Data Processing Agreement

ANNEX C to the Commercial Agreement between Compri AI (Processor) and the Customer (Controller), pursuant to Article 28 GDPR. Updated: 27/10/2025.

Whereas

Between the Customer, as defined in the Commercial Agreement (hereinafter "Controller"), and Compri, as defined in the Commercial Agreement (hereinafter "Processor").

  1. A Commercial Agreement (hereinafter "Agreement") has been stipulated between the Controller and the Processor to which this Data Processing Agreement (hereinafter "DPA") is attached and of which it forms an integral and substantial part.
  2. The object of the Agreement is the provision of the Compri SaaS (hereinafter "SaaS"), aimed at managing and streamlining the Customer's supply chain.
  3. The use of the SaaS involves the processing of personal data, as defined pursuant to Article 4(1)(1) of Regulation (EU) 2016/679 (hereinafter "GDPR").
  4. With respect to such processing, the Customer acts as Controller pursuant to Article 4(1)(7) of the GDPR and Compri acts as Processor pursuant to Article 28 of the GDPR.
  5. The Processor certifies and guarantees that it possesses the experience, ability, and reliability necessary to adopt appropriate technical and organizational security measures to ensure a level of security appropriate to the risk.
  6. The Parties intend to agree on the nature, purpose, duration, type of personal data, categories of data subjects, as well as their rights and obligations arising from the processing of personal data carried out through the SaaS.

1. Definitions

1.1. In this DPA, the terms indicated below have the meanings attributed to them below. Terms not expressly defined herein shall have the meanings assigned to them in Article 4 of the GDPR.

1.2. "Applicable Law" means the GDPR, Legislative Decree n. 196/2003 and any other data protection law applicable from time to time to the processing of personal data.

1.3. "Persons in charge of processing" means employees, agents, or any other natural persons authorized by the Parties to carry out personal data processing operations pursuant to Article 29 of the GDPR.

1.4. "Sub-Processor" means any further processor to whom the Processor entrusts data processing activities described and regulated under this DPA.

1.5. "EEA" means the European Economic Area.

2. Purpose and Scope

2.1. The purpose of this DPA is to ensure compliance with Article 28, paragraphs 3 and 4 of the GDPR.

2.2. This DPA applies to the processing operations listed and described in Annex C-bis.

3. Obligations of the Controller

3.1. The Controller undertakes to comply with Applicable Law and to process the data in accordance with any other applicable legal provision.

3.2. The Controller provides the Processor with instructions regarding the processing of personal data, verifying that these instructions comply with Applicable Law.

3.3. The Controller may issue new instructions with at least 15 days' written notice. The Processor has the right to terminate the Agreement if such new Instructions impose an excessive burden or are in conflict with Applicable Law.

3.4. The Processor may make changes to Annex C-bis with at least 5 days' notice.

3.5. Under no circumstances shall the Processor be held liable for any violation of Applicable Law resulting from the Controller's conduct.

3.6. The Controller undertakes to verify that the data entered into the SaaS is collected and processed on an appropriate legal basis.

3.7. The Controller undertakes to identify retention periods for each category of personal data and to remove them from the SaaS after the period has elapsed.

3.8. The Processor's obligations do not include determining the lawfulness of the data processing activities carried out on behalf of the Controller.

4. Obligations of the Processor

4.1. The Processor processes personal data in accordance with the Controller's Instructions, unless otherwise required by Applicable Law.

4.2. The Processor shall immediately inform the Controller if the Instructions violate Applicable Law.

4.3. The Processor maintains and updates the Register of Processing Activities pursuant to Art. 30(2) GDPR.

4.4. The Processor shall inform the Controller without undue delay of any request by a public authority to access personal data.

5. Controller Assistance

5.1. The Processor responds promptly to requests for information from the Controller.

5.2. The Processor may fulfil this obligation by making available informational materials on dedicated web pages or in the SaaS interface.

5.3. The Processor provides reasonable assistance for data protection impact assessments and prior consultations with Supervisory Authorities (Arts. 35-36 GDPR).

5.4. The Processor consents to audits with at least 2 months' notice.

5.5. The audit request must indicate the activities being verified and the reasons why the verification cannot be performed based on documentation.

6. Requests from Data Subjects

6.1. The Processor communicates requests received from data subjects to the Controller.

6.2. The Processor assists the Controller by implementing appropriate technical and organisational measures.

6.3. The Processor processes requests in accordance with the Controller's written instructions.

7. Data Security

7.1. The Processor implements the technical and organisational measures specified in Annex C-ter to ensure the security of personal data.

7.2. The Processor may make changes to Annex C-ter with at least five days' notice.

7.3. When assessing the appropriate level of security, the Parties shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purposes of the processing, and the risks to data subjects.

8. Persons in Charge of Processing

8.1. The Controller grants access to personal data only to the extent strictly necessary.

8.2. The Controller guarantees that persons in charge of processing have undertaken to maintain confidentiality and have received appropriate authorization.

9. Sub-Processors

9.1. The Processor has the general authorization of the Controller to use the Sub-processors listed in Annex C-quater.

9.2. The Processor has the right to unilaterally amend Annex C-quater with at least 5 days' notice.

9.3. The Processor undertakes to engage Sub-Processors who present sufficient guarantees and to sign agreements imposing substantially the same obligations.

10. Personal Data Breach

10.1. The Processor undertakes to notify the Controller of any personal data breach within 48 hours of its discovery.

10.2. The notification includes a description of the breach and the nature and extent of the data involved.

10.3. The Processor may provide a partial notification pending technical investigations, followed by a supplementary notification.

10.4. The Controller shall notify the Processor of any security breaches that may compromise the SaaS infrastructure.

11. Transfer of Data Outside the EEA

11.1. Any transfer of data to a third country or international organization by the Controller is carried out in compliance with Chapter V of the GDPR.

12. Duration and Termination

12.1. The DPA is effective from the date of signing the Agreement and applies for as long as personal data is being processed.

12.2. Upon termination, the Processor shall cease all processing or anonymize the personal data, unless otherwise instructed in writing.

12.3. Beyond the termination date, processing may continue for strictly technical purposes such as deletion operations, backup management, or legal obligations.

13. Final Provisions

13.1. This DPA does not give the Processor any right to receive compensation beyond what is agreed in the Agreement.

13.2. In the event of conflict between the DPA and the Agreement, the DPA shall prevail with respect to data processing matters.

13.3. For anything not expressly provided for in this DPA, applicable Data Protection Legislation shall apply.

13.4. If any provision is held invalid, the remaining provisions will remain in full force.

13.5. The Processor may remove from documentation any information subject to industrial secrecy obligations.

14. Governing Law and Competent Court

14.1. The Parties submit this Agreement to the law and jurisdiction chosen in the Agreement.

Annex C-bis — Description of Processing and Instructions

Part 1 — General characteristics

Nature of processing: provisioning of the Compri SaaS. Purpose: provision of the functions associated with the purchased modules; user account management; security management. Duration: for the duration of the SaaS subscription. Data subjects: employees of the Controller. Personal data: identification data (name, surname, job title); contact details (email).

Part 2 — Specific processing characteristics per module

Order Management & Visibility — analysis of orders and activities related to individual suppliers, through access to ERP and email inbox. Data subjects: employees of the Controller, employees of suppliers, freelance suppliers. Personal data: identification data, contact details, bank and tax details, email content.

Request for X — sending requests for quotations to multiple suppliers. Data subjects: employees of suppliers, freelance suppliers. Personal data: identification data, contact details.

Onboarding — centralized management of supplier onboarding and accreditation. Data subjects: employees of suppliers, freelance suppliers, directors and auditors of supplier companies, their family members. Personal data: identification data, contact details, anti-money laundering declarations.

Compliance — centralized management of processes for verifying supplier regulatory compliance. Data subjects: employees of suppliers, freelance suppliers. Personal data: identification data, contact details.

Documents — access to and management of documents relating to the relationship with suppliers. Data subjects: employees and administrators of suppliers, freelance suppliers. Personal data: identification data, contact details, bank and tax details, email content, handwritten signatures.

Analytics — aggregate analysis of supplier management information. Data subjects: freelance suppliers. Personal data: identification data, contact details.

Vendor Management — detailed management of activities. Data subjects: freelance suppliers. Personal data: identification data, contact details, creditworthiness.

Insights — analysis of managed expenses and supplier positions to identify savings opportunities. Data subjects: employees of suppliers, freelance suppliers. Personal data: identification data, contact details.

Intake Orchestration — management of purchase request submission and validation process. Data subjects: employees of suppliers, freelance suppliers. Personal data: identification data, contact details.

Contracts — contract management and analysis. Data subjects: employees and administrators of suppliers, freelance suppliers. Personal data: identification data, contact details, bank and tax details, handwritten signatures.

DDT — management and analysis of transport documents. Data subjects: employees and administrators of suppliers, freelance suppliers. Personal data: identification data, contact details, handwritten signatures.

Procurement AI Assistant — analysis and management of supplier-related activities via AI. Data subjects: employees and administrators of suppliers, freelance suppliers. Personal data: identification data, contact details.

Annex C-quater — List of Sub-processors

Amazon Web Services — Cloud and hosting provider

MongoDB Limited — Database management

Clickhouse Inc — Database management

Microsoft Inc — Provision of generative AI (Azure service)

Anthropic PBC — Provision of generative AI (Claude API)

Google Inc — Provision of generative AI (Google Gemini API)
