Data Processing Agreement

This Data Processing Agreement (“Agreement”) is entered into by and between
you, as the Controller and

Twproject s.r.l.
Via Don Giulio Facibeni, 8A
50141, Florence
Italy

as the Processor.

1. Subject matter, main contract, and term

The subject matter of the Agreement results from the main contract signed by the parties for the provision of the Twproject services (“Contract”). The Processor shall carry out the processing activities described therein, with respect to the following categories of Personal Data:

  • contact and communication data;
  • data provided by the user when using the application, such as company details, Personal Data of key officers and employees;
  • data referring to the use of the Twproject support site, such as data relating to support;

and referring to the following categories of Data Subjects

Notwithstanding the Controller’s location, unless otherwise stated herein – in particular with regard to Subprocessors pursuant to sec. 7 below – all data processing activities carried out by the Processor shall be executed within the territories of the European Union / European Economic Area (EU/EEA).

2. Definitions

In this Agreement, unless otherwise required by the context, the following terms shall have the meaning set forth below:

a. “Agreement” refers to this Data Processing Agreement and all its corresponding Schedules, and any amendments thereto.

b. “Applicable Data Protection Laws” refers to – as the case may be – any applicable privacy and data protection laws and regulations, such as, for instance, the: (i) EU General Data Protection Regulation (Regulation 2016/679) (“GDPR”);

c. “Controller” means the entity which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.

d. “Data Subject(s)” means the individual to whom Personal Data relates.

e. “Personal Data” means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

f. “Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

g. “Processor” means a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller.

h. “Subprocessor” means any Processor engaged by the Processor who agrees to receive from the Processor Personal Data exclusively intended for the Processing activities to be carried out on behalf of the Controller after the latter has authorized such subcontracting.

i. “Technical and Organisational Measures” means those measures aimed at protecting Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access and against all other unlawful forms of Processing.

All capitalized terms not defined herein shall have the meaning set forth in the GDPR and any Applicable Data Protection Laws.

3. Processing on instruction

With regard to transfers of Personal Data to a third country or an international organization, unless required to do so by Applicable Data Protection Laws to which the Processor is subject, the Processor agrees to process the Personal Data only on documented instructions from the Controller.

4. Technical and organizational measures

The Processor commits to adopt and implement all necessary technical and organizational measures that provide a level of security appropriate to the risk involved in the Processing and the nature of the Personal Data to be protected. These measures shall, amongst others, safeguard Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.
Specific details of these measures are laid out in Appendix I.

5. Exercise of rights

The Processor is committed to supporting the Controller in ensuring compliance with the rights of Data Subjects under Applicable Data Protection Laws.

The rights granted to the Controller under this agreement, including but not limited to the right to rectification, restriction, and erasure or return of data, can be exercised through the ticketing system or by contacting the Processor at the email address support@twproject.com.

6. Compliance assurance and other duties of the Processor

The Processor ensures the compliance of its data Processing activities and strict adherence to its obligations under the Applicable Data Protection Laws. This includes:

a. Data Availability, Integrity and Confidentiality: the Processor shall carry out its processing activities ensuring the security of Personal Data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, damage, or interruption, using appropriate Technical and organizational measures.

b. Cooperation with Controller: the Processor shall assist the Controller in ensuring compliance with the obligations concerning the security of processing, the notification of Personal Data breaches to the supervisory authority, the communication of Personal Data breaches to the Data Subject, the data protection impact assessments, and prior consultation in relation to high-risk processing.

c. Employee confidentiality: the Processor shall ensure that its employees engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities, and are bound by confidentiality obligations and use restrictions in respect of the Personal Data.

d. Response to Data Subjects: if the Processor receives a request from a Data Subject under any Applicable Data Protection Law in respect of Personal Data, the Processor shall advise the Data Subject to submit their request to the Controller and the Processor will notify the Controller of the request as soon as practicable.

7. Subprocessors

The Controller acknowledges and accepts that the Processor may engage Subprocessors to carry out processing activities under this Agreement. The currently engaged Subprocessors are hereby deemed as accepted by the Controller.

A list of Subprocessors can be requested by using the ticketing system or the email address support@twproject.com.

The Processor commits to notify the Controller in advance about any planned change of Subprocessors and to collect the Controller’s approval before performing such change. The Processor shall in any case impose on Subprocessors the same data protection obligations as set out in this Agreement.

8. Audits

The Processor shall make available to the Controller on request all information necessary to demonstrate compliance with the obligations laid down in this Agreement and allow for and contribute to audits.

9. Data Breaches

The Processor shall implement and maintain appropriate procedures and technologies to detect, prevent, and respond to data breaches.

In the event of a Personal Data breach, the Processor will promptly and without undue delay notify the Controller upon becoming aware of it. This notification will include:

  • a description of the nature of the breach, including, where possible, the categories and approximate number of Data Subjects affected and the categories and approximate number of data records concerned;
  • the name and contact details of the Processor’s data protection officer or another contact point where more information can be obtained;
  • a description of the likely consequences of the breach;
  • a description of the measures taken or proposed to be taken by the Processor to address the breach, including, where appropriate, measures to mitigate its possible adverse effects.

The Processor shall document any Personal Data breaches, comprising the facts relating to the Personal Data breach, its effects, and the remedial actions taken. The Processor will also assist the Controller in ensuring compliance with the Controller’s obligations under Applicable Data Protection Laws concerning security breach notifications to the authorities and affected individuals.

The Processor shall not communicate the Personal Data breach to any third party or to the affected Data Subject without the prior written consent of the Controller, unless such communication is required by Applicable Data Protection Laws.
The Processor understands and accepts that any failure to assist the Controller as set out in this Article may lead to penalties and fines, for which the Processor will be held responsible.

This Article is without prejudice to any rights or remedies the Controller may have under this Agreement or Applicable Data Protection Laws.

10. Termination, deletion and return of personal data

After the provision of the services has been completed, or sooner if so directed by the Controller, the Processor shall, at the Controller’s discretion, delete or return all personal data collected and processed pursuant to this agreement, unless the Processor is required to retain such personal data under any applicable legal provision.

Unless otherwise directed by the Controller, the Processor will retain the personal data for a period of 15 days after the termination of the contract and the completed provision of the services, solely for the purpose of allowing the Controller to export it. After the expiration of the retention period, the Processor shall delete all personal data.

Notwithstanding the foregoing, the Processor shall be entitled to retain, even after the provision of the services has been completed and the termination of the contract, all information necessary to demonstrate orderly and compliant processing, in accordance with statutory retention periods.

Latest update: April 22, 2024