This is an addendum to, is incorporated into, and forms part of the End User License Agreement (the “Main Agreement”) between the customer and its affiliates (“Controller”) and Presago (“Processor”) (together, the “Parties”).
The Parties wish to amend the Main Agreement on the terms set out below in order to specify the data protection obligations of the Parties arising from the data processing that forms part of the Main Agreement. This Addendum applies to all activities related to the Main Agreement in which employees or agents of the Processor process personal data on behalf of the Controller.
Where Controller is subject to EU data protection laws, this Data Processor Addendum shall apply to the extent that Processor processes personal data on Controller’s behalf.
1. Definitions
1.1 The terms “process/processing”, “data subject”, “data processor”, “data controller”, “personal data”, “personal data breach”, and “data protection impact assessment” shall have the same meaning ascribed to them in Data Protection Laws;
1.2 “Addendum” means this Data Processing Addendum/DPA;
1.3 “Authorized Sub-processors” means (i) those Sub-processors set out in Annex 3 and (ii) any additional Sub-processors involved pursuant to sections 6 and 10;
1.4 “Data Protection Laws” means in relation to any Personal Data which is processed in the performance of the Main Agreement the (i) General Data Protection Regulation (EU) 2016/679 (“GDPR”); (ii) EU Directive 2002/58/EC on privacy and electronic communications, as transposed into domestic legislation of each Member State; (iii) any other applicable statutory provisions regarding data protection law; and (iv) any applicable decisions, guidelines, guidance notes and codes of practice issued from time to time by courts, supervisory authorities and other applicable government authorities;
1.5 “EEA” means the European Economic Area;
1.6 “Personal Data” means the personal data described in Annex 1 (Details of Processing of Personal Data) and any other personal data processed by the Processor on behalf of the Controller pursuant to or in connection with the Main Agreement;
1.7 “Services” means the services described in the Main Agreement;
1.8 “Sub-processor” means any data processor (including any affiliate of the Processor) appointed by the Processor to process Personal Data on behalf of the Controller;
1.9 “Supervisory Authority” means (i) an independent public authority which is established by a Member State pursuant to Article 51 GDPR; and (ii) any similar regulatory authority responsible for the enforcement of Data Protection Laws;
1.10 “Processor” means the Licensor under the Main Agreement.
1.11 In consideration of the mutual promises set out in this Addendum, the parties agree to amend the Main Agreement as set out below.
1.12 Except as set out in this Addendum, all other provisions of the Main Agreement remain in full force and effect.
2. Processing of the Personal Data
2.1 The subject matter, duration, scope and type of data processing and confidentiality arise from the Main Agreement. The purpose of the data processing is to enable the provision of the Services in accordance with the Main Agreement.
2.2 Each party shall at all times in relation to processing connected with the Main Agreement comply with Data Protection Laws.
2.3 The types of Personal Data and the categories of data subjects are set out in Annex 1 (Details of Processing of Personal Data) to this Addendum.
2.4 The processing and use of the Personal Data shall take place in the territory of Italy, in a member state of the European Union or in the EEA. Any transfer to a third country is governed by the provisions of this Addendum as well as the applicable statutory provisions.
3. Rights and Obligations of the Controller
3.1 The Controller is the controller within the meaning of Article 4(7) GDPR. The assessment of the lawfulness of the data processing is the sole responsibility of the Controller. In accordance with section 4.2, the Processor shall be entitled to inform the Controller of any data processing operations that, in its opinion, are unlawful.
3.2 The Controller must verify that the technical and organizational data security measures taken by the Processor are complied with before data processing begins and at regular intervals thereafter. The Controller shall be responsible for ensuring that these measures provide a level of protection appropriate to the risks associated with the data to be processed.
3.3 The Controller shall be entitled to issue instructions on the type, scope and procedure of data processing. All instructions shall be documented. The Processor shall be entitled to refuse the execution of an oral instruction until it has been confirmed in writing. The Controller will not instruct the Processor to process any Personal Data in a manner that would constitute a breach of the Data Protection Laws.
3.4 The persons authorized by the Controller to give instructions are the contacts listed at my.atlassian.com for the respective product identified by the SEN (Service Entitlement Number). Instructions are to be transmitted by opening a ticket on the Processor’s Customer Support portal at: https://presago.atlassian.net/servicedesk/customer/portals. In the event of changes to the persons authorized to issue instructions, or of the prolonged unavailability of such persons, the Controller shall notify the Processor accordingly in writing and without undue delay.
3.5 The Controller shall inform the Processor immediately if it detects errors or irregularities in an examination of the data processing.
3.6 The Controller warrants that it has all the necessary rights to provide the Personal Data to the Processor for the processing to be performed in relation to the Services. The Controller is also responsible for ensuring that any necessary data subject consent to this processing is obtained, and for ensuring that a record of such consents is maintained. Should consent be revoked by the data subject, the Controller is responsible for communicating the fact of such revocation to the Processor, and the Processor remains responsible for implementing any Controller instruction with respect to the further processing of that Personal Data in accordance with this Addendum and the Main Agreement.
4. General Obligations of the Processor
4.1 The Processor processes Personal Data exclusively within the scope of the Main Agreement and in compliance with documented instructions issued by the Controller. The purpose, type and scope of data processing shall be governed exclusively by this Addendum, the Main Agreement and/or the documented instructions of the Controller. The Processor shall be allowed to exercise its own discretion in the selection and use of such means as it considers necessary to pursue those purposes, subject to the requirements of this Addendum.
4.2 The Processor shall inform the Controller immediately if, in the Processor’s opinion, an instruction issued by the Controller violates Data Protection Laws. The Processor shall be entitled to suspend the execution of the corresponding instruction until it has been confirmed or changed by the responsible person of the Controller.
4.3 If the Services are made impossible or substantially impeded by an instruction of the Controller, or if the Controller requests the deletion of Personal Data before the end of the Main Agreement and the Processor is thereby prevented in whole or in part from the further provision of the Services, the Processor shall be released from its obligation to provide the Services to that extent. The Processor’s claim to the agreed remuneration shall remain unaffected.
4.4 If the Processor’s expenditure necessary for the provision of the Services increases due to an instruction of the Controller, the Processor may demand a corresponding adjustment of the agreed remuneration. The Processor shall inform the Controller of the additional costs prior to the execution of such instruction. The Controller shall be entitled to withdraw the instruction so that no additional costs are incurred.
4.5 Taking into account the state of the art, the implementation costs and the nature, scope, context and purposes of the processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Processor shall implement appropriate technical and organizational measures to ensure a level of data security appropriate to the risk and compliant with the legal requirements. With regard to the protection purposes of the data processed, the Controller has reviewed the measures set forth in Annex 2 before the conclusion of this Addendum and assessed them as sufficient.
4.6 The Processor shall comply with all applicable Data Protection Laws in the processing of the Controller’s Personal Data and shall not process the Controller’s Personal Data other than on the Controller’s documented instructions.
5. Processor Personnel
5.1 The Processor shall treat all Personal Data as strictly confidential and shall inform all its employees, agents, and/or Authorized Sub-processors engaged in processing the Personal Data of the confidential nature of such Personal Data.
5.2 The Processor shall take reasonable steps to ensure the reliability of any employee, agent and/or Authorized Sub-processor who may have access to the Personal Data, ensuring in each case that access is limited to those persons or parties who need to access the relevant Personal Data, as necessary for the purpose set out in section 2.1 above in the context of that person’s or party’s duties to the Processor.
5.3 The Processor shall ensure that all such persons or parties involved in the processing of Personal Data are subject to confidentiality undertakings or are under an appropriate statutory obligation of confidentiality.
5.4 The Processor warrants that it will familiarize its employees processing the Controller’s Personal Data with the Data Protection Laws.
6. Sub-processors
6.1 As at the date of conclusion of this Addendum, the companies listed in Annex 3 act as Sub-processors for partial services on behalf of the Processor and, in this context, may also have access to the Personal Data. The Controller hereby authorizes the Processor to engage these Sub-processors.
6.2 The Controller agrees that the Processor may engage additional Sub-processors and generally authorizes the engagement of Sub-processors in connection with the provision of the Services. The Processor will enter into an agreement with each Sub-processor containing obligations equivalent to those applicable to the Processor under this Addendum. The Processor shall inform the Controller at least 30 days before a new Sub-processor is engaged. The Controller shall be entitled to object to the engagement of the new Sub-processor until the end of this period, provided that there is an important data protection reason for the objection. If no objection is raised, consent to the engagement of the Sub-processor shall be deemed to have been given. In the event of an objection, the Processor retains the right to terminate the Main Agreement with the Controller.
6.3 If the Processor engages Sub-processors with the Controller’s consent, the Processor shall impose its obligations under this Addendum on the Sub-processor, in particular the confidentiality, data protection and security requirements. The Processor undertakes to bind the Sub-processors to secrecy and confidentiality with regard to the Personal Data.
6.4 The Controller agrees that, where the Processor engages a Sub-processor for the provision of the Services and this involves a transfer of personal data within the meaning of Chapter V of the GDPR, the Processor and the Sub-processor may ensure compliance with Chapter V of the GDPR, for example by using the EU standard contractual clauses (“SCCs”).
7. Data Subject rights
7.1 If and to the extent the Controller is obliged to provide a data subject with information on the collection, processing or use of its personal data pursuant to Data Protection Laws, the Processor shall support the Controller in providing this information. This presupposes a written request by the Controller, and if additional costs are incurred by the Processor, the Controller shall reimburse the Processor for the costs incurred by this support.
7.2 If a data subject turns to the Processor with claims for information, correction, deletion or blocking of its personal data, the Processor shall refer the data subject to the Controller.
8. Deletion or return of Controller Personal Data
8.1 The Processor corrects, deletes or blocks the Personal Data if so instructed by the Controller. The destruction of data carriers and other materials in accordance with Data Protection Laws shall be undertaken by the Processor on the basis of an individual order by the Controller unless already agreed in the Main Agreement.
8.2 Personal Data, data carriers and all other materials shall either be surrendered or deleted at the Controller’s request at the end of this Addendum. This does not apply to Personal Data and other materials for which statutory provisions or contractual agreements between the Parties require retention or to documentation which serves as proof for the Processor's compliance with the contractual agreements between the Parties and Data Protection Laws. If additional costs are incurred by the Processor as a result of deviating specifications for the surrender or deletion, these shall be borne by the Controller.
8.3 Irrespective of other provisions on deletion, the Personal Data in the backup systems and files will be deleted in accordance with the regular deletion cycle of these backups.
9. Audit rights
9.1 The Processor shall make available to the Controller on request all information necessary to demonstrate compliance with this Addendum and Data Protection Laws.
9.2 The Processor shall allow for and contribute to audits by the Controller or an auditor mandated by the Controller in relation to the processing of the Controller’s Personal Data by the Processor and its Authorized Sub-processors. Any audit by the Controller shall only take place in coordination with the Processor.
9.3 The audit may only be performed by a person who is under a special obligation towards the Processor as well as the Controller to maintain secrecy, in particular with regard to information about the Processor’s operations, its equipment, the Processor’s business secrets and security measures. If the audit is not carried out by a person whose compliance with this requirement is already known to the Processor, this person must provide written evidence of this authorization at least 7 working days before the audit is to be carried out.
9.4 The audit shall be conducted during regular business hours, subject to the Processor’s policies and may not unreasonably interfere with the Processor’s business activities. The Processor may charge the costs of such audits or inspections to the Controller.
9.5 The audit, any audit materials and the audit report shall be confidential, and the Controller will share a copy of the audit report with the Processor.
9.6 The Controller may not conduct an audit more than once in any calendar year unless there has been a personal data breach or a request by a Supervisory Authority.
9.7 Other contractual or statutory control rights of the Controller shall remain unaffected.
10. International transfers of Personal Data
10.1 The Controller agrees that the Processor may transfer Personal Data processed under this DPA outside the European Economic Area (EEA) as necessary to provide the Services. As at the date of this Addendum, the Controller hereby authorizes the Processor to engage those sub-processors set out in Annex 3.
10.2 The Processor shall not process the Personal Data nor permit any Authorized Sub-processor to process the Personal Data in a country outside of the EEA without an adequate level of protection and compliance with Data Protection Laws.
10.3 If personal data processed under this Addendum is transferred from a country within the EEA to a country outside the EEA, the Parties shall ensure that the personal data are adequately protected. To achieve this, the Parties shall, unless agreed otherwise, rely on EU-approved standard contractual clauses for the transfer of personal data.
11. Liability
11.1 The Processor shall be liable in accordance with the statutory provisions of Art. 82 GDPR.
12. Costs
12.1 Each Party bears its own costs in meeting the Controller’s requests made under this Addendum.
13. Term and termination
13.1 The term and periods of notice correspond to the Main Agreement.
13.2 Upon termination of the Main Agreement, this Addendum shall terminate automatically without the need for separate notice. The obligations arising from this Addendum shall, in any case, also apply after termination of the Main Agreement until complete destruction or return of all Personal Data by the Processor.
13.3 Upon termination of this Addendum in accordance with this section 13, the Processor’s activities on behalf of the Controller shall end.
14. Data breaches
14.1 The Processor shall assist the Controller in complying with the obligations concerning the security of personal data, the reporting of personal data breaches, data protection impact assessments and prior consultations referred to in Articles 32 to 36 of the GDPR, including:
(i) ensuring adequate protection standards through technical and organizational measures, taking into account the type, circumstances and purposes of the processing, the likelihood of personal data breaches and the severity of the risk to natural persons that may result from them;
(ii) ensuring the immediate detection of personal data breaches;
(iii) reporting personal data breaches to the Controller without undue delay;
(iv) assisting the Controller in answering data subjects’ requests or the exercise of their rights.
15. Final provisions
15.1 With regard to the subject matter of this Addendum, in the event of any conflict or inconsistency between any provision of the Main Agreement and any provision of this Addendum, the provision of this Addendum shall prevail.
15.2 Should individual parts of this Addendum be invalid, this shall not affect the validity of the remainder of this Addendum.
15.3 Italian law shall apply to the exclusion of its conflict of laws provisions.
15.4 The exclusive place of jurisdiction for all disputes arising from or in connection with this Addendum shall be the registered office of the Processor.
15.5 The Annexes are an integral part of this Addendum:
Annex 1 – Types of Personal Data and categories of data subjects
Annex 2 – Technical and organizational measures
Annex 3 – Authorized Sub-processors
Annex 1 – Types of Personal Data and categories of data subjects
The types of Personal Data to be processed:
The Controller may submit personal data to the Services, the extent of which is determined and controlled by the Controller in its sole discretion, and which may include, but is not limited to the following categories of personal data:
Key personal data
Contact and communication data (e.g. company, email, phone, physical home address, physical business address)
Session data (e.g. IP address, date and time of requests)
Data provided by the user when using the Processor’s apps, such as company details, personal data of key officers and employees, and any other personal data submitted by the user.
The categories of data subjects to whom the Personal Data relates:
The Controller may submit Personal Data to the Services, the extent of which is determined and controlled by the Controller in its sole discretion, and which may include, but is not limited to Personal Data relating to the following categories of data subjects:
Annex 2 – Technical and organizational measures
The Processor shall implement appropriate technical and organizational measures to protect against the unauthorized or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. These measures are to be maintained and reviewed regularly by the Processor as necessary to keep such measures up-to-date, efficient, and appropriate with respect to the sensitivity of the Personal Data of all customers.
The technical measures adopted by the Processor can be found on the Processor’s Security Statement page. The Processor is committed to continuously updating the Security Statement to reflect the technical measures adopted, in order to maintain or raise the data protection standards.