
ANNEX C – DATA PROCESSING AGREEMENT FOR THE SUPPLY OF COMPRI'S SOFTWARE AS A SERVICE IN TRIAL

Between

Customer, as defined in the Commercial Agreement (hereinafter “Controller”);

And

Compri, as defined in the Commercial Agreement (hereinafter “Processor”);

(The Controller and the Processor are hereinafter also referred to individually as the “Party” and jointly as the “Parties”).

Given that:


  1. a Commercial Agreement (hereinafter “Agreement”) has been entered into between the Data Controller and the Data Processor, to which this Data Processing Agreement (hereinafter “DPA”) is attached and of which it forms an integral and substantial part;

  2. the object of the Agreement is the initial supply of the SaaS Compri (hereinafter “ SaaS ”), aimed at managing and streamlining the Customer's supply chain;

  3. the execution of the Agreement involves the processing of personal data;

  4. with respect to said processing, the Customer acts as data controller, and Compri acts as data processor;

  5. the Parties intend to agree, pursuant to and for the purposes of art. 28(2) of EU Regulation 2016/679 (“GDPR”), on the nature, purpose and duration of the processing, the type of personal data, the categories of data subjects, and their respective rights and obligations arising from the processing of personal data carried out through the SaaS.

In light of the above, the Parties agree as follows:

  1. Purpose and description of the processing

    1. The purpose of this DPA is to ensure compliance with Article 28, paragraphs 3 and 4, of the GDPR.

    2. The processing covered by this agreement consists in the provision of the SaaS in trial mode, carried out for the purpose of providing the service and, specifically, in order to:

      1. implement the trial version of the SaaS on the Customer's systems;

      2. perform testing and analysis activities related to the trial;

      3. manage the SaaS IT infrastructure, user accounts, and security.

    3. The data subjects are the persons to whom the personal data entered into the SaaS by the Customer refers.

    4. The categories of personal data processed are those determined by the Customer through input into the SaaS.

    5. The processing lasts for the same period as the Agreement, except for processing activities technically necessary to ensure the correct deletion or return of data, as well as the management of backup copies and other activities related to the security and ordinary administration of the SaaS. If the final agreement is signed, the clauses for processing personal data set forth therein shall apply, and this DPA shall cease to have effect.


  2. Obligations of the Controller

    1. The Data Controller undertakes to comply with applicable legislation, as well as to process the data in accordance with any other applicable legal provision that has or may have binding effects on the methods and guarantees to be applied to the processing of personal data.

    2. The Data Controller undertakes to verify the data processing methods best suited to carrying out the testing activities, taking care to ensure compliance with the principle of personal data minimization, providing, where possible, for the use of synthetic, pseudonymous data, or, in any case, information specifically identified for the testing activities.

    3. The Data Controller undertakes to verify and demonstrate that the data entered into the SaaS is collected and processed on an appropriate legal basis, as well as in compliance with any other transparency obligations imposed by Applicable Law.

    4. The Data Controller undertakes to process personal data in compliance with the principle of legality and, in particular, to ensure that applicable provisions of labor law are complied with.

    5. Under no circumstances shall the Processor be held liable for any violation of the Applicable Regulations resulting from the Data Controller's conduct or from the application of the Instructions given by the Data Controller.

    6. The Data Controller is responsible for demonstrating compliance with applicable legislation and related industry obligations.

    7. In any case, the Processor's obligations do not include determining the lawfulness of the data processing activities carried out on behalf of the Data Controller, nor any verification of the compliance of the processing carried out via the SaaS with the applicable legislation.


  3. Obligations of the Processor

    1. The Processor processes personal data exclusively for the purposes and according to the methods described in Article 1 of this DPA, unless required by Union or national law to which the Processor is subject.

    2. The Processor shall immediately inform the Data Controller if the processing methods determined by the Data Controller violate the Applicable Law.

    3. The Processor maintains and updates the Register of Processing Activities pursuant to Art. 30(2) GDPR, with particular reference to the activities carried out on behalf of the Data Controller.


  4. Assistance to the Controller

    1. The Processor provides reasonable assistance to the Controller in carrying out data protection impact assessments and in prior consultations with the Supervisory Authorities or other competent data protection authorities, as necessary for the Controller to comply with Articles 35 and 36 of the GDPR.

    2. The Parties agree that any inspections by the Controller will be carried out only in documentary form, without the Controller being able to access the Processor's premises.

    3. The request for assistance must contain an indication of the processing activities and obligations being verified.


  5. Requests from Data Subjects

    1. In the event that the Data Processor receives requests regarding the rights of Data Subjects, it is obliged to communicate such requests to the Data Controller, attaching a copy to the communication.

    2. The Data Processor undertakes to assist the Data Controller by implementing appropriate technical and organizational measures to respond to requests from Data Subjects.


  6. Data security

    1. The Processor implements the technical and organizational measures specified in the Annex "List of Security Measures" to ensure the security of personal data.

    2. When assessing the appropriate level of security, the Parties shall take due account of the state of the art, the costs of implementation, as well as the nature, scope, context and purposes of the processing, as well as the risks to the Data Subjects.


  7. Persons in charge of processing

    1. The Processor grants access to the personal data undergoing processing to members of its staff only to the extent strictly necessary for the implementation, management and supervision of the processing operations covered by this DPA.

    2. The Processor ensures that the persons authorized to process the personal data received have committed to confidentiality or are under an appropriate legal obligation of confidentiality and have received appropriate authorization to process the personal data.


  8. Sub-processors

    1. The Processor has the general authorization of the Data Controller to use the Sub-processors listed in the Annex "List of Sub-processors".

    2. In any case, the Processor undertakes to engage Sub-Processors who present sufficient guarantees to ensure an adequate level of protection of personal data, and to sign a written agreement with each Sub-Processor which imposes on the Sub-Processor, in substance, the same obligations to which the Processor is subject towards the Data Controller.


  9. Personal data breach

    1. In the event of a security breach that may impact personal data processed by the Processor on behalf of the Data Controller, the Processor undertakes to notify the incident within 48 hours of its discovery.

    2. The notification contains summary information useful for the Data Controller to fulfill the obligations set forth in Articles 33 and 34 of the GDPR, including at least a description of the breach, including the nature and extent of the data breached.

    3. Pending the technical investigations necessary to determine the characteristics and extent of the breach, the Processor has the right to provide a partial notification of the incident. Upon completion of these technical investigations, the Processor must provide the Data Controller with a supplementary notification.

    4. The Data Controller shall notify the Data Processor of any security breaches, including those not involving personal data, that may compromise the security of the SaaS infrastructure, such as, but not limited to, the loss of control over the credentials assigned to users.


  10. Transfer of data outside the European Economic Area

    1. Any transfer of data to a third country or an international organization by the Controller is carried out in compliance with Chapter V of the GDPR.


  11. Duration and termination

    1. The DPA term is effective from the date of signing the Agreement and applies for as long as personal data is being processed by the Processor on behalf of the Controller.

    2. Upon termination, for any reason, of this DPA, the Processor shall be required, unless otherwise instructed in writing by the Data Controller, to either:

      a) cease all processing activities involving personal data;

      b) anonymize the personal data in its possession through the non-reversible deletion of the database rows associated with the Data Subjects.


  12. Final Provisions

    1. The execution of the activities referred to in this DPA does not give rise to any right on the part of the Processor, or any Sub-Processor, to receive compensation other than that contractually agreed between the Parties in the Agreement.

    2. In the event of any conflict between this DPA and the Agreement, the DPA shall prevail with respect to matters relating to the processing of personal data.

    3. For anything not expressly provided for in this DPA, please refer to the applicable Data Protection Legislation.

    4. If any provision of this DPA is held to be invalid or unenforceable, the remaining provisions will remain in full force and effect. The invalid or unenforceable provision will be (i) modified to the extent necessary to ensure its validity and enforceability, preserving to the greatest extent possible the original intentions of the Parties, or, if this is not possible, (ii) interpreted as if it had never been included in the body of the Agreement.

  13. Governing Law and Competent Court

The Parties submit this DPA to the law and jurisdiction chosen in the Agreement. Therefore, any disputes or claims arising under this DPA, including disputes relating to its existence, validity, or termination or the consequences of its invalidity, shall be subject to the forum chosen in the Agreement.

List of Security Measures

Procurement AI Assistant

Columns: Scope / Cataloging / Detail requirement

Scope: Data Center Security Measures

Access to the System or SW (authentication)
Adoption of measures aimed at ensuring that:
- administrative access by the Processor is reserved for personnel who are assigned the qualification (“role”) of system administrator, by virtue of high technical skills and characteristics of proven reliability and morality;
- administrative access to the systems by the Customer's personnel takes place through multi-factor authentication (MFA) procedures.

Access to the System or SW (management policy)
For services that provide for an administrative management method of the infrastructure components, the following policies must be in place:
- user accounts that allow the identification of the administrator who carries out the intervention;
- activation of a log management process that records logins, logouts and failed logins;
- storage of logs in a format that guarantees their integrity and readability over time;
- storage of logs for at least six (6) months;
- annual verification of the work of system administrators;
- access to systems via VPN and MFA.

Log management
Features for tracking or recording (logging) user access and activity. Activity logs must be appropriately protected to ensure their integrity and confidentiality. These features must be activated by the customer's system administrator or by the software house at the customer's request.

Auditing
Use of the log management and analysis system to monitor system administrator activity. Access to the log management system is reserved for auditors and is not permitted to system administration personnel.

Encryption of communication protocols
Application of secure and non-obsolete standard cryptographic communication protocols in cases where access to the system is made via the Internet.

Threats and Vulnerabilities
Implementation of a threat and risk management program to continuously monitor SaaS platform vulnerabilities, as defined by international best practices, by planning and executing internal and external vulnerability scans and penetration tests. Identified vulnerabilities must be assessed to determine the associated risks, and appropriate corrective actions established based on their assigned priority and detected severity.

Firewalling
Adoption of firewall systems aimed at filtering and containing traffic by identifying any anomalous traffic that could indicate potential cyber attacks.

Intrusion Prevention
Protection of the environment through which the Processor's service is provided by means of Intrusion Prevention Systems (IPS) that analyze all incoming traffic and immediately identify any ongoing attack attempts. Network traffic on significant segments of the platform passes through systems that inspect every packet in transit.

Malware protection
Adoption of measures to protect against malware infections, unauthorized actions, suspicious applications, and attempts to steal personal data (e.g., through constantly updated antivirus, anti-spam, anti-phishing systems, etc.).

Filesystem Antivirus
Adoption of filesystem antivirus modules on all servers used to provide services, with the option of configuring, on a project-by-project basis, specific antivirus products that are centrally managed in terms of updates, policy distribution, on-demand scan launches, notifications, and quarantine area management.

Incident monitoring and management
Adoption of policies and procedures for identifying, responding to, remediating, and reporting incidents that pose a risk to the integrity or confidentiality of personal data or other security breaches.

Security Patch Management
Subjecting the platform to a periodic verification process for available patches or fixes relating to the components of the delivery system and those deemed critical for the provision of the service or for security.

Physical security
Application of adequate physical security measures to the designed hardware/software platform (e.g., use of hosting providers/data center services equipped with adequate systems to prevent the risk of intrusion, fire, flooding, etc.).

Anti-flooding
Adoption of all necessary measures within the Data Center to prevent flooding (such as the presence of probes, alarm systems, etc.).

Anti-intrusion
Setting up an access control system in the data center that identifies those who access it and prevents unauthorized access. The procedure must also include change management, activating and deactivating access authorizations based on role changes.

Closed circuit cameras
Installation of CCTV cameras to monitor the building perimeter, entrances, interlocking doors, and any other critical areas.

Conditioning
Adoption of adequate air conditioning and cooling systems for rooms and equipment.

Continuity and emergency
Adoption of procedures and controls to ensure the necessary level of system/software continuity and availability (in the event of an incident/personal data breach). Procedures must include instructions for maintaining backup copies as well as a disaster recovery plan.

Data deletion
Provision of measures for the deletion of production data at the end of the service provision according to the contractual terms defined with the Customer.

Subcontractor management
Selection and verification of the requirements of the subcontractor who will manage the systems and infrastructure required to perform the Services, and signing of a contract that binds the subcontractor to comply with the obligations regarding security measures.

Scope: Connectivity

Internet lines and bandwidth
Implementation of measures to ensure adequate connectivity in compliance with the service levels contractually defined with the Customer.

Firewalling
Firewall measures.

Scope: Network security

AntiDDoS
Provision by the Data Center of a service capable of responding effectively to the problems created by distributed denial-of-service attacks (“DDoS”).

IDS/IPS
Adoption of an IPS (Intrusion Prevention System) capable of automatically blocking detected attacks and an IDS (Intrusion Detection System) capable of intercepting threats, thus providing real-time protection to the services provided by the Data Center.

Scope: Governance

Training
Provision of periodic training courses on personal data security and protection to employees involved in data processing activities.

Geographic location
Declaration by the software house (SWH) to the Customer of the geographical location of the data center and the data.

Data breach
Adoption of procedures for identifying, containing, and resolving risk situations (e.g., personal data breaches) for data and system security in the post-intrusion phase.

Logical security
Reassessment of the security measures and procedures in place at least annually, to update them based on detected vulnerabilities, attacks, and technological developments.

Annex C-quater – List of sub-processors

Columns: Sub-processor / Nature of the processing / Terms of service

Amazon Web Services: cloud and hosting provision

Mongo DB Limited: database management service

Clickhouse Inc: database management service

Microsoft Inc: provision of the Azure generative AI service

Anthropic PBC: provision of the Claude API generative AI service

Google Inc: provision of the Google Gemini API generative AI service via Google Studio

compri helps you handle your day to day procurement activities all in one place and 10x faster.

Compri’s newsletter

© compri S.r.l 2024

Viale Tunisia 42, 20124, Milan, Italy

VAT: 13568830965

© 2025 Compri UI. All rights reserved.
