Data Processing Agreement
Easy4Cloud Spa
This Data Processing Agreement (“DPA”) is an integral part of the contract, hereinafter referred to as the “Contract,” concluded between Easy4Cloud Spa and the Customer, and which defines the terms and conditions applicable to the services offered by Easy4Cloud. The purpose of this DPA, stipulated between Easy4Cloud and the Customer, in compliance with Article 28 of Regulation (EU) 2016/679 of the European Parliament and of the Council, of April 27, 2016, concerning the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR), is to define the conditions under which Easy4Cloud, as Data Processor and as part of the Services defined in the Contract, is entitled to process personal data. The processing of Personal Data by Easy4Cloud as Data Controller is not included in this DPA. For the purposes of this DPA, Easy4Cloud Spa, headquartered in Milan at Via F. Sforza 14, Tax Code 03656750613, represented by the legal representative pro tempore, operates as the Data Processor and the Customer as the Data Controller.
Article 1 – Definitions
The following terms used in this contract shall have the meanings ascribed to them below:
PERSONAL DATA: Any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, and/or one or more factors specific to his or her physical, physiological, genetic, mental, economic, cultural, or social identity.
Special categories of personal data
Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as genetic data, biometric data intended to uniquely identify a natural person, data concerning health or a person’s sex life or sexual orientation.
INFORMATION: Any data, including non-personal data, held by the Customer.
Processing
Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation and/or alteration, retrieval, consultation, use, disclosure by transmission, dissemination and/or otherwise making available, alignment and/or combination, restriction, erasure, or destruction.
Data Controller
The natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
Data Processor
A natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller.
Authorized Personnel
Natural persons authorized to perform processing operations by the controller or the processor.
Data Subject
The natural person to whom the personal data relates.
Supervisory Authority
An independent public authority established by a Member State, charged with overseeing the application of Regulation (EU) 2016/679 to protect the fundamental rights and freedoms of natural persons in relation to processing.
Communication
Making personal data known to one or more specific entities other than the data subject, the controller’s representative in the State’s territory, the processor, and persons authorized to process data, in any form, including making them available or consulting them.
Dissemination
Making personal data known to indeterminate entities, in any form, including making them available or consulting them.
Security Measures
The set of technical, IT, organizational, logical, and procedural security measures aimed at ensuring an adequate level of security, taking into account risks from accidental or illegal destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored, or otherwise processed.
Personal Data Breach
A security breach that accidentally or unlawfully results in the destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored, or otherwise processed.
Article 2 – Subject Matter
2.1. This agreement regulates and governs the privacy roles of the Parties involved in the processing of personal data as well as the terms and conditions under which Easy4Cloud is authorized to process the personal data of which the Customer is the Data Controller in execution of the Contract.
2.2. The type of personal data and the categories of data subjects are determined and controlled by the Customer. Data processing activities are carried out by Easy4Cloud for the period specified in the Contract.
2.3. Processing will be carried out for operations necessary for the realization and management of the Services provided to the Customer without performing any processing beyond what is strictly necessary to fulfill the required activities.
2.4. All information processed on behalf of the Data Controller, or otherwise known incidentally, is deemed strictly confidential and remains the exclusive property of the latter. Therefore, the Provider, including through its personnel, cannot freely use confidential information, neither directly nor indirectly, for purposes other than those agreed upon. The use of such information remains exclusively for the proper execution of the assigned tasks or those that may be subsequently assigned.
Article 3 – Customer Obligations
3.1. For the processing of Personal Data, the Customer shall provide Easy4Cloud in writing (a) all necessary instructions and (b) any information necessary for creating the Processor’s records of processing activities.
3.2. The Customer remains solely responsible for the information processed and instructions communicated to Easy4Cloud. The Customer is responsible for ensuring that (a) the processing of Personal Data has an appropriate legal basis (e.g., consent of the data subject and Data Controller, legitimate interests, authorization by the relevant Supervisory Authority, etc.); (b) all required procedures and formalities (such as data protection impact assessments, notifications, and requests for authorization from the privacy authority or other competent entities, where required) have been duly completed; (c) data subjects are informed of the processing of their Personal Data concisely, transparently, intelligibly, and in an easily accessible form, using clear and plain language as required by the GDPR; (d) data subjects are informed and will at any time have the possibility to easily exercise their data rights, as provided by the GDPR, directly with the Customer or the Data Controller in case the Customer is the data processor.
3.3. The Customer is responsible for adopting appropriate technical and organizational measures to ensure the security of resources, systems, applications, and operations not under the responsibility of Easy4Cloud.
3.4. The Customer/Data Controller is fully responsible for informing data subjects of their rights and ensuring their compliance, including the rights of access, rectification, erasure, restriction, and portability.
Article 4 – Customer Obligations When Acting as a Data Processor
4.1. When the Customer acts as a Data Processor on behalf of third-party controllers, the Parties hereby expressly consent to the following conditions: The Customer will ensure that (i) all necessary authorizations to include in this DPA, including the appointment of Easy4Cloud by the Customer as a sub-processor, have been obtained from the Data Controller, (ii) an agreement fully consistent with the terms and conditions of the Contract, including this DPA, in compliance with Article 28 of the GDPR, has been signed with the Data Controller, (iii) any instructions received by Easy4Cloud from the Customer for the execution of the Contract and this DPA are fully aligned with those of the Data Controller, and (iv) all information communicated or made available by Easy4Cloud, in compliance with this DPA, is duly communicated to the Data Controller, if applicable.
4.2. Easy4Cloud will (i) process Personal Data solely on instructions from the Customer and (ii) not receive any instructions directly from the Data Controller.
4.3. The Customer, who is to be considered fully responsible towards Easy4Cloud for the correct execution of the Data Controller’s obligations, as provided by this DPA, will indemnify and keep Easy4Cloud harmless from (i) any non-compliance by the Data Controller in applying the current legislation, and (ii) actions, claims, or complaints by the Data Controller related to provisions of this Contract (including this DPA) or other instructions received by Easy4Cloud from the Customer.
Article 5 – Easy4Cloud Obligations
5.1. In executing this contract, Easy4Cloud undertakes to (a) process the Personal Data uploaded, stored, and used by the Customer solely as necessary to provide the Service, as defined in the Contract; (b) not access or use Personal Data for any purpose other than that strictly necessary for performing the Services; (c) adopt the necessary technical and organizational measures detailed below to ensure the security of Personal Data in the provision of the Service; (d) ensure that Easy4Cloud employees authorized to process Personal Data under the Contract are bound by an obligation of confidentiality and receive adequate training on data protection; (e) inform the Customer if, based on the information available, it believes that an instruction from the Customer violates the GDPR or other Union or Member State data protection provisions; (f) if it receives requests from a competent authority concerning the Personal Data processed hereunder, inform the Customer (unless prohibited by applicable laws or a competent authority order) and limit the data disclosure to what is expressly requested by the authority.
5.2. Upon written request from the Customer, Easy4Cloud will provide the Customer with reasonable assistance in conducting data protection impact assessments and consultations with competent supervisory authorities, solely when such assistance is necessary and relates to the processing of Personal Data by Easy4Cloud covered herein.
Article 6 – Location of Personal Data
6.1. Easy4Cloud guarantees that the processing of the Data Controller’s personal data will be carried out through the systematic and continuous use of IT infrastructures located in countries within the European Economic Area and that no transfers abroad, that is, transfers to countries outside the European Economic Area, will occur.
6.2. It is, in any case, understood that the Provider undertakes to notify the Data Controller in writing and with reasonable advance notice of any transfer of personal data to IT infrastructures located in countries within and/or outside the European Union.
Article 7 – Security Measures
7.1. Easy4Cloud commits to adopting the following technical and organizational security measures:
(a) physical security measures to prevent unauthorized access to the infrastructures where the Customer’s data is stored; (b) identity and access controls using an authentication system, as well as a password management policy; (c) an access management system that limits entry to the facilities to those for whom it is essential in the performance of their duties and within their responsibilities; (d) dedicated personnel responsible for monitoring the physical security of Easy4Cloud’s facilities; (e) authentication procedures for users and administrators to protect access to administrative functions; (f) an access management system for support and maintenance activities that operates on the principles of least privilege and need-to-know; and (g) procedures and measures to track actions performed on their IT system.
7.2. The security measures implemented by Easy4Cloud must, in any case, be appropriate to ensure on a permanent basis the confidentiality, integrity, availability, and resilience of the systems and data being processed.
Article 8 – Technical Specifications for Data Processing
8.1. Easy4Cloud Spa declares that, for the purposes of verifying the correct application of data protection regulations and in compliance with the provisions of the European Regulation 679/2016 on data tracking, the server hosting the EasyCall service is located within the European Community, and in the contractual agreement with the service provider, the latter undertakes to ensure the maximum security of its infrastructures.
8.2. Regarding the service provided, Easy4Cloud declares that once access credentials to the service have been provided, only the final Customer is authorized to view the contents of the space. The final Customer may request assistance from Easy4Cloud. Assistance is provided remotely through screen sharing with the Customer, who monitors and shares the intervention in real time. Upon completion of the work session, the Easy4Cloud representative disconnects from the computer and cannot reconnect without a new authorization from the same Customer. In exceptional cases, when the maintenance intervention cannot be performed as described, the final Customer may provide access credentials with a temporary authorization to allow the review activity. Once the intervention is completed, the final Customer will reconfigure the passwords, and Easy4Cloud assumes no responsibility if the Customer does not reconfigure the passwords.
8.3. For data security in transit, EasyCall is configured with an HTTPS protocol, which allows data encryption with some of the most secure standards available on the market. In implementing the HTTPS protocol, the TLS 1.2 protocol is used, with ECDHE key exchange, RSA authentication, 256-bit AES encryption in Galois/Counter mode, and SHA384 hashing.
8.4. The only processing activity performed on the final Customer’s database by Easy4Cloud is backup. The backup activity is carried out directly on the server of the provider hosting the service referred to in point 8.1 and is fully automated. In particular, the database containing the final Customer’s data is subjected to a periodic backup procedure, in “snapshot” mode, with an interval of 12 hours. The backup is compressed and encrypted with 256-bit AES encryption. The processed file is then stored offsite on the provider’s backup infrastructure. Upon completion of the procedure, backups that are 0 to 120% older than 24 hours are automatically deleted. After 48 hours, all backups are unconditionally deleted. Upon contract expiration, all data, both backup and operational, are deleted.
Article 9 – Security Standards for EasyCall Platform Authentication Credentials
9.1. In accordance with the provisions of Reg. 679/2016, access to the EasyCall platform is granted exclusively to personnel designated by the final Customer who have authentication credentials. Authentication credentials consist of a public component and a private component (password). The password is chosen by the designated personnel who have exclusive possession of it. In the “Call Center Settings” section, authentication settings can be managed through 6 options:
- Allow the operator to change the password
- Only allow secure passwords
- Force password change at first login
- Password expiration every 6 months
- Request password upon returning from a break
- Inactivity limit for accounts
If the option “Only allow secure passwords” is selected, the password entry system checks that the password is at least eight characters long and contains at least two of the following characteristics: (i) contains at least one numeric character; (ii) contains at least one lowercase character; (iii) contains at least one numeric digit; (iv) contains at least one non-alphanumeric character. Additionally, the password cannot contain: a) the name of the designated personnel; b) the surname of the designated personnel; c) the email of the designated personnel; d) the identification code of the designated personnel; e) a sequence of 3 or more numerical characters in order (e.g., 123…); f) a sequence of 3 or more alphabetical characters in order (e.g., abc…); g) a sequence of 3 or more repeated characters (e.g., aaa…, 111…); h) a sequence of 3 or more characters in close proximity on the keyboard (e.g., qwerty…).
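One way to implement the secure-password check described in 9.1, as an added illustration that is not EasyCall’s own code: the list above states the numeric criterion twice, so this example checks the three distinct classes printed plus uppercase letters (an assumption), and it assumes a standard QWERTY layout for the keyboard-proximity rule, which the page does not specify.

```python
import re

# Keyboard rows for the "close proximity" rule (h). The layout is an assumption
# of this example; the page only gives "qwerty" as an illustration.
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")
DIGITS = "0123456789"
LETTERS = "abcdefghijklmnopqrstuvwxyz"


def _has_ordered_run(pw: str, alphabet: str, n: int = 3) -> bool:
    """True if pw (case-insensitively) contains n or more characters that are
    consecutive in `alphabet`, e.g. '123' in DIGITS or 'abc' in LETTERS."""
    low = pw.lower()
    return any(low[i:i + n] in alphabet for i in range(len(low) - n + 1))


def _has_repeated_run(pw: str, n: int = 3) -> bool:
    """True if any character appears n or more times in a row (rule g)."""
    return re.search(r"(.)\1{%d,}" % (n - 1), pw) is not None


def check_password(password: str, *, name: str, surname: str,
                   email: str, ident: str) -> list[str]:
    """Return the list of policy violations; an empty list means accepted.
    `name`, `surname`, `email` and `ident` are the designated person's data
    that rules (a)-(d) forbid inside the password."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    classes = {
        "digit": any(c.isdigit() for c in password),
        "lowercase": any(c.islower() for c in password),
        "uppercase": any(c.isupper() for c in password),  # assumption
        "non-alphanumeric": any(not c.isalnum() for c in password),
    }
    if sum(classes.values()) < 2:
        problems.append("fewer than two character classes")
    low = password.lower()
    for label, value in (("name", name), ("surname", surname),
                         ("email", email), ("identification code", ident)):
        if value and value.lower() in low:
            problems.append(f"contains the {label}")
    if _has_ordered_run(password, DIGITS):
        problems.append("3+ digits in sequence")
    if _has_ordered_run(password, LETTERS):
        problems.append("3+ letters in alphabetical sequence")
    if _has_repeated_run(password):
        problems.append("3+ repeated characters")
    # Adjacent keys in either direction along a row count as proximity.
    if any(_has_ordered_run(password, row) or _has_ordered_run(password, row[::-1])
           for row in KEYBOARD_ROWS):
        problems.append("3+ adjacent keyboard characters")
    return problems


if __name__ == "__main__":
    # Constructed sample operator data, not a real person.
    who = dict(name="Mario", surname="Rossi", email="m.rossi@example.com", ident="OP-17")
    for candidate in ("Tr0ub4dor&", "mariorossi1", "qwerty123"):
        print(candidate, "->", check_password(candidate, **who) or "accepted")
```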
9.2. The identification code, if used, cannot be assigned to other designated personnel, even at different times. Option number 4, “Password expiration every 6 months,” requires changing the personal password at least once every 6 months to continue accessing the service.
Option number 5, “Request password upon returning from a break,” requires re-entering the personal password upon returning from a break to prevent unauthorized access to the unattended workstation.
Option number 6, “Inactivity limit for accounts,” automatically deactivates credentials that have not been used for a configurable period.
9.3. System users are profiled to allow access exclusively to the data set relevant to their role within the organizational structure.
Article 10 – Personal Data Breach
10.1. If events occur that involve the breach of personal data or information managed by Easy4Cloud, the latter will immediately notify the Data Controller within 24 hours of discovery (if not simultaneous with the breach).
10.2. Easy4Cloud undertakes to maintain absolute confidentiality regarding the breaches that have occurred. In this regard, such information will not be disclosed in any form, including by making it available and/or consultable.
Article 11 – Duration of the Agreement
11.1. This Agreement is valid from the date of its signing and is considered valid for the entire period during which the service provided by Easy4Cloud is entrusted.
Article 12 – Governing Law and Jurisdiction
12.1. It is expressly agreed between the Parties that this Agreement shall be governed exclusively by Italian law.
12.2. In the event of a dispute between the Parties regarding the execution and/or interpretation of this Agreement, the Parties undertake to find an amicable solution to the dispute. If a solution is not reached within three (3) business days, the Parties will exchange observations and proposals regarding a possible solution to the dispute. If a solution is not reached within an additional six (6) business days, the issue will be brought to the attention of the Parties’ legal representatives or their delegates.
12.3. If the procedure described in the previous paragraph cannot be activated, any dispute regarding the validity, interpretation, execution, and termination of this Agreement will be subject to the exclusive jurisdiction of the courts of North Naples, except for contracts signed with consumers, for which the competent court is, in accordance with Legislative Decree 206/2005, the court of the consumer’s residence.