This Data Processing Agreement ("Agreement") is entered into by and between
you, as
and
iubenda s.r.l.
Via San Raffaele, 1
20121 Milan
Italy
legal representative, Andrea Giannangelo
The subject matter of the Agreement results from the main contract signed by the parties for the provision of the iubenda services (“Contract”). The Processor shall carry out the processing activities described therein,
with respect to the following categories of Personal Data:
and referring to the following categories of Data Subjects:
Notwithstanding the Controller's location, unless otherwise stated herein - in particular with regard to Subprocessors pursuant to sec. 7 below - all data processing activities carried out by the Processor shall be executed within the territories of the European Union / European Economic Area (EU/EEA).
In this Agreement, unless otherwise required by the context, the following terms shall have the meaning set forth below:
a. "Agreement" refers to this Data Processing Agreement and all its corresponding Schedules, and any amendments thereto.
b. "Applicable Data Protection Laws" refers to - as the case may be - any applicable privacy and data protection laws and regulations, such as, for instance, the: (i) EU General Data Protection Regulation (Regulation 2016/679) ("GDPR"); (ii) Federal Act on Data Protection of Switzerland ("FADP"); (iii) Lei Geral de Proteção de Dados of Brazil No. 13,709/2018 ("LGPD"); and (iv) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (United Kingdom General Data Protection Regulation) ("UK GDPR").
c. "Controller" means the entity which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
d. "Data Subject(s)" means the individual to whom Personal Data relates.
e. "ISO 27001 certification" refers to a widely recognized international standard for information security management systems. It specifies the requirements for establishing, implementing, maintaining, and continually improving an organization's information security management system (ISMS). ISO 27001 certification demonstrates that the Processor has implemented a comprehensive set of security controls and measures to protect the confidentiality, integrity, and availability of information assets, and has undergone an independent assessment and audit by a certification body to verify compliance with the ISO 27001 standard.
f. "Personal Data" means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
g. "Processing" means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
h. "Processor" means a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller.
i. "Subprocessor" means any Processor engaged by the Processor who agrees to receive from the Processor Personal Data exclusively intended for the Processing activities to be carried out on behalf of the Controller after the latter has authorized such subcontracting.
l. "Technical and Organisational Measures" means those measures aimed at protecting Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access and against all other unlawful forms of Processing.
All capitalized terms not defined herein shall have the meaning set forth in the GDPR, FADP, LGPD, UK GDPR and any Applicable Data Protection Laws.
The Processor agrees to process the Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country or an international organization unless required to do so by Applicable Data Protection Laws to which the Processor is subject.
The Processor commits to adopt and implement all necessary technical and organizational measures that provide a level of security appropriate to the risk involved in the Processing and the nature of the Personal Data to be protected. These measures shall, amongst others, safeguard Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.
Specific details of these measures are laid out in Appendix I.
The Processor is committed to supporting the Controller in ensuring compliance with the rights of Data Subjects under Applicable Data Protection Laws.
The rights granted to the Controller under this Agreement, including but not limited to the right to rectification, restriction, and erasure or return of data, can be exercised through the ticketing system or by contacting the Processor at the email address info@iubenda.com.
The Processor ensures the compliance of its data Processing activities and strict adherence to its obligations under the Applicable Data Protection Laws. This includes:
a. Documentation and implementation of specific procedures: the Processor shall keep a record of the processing activities carried out on behalf of the Controller, inclusive of the information required under Applicable Data Protection Laws.
b. Data Minimization: the Processor shall ensure that Personal Data is adequate, relevant, and limited to what is strictly necessary in relation to the purposes for which they are processed.
c. Data Accuracy: the Processor shall take every reasonable step to ensure that Personal Data that is inaccurate, considering the purposes for which it is processed, is erased or rectified without delay.
d. Data Availability, Integrity and Confidentiality: the Processor shall carry out its processing activities ensuring the security of Personal Data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, damage, or interruption, using appropriate Technical and Organisational Measures.
e. Cooperation with Controller: the Processor shall assist the Controller in ensuring compliance with the obligations concerning the security of processing, the notification of Personal Data breaches to the supervisory authority, the communication of Personal Data breaches to the Data Subject, the data protection impact assessments, and prior consultation in relation to high-risk processing.
f. Employee confidentiality: the Processor shall ensure that its employees engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities, and are bound by confidentiality obligations and use restrictions in respect of the Personal Data.
g. Response to Data Subjects: if the Processor receives a request from a Data Subject under any Applicable Data Protection Law in respect of Personal Data, the Processor shall advise the Data Subject to submit their request to the Controller and the Processor will notify the Controller of the request as soon as practicable.
h. Data Protection Impact Assessment (DPIA): upon the Controller's request, the Processor shall provide the Controller with the necessary information to carry out a DPIA as required by Applicable Data Protection Laws.
The Controller acknowledges and accepts that the Processor may engage Subprocessors to carry out processing activities under this Agreement. The currently engaged Subprocessors are hereby deemed as accepted by the Controller.
A list of Subprocessors can be requested by using the ticketing system or the email address info@iubenda.com.
The Processor commits to notify the Controller in advance about any planned change of Subprocessors and to collect the Controller’s approval before performing such change. The Processor shall in any case impose on Subprocessors the same data protection obligations as set out in this Agreement.
The Processor shall make available to the Controller on request all information necessary to demonstrate compliance with the obligations laid down in this Agreement and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.
Inspections and audits shall be agreed upon in advance with the Processor and take place without impairing the Processor's regular business operations. The Processor may charge the costs of such audits or inspections to the Controller.
The Processor shall implement and maintain appropriate procedures and technologies to detect, prevent, and respond to data breaches.
In the event of a Personal Data breach, the Processor will promptly and without undue delay notify the Controller upon becoming aware of it. This notification will include:
a. a description of the nature of the breach, including, where possible, the categories and approximate number of Data Subjects affected and the categories and approximate number of data records concerned;
b. the name and contact details of the Processor's data protection officer or another contact point where more information can be obtained;
c. a description of the likely consequences of the breach;
d. a description of the measures taken or proposed to be taken by the Processor to address the breach, including, where appropriate, measures to mitigate its possible adverse effects.
The Processor shall document any Personal Data breaches, comprising the facts relating to the Personal Data breach, its effects, and the remedial actions taken. The Processor will also assist the Controller in ensuring compliance with the Controller's obligations under Applicable Data Protection Laws concerning security breach notifications to the authorities and affected individuals.
The Processor shall not communicate the Personal Data breach to any third party or to the affected Data Subject without the prior written consent of the Controller, unless such communication is required by Applicable Data Protection Laws.
The Processor understands and accepts that any failure to assist the Controller as set out in this Article may lead to penalties and fines, for which the Processor will be held responsible.
This Article is without prejudice to any rights or remedies the Controller may have under this Agreement or Applicable Data Protection Laws.
After the provision of the services has been completed, or sooner if so directed by the Controller, the Processor shall, at the Controller’s discretion, delete or return all Personal Data collected and processed pursuant to this Agreement, unless the Processor is required to retain such Personal Data under any applicable legal provision.
Unless otherwise directed by the Controller, the Processor will retain the Personal Data for a period of six months after the termination of the Contract and the completed provision of the services, solely for the purpose of allowing the Controller to export it. After the expiration of the six-month retention period, the Processor shall delete all Personal Data.
Notwithstanding the foregoing, the Processor shall be entitled to retain, even after the provision of the services has been completed and the termination of the contract, all information necessary to demonstrate orderly and compliant processing, in accordance with statutory retention periods.
In accordance with the Processor's UNI CEI EN ISO/IEC 27001:2017 certification, the following key elements are implemented as technical and organizational measures:
a. Information Security Policies: The Processor has established and regularly reviews an information security policy that provides direction and support for information security in accordance with business requirements and relevant laws and regulations.
b. Organization of Information Security: The Processor assigns responsibilities for specific tasks to ensure effective management of information security.
c. Human Resource Security: The Processor has implemented security practices for employees and contractors throughout the course of their employment and job assignment.
d. Asset Management: The Processor maintains an inventory of assets and has defined appropriate protection responsibilities.
e. Access Control: The Processor ensures that employees and contractors have access only to the information and the assets associated with their job function.
f. Cryptography: The Processor uses encryption and key management for the protection of information.
g. Physical and Environmental Security: The Processor secures offices, rooms, and facilities to prevent unauthorized physical access, damage, and interference to the Processor's premises and information.
h. Operations Security: The Processor ensures correct and secure operations of information processing facilities.
i. Communications Security: The Processor implements networks and information transfers securely.
l. System Acquisition, Development, and Maintenance: The Processor ensures that information security is an integral part of the systems throughout their lifecycle.
m. Supplier Relationships: The Processor protects assets that are accessible to suppliers.
n. Incident Management: The Processor manages information security incidents and improvements.
o. Business Continuity Management: The Processor ensures the continuity of information security management in the event of business disruption.
p. Compliance: The Processor adheres to legal, statutory, regulatory, and contractual requirements, and to the Processor's policies and procedures.
q. Cloud Security: The Processor has implemented additional cloud security measures to protect data integrity, accessibility, and confidentiality. These measures include, but are not limited to, secure data transfer, secure software interfaces, secure data storage, user identity and access management, and infrastructure security. The Processor also conducts regular security audits of its cloud environment to identify and address potential vulnerabilities.
Further details regarding the Processor's ISO 27001 certification, including a copy of the certificate itself, can be requested through the Processor's ticketing system or via email.