DPA – Data Processor Appointment
This agreement for the appointment as Data Processor is an integral and substantial part of the contract between movingWords Srl and the Customer.
Last updated: 17 February 2026
Introduction
This agreement for the appointment as Data Processor is an integral and substantial part of the contract (hereinafter referred to as the Contract), entered into between movingWords Srl (hereinafter the Company) and the Customer, which defines the terms and conditions applicable to the services offered by movingWords Srl through the AnyLetters platform (the "Services").
With reference to data processing, in case of discrepancy between this document and the Contract, this agreement shall prevail.
1. GENERAL PRINCIPLES
Within the scope of services provided to the Customer, the Company is required to perform personal data processing operations on behalf of the Customer. These processing operations are carried out for the entire duration of the contractual relationship between the parties.
The Company commits to managing the Processing of Personal Data in full and exclusive compliance with the instructions regularly issued by the Customer, including in the case of transfer of Personal Data to a third country or international organization, and to ensure the security and confidentiality of processing in accordance with the principles, requirements and provisions of Art. 28 of Regulation EU 2016/679.
The Customer has previously assessed that the Company possesses the requirements of experience, capacity and reliability required by Regulation EU 2016/679, also based on the guarantees provided by the latter.
The Company shall be required to promptly communicate to the Customer any supervening situations that, due to changes in acquired knowledge, based on technical progress or for any other reason, may affect its suitability for performing the assignment.
2. DURATION
This appointment as data processor shall have the same duration established by the contract(s) entered into by the Customer.
3. SUBJECT MATTER AND TYPE OF DATA PROCESSED
The type of Personal Data and categories of data subjects are determined and controlled at the sole discretion of the Customer, based on the services covered by the Contract and the personal data shared or processed by the Company for the execution of the Service and of which the Customer is the Controller.
4. NATURE AND PURPOSE OF PROCESSING
The Company, in executing the assignment entrusted to it, shall perform Personal Data processing operations on behalf of the Customer solely for the provision of the Services covered by the Contract, which for the purposes of this article must be understood as documentation containing data processing instructions.
5. PROCESSOR ACTIVITIES
In order to ensure correct and effective processing of Personal Data, the Company commits to:
- prepare the processing register containing the categories of Personal Data processed, data subjects, purposes and methods of Personal Data processing, where required;
- identify and appoint any processing officers and provide them with detailed operational instructions as well as supervise compliance with the instructions given;
- promptly fulfill information requests from the Supervisory Authority and cooperate in implementing any of its prescriptions;
- comply with the indications and prescriptions of EU Regulation no. 679/2016;
- as far as possible, assist and cooperate with the Customer and ensure compliance with its obligations in accordance with current regulations in this sector, and in particular contribute to ensuring the security of Personal Data, respect its obligations in case of security vulnerabilities, to facilitate the implementation of all necessary measures before processing, such as carrying out an impact analysis;
- inform, without undue delay, the Customer of any violations of which it becomes aware, even if it is an instruction received from the Customer that constitutes a violation of applicable law;
- not carry out on its own initiative any processing operation other than the instructions received, except for express legal provisions that legitimize the exception or the occurrence of supervening, unforeseeable circumstances, or force majeure, which in any case do not eliminate the obligation of prompt communication to the Customer;
- monitor each related application phase in compliance with current regulations on Personal Data protection.
6. PROCESSING METHODS AND SECURITY
The Company, in relation to risk assessment, nature, object, context and purpose of processing, undertakes to set up, organize and maintain a data processing system that complies with the provisions of EU Regulation 2016/679, in particular to implement all technical and organizational measures necessary to ensure an adequate level of security of processed data including:
- physical security measures: aimed at preventing access by unauthorized persons to the Infrastructures within which Customer data is stored;
- identity and access controls: using an authentication system, as well as a password management policy;
- access management system: that limits entry to facilities to those for whom it is essential in carrying out their tasks and within their responsibilities;
- containment system: that depending on services physically or logically isolates customers from each other;
- authentication procedures: for user and administrator, as well as to protect access to administrator functions;
- an access management system: for support and maintenance activities that operates on the principles of least privilege and need to communicate;
- procedures and measures: to track actions performed on its computer system.
The Company commits to making available to the Customer all information and documentation necessary to demonstrate compliance with the obligations provided for in this act and instructions given.
The Company authorizes the Customer or any other appointee to inspect and control Personal Data processing activities and commits to accepting all reasonable requests from the Customer in order to verify that the Company has complied with the contractual obligations imposed by this act.
In all cases, the Customer must notify the Company with a minimum notice of 15 days and the inspection must not in any way disturb its activity and will be limited exclusively to Personal Data processing activities by the Company.
The Customer will monitor data processing activities by the Company. For this purpose, at the Customer's request, the Company must send a report concerning data processing by the Company and also containing the following elements:
- changes to implemented security measures;
- management of data subject requests and any anomalies found;
- inspections or requests for clarification from Authorities towards the Company.
7. APPOINTMENT OF SUB-PROCESSORS
The Company is authorized to use or delegate one or more Sub-Processors who will have access to and process Personal Data entrusted by the Customer in connection with the performance of the activity.
The Company guarantees that all appointed Sub-Processors must offer sufficient guarantees in relation to the requirements imposed by EU Regulation 2016/679.
Sub-Processors will act in compliance with the provisions of EU Regulation 2016/679 and the instructions given by the Customer. It is understood that the Company will always be responsible to the Customer for non-compliance or violations caused by the activity of Sub-Processors.
The Company also guarantees that the Sub-Processor possesses the requirements provided for by EU Regulation 2016/679 and any replacements or additions to its figure must be promptly communicated in writing to the Customer, who will have the broadest right to contest and oppose the presented changes.
The Company commits to sending the updated list of Sub-Processors upon Customer request.
8. DATA RETENTION PERIOD
The Company will process Personal Data only for the time necessary to fulfill the Processing purposes related to the relationship between the parties, committing to their deletion and any copies at the end of the service.
Upon expiration of the Contract or a single Service (particularly in case of termination or non-renewal), the Company commits to deleting, according to the conditions provided for in the Contract, all information (data, files, systems, applications, websites and other material) that is reproduced, stored, hosted or otherwise used by the Customer for the purposes of the Services, except in the presence of a request issued by a competent judicial authority, or when the applicable legislation of the European Union and an EU Member State provides otherwise.
The Customer is solely responsible for data processing through the use of the Service (backup, etc.). With reference to the termination of Services, for any reason (including, but not limited to, non-renewal), the Customer is aware that the Company will automatically and irreversibly delete from its computer systems all information (including information, data, files, systems, applications, websites and other material) that is reproduced, stored, hosted or otherwise used by the Customer.
The possibility of data retention is reserved in the presence of legal provisions or orders from an authority that provide for retention obligations for extended periods.
9. COOPERATION WITH THE SUPERVISORY AUTHORITY AND SHARED SECURITY MEASURES
The parties commit to cooperating with the Supervisory Authority in the execution of their tasks if requested, in addition to having the obligation to notify, without undue delay, any data breaches and ensure that anyone acting under their authority with access to Personal Data cannot carry out processing unless instructed to do so except in cases where legal provisions provide otherwise.
10. CUSTOMER OBLIGATIONS
If the Customer operates as a Processor on behalf of third-party controllers, it guarantees the Company the following:
- to have received the necessary authorizations from the third party (controller);
- to have informed the third party that the Company has been appointed as sub-processor;
- an agreement fully consistent with the terms and conditions of this DPA and the Contract has been signed with the third party;
- all information communicated or made available by the Company, in compliance with this DPA, is duly communicated to the third party.
The Customer is responsible for ensuring the following:
a) the processing of personal data, within the execution of the Contract, has an appropriate legal basis (e.g. data subject consent, legitimate interests, etc.);
b) data subjects are informed of the processing of their personal data in a concise, transparent, understandable and easily accessible manner, using clear and simple language as required by GDPR;
c) data subjects are informed and have at any time the possibility to easily exercise their data rights, as required by GDPR.
The Customer is responsible for adopting appropriate technical and organizational measures to ensure the security of resources, systems, applications and operations not under the Company's responsibility.
In particular, the Customer declares to be aware that access to the service is guaranteed upon authentication with their own credentials.
Credentials are strictly personal and cannot be transferred to third parties. Maintaining the confidentiality of credentials is the exclusive responsibility of the customer, who will be solely responsible for any activity carried out through their use.
All operations carried out through the use of credentials result in the automatic attribution to the Customer of the operations conducted. Therefore, the Customer acknowledges and accepts that the Company may use any information obtainable from its computer systems to monitor access to the Services to prove operations carried out by the Customer.
11. LIABILITY
The Company may be held liable only for damages caused by processing when:
(I) it has not complied with GDPR obligations specifically related to Processors.
(II) it has acted against validly written instructions from the Customer.
In such cases, what is provided for in the Contract regarding the Company's liability will apply.
If the Company and the Customer are involved in a procedure under this Contract that causes damage to a data subject, the Customer will initially bear the entire compensation (or other compensation) due to said data subject and, secondarily, will recover from the Company the part of compensation corresponding to the Company's liability, provided that a limitation of liability provided for in the Contract is not applicable.