Data Processing Agreement
Between
the Customer, as defined in the Commercial Agreement;
and
Compri, as defined in the Commercial Agreement (hereinafter also the “Processor”);
(the Customer and Compri are hereinafter also referred to individually as a “Party” and jointly as the “Parties”).
Whereas
- a Commercial Agreement (hereinafter the “Agreement”) has been entered into between the Customer and Compri, of which this Data Processing Agreement (hereinafter the “DPA”) forms an integral and essential part;
- the subject matter of the Agreement is the provision, in the manner and on the terms defined in the Agreement itself, of the Compri SaaS (hereinafter the “SaaS”), aimed at managing and improving the efficiency of the Customer’s supply chain, as well as the provision of ancillary consultancy services;
- the use of the SaaS entails the processing of personal data, as defined under Article 4(1)(1) of Regulation (EU) 2016/679 (hereinafter the “GDPR”);
- the Parties intend to agree, pursuant to and for the purposes of Article 28(2) of the GDPR, on the nature, purpose and duration of the processing, the type of personal data, the categories of data subjects, as well as their respective rights and obligations arising from the processing of personal data carried out by means of the SaaS.
Now, therefore, the Parties agree as follows:
1. Definitions and Language of the DPA
In this DPA, the terms indicated below have the meaning attributed to them hereafter. For anything not expressly defined under this clause, reference is made to the definitions set out in Article 4 of the GDPR.
“Applicable Legislation”: the GDPR, Legislative Decree no. 196/2003 and any other data protection legislation from time to time applicable to the processing of personal data;
“Controller”: the controller of personal data, i.e. the entity that actually determines the means and methods of the processing, irrespective of whether it is a party to this Agreement;
“Authorised Persons”: the employees, appointees or any other natural person authorised by the Parties to carry out personal data processing operations pursuant to Article 29 of the GDPR and Article 2-quaterdecies of Legislative Decree no. 196/2003;
“Sub-processor”: means the third parties authorised under this Data Processing Agreement to process the Customer’s Personal Data in order to provide, in whole or in part, the Processor’s Services and/or any related technical support;
“EEA”: the European Economic Area;
“Modules”: the modules of which the SaaS is composed, which the Customer purchases and implements also individually; each Module has its own functioning and its use entails the processing of separate and distinct categories of personal data, connected to the purposes pursued through it.
“Instructions”: the instructions issued by the Controller and detailed in clause 3.2 of this DPA.
If this DPA is translated into another language and there is any discrepancy between the Italian text and the translated text, the Italian text shall prevail.
2. Purpose and scope
2.1 The purpose of this DPA is to ensure compliance with Article 28 of the GDPR, as interpreted by the European Data Protection Board in Opinion 14/2019.
2.2 Within the scope of the activities described, the parties agree and accept that:
- Compri acts as Processor for the Customer’s Personal Data pursuant to the Applicable Legislation;
- the Customer acts as controller or processor, as the case may be, of the Customer’s Personal Data pursuant to the Applicable Legislation;
- each party shall comply with the obligations applicable to it under European and national legislation in respect of the processing of the Customer’s Personal Data.
2.3 This DPA applies to the processing operations listed and described in Annex 1. The Parties acknowledge that the SaaS is modular in nature and that, therefore, the processing of personal data carried out by the Processor is that indicated in Annex 1:
- in Part 1, in any event and in relation to any provision of the SaaS;
- in Part 2, in relation only to the modules that are the subject of the Commercial Offer;
- in Part 3, in the event that Compri’s consultancy services are activated.
3. Customer’s obligations and instructions
3.1 The Customer undertakes to comply with the Applicable Legislation, as well as to process the data in accordance with any other applicable provision of law that has or may have binding effects as to the methods and safeguards to be applied to the processing of personal data.
3.2 By this Data Processing Agreement, the Customer instructs Compri to process the personal data covered by this DPA: (a) only in accordance with applicable law; (b) to provide the SaaS and any related technical support, without prejudice to the Processor’s right to process them in anonymised and/or aggregated form for statistical purposes and for the improvement of the services; (c) as further specified/indicated by the Customer through its use of the Processor’s Services (including changes to the settings and/or features of the Processor’s Services) and of any related technical support; (d) as documented in the Agreement, including this DPA; and (e) as further documented in any written communication provided by the Customer to Compri, to be understood as a further instruction for the purposes of this Data Processing Agreement.
3.3 In no event shall the Processor be liable for any breach of the Applicable Legislation arising from conduct of the Customer or of the Controller, or from the application of the Instructions issued by them.
3.4 The Customer undertakes to verify and demonstrate that the data entered into the SaaS are collected and processed in compliance with every other obligation imposed by the Applicable Legislation and with every other provision of law.
3.5 Where the Customer acts as processor, the Customer warrants to Compri that the Customer’s instructions and actions in relation to the personal data, including the appointment of Compri as a further Processor, have been authorised by the respective Controller.
4. Compri’s obligations
4.1 Compri processes the personal data in accordance with the Instructions, unless required to do otherwise by Union or national law to which the Processor is subject.
4.2 The Processor shall immediately inform the Customer if, in its opinion, the Instructions infringe the Applicable Legislation. In no event shall the Processor be under any obligation to carry out an exhaustive legal review of the written instructions issued by the Customer or the Controller.
4.3 The Processor keeps and updates the Record of Processing Activities referred to in Article 30(2) of the GDPR, with particular reference to the activities carried out on behalf of the Controller. The Processor, at the Controller’s request, makes available a copy of the sections of the aforesaid record concerning the processing carried out on behalf of the Controller.
4.4 The Processor informs the Controller without undue delay of any obligation to consult and/or acquire the Controller’s personal data imposed by a public Authority, save for different constraints imposed by the aforesaid Authority due to investigative secrecy.
5. Assistance to the Customer and audits
5.1 The Processor responds promptly and adequately to the Customer’s requests for information relating to the processing covered by this DPA and makes available to the Customer the documentation suitable to demonstrate compliance with this DPA and the Applicable Legislation.
5.2 The Processor may fulfil the obligation referred to in clause 5.1 above by making informational material and useful documentation available within dedicated web pages and/or the personal area available in the SaaS interface.
5.3 The Processor offers reasonable assistance to the Customer in carrying out data protection impact assessments and in prior consultations with the supervisory authorities or other authorities competent in matters of personal data protection, where these become necessary in order for the Controller to comply with Articles 35 and 36 of the GDPR.
5.4 The Processor consents to the Customer, or an auditor mandated by the Customer, carrying out audits, including inspections, in relation to the processing of personal data carried out by the Processor, provided that the Processor is given reasonable prior notice of at least 30 days. The audit request must contain the identity of the auditor, the start date as well as the scope and duration, and the security and confidentiality controls in relation to each audit.
6. Data subjects’ requests
6.1 In the event that the Processor receives requests concerning the rights of data subjects in respect of the processing, it is obliged to communicate such requests to the Customer, attaching a copy to the communication.
6.2 The Processor undertakes to assist the Customer by implementing appropriate technical and organisational measures in order to give effect to the requests of data subjects.
6.3 The Processor gives effect to requests for the exercise of rights in accordance with the instructions specifically issued in writing by the Controller.
7. Data security
7.1 The Processor implements at least the technical and organisational measures specified in Annex 2 to ensure the security of personal data.
7.2 In assessing the appropriate level of security, the Parties take due account of the state of the art, the costs of implementation, and the nature, scope, context and purposes of the processing, as well as the risks to data subjects.
7.3 Compri shall adopt appropriate measures to ensure compliance with the Security Measures by all those acting under its authority, including its employees, agents, contractors and Sub-processors, to the extent applicable to them according to the service actually performed, including by ensuring that all persons authorised to process the Customer’s Personal Data have committed themselves to confidentiality or are under an appropriate confidentiality obligation in accordance with European and national legislation.
8. Persons authorised to process
8.1 The Processor grants access to the personal data being processed to members of its staff only to the extent strictly necessary for the implementation, management and control of the processing operations covered by this DPA.
8.2 The Processor ensures that the persons authorised to process the personal data received:
- have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
- have received appropriate authorisation to process the personal data.
9. Sub-processors
9.1 The Processor has general authorisation to engage the Sub-processors listed in Annex 3.
9.2 The Processor is entitled to engage new Sub-processors. In that case, the Processor informs the Customer of the changes at least 15 days in advance, thereby giving the Customer sufficient time to object to such changes before engaging the Sub-processor(s) in question.
9.3 Compri undertakes to engage Sub-processors that provide sufficient guarantees to ensure an adequate level of protection of personal data, and to enter into a written agreement with each Sub-processor imposing on the Sub-processor, in substance, the same obligations by which the Processor is bound under the DPA.
9.4 In the event of the Customer’s objection to any of the new Sub-processors, the Parties undertake to cooperate in good faith to identify suitable solutions to allow the continuation of the Agreement and, where this is not possible, each Party’s right to withdraw from the Agreement and from the Data Processing Agreement is reserved, by giving written notice to the other Party within 30 days of the Customer’s objection to the use of the new Sub-processors.
10. Personal data breach
10.1 In the event of a security breach that may have an impact on personal data processed by Compri on behalf of the Customer, Compri shall: (a) notify the Customer within 48 hours of discovery; (b) promptly take reasonable measures to minimise the consequences and protect the Customer’s personal data.
10.2 The notification contains the summary information useful to the Customer to fulfil the obligations referred to in Articles 33 and 34 of the GDPR, including at least a description of the breach comprising an indication of the nature of the breached data and of their extent.
10.3 Pending the technical investigations necessary to determine the characteristics and extent of the breach, Compri is entitled to make a partial notification of the incident. Upon completion of such technical investigations, the Processor shall provide the Customer with a supplementary notification.
10.4 The Customer is solely responsible for compliance with the incident notification obligations applicable to the Customer and for the fulfilment of any notification/communication obligation towards third parties in relation to any Incident.
10.5 Compri’s notification of, or response to, an Incident under this clause shall not be construed as an acknowledgement by Compri of any fault or liability in relation to the Incident.
10.6 The Customer notifies Compri of any security breaches, including those not concerning personal data, that may compromise the security of the SaaS infrastructure, such as, by way of example only, the loss of control over the credentials assigned to users.
11. Transfers of data outside the European Economic Area
11.1 The Customer accepts and authorises that Compri may process (including through Sub-processors) the Customer’s Personal Data within and outside the EEA, provided that such processing is supported by appropriate transfer mechanisms pursuant to Chapter V of the GDPR.
11.2 Should Compri intend to make use of one or more Sub-processors established outside the EEA and no transfer mechanisms other than the Standard Contractual Clauses referred to in Article 46(2)(c) of the GDPR and Commission Implementing Decision (EU) 2021/914 are available, the Parties agree that: (a) the Processor and its Sub-processor(s) shall be regarded as “parties” within the meaning of “MODULE THREE: Transfer processor to processor” of the Standard Contractual Clauses; (b) Annexes 1-3 of this DPA shall replace, or be substantially reflected in, the annexes to the Standard Contractual Clauses.
12. Term and termination
12.1 The term of the DPA takes effect from the date of entry into force of the Agreement and applies for as long as personal data processing carried out by the Processor on behalf of the Customer is ongoing.
13. Deletion and export of data
13.1 Compri guarantees, for the entire term of this DPA, the possibility for the Customer to export and/or delete the data automatically or upon request to be submitted by email. In the latter case, Compri shall give effect to the Customer’s request as soon as reasonably possible.
13.2 Compri may retain the Customer’s Personal Data that have been stored through regular backup operations in compliance with its own or its Sub-processors’ disaster recovery and business continuity protocols, provided that Compri — without prejudice to clause 3.2(b) — does not process, and does not allow its Sub-processors to process, such personal data actively or intentionally for any purpose beyond those covered by this DPA.
13.3 Upon termination, for any reason, of this DPA, the Processor shall be required, unless otherwise instructed in writing by the Customer, alternatively to:
- cease all processing activity concerning the personal data;
- anonymise the personal data in its possession through the irreversible deletion of the database rows associated with the data subjects.
13.4 The Parties acknowledge and accept that, beyond the date of termination of the Agreement, the personal data processing necessary for strictly technical purposes shall in any event take place, such as, by way of example only, the carrying out of personal data deletion operations, the management of backup copies, or compliance with legal or regulatory obligations.
14. Amendments
14.1 The Processor is entitled to amend the DPA in order to:
- reflect the technical changes within the SaaS and the relevant Modules so as to keep the content of Annex 1 up to date and accurate (e.g. in the case of the introduction of new features within a module or the inclusion of a new Module in Compri’s commercial offer);
- update or amend the list of security measures referred to in Annex 2, provided that security levels appropriate to the state of the art and suitable to reduce the risks to the rights and freedoms of data subjects are maintained;
- update or amend the list of Sub-processors referred to in Annex 3, without prejudice to compliance with the notification obligations and the Customer’s right of objection referred to in clause 9.
14.2 The Amendments shall be communicated to the Customer with at least 30 days’ notice prior to their entry into force, with the exception of those referred to in clause 14.1(b), which shall be immediately effective upon expiry of the objection period granted to the Customer pursuant to clause 9.2.
15. Liability
15.1 The Parties acknowledge and accept that, where a natural person concerned by the processing claims, against the Parties, to have suffered damage — material or non-material — caused by an infringement of European and national legislation:
- the Party to which liability for the infringement is directly attributable, pursuant to Article 82(2) of the GDPR, shall be fully liable for the material or non-material damage caused to the data subject, hereby declaring that it shall indemnify and hold harmless the other Party, where the latter has not failed to comply with the obligations of European and national legislation specifically directed at it;
- where Compri and the Customer are involved in the same processing and are both responsible for the damage caused, pursuant to paragraphs 2 and 3 of Article 82 of the GDPR, each of the two shall be jointly and severally liable for the entire amount of the damage, without prejudice, for both, to the right of recourse against the other for the share of compensation due to it on the basis of the damage caused, as defined in clause 15.2;
- in the event that the damage caused to the Injured Party is due to the infringement of the provisions of this Data Processing Agreement or of European and national legislation and is wholly attributable to the Processor, Compri shall fully compensate the Customer, where the latter has compensated, in whole or in part, the damage to the Injured Party;
- each Party shall indemnify or compensate the other Party where and to the extent that it has contributed to causing the damage claimed by the Injured Party, or has failed to adopt appropriate mitigation measures, or has infringed provisions of this Data Processing Agreement or of European and national legislation.
15.2 In the case referred to in clause 15.1(c), the measure of the indemnity or compensation, calibrated to the share of liability with respect to the extent of the damage caused, is established jointly by the Parties by means of an agreement negotiated in good faith.
16. Governing Law and Jurisdiction
16.1 The Parties submit the DPA to the law and jurisdiction chosen in the Agreement. Accordingly, any disputes or claims that may arise under this DPA, including disputes relating to its existence, validity or termination or to the consequences of its nullity, are subject to the forum chosen in the Agreement.
17. Final Provisions
17.1 In the event of conflict between this DPA and the Agreement, the former prevails on matters concerning the processing of personal data.
17.2 For anything not expressly provided for in this DPA, reference is made to the Applicable Legislation.
17.3 Any invalidity or unenforceability of a provision of this DPA does not affect the remaining provisions, which remain fully valid and in force. The invalid or unenforceable provision shall be (i) amended to the extent necessary to ensure its validity and enforceability, preserving as far as possible the original intentions of the Parties or, if this is not possible, (ii) interpreted as if it had never been included in the body of the agreement.
17.4 The Processor is entitled to redact, from the documentation and information provided in response to requests made by the Customer under the DPA, that information whose disclosure could entail, even in the abstract, a breach of the personal data protection obligations to which the Processor is subject, or the disclosure of information subject to industrial secrecy or otherwise liable to harm the Processor’s business know-how.
Annex 1 – Description of the processing
Part 1 – General characteristics of the processing of personal data
The following information refers to all data processing carried out through the SaaS, irrespective of the module purchased.
| Field | Details |
|---|---|
| Nature of the processing | Provision of the Compri SaaS |
| Purpose of the processing | Provision of the service and of the basic IT infrastructure |
| Duration of the processing | For the entire period of use of the SaaS by the Customer, in addition to any processing necessary for technical purposes |
| Categories of data subjects | Customer’s employees |
| Categories of personal data | Identification data (first name, surname, job position); contact data (email addresses); data inherent in the management of the electronic communication system (IP address, HTTPS protocol data); navigation data; data associated with the user account |
| Special categories of data | n/a |
Part 2 – Processing characteristics specific to the individual SaaS modules
The following information refers to the data processing carried out through specific SaaS modules, to be verified on the basis of those actually purchased by the Customer, and must be considered additional to that indicated in Part 1.
| Field | Details |
|---|---|
| Module | Order Management & Visibility |
| Nature of the processing | Analysis of orders and of the activities relating to individual suppliers, through access to the ERP and to the email inbox (of the individual employee or shared) linked to the Compri account |
| Categories of data subjects | Customer’s employees; employees of the Customer’s suppliers; self-employed suppliers or sole proprietorships |
| Categories of personal data | Identification data (first name, surname, job position, corporate role and department); contact data (email addresses, company mobile number); banking and tax data (VAT number, IBAN); content of email communications |
| Special categories of data | n/a |
| Field | Details |
|---|---|
| Module | Request For X |
| Nature of the processing | Sending requests for quotation to multiple suppliers |
| Categories of data subjects | Employees of the Customer’s suppliers; self-employed suppliers or sole proprietorships |
| Categories of personal data | Identification data (first name, surname); contact data (email addresses) |
| Special categories of data | n/a |
| Field | Details |
|---|---|
| Module | Onboarding |
| Nature of the processing | Centralised management of the supplier onboarding and accreditation process |
| Categories of data subjects | Employees of the Customer’s suppliers; self-employed suppliers or sole proprietorships; directors and statutory auditors of supplier companies; family members of directors and statutory auditors of supplier companies |
| Categories of personal data | Identification data (first name, surname, job position); contact data (email addresses); presence or absence of grounds for incompatibility; declarations for anti-money-laundering purposes |
| Special categories of data | n/a |
| Field | Details |
|---|---|
| Module | Compliance |
| Nature of the processing | Centralised management of the corporate processes for verifying suppliers’ regulatory compliance |
| Categories of data subjects | Employees of the Customer’s suppliers; self-employed suppliers or sole proprietorships |
| Categories of personal data | Identification data (first name, surname, job position); contact data (email addresses) |
| Special categories of data | n/a |
| Field | Details |
|---|---|
| Module | Documents |
| Nature of the processing | Access to and management of the documents relating to the relationship with suppliers |
| Categories of data subjects | Employees of the Customer’s suppliers; self-employed suppliers or sole proprietorships; directors of the Customer’s suppliers |
| Categories of personal data | Identification data (first name, surname, date of birth, job position, corporate role and department); contact data (email addresses, company mobile number); banking and tax data (VAT number, IBAN); content of email communications; handwritten signatures |
| Special categories of data | n/a |
| Field | Details |
|---|---|
| Module | Analytics |
| Nature of the processing | Analysis in aggregated form of the information relating to supplier management |
| Categories of data subjects | Self-employed suppliers or sole proprietorships |
| Categories of personal data | Identification data (first name, surname); contact data (email addresses) |
| Special categories of data | n/a |
| Field | Details |
|---|---|
| Module | Vendor Management |
| Nature of the processing | Detailed management of activities |
| Categories of data subjects | Self-employed suppliers or sole proprietorships |
| Categories of personal data | Identification data (first name, surname); contact data (email addresses); creditworthiness |
| Special categories of data | n/a |
| Field | Details |
|---|---|
| Module | Insights |
| Nature of the processing | Analysis of managed spend and supplier positions to identify savings or margin opportunities |
| Categories of data subjects | Employees of the Customer’s suppliers; self-employed suppliers or sole proprietorships |
| Categories of personal data | Identification data (first name, surname, date of birth, job position, corporate role and department); contact data (email addresses, company mobile number) |
| Special categories of data | n/a |
| Field | Details |
|---|---|
| Module | Intake Orchestration |
| Nature of the processing | Internalised management of the process for submitting and validating purchase requests |
| Categories of data subjects | Employees of the Customer’s suppliers; self-employed suppliers or sole proprietorships |
| Categories of personal data | Identification data (first name, surname, date of birth, job position, corporate role and department); contact data (email addresses, company mobile number) |
| Special categories of data | n/a |
| Field | Details |
|---|---|
| Module | Contracts |
| Nature of the processing | Management and analysis of contracts |
| Categories of data subjects | Employees of the Customer’s suppliers; self-employed suppliers or sole proprietorships; directors of the Customer’s suppliers |
| Categories of personal data | Identification data (first name, surname, date of birth, job position, corporate role and department); contact data (email addresses, company mobile number); banking and tax data (VAT number, IBAN); handwritten signatures |
| Special categories of data | n/a |
| Field | Details |
|---|---|
| Module | DDT (transport documents) |
| Nature of the processing | Management and analysis of transport documents |
| Categories of data subjects | Employees of the Customer’s suppliers; self-employed suppliers or sole proprietorships; directors of the Customer’s suppliers |
| Categories of personal data | Identification data (first name, surname, date of birth, job position, corporate role and department); contact data (email addresses, company mobile number, business address); handwritten signatures |
| Special categories of data | n/a |
| Field | Details |
|---|---|
| Module | Procurement AI Assistant |
| Nature of the processing | Analysis of documentation and support via an AI-enhanced chatbot |
| Categories of data subjects | Employees of the Customer’s suppliers; self-employed suppliers or sole proprietorships; directors of the Customer’s suppliers |
| Categories of personal data | Identification data (first name, surname, date of birth, job position, corporate role and department); contact data (email addresses, company mobile number, business address); other information constituting personal data contained within the documentation entered by the user |
| Special categories of data | n/a |
Items: the use of the “Items” module does not entail the processing of personal data.
Budget: the use of the “Budget” module does not entail the processing of personal data.
Part 3 – Additional consultancy services
The following information refers to the data processing carried out where the Customer activates the consultancy and support services.
| Field | Details |
|---|---|
| Module | Customer Success support premium |
| Nature of the processing | Analysis of documentation and support via an AI-enhanced chatbot |
| Purpose of the processing | Provision of the consultancy services |
| Duration of the processing | For the entire duration of the consultancy activity |
| Categories of data subjects | All categories of data subjects involved within the Modules purchased by the Customer |
| Categories of personal data | All categories of personal data processed within the Modules purchased by the Customer |
| Special categories of data | n/a |
Annex 2 – Security Measures
Section 1 – Certifications
- ISO/IEC 27001 Information security, cybersecurity and privacy protection — Information security management systems — Requirements
Section 2 – List of the security measures in place
| Scope | Classification | Detailed requirement |
|---|---|---|
| Data Center security measures | System or SW access (authentication) | Adoption of measures aimed at ensuring that: administration access by the Processor is reserved to staff assigned the qualification (“role”) of system administrator, by virtue of high technical capabilities and characteristics of proven reliability and integrity; administrative access to the systems by the Customer’s staff takes place through multi-factor authentication (MFA) procedures. |
| Data Center security measures | System or SW access (management policy) | For services that provide for an administrative management mode of the infrastructure components, the following policies must be provided: user accounts that allow identification of the administrator carrying out the intervention; activation of a log-management process that identifies log-in, log-out and failed log-in; retention of logs in a format that ensures their integrity and readability over time; retention of logs for at least six (6) months; annual review of the system administrators’ activity; access to the systems through VPN and MFA. |
| Data Center security measures | Log management | Functionality for the tracking or recording (logging) of the accesses and activities carried out by Users. The logs concerning the activities carried out must be appropriately protected to ensure their integrity and confidentiality. Such functionality can be activated by the Customer’s system administrator or by Compri House at the Customer’s request. |
| Data Center security measures | Auditing | Use of the log management and analysis system also for monitoring the activities of the system administrators. Access to the log management system is reserved to staff having the role of auditor and is not permitted for staff in charge of system administration. |
| Data Center security measures | Encryption of communication protocols | Application of standard, secure and non-obsolete cryptographic communication protocols, in cases where access to the system is carried out via the Internet. |
| Data Center security measures | Threats and Vulnerabilities | Adoption of a threat and risk management programme to continuously monitor the vulnerabilities of the SaaS Platforms indicated by international best practices, through the planning and execution of internal and external vulnerability scans and penetration tests. The identified vulnerabilities must be assessed to determine the associated risks, and appropriate corrective actions established on the basis of the assigned priority and the severity detected. |
| Data Center security measures | Firewalling | Adoption of firewall systems aimed at filtering and containing traffic, identifying any anomalous traffic indicative of possible cyber attacks. |
| Data Center security measures | Intrusion Prevention | Protection of the environment through which the Processor’s service is provided by means of an Intrusion Prevention System (IPS) that allows all incoming traffic to be analysed, immediately identifying attack attempts in progress. Network traffic, on significant segments of the platform, passes through systems that inspect every packet of traffic in transit. |
| Data Center security measures | Malware protection | Adoption of measures to protect against malicious-software infections, to defend against unauthorised actions and suspicious applications, and to protect against attempts to misappropriate personal data (e.g. through antivirus, anti-spam, anti-phishing systems, etc., kept constantly updated). |
| Data Center security measures | Filesystem Antivirus | Adoption of Antivirus modules on the filesystem on all servers used for the provision of the services, with the possibility of configuring, on a project basis, specific antivirus products centrally managed in terms of updating, policy distribution, launching of on-demand scans, notifications and management of the quarantine area. |
| Data Center security measures | Monitoring and incident management | Adoption of policies and procedures for the identification, intervention, remediation and reporting of incidents that give rise to a risk to the integrity or confidentiality of personal data or to other security breaches. |
| Data Center security measures | Security Patch Management | Subjecting the platform to a periodic process of verifying the patches or fixes available in relation to the components of the delivery infrastructure and to those deemed critical for the provision of the service or for security. |
| Data Center security measures | Physical security | Application of appropriate physical security measures to the designed hardware/software platform (e.g. use of hosting providers / data-center services equipped with appropriate systems for preventing the risk of intrusion, fire, flooding, etc.). |
| Data Center security measures | Anti-flooding | Adoption, within the Data Center, of all measures necessary to prevent flooding (such as the presence of probes, alarm systems, etc.). |
| Data Center security measures | Anti-intrusion | Setting up, in the Data Center, of an access-control system that identifies those who enter and prevents access by unauthorised persons. The procedure must also provide for Change management, with the activation and deactivation of access authorisation according to changes of role. |
| Data Center security measures | Closed-circuit cameras | Installation of cameras (CCTV) for monitoring the building perimeter, the entrances, the interlocking doors and any other critical areas. |
| Data Center security measures | Air conditioning | Adoption of appropriate air-conditioning and cooling systems for the premises and equipment. |
| Data Center security measures | Continuity and emergency | Adoption of procedures and controls to be carried out in order to ensure the necessary level of continuity and availability of the system/SW (in the event of an incident / personal data breach). The procedures must include the instructions for the retention of backup copies as well as a disaster recovery plan. |
| Data Center security measures | Data deletion | Provision of measures for the deletion of production data at the end of the provision of the service, in accordance with the contractual terms defined with the Customer. |
| Data Center security measures | Sub-supplier management | Selection and verification of the requirements of the sub-supplier that takes over the systems management of the servers and infrastructure necessary for the performance of the Services, and signing of a contract binding that sub-supplier to compliance with the obligations concerning the security measures. |
| Connectivity | Internet lines and bandwidth | Provision of measures aimed at ensuring adequate connectivity in accordance with the service levels contractually defined with the Customer. |
| Connectivity | Firewalling | Protection of access to the systems against the risk of intrusion through appropriate firewalling measures. |
| Network security | AntiDDoS | Provision by the Data Center of a service capable of responding effectively to the problems created by attacks (“DDoS”). |
| Network security | IDS/IPS | Adoption of an IPS (Intrusion Prevention System) capable of automatically blocking detected attacks and an IDS (Intrusion Detection System) capable of intercepting threats, thereby providing real-time protection to the services provided by the Data Center. |
| Governance | Training | Periodic provision of training courses on security and personal data protection to its employees involved in processing activities. |
| Governance | Geographic location | Declaration by Compri to the Customer of the geographic location of the DC and of the data. |
| Governance | Data breach | Adoption of procedures for the identification, containment and resolution of risk situations (e.g. personal data breaches) for the security of data and systems in the post-intrusion phase. |
| Governance | Logical security | Re-evaluation, at least annually, of the security measures and procedures applied, so as to update them in relation to the vulnerabilities detected, the attacks suffered and the evolution of technology. |
Annex 3 – List of Sub-processors
| Sub-processor | Nature of the processing | Terms of service |
|---|---|---|
| Amazon Web Services | Cloud and host providing | https://aws.amazon.com/it/service-terms/ |
| Mongo DB Limited | Database management service | https://www.mongodb.com/legal/terms-and-conditions/cloud |
| Microsoft Inc | Provision of the Azure Service generative-AI service | https://www.microsoft.com/licensing/terms/product/ForOnlineServices/MCA |
| Anthropic PBC | Provision of the Claude API generative-AI service | https://www.anthropic.com/legal/data-processing-addendum |
| Google Inc | Provision of the Google Gemini API generative-AI service via Google Studio | https://business.safety.google/processorterms/ |
| DataDog | Observability and Security service on the SaaS | https://www.datadoghq.com/legal/data-processing-addendum/ |