invytly

Data Processing Agreement

Last updated: March 21, 2025

Preamble

In compliance with Article 28 of the General Data Protection Regulation (GDPR), this agreement defines the terms and conditions under which

  • The Client, acting as Data Controller (hereinafter the “Controller”)

appoints

  • Damiano Carradori (hereinafter the “Processor”)

for the execution of personal data processing activities necessary for the provision of services.

1. Purpose of the Agreement

1.1. The purpose of this agreement is to appoint the Processor and provide instructions regarding the processing of personal data in the context of the use of the Platform. The processing activities that the Processor may carry out are limited to those strictly necessary for the provision of services related to each active Project, and in accordance with the documented instructions of the Controller.

2. Duration

2.1. This agreement shall remain valid and binding for the entire duration of the contractual relationship between the Parties and shall apply to each Project activated by the Controller through the Platform. For each Project, data processing shall begin on the activation date and end upon its expiration, as set forth in the Terms and Conditions.

3. Types of Data and Categories of Data Subjects

3.1. The categories of personal data processed are:

  • Identification data (name, surname, email, etc.)
  • Statistical and navigation data
  • Other sensitive data that may be requested by the Controller during the use of the Platform

3.2. The personal data collected and processed relate to:

  • Clients
  • Potential clients
  • Internet users

4. Data Transfers

4.1. The Processor undertakes not to transfer personal data outside the European Economic Area (EEA), unless previously authorized in writing by the Controller, or for specific activities requiring such transfer, always in compliance with the lawful bases provided under the GDPR.

4.2. The Parties acknowledge that the processing of personal data covered by this agreement shall not take place outside the EEA.

5. Technical and Organizational Measures

5.1. Before carrying out the processing under this appointment, the Processor shall implement all appropriate technical and organizational measures to ensure the protection of personal data. Upon the Controller’s request, the Processor shall provide a document describing in detail the security measures adopted in relation to the execution of this agreement. Should the Controller, by means of inspection or audit, deem that modifications are necessary, such changes shall be agreed upon by both Parties.

5.2. The Processor guarantees the security of processing pursuant to Articles 28(3)(c) and 32 of the GDPR, in particular with reference to Articles 5(1) and 5(2). These measures shall ensure an adequate level of protection and security appropriate to the risk, ensuring the confidentiality, integrity, availability, and resilience of systems. According to Article 32(1) GDPR, in assessing the adequacy of the security level, account shall be taken of the state of the art, implementation costs, and the nature, scope, context, and purposes of processing, as well as the risk probability and severity for the rights and freedoms of natural persons.

5.3. The technical and organizational measures are subject to technological evolution and development. Therefore, the Processor may adopt alternative appropriate measures in light of technological advancements. In such cases, the level of data protection must not be reduced.

6. Data Subject Rights and Assistance

6.1. The Processor undertakes to cooperate with the Controller and provide full assistance, to the extent that it is reasonable or possible, in order to help the Controller respond to data subject requests in the exercise of their rights.

6.2. In particular, the Processor undertakes to (i) immediately forward to the Controller any request received from data subjects concerning the exercise of their rights and, where feasible or appropriate, (ii) assist the Controller in designing and implementing all technical and organizational measures necessary to respond to such requests.

6.3. Without prejudice to the fact that responsibility for responding to and fulfilling data subject requests lies exclusively with the Controller, the Processor may be instructed to fulfil specific requests, provided such tasks do not require disproportionate effort and are based on written instructions from the Controller.

7. Sub‑processors

7.1. The Controller hereby authorizes the Processor to engage third‑party sub‑processors. Such sub‑processors must be bound by the same contractual obligations set forth in this agreement, pursuant to Article 28(4) of the GDPR.

7.2. As of the date of execution of this agreement, the Parties acknowledge that the Processor makes use of the following sub‑processor, with whom it undertakes to enter into appropriate agreements in compliance with Article 28(4) of the GDPR:

  • Anna Corniani, Piazza 1° Maggio 9, 13900 Biella (BI), Italy, VAT No. 02646050027

7.3. The transfer of data to a third‑party processor may only take place once all conditions for the appointment referred to in point 7.1 above have been met.

7.4. The Processor must maintain an up‑to‑date list of sub‑processors. Any change to such list must be communicated to the Controller without undue delay, granting the Controller the right to object. In the event of an objection, the Processor shall have the right to terminate the contract with the Controller without notice.

7.5. The Processor remains fully liable to the Controller for the actions and omissions of any sub‑processors.

7.6. Where a sub‑processor operates outside the EU/EEA, the Processor must ensure that the transfer of data is lawful, as described in Article 4 of this agreement.

8. Controller’s Audit Rights

8.1. The Controller has the right to conduct inspections or have them carried out by an appointed auditor. The auditor shall assess the Processor’s compliance with this agreement as part of their audit activities, by means of periodic or random checks, which shall generally be notified in advance.

8.2. The Processor shall allow the Controller to verify compliance with its obligations as required under Article 28 of the GDPR. Upon request, the Processor shall provide the Controller with all necessary information and, in particular, evidence demonstrating the adoption of appropriate technical and organizational measures.

8.3. Evidence of compliance with such measures — which may also relate to activities not covered by this agreement — may be provided by:

  • adherence to approved codes of conduct under Article 40 of the GDPR;
  • certifications issued under an approved certification mechanism in accordance with Article 42 of the GDPR;
  • current audit certifications, reports, or excerpts of reports prepared by independent entities (e.g., auditors, data protection officers, IT security departments, or data protection auditors);
  • relevant certifications issued by IT security or data protection auditors.

8.4. The Processor may charge the Controller a reasonable fee for conducting such inspections.

9. Assistance to the Controller

9.1. The Processor shall assist the Controller in fulfilling its obligations regarding personal data security, reporting of data breaches, data protection impact assessments, and prior consultations as described in Articles 32 through 36 of the GDPR, including by:

  • maintaining appropriate standards of protection through technical and organizational measures that take into account the nature, circumstances, and purposes of the processing, the likelihood of data breaches, and the severity of potential risks for natural persons;
  • ensuring the immediate detection of data breaches;
  • reporting any data breaches to the Controller without undue delay;
  • assisting the Controller in responding to data subject requests to exercise their rights.

9.2. The Processor may request a reasonable fee from the Controller for assistance services that are not included in the description of the core services and that are not required due to errors, violations, or misconduct attributable to the Processor.

10. Controller’s Authority

10.1. The Processor shall not process any personal data under this appointment except on the documented instructions of the Controller, unless processing is required by European Union or Member State law.

10.2. If the Controller requests a modification to the processing of personal data, the Processor shall immediately inform the Controller if it believes such modification could result in a breach of data protection provisions. In such a case, the Processor may refrain from carrying out any activity that could lead to such a violation.

11. Liability

11.1. Each Party agrees to indemnify and hold the other Party harmless from any damages or expenses arising from its own negligent breach of this agreement, including any negligent breach committed by its legal representatives, subcontractors, employees, or other agents. Each Party also agrees to indemnify the other Party against any claims made by third parties due to or in connection with any negligent violation committed by the other Party.

11.2. The provisions of Article 82 of the GDPR remain unaffected.

12. Deletion and Return of Personal Data

12.1. The Processor shall not create copies or duplicates of the data without the knowledge and consent of the Controller, except for backup copies to the extent necessary to ensure proper data processing, and for data retention required by law.

12.2. Upon completion of each Project for which personal data have been processed, the Processor shall, at the Controller’s choice, either securely delete or return all personal data collected and processed under this agreement, unless applicable law requires further retention.

12.3. In any case, the Processor may retain information necessary to demonstrate the proper and lawful execution of the processing activities, even after the termination of the contract.

12.4. The documentation referred to in point 12.3 must be retained by the Processor in compliance with applicable statutory retention periods or as otherwise required. The Processor may deliver such documentation to the Controller upon termination of the contract to discharge its contractual retention obligations.