Data Processing Agreement

APPOINTMENT AS DATA PROCESSOR
This appointment as Data Processor (hereinafter referred to as “Appointment”) is added to and attached to the terms and conditions of Tuurbo, a product of Tuurbo Srl (hereinafter referred to as the “Contract”).

Whereas:

  • The client acknowledges being qualified as the controller (hereinafter referred to as the “Controller”) of the processing (hereinafter referred to as “Processing”) of personal data (hereinafter referred to as “Data”).
  • Tuurbo Srl assumes the role of data processor (hereinafter referred to as the “Processor”) under the provisions of Article 28 GDPR, for the purpose of processing data on behalf of the Controller.
  • The execution of the Contract requires the processing of data of natural persons (hereinafter referred to as “Data Subjects”) and information not attributable to individual natural persons.
  • Both the Data and the information must be considered as confidential information of the Controller and are subject to confidentiality between the Controller and the Processor.
  • The Contract binds the Processor to the Controller, who decides the duration of the processing, the nature and purpose of the processing, the type of data, and the categories of data subjects.
  • The Processor provides sufficient guarantees to implement appropriate technical and organizational measures so that the processing complies with GDPR requirements and confidentiality.
  • The Processor commits to processing the Data and information related to the subject matter of the Contract lawfully and correctly, in compliance with the GDPR, the Controller’s procedures, and the underlying obligations and further instructions.
  • The Controller and the Processor will be jointly referred to as the Parties.

Therefore, the Controller and the Processor agree as follows:

Purpose and Processed Data
The preambles are an integral part of the Appointment.
The processing of the Data must be carried out by the Processor solely for the purpose of executing the Contract and the Appointment.

The processing of the Data must be strictly necessary to execute the Contract and must be performed in compliance with confidentiality and GDPR, as well as the obligations set out in this Appointment.

If necessary for the execution of the Contract, the processing also extends to special categories of data or data relating to criminal convictions and offenses, as indicated in Articles 9 and 10 GDPR.

The Data processed includes the following:

  • First and last name
  • Email address
  • Phone number

Security Measures
The Processor must adopt all security measures required by Article 32 of the EU Regulation, implementing appropriate technical and organizational measures to ensure a level of security appropriate to the risks, particularly concerning accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, data transmitted, stored, or otherwise processed.

Authorized Persons and any System Administrators appointed must be instructed accordingly.

Specifically, the Controller acknowledges that the Processor implements the following security measures:

Physical Access Controls
The Processor adopts measures to prevent unauthorized access to workstations and devices where personal data is stored, both during working hours, by ensuring the presence of at least one person monitoring the workplace, and during non-working hours, when the office is locked, the building is secured, and an alarm is activated.

Virtual Access Controls
The Processor adopts measures to prevent unauthorized access to virtual environments where personal data is stored, using antivirus software, firewalls, and proxy servers.

Furthermore, the Processor ensures that access to virtual work environments is granted only to individuals with whom a relationship has been established, such as Authorized Persons, Sub-Processors, and System Administrators.

Data Integrity Controls
The Processor adopts measures to prevent unauthorized access, copying, alteration, or loss of the Data.

Specifically, the Controller’s electronic devices are encrypted, and employees are bound by confidentiality obligations. In addition, access log files are maintained.

Data Availability Controls
The Processor adopts measures to prevent accidental loss or destruction of the Data.

Specifically, the Processor implements a cloud-based backup and disaster recovery policy, ensuring that the provider has adequate security measures in accordance with Article 32 of the GDPR.

Technical and Organizational Measures
The Processor continuously updates its organizational documentation and regulates any internal or external relationships with an appropriate document.

Additionally, the Processor performs ongoing checks on its technical infrastructure to ensure compliance with the GDPR.

Engagement of Other Processors
For the execution of the Contract’s data processing activities, the Controller grants the Processor general authorization to engage another external processor (“Sub-Processor”). The Controller acknowledges that this activity may involve the transfer of Data to countries outside the European Union.

The Processor commits to providing the Controller with a list of Sub-Processors upon request.

The Processor must guarantee that these Sub-Processors comply with the provisions of paragraphs 3, 4, and 5 of Article 28 of the EU Regulation.

If a Sub-Processor fails to fulfill its data protection obligations, the initial Processor will remain fully responsible to the Controller for the fulfillment of the Sub-Processor’s obligations.

Authorized Persons
Before initiating any processing operations, the Processor must identify each individual acting under its direct authority, engaged in executing the Contract (hereinafter referred to as the “Authorized Person”).

For each Authorized Person, the Processor must specify the scope of data access, the permitted processing, particularly with regard to processing special categories of data or data related to criminal convictions and offenses, and provide instructions (both written and verbal) that must be consistent with those set out in this document.

Authorized Persons must receive detailed instructions, specifically regarding the following:

  • Confidentiality of information: Authorized Persons must be obligated to maintain the confidentiality of the Data and information.
  • Compliance with the principles set forth in Article 5 of the EU Regulation concerning lawfulness, fairness, and transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity, and confidentiality, as well as the instructions to be followed for data retention and processing security.

Impact Assessment, Prior Consultation, Data Subject Requests, and Data Breach

Taking into account the nature of the processing and the information at its disposal, the Processor must assist the Controller in ensuring compliance with the impact assessment and prior consultation obligations prescribed by Articles 35 and 36 of the EU Regulation.

The Processor must not, on its own initiative, use new technologies, tools, or methods, or in any case, perform processing requiring an impact assessment or prior consultation without notifying the Controller and obtaining its prior written authorization.

The Processor must assist the Controller with appropriate technical and organizational measures, promptly providing the information in its possession needed to allow the Controller to comply with its obligation to respond, within the timeframe prescribed by the EU Regulation, to requests from data subjects based on the rights granted to them by Chapter III of the EU Regulation, such as access to data, rectification, erasure, the right to be forgotten, restriction of processing, and data portability.

The Processor must assist the Controller in ensuring compliance with security obligations and, in the event of a personal data breach, inform the Controller without undue delay, providing the necessary information prescribed by Articles 33 and 34 of the EU Regulation to allow the Controller to meet its obligation to notify the Data Protection Authority and, where applicable, inform data subjects of the breach.

Right to Monitoring by the Controller

The Processor must maintain constant control to ensure that data is processed lawfully, fairly, and in compliance with the GDPR, including security aspects.

Furthermore, the Processor must immediately inform the Controller of any situation it becomes aware of that may expose the Controller to legal violations or may lead to unlawful processing or compromise the confidentiality and integrity of the data or otherwise pose a risk to data protection.

The Controller may carry out, either directly or through another appointed party, review activities to verify that the Data is processed by the Processor in accordance with the GDPR, the obligations, and instructions provided, including on-site inspections at the Processor’s facilities.

The Processor will contribute to the review activities and make available to the Controller all necessary information to demonstrate compliance with the applicable GDPR, the obligations and instructions under the Contract, and this supplementary document.

Exclusion of Liability

The Processor will not be held responsible for events beyond its control, such as, but not limited to, impediments, malfunctions, or difficulties related to technical tools, cables, electronics, hardware, transmission and connection, telephone lines, server malfunctions, omissions, or errors contained in the information and images inserted during development at the request of the Controller, non-compliance and/or obsolescence of the equipment used by the Controller.

Similarly, the Processor will not be held responsible for delays caused by events beyond its control.

Conclusion of Processing and Data Deletion

This Appointment will be considered concluded if the Contract between the Parties is no longer in force. The conclusion will immediately apply to this Appointment.

Upon conclusion, Tuurbo Srl will no longer be considered responsible. The same principle applies to the Sub-Processors appointed to fulfill the obligations of the Contract and Appointment.

Upon conclusion of the Processing, the Processor will return the Data to the Controller and delete any copies. The same action will be taken if expressly requested by the Controller.

The Data must not be deleted if there is a legal obligation to retain it imposed by national or international law, requiring the Processor to retain the Data.

Final Provisions

This Contract constitutes the entire agreement between the Parties regarding its subject matter and supersedes any prior agreements between the Parties.

Each Party is independent and autonomous from the other and, as such, will not have the authority to bind or commit the other Party except as provided by this Contract.

The Contract cannot be interpreted as establishing any other relationship between the Parties other than that provided for in this Contract.

The Parties mutually acknowledge that the provisions of this Contract that violate legal requirements will only be effective within the limits of such violations, without invalidating the remaining provisions or the Contract as a whole.

Any express or implied waiver by a Party of any provision contained in this Contract, or acquiescence to a breach or non-compliance with a provision, shall not be considered a waiver of that provision and shall not prevent that Party from enforcing compliance with it or any other provision, or from acting upon any other breach or violation at any time.

The Controller reserves the right to modify this Policy at any time.
It is therefore recommended that the Data Subject periodically review this page to stay updated on the latest legislative changes and the current policy. By continuing to use the Site after modifications, the Data Subject accepts these changes and consents to the data processing as indicated.

The Parties may not assign the Contract, or the rights and obligations deriving from it, in whole or in part, without the prior written consent of both Parties.

The Controller may communicate with the Processor through the following contact: [email protected].

Applicable Law and Jurisdiction
This Contract is governed by Italian law.

All disputes arising from or in connection with this Contract, including those relating to its interpretation, execution, and/or termination, will be submitted to the exclusive jurisdiction of the Court of Catania.

Changes to the Policy
The Controller reserves the right to modify this Policy at any time.

This document, published at the following address: www.tuurbo.ai/dpa, constitutes the appointment as the data processor for this site.

In case of changes, the Controller will upload the new policy to this page, and previous versions of the document will still be available on this page.

The Data Subject can view the history of the policies by checking the date indicated, and for this reason, it is recommended that the Data Subject periodically review this page to stay updated on the latest legislative changes.

By continuing to use the Site after modifications, the Data Subject accepts these changes and consents to the modified data processing.

Copyright 2024 – Tuurbo S.r.l. All rights reserved. – Via A. Fleming SNC, Aci Sant’Antonio, 95025 Catania (CT), Italia – VAT: IT06099510874 Cap.Soc. €13.825,26 – [email protected]