Data Processing Agreement
This draft Data Processing Agreement («DPA») governs the processing of personal data carried out by File system on behalf of business customers using the Rivadesk service, pursuant to Article 28 of Regulation (EU) 2016/679 («GDPR»). It forms an integral part of the service contract between the customer and File system and applies to the extent that File system processes personal data as data processor on behalf of the customer.
1. Roles of the parties, scope and duration
In relation to personal data processed within the Rivadesk service, the customer acts as data controller and File system as data processor. Where the customer in turn processes data on behalf of third parties, it may act as processor and File system as sub-processor; in that case these provisions apply accordingly.
The subject matter of processing is the provision of the Rivadesk service under the contract. The duration of processing coincides with the duration of the service contract, subject to legal retention obligations and section 9 (deletion and return).
2. Nature and purpose of processing, categories of data subjects and data
The nature and purpose of processing consist of the operations necessary to provide the Rivadesk features requested by the customer (e.g. collection, recording, organisation, storage, consultation and erasure of data), solely in accordance with the controller's instructions.
Categories of data subjects and personal data are determined by the customer depending on their use of the service and may include, by way of example:
• categories of data subjects: the customer's users and staff, its customers or contacts and other persons whose data the customer enters or manages in the service;
• categories of data: identification and contact data, account and credential data, content and documents uploaded by the customer, usage data and technical logs necessary to provide the service.
Processing of special categories of data (Art. 9 GDPR) is not a purpose of the service; if the customer chooses to enter them, it remains responsible as controller and must assess the legal basis.
3. Documented instructions of the controller
File system processes personal data only on the basis of documented instructions from the controller, including those relating to transfers to third countries, unless Union or Member State law requires otherwise; in that case File system informs the controller before processing, unless the law prohibits such information for important reasons of public interest. The service contract, product configuration and technical documentation constitute the controller's initial documented instructions. File system informs the controller if it considers that an instruction violates the GDPR or other applicable data protection provisions.
4. Confidentiality of authorised personnel
File system ensures that persons authorised to process personal data are bound by confidentiality or have an adequate legal duty of confidentiality, and that access to data is limited to personnel who need it to provide the service (need-to-know principle).
5. Security measures (Art. 32 GDPR)
File system implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, pursuant to Article 32 GDPR, taking into account the state of the art, implementation costs, and the nature, scope, context and purposes of processing. Such measures may include, where appropriate, access control, encryption of data in transit, backup and recovery procedures, event logging and periodic assessment of the effectiveness of the measures. Updated details of the measures are described in security documentation made available to the customer. The hosting and data storage area is indicated in —.
6. Sub-processors
The controller generally authorises File system to engage sub-processors (e.g. hosting and infrastructure providers) to provide the service. File system imposes on each sub-processor, by contract, data protection obligations equivalent to those under this agreement and remains fully liable to the controller for the acts of its sub-processors.
The list of sub-processors is available, where published, at —. File system informs the controller of any changes regarding the addition or replacement of sub-processors, giving the controller the opportunity to object for legitimate and reasonable data protection reasons.
7. Assistance to the controller
Taking into account the nature of processing, File system assists the controller with appropriate technical and organisational measures, to the extent possible, to:
• respond to requests for exercise of data subject rights (Arts. 12–23 GDPR);
• ensure compliance with security obligations (Art. 32), notification of personal data breaches to the supervisory authority (Art. 33) and communication to data subjects (Art. 34), as well as data protection impact assessments (DPIA, Art. 35) and prior consultation (Art. 36).
File system informs the controller without undue delay after becoming aware of a personal data breach affecting data processed on behalf of the controller, providing reasonably available information to enable the controller to fulfil its obligations.
8. Transfers outside the EU/EEA
Any transfer of personal data to countries outside the European Union or the European Economic Area takes place only where appropriate safeguards under Chapter V GDPR are in place, in particular Standard Contractual Clauses (SCCs) approved by the European Commission, or on the basis of an adequacy decision or other mechanism provided by law. Processing areas are indicated in —, consistently with the Privacy Notice.
9. Deletion and return of data
Upon termination of the service, at the controller's choice, File system deletes or returns to the controller all personal data processed on its behalf and deletes existing copies, unless Union or Member State law requires retention. Methods and timing of deletion or return are described in service documentation, in accordance with the data minimisation principle (Art. 5 GDPR).
10. Audits and inspections
File system makes available to the controller the information necessary to demonstrate compliance with Article 28 GDPR obligations and permits and contributes to audit activities, including inspections, carried out by the controller or another person mandated by the controller, under reasonable arrangements agreed between the parties (e.g. provision of documentation, certifications or third-party audit reports, where available), respecting the confidentiality and security of other customers.
11. Execution, amendments and contacts
This draft is an informational template and does not replace a signed agreement: the applicable version is the one referenced in the order or in a separate agreement concluded between the customer and File system, which prevails in case of discrepancy. File system may update this template to reflect regulatory, technical or organisational changes; the last update is indicated below. Last updated: —.
For execution of the DPA, for the updated list of sub-processors or for requests relating to data processing, business customers may contact File system at allbrand.italia@gmail.com; where appointed, the Data Protection Officer is — (allbrand.italia@gmail.com). Data subjects retain the right to lodge a complaint with the competent supervisory authority (Garante per la protezione dei dati personali).