{
  "metadata": {
    "framework": "Garante per la Protezione dei Dati Personali — Vendor Due-Diligence (Italian DPA)",
    "version": "v1.0",
    "publisher": "Claresia (mapped to GDPR + Codice della Privacy + Garante provvedimenti)",
    "language": "en",
    "respondent": "Claresia S.r.l.",
    "respondent_contact": "dpo@claresia.com, security@claresia.com",
    "as_of": "2026-04-27",
    "status": "DRAFT — Pending Italian outside-counsel legal review. The Italian version is the primary; this English translation is provided as a convenience for the lawyers of international customers. In case of conflict, the Italian version controls for parties subject to Italian law.",
    "context": "This questionnaire reflects Italian-specific GDPR enforcement and binding Garante provvedimenti, and is the reference version for Italian customers."
  },
  "questions": [
    {"id": "GAR-01", "topic": "Automated decision-making (Art. 22 GDPR + Italian guidance)", "question": "Can customers using your Service be subject to decisions based solely on automated processing producing legal or significant effects?", "claresia_answer": "No by default. SCUDO Pillar U (Uso conforme) classifies every skill IR at deploy time per Annex III risk category; skills touching employment, credit, or healthcare matters explicitly require human-in-the-loop and carry an Article 22 GDPR 'Decision reserved to a human' reservation in their output. Fully automated mode can only be enabled by the customer for specific skills with double admin + DPO approval and recording in the audit chain.", "evidence_link": "https://claresia-trust.netlify.app/architecture", "status": "active"},
    {"id": "GAR-02", "topic": "Provv. n. 232/2024 — Employee monitoring", "question": "Does the Service entail (even indirect) monitoring of workers? How is Italian Statuto dei Lavoratori art. 4 respected?", "claresia_answer": "Yes — per-employee telemetry (cc-064 Telemetry Pipeline) constitutes indirect monitoring under Italian law. DPA Art. 16.1 expressly commits the customer to prior conclusion of an RSU/RSA agreement or authorization from the Ispettorato Territoriale del Lavoro. Claresia provides, customer-toggleable at any time at no additional cost, a 'Telemetry Suppression' mode that hash-aggregates per-employee data into cohort metrics, eliminating individual identification. Provv. n. 232/2024 is expressly adopted.", "evidence_link": "https://claresia-trust.netlify.app/dpa", "status": "active"},
    {"id": "GAR-03", "topic": "AI in workplace contexts — 2024 biometric AI rulings", "question": "Does the Service use biometric recognition, emotion recognition, or biometric categorization of workers?", "claresia_answer": "No by default — prohibited by the default Italian restricted-topics policy (see site/src/data/restricted-topics-italy-default.json). SCUDO Pillar S (Scansione) blocks at runtime any skill attempting biometric inference, emotion recognition, or biometric categorization in workplace context. Garante 2024 ruling (n. 9978728) is implemented as a block trigger.", "evidence_link": "https://claresia-trust.netlify.app/architecture", "status": "active"},
    {"id": "GAR-04", "topic": "2023 ChatGPT ruling — Transparency to user", "question": "What measures ensure transparency of AI outputs to the end user?", "claresia_answer": "SCUDO Pillar U (Uso conforme) automatically appends the EU AI Act Article 50 transparency stamp in Italian on every output meeting trigger criteria (interaction with a natural person, AI-generated content, etc.). The stamp identifies the AI system, the provider (Claresia), and the type of processing. The 2023 ChatGPT ruling and subsequent guidance are adopted.", "evidence_link": "https://claresia-trust.netlify.app/architecture", "status": "active"},
    {"id": "GAR-05", "topic": "Cookies — 2021 Garante ruling + 2024 guidelines", "question": "Are the public surfaces of the Service (e.g., claresia.com, trust.claresia.com) compliant with the Garante cookie ruling?", "claresia_answer": "Yes — claresia.com and trust.claresia.com use cookie banners compliant with the Garante cookie ruling: technical cookies are active without consent, profiling cookies are blocked by default, and granular choice is offered through a banner that follows the 2024 guidelines (no dark patterns, equivalent effort to accept and to reject). Cookie categories and purposes are documented in the cookie policy.", "evidence_link": "https://claresia-trust.netlify.app/dpa", "status": "active"},
    {"id": "GAR-06", "topic": "Non-EU transfers — Schrems II + Italian interpretation", "question": "How do you handle transfers of personal data to third countries without an adequacy decision?", "claresia_answer": "Default: no extra-EEA transfer. For necessary transfers to third countries: SCC Module 2 (Customer-Claresia) + Module 3 (Claresia-Sub-processor) per EU Decision 2021/914 (DPA Annex IV); UK IDTA for the United Kingdom. TIA documented per third-country sub-processor. Supplementary technical measures: pseudonymization, encryption with keys held in EEA, region pinning under SCUDO Pillar D. Explicit alignment with the Garante's post-Schrems II interpretation.", "evidence_link": "https://claresia-trust.netlify.app/dpa", "status": "active"},
    {"id": "GAR-07", "topic": "Italian fiscal codes and identifiers", "question": "Does the Service process codice fiscale, partita IVA, or other Italian identifiers? What protection measures apply?", "claresia_answer": "Only if the Customer deliberately submits them. The default Italian restricted-topics policy classifies codice fiscale as Restricted; SCUDO Pillar D (LLM Gateway) applies bidirectional PII redaction via Microsoft Presidio + custom NER — codice fiscale is redacted both at the prompt going to the LLM and at the response. Egress without redaction requires explicit customer sign-off for specific skills.", "evidence_link": "https://claresia-trust.netlify.app/security-whitepaper", "status": "active"},
    {"id": "GAR-08", "topic": "Italian DPO Role", "question": "Have you designated a DPO under Article 37 GDPR and are you registered with the Garante's DPO directory?", "claresia_answer": "Yes — DPO designated, contactable at dpo@claresia.com and at the registered office of Claresia S.r.l. in Milan. Registration with the Garante DPO directory is in progress (target Q3 2026, with first customer signature).", "evidence_link": "https://claresia-trust.netlify.app/dpa", "status": "planned"},
    {"id": "GAR-09", "topic": "Data-breach notification to the Garante", "question": "Do you cooperate with the notification of personal data breaches to the Garante under Article 33 GDPR?", "claresia_answer": "Yes — DPA Art. 11 commits to 72-hour notification to the Customer. Claresia provides the Customer with a draft technical narrative for the Garante notification, which remains the Customer's responsibility as Controller. Full cooperation upon Garante request.", "evidence_link": "https://claresia-trust.netlify.app/dpa", "status": "active"},
    {"id": "GAR-10", "topic": "Data Subject rights — access, rectification, erasure, portability (Articles 15-21 GDPR)", "question": "How do you support the exercise of Data Subject rights for data processed in the Service?", "claresia_answer": "Self-service in Command Center cc-059 for export (Art. 20), rectification (Art. 16), erasure (Art. 17) of Personal Data linked to a single Data Subject. SLA: Controller response within 30 days; Claresia technical support within 5 business days.", "evidence_link": "https://claresia-trust.netlify.app/dpa", "status": "active"},
    {"id": "GAR-11", "topic": "Data retention — minimization principle (Art. 5(1)(c) GDPR)", "question": "How do you apply the data minimization principle and what are the retention periods?", "claresia_answer": "Customer Data is retained for the MSA term, followed by 30-day deletion (DPA Art. 14). Audit chain retained 7 years (Art. 12 EU AI Act). Telemetry retained 13 months by default. Per-tenant retention is configurable in Mode B/C. SCUDO Pillar D applies automatic PII redaction to minimize exposure.", "evidence_link": "https://claresia-trust.netlify.app/dpa", "status": "active"},
    {"id": "GAR-12", "topic": "Marketing and profiling (D.Lgs. 196/2003 art. 130 + GDPR)", "question": "Does the Service perform direct marketing or profiling? How is consent managed?", "claresia_answer": "The Service performs no direct marketing toward the Customer's data subjects. The only marketing is the Claresia website (claresia.com), which requires explicit opt-in for the newsletter, compliant with art. 130 D.Lgs. 196/2003 + GDPR. Profiling internal to Customer workflows is configurable by the Customer in compliance with their own privacy notices.", "evidence_link": "https://claresia-trust.netlify.app/dpa", "status": "active"},
    {"id": "GAR-13", "topic": "Sub-processors — transparency under Art. 28 GDPR", "question": "Is the sub-processor list public and current? How are changes notified?", "claresia_answer": "Yes — public list at https://claresia-trust.netlify.app/sub-processors with category, purpose, region, data categories, contract status, DPA URL, zero-retention flag, last review date. Customer notified with 30-day prior notice for any new sub-processor or material change (DPA Art. 8).", "evidence_link": "https://claresia-trust.netlify.app/sub-processors", "status": "active"},
    {"id": "GAR-14", "topic": "Garante audits and inspections", "question": "Do you cooperate with possible Garante inspections directed at the Customer?", "claresia_answer": "Yes — DPA Art. 13 commits Claresia to providing the Customer with the evidence needed to cooperate with Garante inspections. Evidence, with target dates for items not yet issued: SOC 2 Type 2 (Q1 2027), ISO 27001:2022 (Q3 2026), ISO 42001:2023 (Q4 2026), Annex II TOM, SCUDO audit chain export.", "evidence_link": "https://claresia-trust.netlify.app/dpa", "status": "planned"},
    {"id": "GAR-15", "topic": "ROPA — Records of Processing Activities (Art. 30 GDPR)", "question": "Do you maintain ROPA for your Processor role and support the Customer's ROPA as Controller?", "claresia_answer": "Yes — Claresia ROPA maintained and available on Customer request. For the Customer's ROPA: DPA documentation + Annex I (Description of Processing) + Annex II (TOM) + sub-processor list contain all elements required by Art. 30 GDPR.", "evidence_link": "https://claresia-trust.netlify.app/dpa", "status": "active"},
    {"id": "GAR-16", "topic": "DPIA — Data Protection Impact Assessment (Art. 35 GDPR)", "question": "Do you provide DPIA support to the Customer, particularly for high-risk AI processing?", "claresia_answer": "Yes — DPA Art. 10. EU AI Act Annex IV technical documentation (auto-generated per tenant under SCUDO Pillar U) constitutes a key DPIA input. DPIA template for AI scenarios (automated decision, profiling, worker-data processing) also provided via Trust Center.", "evidence_link": "https://claresia-trust.netlify.app/dpa", "status": "planned"},
    {"id": "GAR-17", "topic": "Minors (Art. 8 GDPR + Italian Privacy Code)", "question": "Does the Service process minors' data?", "claresia_answer": "No by default. The Service is intended for B2B and workplace contexts; the Terms of Service expressly exclude use by minors. Any educational-context use requires a dedicated DPA addendum and a specific restricted-topics configuration.", "evidence_link": "https://claresia-trust.netlify.app/dpa", "status": "active"},
    {"id": "GAR-18", "topic": "Technical security — Art. 32 GDPR", "question": "What technical security measures do you ensure under Art. 32 GDPR?", "claresia_answer": "AES-256 at rest + TLS 1.3 in transit + per-tenant CMEK in Mode B/C. SSO + MFA via WorkOS. SHA-256 audit chain retained 7 years. Annual penetration test (Q2 2026). ISO 27001:2022 in progress (Q3 2026). Full detail in DPA Annex II.", "evidence_link": "https://claresia-trust.netlify.app/dpa", "status": "active"},
    {"id": "GAR-19", "topic": "EU AI Act + Garante interpretation", "question": "How do you manage EU AI Act compliance in line with Garante guidance?", "claresia_answer": "SCUDO Pillar U (Uso conforme) implements the Article 50 transparency stamp, the Article 11 + Annex IV technical documentation (auto-generated per tenant), Annex III classification of skill IRs at deploy time. The Garante's interpretation (in particular for AI in workplace contexts) is incorporated in the default restricted-topics policies.", "evidence_link": "https://claresia-trust.netlify.app/architecture", "status": "active"},
    {"id": "GAR-20", "topic": "Jurisdiction and governing law", "question": "What is the competent forum and applicable law for the Italian Customer?", "claresia_answer": "DPA Art. 17 + Art. 16.4 — where Italian law is elected (default for Customers established in Italy), the Tribunale Ordinario di Milano shall have exclusive jurisdiction. For GDPR matters, the law of the Member State of the Data Subject continues to apply.", "evidence_link": "https://claresia-trust.netlify.app/dpa", "status": "active"},
    {"id": "GAR-21", "topic": "Privacy notice (Articles 13-14 GDPR)", "question": "Is the privacy notice available in Italian and does it cover all required elements?", "claresia_answer": "Yes — privacy notice at claresia.com/privacy in IT + EN. Covers: controller, DPO, purposes, legal bases, data categories, recipients, extra-EU transfers, retention, Data Subject rights, right to lodge a complaint with the Garante, data sources.", "evidence_link": "https://claresia-trust.netlify.app/dpa", "status": "active"},
    {"id": "GAR-22", "topic": "Codice della Privacy art. 122 — Information stored on user devices", "question": "What measures do you adopt for placing information on user devices (cookies, local storage, fingerprinting)?", "claresia_answer": "Cookie banner compliant with Garante 2021 ruling + 2024 guidelines. Local storage used only for SSO session state (technical cookie, excluded from consent under art. 122 D.Lgs. 196/2003). No fingerprinting for profiling. Session telemetry strictly necessary for security.", "evidence_link": "https://claresia-trust.netlify.app/dpa", "status": "active"},
    {"id": "GAR-23", "topic": "Workers' rights — Trade union representations", "question": "Do you provide an operational guide for the Customer to obtain RSU/RSA agreement before deployment?", "claresia_answer": "Yes — the Trust Center will host (Q3 2026) a one-pager 'Guide to RSU/RSA agreement for Claresia deployment' that the Customer can present to its trade-union representations. Includes: telemetry description, 'Telemetry Suppression' option (cohort-only), and a template agreement. Available on request at security@claresia.com in the meantime.", "evidence_link": "https://claresia-trust.netlify.app/dpa", "status": "planned"},
    {"id": "GAR-24", "topic": "Garante emergency provvedimenti", "question": "How do you react to Garante emergency provvedimenti (e.g., provisional limitation of processing)?", "claresia_answer": "Emergency-response procedure documented in incident-response.md. In case of a Garante provvedimento limiting or suspending a processing activity, Claresia disables the affected functionality via Command Center toggle within 24 business hours of written notification, and cooperates fully in restoring compliance.", "evidence_link": "https://claresia-trust.netlify.app/security-whitepaper", "status": "active"},
    {"id": "GAR-25", "topic": "Italian regulatory updates", "question": "How do you track Italian regulatory updates (Garante provvedimenti, ACN guidelines, evolution of D.Lgs. 138/2024)?", "claresia_answer": "Continuous monitoring: Garante newsletter subscription, CSIRT-IT participation, Gazzetta Ufficiale monitoring, ACN working-group participation. Material updates incorporated in the DPA with 30-day notice (Art. 16.2) and in the SCUDO framework at the next quarterly cycle.", "evidence_link": "https://claresia-trust.netlify.app/dpa", "status": "active"}
  ]
}
