Data Processing Agreement
1. Premise
This document, annexed and integral part of the license agreement for the “Tech Away” program, is considered transcribed at the bottom of the same and, therefore, all definitions and clauses are deemed to be known by all parties of the Agreement.
2. Agreements
In compliance with the provisions of EU Regulation 2016/679 regarding personal data protection (hereinafter also referred to as “GDPR”), it is communicated that, concerning personal data processing activities related to the use of the Program, such activities are carried out by Cosmobile on behalf of the Client, as the data controller, and therefore Cosmobile assumes the role of data processor.
It is particularly noted that the use of the Program may involve the processing of personal data described in this document.
By signing the Agreement, Cosmobile is appointed as the data processor in light of the sufficient guarantees provided to implement appropriate technical and organizational measures so that the processing meets the requirements of GDPR and ensures the protection of the fundamental and inviolable rights and freedoms of data subjects.
The Parties agree to hold each other harmless and indemnified from any damage, burden, cost, expense, and/or third-party claims arising from violations of current data protection regulations attributable to each Party, namely the Client as data controller, on one hand, and Cosmobile as data processor, on the other hand, including in relation to the activities of personal data processing carried out by any additional authorized processors (sub-processors).
Pursuant to Article 30(2)(a) of GDPR, the contact details of the data controller to be indicated in the processing activities register are those already provided by the Client at the time of registration and activation of the trial period or Subscription; if the Client has appointed a Data Protection Officer (DPO), they must communicate the name and contact details to Cosmobile within 5 (five) days of signing the Agreement.
The data controller undertakes to promptly notify any changes or modifications to their contact details and those of the Data Protection Officer, in a traceable manner.
3. Treatments
3.1. Nature and Purpose of Processing
Personal data will be processed solely for the proper use of the Program.
Specifically, the purpose of processing is to: collect and store for contractual, commercial, and/or fiscal purposes; process and communicate for contractual, commercial, fiscal, and contact purposes; collect, store, and profile for statistical purposes.
3.2. Processing Methods
Processing will be carried out in an automated, semi-automated, and manual form, exclusively in electronic format.
3.3. Categories of Data Subjects
The personal data processed may concern the Client, their legal representatives, employees, collaborators, suppliers, customers, and potential customers, as well as contacts previously collected directly by the Client.
3.4. Types of Personal Data
The processing performed by Cosmobile on behalf of the Client concerns only common personal data (name, surname, tax code, bank details, salary data, etc.). Cosmobile assumes no responsibility for any processing – unauthorized or not provided for in this Agreement – of data belonging to the special categories referred to in Articles 9 and 10 of GDPR.
3.5. Duration of Processing
This Agreement has the same duration and effectiveness as the Contract; therefore, upon termination of the Contract, this document will also cease to be valid, provided that, even after the end of the Contract, Cosmobile guarantees the utmost confidentiality regarding personal data and information acquired during the Contract.
If the Client obtains a new license for the use of the Program without interruption, this Agreement will be considered extended, and personal data processing will continue unchanged.
At the natural expiration of the Agreement, unless extended, Cosmobile will retain personal data for a period of 60 (sixty) days, after which it will proceed with secure destruction; personal data may be retained beyond this term upon explicit request from the Client or where required by law, a judicial authority request, or another valid reason justifying further retention.
4. Obligations of Cosmobile
4.1. General Obligations
As the data processor, Cosmobile undertakes to:
- Process the personal data communicated or made available by the Client, or otherwise acquired during the performance of the Contract solely for the provision and use of the Program;
- Process personal data only based on the documented instructions provided by the Client, including in the event of transferring personal data to entities established in countries outside the European Union, which may only be carried out with the Client’s authorization and based on the relevant instructions, adopting appropriate safeguards according to current European and national regulations and the Client’s instructions, maintaining adequate documentation to be provided if requested;
- Not disclose or make personal data acquired through the use of the Program known to third parties and take necessary measures to ensure maximum confidentiality of the acquired data;
- Implement appropriate and necessary measures to ensure the highest level of security, according to Article 32 of GDPR, for the data processed as a result of using the Program, as detailed in section 4.2;
- Identify individuals authorized to process personal data, including system administrators, who operate under Cosmobile’s authority, and adopt measures to (i) ensure that such individuals undertake appropriate confidentiality obligations regarding the processed personal data, (ii) provide them with adequate and documented instructions on compliance with data security measures, and (iii) monitor the compliance of authorized individuals with the instructions given for data processing and current data protection regulations;
- Adopt all required measures in the data protection authority’s provisions regarding system administrators until their eventual modification, replacement, and repeal, as detailed in section 4.3;
- Ensure, in relation to the use of the Program, proper compliance with GDPR provisions, according to the methods, procedures, and forms indicated by the Client;
- Assist the Client with adequate technical and organizational measures, to the extent possible, in fulfilling the Client’s obligation to respond to requests for the exercise of data subjects’ rights under Chapter III of GDPR;
- Assist the Client in ensuring compliance, to the extent of Cosmobile’s competence, with obligations regarding data security, impact assessments on data protection, and possible prior consultations, according to Articles 32, 35, and 36 of GDPR, considering the nature of the processing and the information available to Cosmobile, as well as the documented instructions given by the Client in relation to fulfilling these obligations;
- Assist the Client in ensuring compliance, to the extent of Cosmobile’s competence, with obligations to notify the authority of any personal data breaches and, if necessary, communicate them to data subjects, according to Articles 33 and 34 of GDPR, as detailed in section 4.4;
- Promptly inform the Client if receiving requests for information or documents, inspections, or audits from the data protection authority, as the competent control authority, or other judicial or law enforcement authorities, concerning personal data processing related to the use of the Program, and collaborate with the Client in preparing the related responses, acts, documents, or communications;
- Delete or return to the Client, at the Client’s request, all personal data after the license period for the Program has ended and delete any existing copies, unless European or national regulations or the Contract provide for data retention by Cosmobile;
- Provide the Client with all necessary information to demonstrate compliance with the obligations under this document and the applicable data protection regulations;
- Allow and contribute to verification and inspection activities by the Client or their appointed representatives, even on-site (at the locations where processing takes place), following reasonable notice and during normal working hours, without interrupting ongoing work activities.
Regarding the processing of personal data related to the use of the Program, Cosmobile is also authorized, from now on, to use additional data processors (sub-processors), whose complete list will be made available to the Client upon request.
This list will be periodically updated by the data processor, who will notify any changes, particularly regarding additions and/or replacements, within 30 (thirty) days of the change.
The Client will have the right to object to changes (addition and/or replacement of one or more sub-processors) by sending a written notice via registered mail with return receipt to Cosmobile’s legal address or certified email to Cosmobile’s digital address, within 15 (fifteen) days from the date of notification of the change. It is understood that if this term expires without a response, the updated list will be considered definitively accepted and approved by the Client, even if the sub-processors have been removed and reintroduced in the future.
Cosmobile declares and guarantees that sub-processors provide sufficient guarantees to implement technical and organizational measures to ensure compliance with GDPR provisions and undertakes, within the contracts and agreements with sub-processors, to:
- Assume responsibility towards the Client for the sub-processors’ compliance with the aforementioned obligations;
- Bind them to comply with the same personal data protection obligations assumed by Cosmobile towards the Client, where applicable and relevant to the activities entrusted to them;
- Keep a copy of the contracts, agreements, or documents governing personal data protection obligations signed by sub-processors and provide a copy to the Client upon request.
4.2. Security of Processing
Considering the state of the art and implementation costs, the nature, scope, context, and purposes of processing, as well as the risk of varying probability and severity for the rights and freedoms of individuals, and the confidentiality, integrity, and availability of data, Cosmobile defines and implements technical and organizational measures to ensure an adequate level of security for personal data processed, which may include, if applicable and at the discretion of the data controller:
- A procedure to regularly test, verify, and evaluate the effectiveness of the technical and organizational measures defined and implemented, in order to ensure the security of processing.
In assessing the adequate level of security, special consideration is given to risks presented by the processing, which include destruction, loss, alteration, unauthorized disclosure, or accidental or unlawful access to personal data transmitted, stored, or otherwise processed.
According to Articles 40 and 42 of the Regulation, adherence to a code of conduct or certification mechanism can be utilized as evidence of compliance with the GDPR provisions.
The data controller also guarantees that anyone acting under their authority and having access to personal data does not process such data unless instructed to do so, unless required by EU or Member State law.
Regarding technical and organizational measures, Cosmobile commits to providing the list and documentation proving the adoption of such measures upon explicit request by the Client.
4.3. System Administrators
The data controller identifies and appoints system administrators in writing, considering the tasks performed, their skills, and professional profiles, as well as after careful evaluation of their subjective characteristics.
Cosmobile will maintain and update a list of system administrators at least annually and/or whenever necessary (e.g., due to organizational changes).
All accesses by system administrators must be tracked using appropriate logs (access logs), recorded, and retained according to regulatory requirements, taking into account completeness, immutability, and the ability to verify their integrity.
4.4. Data Breach
The data controller commits to informing the Client promptly and no later than 48 hours from the moment they become aware of any personal data security breach, providing necessary assistance to the Client for compliance with notification requirements to the supervisory authority within 72 hours and, if necessary, to the data subjects.
5. Client’s Obligations
5.1. General Obligations
The Client, under this agreement, commits to actively collaborating with the data controller to ensure proper compliance with personal data protection obligations.
In particular, the Client commits to:
- Provide written instructions, within 7 days of signing the contract, necessary for processing personal data in accordance with applicable data protection laws, including any transfers of personal data to entities outside the European Union;
- Not obstruct the activities carried out by the data controller, respecting the contractual autonomy granted and in compliance with applicable regulations;
- Indemnify and hold Cosmobile harmless from any charges, actions, disputes, damages, or consequences arising from compliance with the provided instructions;
- Reimburse Cosmobile for any additional costs incurred as a result of the instructions provided and compliance with GDPR provisions and Client requests;
- Indemnify Cosmobile from adopting any measures—and the associated responsibilities for failure to adopt—required by current regulations and/or requested by the Client, if the Client does not provide the estimated cost for adjustments within 7 days of notification;
- Ensure that personal data has been collected and processed in compliance with one or more legal bases, potentially including explicit consent from data subjects.
The Client acknowledges that, in the absence of specific and documented instructions, Cosmobile will process personal data in accordance with current laws and principles established by Regulation (EU) 2016/679, confirming the data controller’s actions, including any transfers of personal data outside the European Union.
In particular, unless otherwise indicated by the Parties, the technical and organizational choices, as well as the security measures adopted by the data processor and communicated at the time of signing the Contract, will be considered full compliance with the instructions provided by the Client, unless proven otherwise, for which the Client will bear the burden of proof.