Claresia Data Processing Agreement (DPA)

DRAFT v1.0 — 2026-04-27 — Pending Italian outside-counsel legal review. Not executable until promoted to v1.1 RELEASED.
Version: 1.0 — DRAFT 2026-04-27
Governing instrument: Master Subscription Agreement ("MSA") between Customer and Claresia S.r.l.
Document language: English. An Italian convenience translation is available; the English version controls in case of conflict, except where Article 17 elects Italian law.

This Data Processing Agreement ("DPA") forms an integral part of the MSA and governs the Processing of Personal Data by Claresia S.r.l. ("Claresia", "Processor") on behalf of the Customer ("Controller") in connection with Customer's use of the Claresia Agent Operations Platform (the "Service"). It is drafted to comply with Regulation (EU) 2016/679 ("GDPR"), Italian Legislative Decree 196/2003 as amended by Legislative Decree 101/2018 ("Codice della Privacy"), the binding provvedimenti of the Garante per la Protezione dei Dati Personali ("Garante"), Directive (EU) 2022/2555 transposed in Italy by D.Lgs. 138/2024 ("NIS2"), and the Schrems II ruling of the Court of Justice of the European Union (Case C-311/18).


Article 1 — Definitions

Capitalised terms not defined in this DPA take their meaning from the GDPR. For clarity:

Article 2 — Scope and Duration

This DPA applies to all Processing of Personal Data carried out by Claresia in providing the Service to Customer. It enters into force on the Effective Date of the MSA and remains in force until termination of the MSA and completion of the data return / deletion obligations in Article 14.

Article 3 — Roles and Responsibilities

Customer is the Controller of Customer Data. Claresia is the Processor and acts only on documented instructions from Customer. Where Claresia engages Sub-processors to perform specific Processing activities, those Sub-processors act as sub-processors of Claresia and the Customer.

Customer warrants it has obtained all necessary consents and notifications from Data Subjects and that its instructions to Claresia comply with applicable law. Claresia shall inform Customer if, in its opinion, an instruction infringes the GDPR or other applicable data-protection law.

Article 4 — Categories of Data Subjects and Personal Data

Categories of Data Subjects: Customer's employees, contractors, partners, and other Authorised Users; end users to whom Customer's services are provided; individuals referenced in business records ingested into the Service.

Categories of Personal Data: identification data (name, email, employee ID, organisational role, manager hierarchy); professional data (skills, certifications, work outputs); communication metadata (timestamps, channels, device fingerprints to the extent strictly necessary for security); content of business artefacts ingested or generated through the Service. Claresia does not Process Special Categories of Personal Data (Article 9 GDPR) by design; Customer warrants it will not submit Special Categories without prior written agreement establishing additional safeguards.

Article 5 — Processing Instructions

Claresia Processes Personal Data only as necessary to (a) provide the Service per the MSA, (b) comply with Customer's documented instructions including those set out in this DPA and the Onboarding Portal configuration, (c) comply with applicable law (with prior notice to Customer where lawful). Customer's MSA, this DPA, and the configurations Customer makes through the Service constitute the complete documented instructions.

Article 6 — Confidentiality

Claresia ensures that all personnel authorised to Process Personal Data are bound by appropriate written confidentiality obligations or are under a statutory duty of confidentiality. Access to Personal Data is granted on a strict need-to-know basis and is logged in the Claresia governance audit chain (see SCUDO framework, Pillar C — Catena di custodia).

Article 7 — Security of Processing

Claresia implements and maintains appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of Processing. The full inventory is set out in Annex II. In summary:

Article 8 — Sub-processing

Customer authorises Claresia to engage the Sub-processors listed at https://claresia-trust.netlify.app/sub-processors. Claresia maintains the list current with the deployment status (active / planned), data categories Processed, processing region, and applicable data-protection agreement.

Claresia provides Customer with thirty (30) days' prior written notice of any intended additions or replacements to the Sub-processor list. Customer may object in writing within that period on reasonable, documented data-protection grounds; if no resolution is reached, Customer may terminate the affected portion of the Service without penalty.

Claresia imposes on each Sub-processor data-protection obligations no less protective than those in this DPA and remains fully liable to Customer for the performance of each Sub-processor.

Article 9 — Data Subject Rights

Customer is responsible for responding to Data Subject requests under Articles 12-23 GDPR. Claresia shall, taking into account the nature of the Processing, assist Customer by appropriate technical and organisational measures, insofar as possible, to fulfil Customer's obligation to respond. Claresia provides self-service Data Subject request tooling in the Command Center for export, rectification, and erasure of Personal Data tied to a single Data Subject.

Article 10 — Data Protection Impact Assessment and Prior Consultation

Claresia provides Customer with all reasonably available information necessary for Customer to carry out a Data Protection Impact Assessment under Article 35 GDPR and, where applicable, a prior consultation under Article 36 GDPR. The Claresia EU AI Act Annex IV technical documentation (auto-generated per tenant under SCUDO Pillar U — Uso conforme) constitutes one such input.

Article 11 — Personal Data Breach Notification

Claresia shall notify Customer without undue delay and in any event within seventy-two (72) hours of becoming aware of a Personal Data Breach affecting Customer Data. The notification shall describe (a) the nature of the breach, including the categories and approximate number of Data Subjects and records concerned, (b) the likely consequences of the breach, (c) the measures taken or proposed to address the breach and mitigate adverse effects, and (d) the name and contact details of Claresia's Data Protection Officer (DPO).

Where Italian or other Member State law requires direct notification of supervisory authorities (Garante under Article 33 GDPR and Article 34 NIS2), Customer remains responsible for that notification; Claresia shall cooperate as required and shall, upon Customer's request, provide a draft notification narrative.

Article 12 — Cross-Border Transfers

Default Processing region is the European Economic Area, with Italy (eu-south-1 Milano) as the primary region for Italian Customers. Where Personal Data is transferred to a third country outside the EEA without an adequacy decision under Article 45 GDPR, Claresia and Customer rely on the Standard Contractual Clauses, incorporated by reference into this DPA as follows:

Claresia conducts and documents a Transfer Impact Assessment ("TIA") for every third-country Sub-processor and applies supplementary technical measures (including pseudonymisation, encryption with keys held in the EEA, and per-tenant gateway egress restrictions under SCUDO Pillar D — Dati controllati). Claresia aligns its third-country transfer posture with the Garante's interpretation of Schrems II and the Italian Codice della Privacy.

Article 13 — Audit Rights

Claresia makes available to Customer the most recent SOC 2 Type 2 report, ISO 27001:2022 certificate, ISO 42001:2023 certificate (when issued), and Annex II Technical and Organisational Measures. Customer accepts these reports as sufficient evidence of compliance for routine audit purposes.

Where Customer's regulator or applicable law requires a specific on-site or remote audit beyond the standard reports, Customer shall provide Claresia with sixty (60) days' written notice. The audit shall occur during business hours, shall not unreasonably interfere with Claresia operations, and shall be subject to confidentiality.

Article 14 — Return and Deletion of Personal Data

Upon termination or expiration of the MSA, Claresia shall, at Customer's choice, return all Customer Data to Customer or delete all Customer Data within thirty (30) days, except to the extent applicable law requires retention. A Certificate of Destruction shall be issued upon Customer's request. Backup copies are erased on the rolling backup-rotation schedule documented in Annex II §5 (no longer than ninety (90) days).

Article 15 — Liability and Indemnification

The aggregate liability of each Party under this DPA is governed by, and subject to, the limitations of liability set out in the MSA. Nothing in this DPA limits liability that cannot be excluded under applicable law.

Article 16 — Italian-Specific Addendum

The following provisions apply to Italian Customers and to Processing that triggers Italian regulatory obligations.

16.1 Statuto dei Lavoratori (Law 300/1970), Article 4 — Employee Monitoring

Claresia acknowledges that the Service includes per-employee skill telemetry (cc-064 Telemetry Pipeline) which constitutes indirect monitoring of workers under Italian law. Customer represents and warrants that, prior to deploying the Service to Italian-based employees, it has either (a) entered into a written agreement with the Rappresentanze Sindacali Unitarie (RSU) or Rappresentanze Sindacali Aziendali (RSA), or (b) obtained authorisation from the Ispettorato Territoriale del Lavoro. Claresia provides a "Telemetry Suppression" mode toggle in the Command Center under which per-employee data is hashed and aggregated to cohort metrics; Customer may enable this mode at any time at no additional cost.

16.2 Garante Provvedimenti

Claresia commits to monitor and align its processing posture with binding provvedimenti of the Garante, including but not limited to: provvedimento n. 232/2024 (employee monitoring in workplace AI systems), the 2023 ChatGPT ruling and subsequent guidance, the 2024 biometric AI rulings, and the cookie-consent provvedimento. Material updates are reflected in this DPA with thirty (30) days' notice.

16.3 Italian Data Protection Officer (DPO) Contact

Claresia's DPO can be reached at dpo@claresia.com and at the registered office of Claresia S.r.l. in Milan, Italy.

16.4 Italian Jurisdiction

Where Italian law is elected under Article 17, the courts of Milan (Tribunale Ordinario di Milano) shall have exclusive jurisdiction over disputes arising under this DPA.

Article 17 — Governing Law

This DPA is governed by the law of Italy where the Customer is established in Italy. For other Customers, this DPA is governed by the law elected in the MSA, provided that for matters of GDPR enforcement, the law of the EEA Member State of the affected Data Subject(s) applies.

Annex I — Description of Processing

Annex II — Technical and Organisational Measures (TOMs)

Aligned to ENISA's recommended TOM checklist and ISO/IEC 27001:2022 Annex A.

  1. Pseudonymisation and encryption — AES-256 at rest, TLS 1.3 in transit, per-tenant CMEK in Mode B/C, end-user PII redaction at the LLM Gateway under SCUDO Pillar D.
  2. Confidentiality, integrity, availability and resilience — multi-AZ Postgres, per-tenant resource quotas, OpenTelemetry observability, 99.9% Service SLA (Mode B).
  3. Restoration of availability and access — RPO 1h / RTO 4h (Mode B); cross-region failover Milano → Frankfurt; quarterly DR drills.
  4. Process for testing, assessing, evaluating — annual third-party penetration test, continuous SAST + SCA + secret scanning, monthly access-review cycle.
  5. Backup and retention — daily encrypted backups; 90-day rolling retention; cross-region replication.
  6. Identity, access and authentication — WorkOS SSO, SCIM 2.0, MFA enforced via IdP, time-bound elevated access via just-in-time tokens.
  7. Physical security — sub-processor cloud providers (AWS, Azure, GCP) provide ISO 27001 + SOC 2 certified physical security; Claresia personnel access to restricted zones is logged.
  8. Vendor and sub-processor management — vendor risk assessment prior to onboarding, annual reassessment, contractual flow-down of GDPR + NIS2 obligations.

Annex III — Sub-processor List

Live list maintained at https://claresia-trust.netlify.app/sub-processors with the following columns per entry: name, category, purpose, processing region, data categories, contract status (active / planned), DPA URL, zero-retention flag, last reviewed.

Annex IV — Standard Contractual Clauses

The Standard Contractual Clauses set out in Commission Implementing Decision (EU) 2021/914 of 4 June 2021 are incorporated by reference. Module 2 applies to the Customer-to-Claresia transfer; Module 3 applies to Claresia-to-Sub-processor transfers. Optional Clause 7 (Docking Clause) and Optional Clause 11 (Independent Resolution) are accepted by both parties. The UK International Data Transfer Addendum is incorporated where UK Personal Data is in scope.

Annex V — Italian Garante Compliance Statement

Claresia commits to the binding interpretive force of Garante provvedimenti applicable to AI Processing in workplace, marketing, and consumer contexts, including but not limited to the matters listed in Article 16.2. Where a new provvedimento materially affects the Service, Claresia notifies Customer through the Trust Center within thirty (30) days and updates this DPA on the next quarterly version cycle.


Signed at:

Date:

For Customer (Controller):

Name:

Title:

For Claresia S.r.l. (Processor):

Name:

Title: