenses and supplier positions to identify savings or margin opportunities
Categories of data subjects
Employees of the Data Controller's suppliers
Freelance suppliers or individual companies
Categories of personal data
Employees of the Data Controller's suppliers
Freelance suppliers or individual companies
Sensitive data
n/a
Intake Orchestration
Nature of the processing
Internalized management of the purchase request submission and validation process
Categories of data subjects
Employees of the Data Controller's suppliers
Freelance suppliers or individual companies
Categories of personal data
Identification data (name, surname, date of birth, job title, job description, and company department)
Contact details (email addresses, company mobile number)
Sensitive data
n/a
Budget
Nature of the processing
n/a
Categories of data subjects
n/a
Categories of personal data
n/a
Sensitive data
n/a
Contracts
Nature of the processing
Contract management and analysis
Categories of data subjects
Employees of the Data Controller's suppliers
Freelance suppliers or individual companies
Administrators of the Data Controller's suppliers
Categories of personal data
Identification data (name, surname, date of birth, job title, job description, and company department)
Contact details (email addresses, company mobile number)
Bank and tax details (VAT number, IBAN)
Autographed signatures
Sensitive data
n/a
DDT
Nature of the processing
Management and analysis of transport documents
Categories of data subjects
Employees of the Data Controller's suppliers
Freelance suppliers or individual companies
Administrators of the Data Controller's suppliers
Categories of personal data
Identification data (name, surname, date of birth, job title, job description, and company department)
Contact information (email addresses, business mobile number, business address)
Autographed signatures
Sensitive data
n/a
Procurement AI Assistant
Nature of the processing
transport documents
Categories of data subjects
Employees of the Data Controller's suppliers
Freelance suppliers or individual companies
Administrators of the Data Controller's suppliers
Categories of personal data
Identification data (name, surname, date of birth, job title, job description, and company department)
Contact information (email addresses, business mobile number, business address)
Sensitive data
n/a
Annex C-ter – List of security measures
Scope
Category
Requirement detail
Data Center Security Measures
Access to the System or SW (authentication)
Adoption of measures aimed at ensuring that:
- administrative access on the Processor's side is reserved for personnel who are assigned the qualification (“role”) of system administrator, by virtue of high technical skills and characteristics of proven reliability and morality;
- administrative access to the systems by the Client's personnel will take place through multi-factor authentication (MFA) procedures.
Data Center Security Measures
Access to the System or SW (management policy)
For services that provide for an administrative management method of the infrastructure components, the following policies must be provided:
- user accounts that allow the identification of the administrator who carries out the intervention;
- activation of a log management process that records logins, logouts and failed logins;
- storage of logs in a format that guarantees their integrity and readability over time;
- storage of logs for at least six (6) months;
- annual verification of the work of system administrators;
- access to systems via VPN and MFA.
Data Center Security Measures
Log management
Features for tracking or recording (logging) user access and activity. Activity logs must be appropriately protected to ensure their integrity and confidentiality. These features must be activated by the customer's system administrator or the software house at the customer's request.
Data Center Security Measures
Auditing
Use of the log management and analysis system to monitor system administrator activity. Access to the log management system is reserved for auditors and is not permitted to system administration personnel.
Data Center Security Measures
Encryption of communication protocols
Application of secure and non-obsolete standard cryptographic communication protocols, in cases where access to the system is made via the Internet.
Data Center Security Measures
Threats and Vulnerabilities
Implement a threat and risk management program to continuously monitor SaaS platform vulnerabilities, as defined by international best practices, by planning and executing internal and external vulnerability scans and penetration tests. Identified vulnerabilities must be assessed to determine the associated risks and appropriate corrective actions established based on their assigned priority and detected severity.
Data Center Security Measures
Firewalling
Adoption of firewall systems aimed at filtering and containing traffic by identifying any anomalous traffic that could indicate potential cyber attacks.
Data Center Security Measures
Intrusion Prevention
Protection of the environment through which the Processor's service is provided by means of Intrusion Prevention Systems (IPS) that analyze all incoming traffic and immediately identify any ongoing attack attempts. Network traffic on significant segments of the platform passes through systems that inspect every packet in transit.
Data Center Security Measures
Malware protection
Adoption of measures to protect against malware infections, unauthorized actions, suspicious applications, and attempts to steal personal data (e.g., through constantly updated antivirus, anti-spam, anti-phishing systems, etc.).
Data Center Security Measures
Filesystem Antivirus
Adoption of filesystem antivirus modules on all servers used to provide services, with the option of configuring, on a project-by-project basis, specific antivirus products that are centrally managed in terms of updates, policy distribution, on-demand scan launches, notifications, and quarantine area management.
Data Center Security Measures
Incident monitoring and management
Adoption of policies and procedures for identifying, responding to, remediating, and reporting incidents that pose a risk to the integrity or confidentiality of personal data or other security breaches.
Data Center Security Measures
Security Patch Management
Subjecting the platform to a periodic verification process for available patches or fixes relating to the components of the delivery system and those deemed critical for the provision of the service or for security.
Data Center Security Measures
Physical security
Application of adequate physical security measures to the designed hardware/software platform (e.g., use of hosting providers/data center services equipped with adequate systems to prevent the risk of intrusion, fire, flooding, etc.).
Data Center Security Measures
Anti-flooding
Adoption of all necessary measures within the Data Center to prevent flooding (such as the presence of probes, alarm systems, etc.).
Data Center Security Measures
Anti-intrusion
Setting up an access control system in the data center that identifies those who access it and prevents unauthorized access. The procedure must also include change management , activating and deactivating access authorizations based on role changes.
Data Center Security Measures
Closed circuit cameras
Installation of CCTV cameras to monitor the building perimeter, entrances, interlocking doors, and any other critical areas.
Data Center Security Measures
Conditioning
Adoption of adequate air conditioning and cooling systems for rooms and equipment.
Data Center Security Measures
Continuity and emergency
Adoption of procedures and controls to ensure the necessary level of system/software continuity and availability (in the event of an incident/personal data breach). Procedures must include instructions for maintaining backup copies as well as a disaster recovery plan .
Data Center Security Measures
Data deletion
Provision of measures for the deletion of production data at the end of the service provision according to the contractual terms defined with the Customer.
Data Center Security Measures
Subcontractor management
Selection and verification of the requirements of the subcontractor who will manage the systems and infrastructure required to perform the Services, and signing a contract that binds the subcontractor to comply with the obligations regarding security measures.
Connectivity
Internet lines and bandwidth
Implementation of measures to ensure adequate connectivity in compliance with the service levels contractually defined with the Customer.
Connectivity
Firewalling
Adoption of firewall measures.
Network security
AntiDDoS
Provision by the Data Center of a service capable of responding effectively to the problems created by Distributed Denial of Service (“DDoS”) attacks.
Network security
IDS/IPS
Adoption of an IPS (Intrusion Prevention System) capable of automatically blocking detected attacks and an IDS (Intrusion Detection System) capable of intercepting threats, thus providing real-time protection to the services provided by the Data Center.
Governance
Training
Provision of periodic training courses on personal data security and protection to employees involved in data processing activities.
Governance
Geographic location
Declaration by the software house (SWH) to the Customer of the geographical location of the Data Center and of the data.
Governance
Data breach
Adoption of procedures for identifying, containing, and resolving risk situations (e.g., personal data breaches) for data and system security in the post-intrusion phase.
Governance
Logical security
Reassess the security measures and procedures in place at least annually to update them based on detected vulnerabilities, attacks, and technological developments.
Annex C-quater – List of sub-processors
Sub-Processor
Nature of the processing
Terms of service
Amazon Web Services
Cloud and hosting provision
Mongo DB Limited
Database Management Service
Clickhouse Inc
Database Management Service
Microsoft Inc
Azure Generative AI Service Provision
Anthropic PBC
Providing Generative AI Service Claude API
Google Inc
Providing the Google Gemini API Generative AI Service via Google Studio