DPA - Data Processing Agreement
- This Agreement is an integral part of the General Terms and Conditions for the provision of the Vantevo Analytics service (hereinafter, Service or Main Agreement).
- This Data Processing Agreement (hereafter, DPA) describes the specific duties, tasks and requirements so that the processing of personal data carried out by Netforce Srl on behalf of the Data Controller complies with the requirements imposed by the privacy legislation in force to date, national and EU;
- With respect to data processing, in case of any discrepancy between this document and the Master Agreement, this agreement shall prevail.
- Any breach of this agreement will constitute a material breach of the Main Contract.
- The Customer assumes, pursuant to Article 4 GDPR, the title of Data Controller, and Netforce S.r.l. assumes the title of Data Processor/Service Provider (hereinafter, the Parties).
That being the case and deemed an integral part of this agreement, the Parties stipulate the following:
The Data Controller appoints the Service Provider as the Data Processor for the duration set forth in the Master Agreement, as reasonably necessary for the provision of the services and in accordance with the obligations imposed by this DPA. Through the acceptance of this document by the Data Controller, Netforce Srl undertakes to carry out the processing activities on personal data in a lawful, transparent and fair manner as well as in full compliance with all regulatory provisions on the processing of personal data, as well as with the following and specific instructions:
The subject of this agreement is the definition of the terms and conditions related to the data processing carried out by the Data Processor on behalf of the Controller with reference to the service contract referred to in the foregoing. By accepting this agreement, the Parties undertake to comply with the applicable national or supra-national legislation on the protection of personal data of individuals. The Parties acknowledge and agree that any breach of this Agreement by the Processor or the Controller shall constitute a breach of the Service Agreement and that, in such event and without prejudice to any other right or remedy available to them, the Controller or the Processor may elect to terminate the Master Agreement immediately in accordance with the termination provisions therein.
This Agreement shall be effective between the Parties for the duration of the Vantevo Analytics Service Agreement and shall cease to be effective when the Customer terminates the Master Agreement.
C. Data origin
The Data Controller shall ensure that the data covered by this agreement have been collected lawfully and in accordance with applicable regulations, and that the information transmitted to the data controller does not violate the rights of the data subjects in any way.
In this sense, the Owner indemnifies the Manager from any liability resulting from any unlawful processing by the Owner inherent in the use and data contained in Vantevo Analytics.
D. Privacy and security of your visitors' data
The Vantevo Analytics service will collect information about visitors to the websites and/or software applications on which it is configured.
The purpose of Vantevo Analytics is to track the use of a website or software application in general without resorting to identifying and saving personal information, without using cookies, and respecting the privacy of visitors.
Using Vantevo Analytics, all site measurements and/or software applications are performed absolutely anonymously.
Every HTTP request sends data to our servers. To generate a unique identifier that changes daily, we take into account the user's IP address, User-Agent and domain. A rotating "salt" is added to this data and the hash function is applied to anonymize it. The output is a code that is generated every 24 hours based on the time zone selected by the user.
Formula used for unique identifier calculation:
HASH (<SALT> + <DOMAIN> + <IP> + <USER-AGENT>);
The hash function generates a random string of numbers that is used to get the unique visitor count for the day. Once the key is generated with the function, which is the real output we have access to, the IP address and User-Agent are completely inaccessible to anyone, including ourselves at Vantevo Analytics. In addition, the IP address and User-Agent are NEVER stored in our databases or anywhere else on our servers.
This technique ensures complete anonymization of archived data.
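The identifier scheme described in this section, as an added example (not Vantevo Analytics' own code). SHA-256 stands in for the hash function, which the text does not name; `DailySalt`, `visitor_id`, `count_unique`, the fixed UTC offset used as the time zone, and the sample events are hypothetical names and constructed values.

```python
import hashlib
import secrets
from datetime import datetime, timedelta, timezone


class DailySalt:
    """Keeps only the current local day's salt; the old one is overwritten."""

    def __init__(self, utc_offset_hours=0):
        # Assumption: the site's selected time zone is modelled as a fixed offset.
        self.tz = timezone(timedelta(hours=utc_offset_hours))
        self._day, self._salt = None, None

    def local_day(self, now):
        return now.astimezone(self.tz).date()

    def for_instant(self, now):
        day = self.local_day(now)
        if day != self._day:  # local midnight passed: rotate and forget
            self._day, self._salt = day, secrets.token_bytes(32)
        return self._salt


def visitor_id(salt, domain, ip, user_agent):
    # HASH(<SALT> + <DOMAIN> + <IP> + <USER-AGENT>); SHA-256 is an assumption.
    data = salt + domain.encode() + ip.encode() + user_agent.encode()
    return hashlib.sha256(data).hexdigest()


def count_unique(events, salts):
    """events: time-ordered (utc_datetime, domain, ip, user_agent) tuples."""
    seen = {}
    for now, domain, ip, ua in events:
        vid = visitor_id(salts.for_instant(now), domain, ip, ua)
        # Only the digest is kept; IP and User-Agent are dropped here.
        seen.setdefault((salts.local_day(now), domain), set()).add(vid)
    return {key: len(ids) for key, ids in seen.items()}


# Constructed sample traffic (documentation IP ranges), site time zone UTC+2.
UA = "Mozilla/5.0 (X11; Linux x86_64) Firefox/102.0"
SAMPLE_EVENTS = [
    (datetime(2022, 7, 14, 8, 0, tzinfo=timezone.utc), "example.org", "203.0.113.7", UA),
    (datetime(2022, 7, 14, 9, 0, tzinfo=timezone.utc), "example.org", "203.0.113.7", UA),
    (datetime(2022, 7, 14, 9, 30, tzinfo=timezone.utc), "example.org", "198.51.100.9", UA),
    (datetime(2022, 7, 14, 21, 59, tzinfo=timezone.utc), "example.org", "203.0.113.7", UA),
    (datetime(2022, 7, 14, 22, 30, tzinfo=timezone.utc), "example.org", "203.0.113.7", UA),
]

if __name__ == "__main__":
    print(count_unique(SAMPLE_EVENTS, DailySalt(utc_offset_hours=2)))
```

In this sketch the same visitor cannot be linked across days only because the previous salt is overwritten at rotation, which is why `DailySalt` keeps no history.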
E. Types and nature of personal data
Netforce Srl will not process personal data other than that necessary for the performance of the Main Agreement, unless the further processing is required by Data Protection laws and regulations to which the Data Processor is obligated. The Controller instructs the Processor to process only such personal data as is reasonably necessary for the performance of the Service and in accordance with the terms and conditions of the Main Contract and this Agreement. The type of personal data required for the implementation of the Vantevo Analytics service is master data, as well as contact information. The nature of operations performed on personal data pertains to maintenance, support and updating of the service and securing the data (backup). For the execution of the Main Contract, the Owner makes available to the Manager any necessary information required.
F. Personnel of the Data Processor
The processing of data will be carried out only by Netforce Srl personnel previously authorized to process them, in accordance with Article 29 GDPR, as well as duly instructed on their responsibilities. The Data Processor guarantees that the personnel dedicated to the execution of the Main Contract have been made aware of the confidential nature of the information received by the Data Controller. The Processor shall also ensure that access to personal data is limited to personnel who have a need to access relevant personal data, to the extent strictly necessary, for the purposes under the Master Contract and this Agreement.
G. Obligations of the Responsible Person
- Holder's Instructions
The Responsible party shall process the data for the purposes stated above and for the performance of the contractual services undertaken. Netforce Srl will process the data in accordance with the terms and conditions document.
- Place of processing
Data will be stored and processed by the Data Processor within the European territory.
Personal data will be stored on behalf of the data controller at the OVH Datacenter Roubaix datacenter and AWS datacenter (Amazon Web Services).
The Processor guarantees the confidentiality of personal data processed in the performance of the Main Contract. The Processor shall ensure that its authorized personnel have signed a legal obligation of confidentiality and have received the necessary training on the processing and protection of personal data.
Netforce Srl has taken appropriate technical and organizational measures to protect the security, confidentiality and integrity of personal data. These measures include, where appropriate:
- assessment of the appropriate level of security, in particular all risks associated with the processing, e.g. due to accidental or unlawful destruction, loss, or alteration, storage, unauthorized or unlawful access or disclosure of personal data;
- the pseudonymization and encryption of personal data;
- the ability to ensure on a permanent basis the confidentiality, integrity, availability and resilience of processing systems and services;
- the ability to restore availability and access to personal data, in a timely manner, in the event of a physical or technical incident;
- a procedure for testing, determining and periodically evaluating the effectiveness of technical and organizational measures to ensure the security of personal data processing;
- measures to identify vulnerabilities related to the processing of personal data in the systems used to provide the service to the Controller.
Netforce Srl has taken into account the risks regarding the processing of personal data, in particular to prevent any security breaches or other substantially similar events, as defined by data protection laws and regulations.
The Processor shall immediately inform the Controller if, in its opinion, any further instructions provided by the Controller may be inconsistent with the GDPR or other data protection provisions of the Member States or any other applicable legislation.
- Rights of data subjects
The Processor will promptly and in any case without undue delay notify the Controller in case of any request received from a data subject inherent in his/her right of access, rectification, restriction of processing, erasure ("right to be forgotten"), data portability, right to object to processing, or any other request inherent in his/her personal data processed by the Processor.
At the request of the Data Controller, the Data Processor will provide the fullest assistance to the Data Controller in dealing with such requests from the data subject. In this sense, taking into account the nature of the processing, the Data Processor shall assist the Controller, by means of appropriate technical and organizational measures, in fulfilling the Controller's obligations to respond to the data subject's requests inherent to the exercise of the rights provided for in the current legislation on the protection of personal data.
H. Data breach
The Data Processor, taking into account the nature of the processing and the information available, will assist the Data Controller in ensuring compliance with the obligations under Articles 32 - 36 GDPR. The Processor shall send a notification to the Data Controller without undue delay and, in any case, within twenty-four (24) hours of becoming aware of or reasonably suspecting a personal data breach.
The Data Processor shall notify the Data Controller, without undue delay and, in any case, within forty-eight (48) hours from the time when the Data Controller became aware of it, of a security incident or breach of security measures that led to the use, destruction, loss, unauthorized, accidental or unlawful disclosure, alteration, unlawful access to personal data or any other breach of security resulting in a loss of confidentiality, integrity or availability of the processed personal data. The Data Processor must indicate, in the communication to the Data Controller, detailed information to enable the Data Controller to fulfill the consequent obligations to notify the competent Supervisory Authority or to inform the data subjects involved in the Data Breaches.
The Data Processor shall provide the Data Controller with sufficient information to enable the Data Controller to comply with any obligation to report a Data Breach under applicable law.
As soon as practicable and following an actual Data Breach, the Data Processor shall perform a detailed analysis of the causes that resulted in a Breach and, upon request from the Controller, shall share with the Controller the results of its analysis and related remediation plan.
I. Disclosure of data
The Processor shall process the Processor's personal data only for the purpose of the performance of the Main Contract. The Data Processor shall not process, transfer, amend, correct or alter the Data Controller's personal data or disclose or allow disclosure to third parties except in accordance with the Data Controller's documented instructions, unless the processing is required by the EU and/or the laws of the Member State to which the Data Controller is subject and/or any legislation including supranational legislation to which the Data Controller is subject. The Processor shall, to the extent permitted by such laws, inform the Data Controller of such legal requirements before further processing personal data and comply with the Data Controller's instructions to minimize, as far as possible, the scope of disclosure.
L. Deletion or return of personal data
The Data Processor, in the event of termination of the provision of the services referred to in the Main Contract or termination of the same, shall return or delete all personal data it has come into possession of as well as delete any copies, digital or hard copies, that exist. The data in the possession of the Data Processor shall be returned upon request of the Data Controller through the delivery of the backup of the database or files on which the personal data reside, or of a file in a structured, commonly used and machine-readable format. The data will be returned (in JSON/CSV format) or deleted from the data center no later than 60 days from the date of termination of the contract. The Data Controller is aware that at any time it can proceed on its own to delete the data through the dedicated function 'Delete Domain' present within the software application. For security reasons of its own information systems, the Processor specifies that the data of the Controller. Processor may further retain data only to the extent and for the period required by Union or Member State law, and always provided that the Processor guarantees the confidentiality of all personal data and ensures that it is processed only as necessary for the purposes specified in Union or Member State laws and for no other purpose.
M. Privacy contacts
For the exercise of one's rights and for other communications inherent to privacy regulations, it is possible to contact Netforce Srl by writing to email@example.com
N. Final Provisions
The signing of this DPA does not provide for any additional compensation in favor of the Manager over and above that already agreed upon in the Main Contract. For anything not expressly provided for, please refer to the general provisions in force regarding the protection of Personal Data.
Last update 14-07-2022 at 09:45