Data Processing Agreement (DPA)
Last updated: January 12, 2026
Preamble
In compliance with Article 28 of the General Data Protection Regulation (GDPR), this agreement defines the terms and conditions under which
- The Client, acting as Data Controller (hereinafter the “Controller”)
appoints
- Damiano Carradori (hereinafter the “Processor”)
for the execution of personal data processing activities necessary for the provision of services.
1. Purpose of the Agreement
1.1. The purpose of this agreement is to appoint the Processor and provide instructions regarding the processing of personal data in the context of the use of the Platform. The processing activities that the Processor may carry out are limited to those strictly necessary for the provision of services related to each active Project, and in accordance with the documented instructions of the Controller. The processing may include, upon the Data Controller’s documented instructions, the collection and management of copies of identity documents uploaded by data subjects, solely for the purposes determined by the Data Controller and strictly limited to what is necessary for the provision of the Services.
2. Duration
2.1. This agreement shall remain valid and binding for the entire duration of the contractual relationship between the Parties and shall apply to each Project activated by the Controller through the Platform. For each Project, data processing shall begin on the activation date and end upon its expiration, as set forth in the Terms and Conditions.
3. Types of Data and Categories of Data Subjects
3.1. The categories of personal data processed are:
- Identification data (name, surname, email, etc.)
- Statistical and navigation data
- Data contained in identity documents uploaded by data subjects, including, by way of example and not limitation: document type, document number, issuing authority, date of issue and expiry date, photograph, signature, place and date of birth
- Any additional personal data voluntarily provided by data subjects that may be requested by the Controller during the use of the Platform
The processed data do not include special categories of personal data pursuant to Article 9 GDPR, unless otherwise instructed in writing by the Data Controller and in compliance with the applicable legal basis.
3.2. The personal data processed under this Agreement relate exclusively to the guests of the events organised by the Controller and to any third parties whose data are entered by the Controller within the scope of the Projects, in respect of whom the Processor acts solely on behalf of the Controller.
3-bis. Processing of Identity Documents
3-bis.1. The Processor shall process identity documents solely on behalf of the Data Controller and in accordance with documented instructions, for purposes related to identity verification, compliance with contractual or legal obligations, or other purposes strictly connected to the provision of the Services.
3-bis.2. Access to identity documents shall be restricted exclusively to authorized personnel of the Processor and shall be subject to access control measures and logging of processing activities.
3-bis.3. Identity documents shall be retained only for the period strictly necessary to fulfil the purposes determined by the Data Controller and, in any case, shall be deleted or rendered permanently inaccessible upon the expiration of the relevant Project, unless retention is required by applicable law.
3-bis.4. The Processor is expressly prohibited from using identity documents for its own purposes or for any purpose other than those documented by the Data Controller.
3-bis.5. The processing of identity documents is carried out in compliance with the principles of data security and data minimization and on the basis of a risk assessment conducted by the Processor, in accordance with applicable data protection laws.
4. Data Transfers
4.1. The Processor processes personal data primarily within the European Economic Area (EEA). Where, for technical and operational reasons related to the provision of the Services, the Processor makes use of authorised sub-processors or infrastructures located outside the EEA, such transfers shall take place exclusively in compliance with Articles 44 et seq. of the GDPR.
4.2. In such cases, the Processor ensures that the transfer of personal data to third countries is based on appropriate safeguards, such as the Standard Contractual Clauses approved by the European Commission, as well as the implementation of any supplementary measures required under applicable data protection laws.
4.3. The Controller expressly authorises such transfers, to the extent that they are necessary for the provision of the Services under this Agreement and in accordance with the provisions of this Article.
5. Technical and Organizational Measures
5.1. Before carrying out the processing under this appointment, the Processor shall implement all appropriate technical and organizational measures to ensure the protection of personal data. Upon the Controller’s request, the Processor shall provide a document describing in detail the security measures adopted in relation to the execution of this agreement. Should the Controller, by means of inspection or audit, deem that modifications are necessary, such changes shall be agreed upon by both Parties.
5.2. The Processor guarantees the security of processing pursuant to Articles 28(3)(c) and 32 of the GDPR, in particular with reference to Articles 5(1) and 5(2). These measures shall ensure an adequate level of protection and security appropriate to the risk, ensuring the confidentiality, integrity, availability, and resilience of systems. According to Article 32(1) GDPR, in assessing the adequacy of the security level, account shall be taken of the state of the art, implementation costs, and the nature, scope, context, and purposes of processing, as well as the risk probability and severity for the rights and freedoms of natural persons.
5.3. The technical and organizational measures are subject to technological evolution and development. Therefore, the Processor may adopt alternative appropriate measures in light of technological advancements. In such cases, the level of data protection must not be reduced.
5.4. With specific regard to the processing of identity documents, the Processor shall implement enhanced technical and organisational security measures, including, by way of example: encryption of data at rest and in transit, logical data segregation, strict access limitation, activity logging, and secure deletion procedures.
5.5. The technical and organizational measures adopted by the Processor are consistent with the risk assessment performed pursuant to Article 35 of the GDPR and are periodically reviewed and updated.
6. Data Subject Rights and Assistance
6.1. The Processor undertakes to cooperate with the Controller and provide full assistance, to the extent that it is reasonable or possible, in order to help the Controller respond to data subject requests in the exercise of their rights.
6.2. In particular, the Processor undertakes to (i) immediately forward to the Controller any request received from data subjects concerning the exercise of their rights and (ii), where feasible or appropriate, assist the Controller in designing and implementing all technical and organizational measures necessary to respond to such requests.
6.3. Without prejudice to the fact that responsibility for responding to and fulfilling data subject requests lies exclusively with the Controller, the Processor may be instructed to fulfil specific requests, provided such tasks do not require disproportionate effort and are based on written instructions from the Controller.
7. Sub‑processors
7.1. The Controller hereby authorizes the Processor to engage third‑party sub‑processors. Such sub‑processors must be bound by the same contractual obligations set forth in this agreement, pursuant to Article 28(4) of the GDPR.
7.2. As of the date of execution of this agreement, the Parties acknowledge that the Processor makes use of the following sub‑processor, with whom it undertakes to enter into appropriate agreements in compliance with Article 28(4) of the GDPR:
- Anna Corniani, Piazza 1° Maggio 9, 13900 Biella (BI), Italy, VAT No. 02646050027
7.3. The transfer of data to a third‑party processor may only take place once all conditions for the appointment referred to in point 7.1 above have been met.
7.4. The Processor must maintain an up‑to‑date list of sub‑processors. Any change to such list must be communicated to the Controller without undue delay, granting the Controller the right to object. In the event of an objection, the Processor shall have the right to terminate the contract with the Controller without notice.
7.5. The Processor remains fully liable to the Controller for the actions and omissions of any sub‑processors.
7.6. Where a sub‑processor operates outside the EU/EEA, the Processor must ensure that the transfer of data is lawful, as described in Article 4 of this agreement.
8. Controller’s Audit Rights
8.1. The Controller has the right to conduct inspections or have them carried out by an appointed auditor. The auditor shall assess the Processor’s compliance with this agreement as part of their audit activities, by means of periodic or random checks, which shall generally be notified in advance.
8.2. The Processor shall allow the Controller to verify compliance with its obligations as required under Article 28 of the GDPR. Upon request, the Processor shall provide the Controller with all necessary information and, in particular, evidence demonstrating the adoption of appropriate technical and organizational measures.
8.3. Evidence of compliance with such measures — which may also relate to activities not covered by this agreement — may be provided by:
- adherence to approved codes of conduct under Article 40 of the GDPR;
- certifications issued under an approved certification mechanism in accordance with Article 42 of the GDPR;
- current audit certifications, reports, or excerpts of reports prepared by independent entities (e.g., auditors, data protection officers, IT security departments, or data protection auditors);
- relevant certifications issued by IT security or data protection auditors.
8.4. The Processor may charge the Controller a reasonable fee for conducting such inspections.
9. Assistance to the Controller
9.1. The Processor shall assist the Controller in fulfilling its obligations regarding personal data security, reporting of data breaches, data protection impact assessments, and prior consultations as described in Articles 32 through 36 of the GDPR, including by:
- maintaining appropriate standards of protection through technical and organizational measures that take into account the nature, circumstances, and purposes of the processing, the likelihood of data breaches, and the severity of potential risks for natural persons;
- ensuring the immediate detection of data breaches;
- reporting any data breaches to the Controller without undue delay;
- assisting the Controller in responding to data subject requests to exercise their rights.
9.2. The Processor may request a reasonable fee from the Controller for assistance services that are not included in the description of the core services and that are not required due to errors, violations, or misconduct attributable to the Processor.
10. Controller’s Authority
10.1. The Processor shall not process any personal data under this appointment except on the documented instructions of the Controller, unless processing is required by European Union or Member State law.
10.2. If the Controller requests a modification to the processing of personal data, the Processor shall immediately inform the Controller if it believes such modification could result in a breach of data protection provisions. In such a case, the Processor may refrain from carrying out any activity that could lead to such a violation.
11. Liability
11.1. Each Party agrees to indemnify and hold the other Party harmless from any damages or expenses arising from its own negligent breach of this agreement, including any negligent breach committed by its legal representatives, subcontractors, employees, or other agents. Each Party also agrees to indemnify the other Party against any claims made by third parties due to or in connection with any negligent violation committed by the indemnifying Party.
11.2. The provisions of Article 82 of the GDPR remain unaffected.
12. Deletion and Return of Personal Data
12.1. The Processor shall not create copies or duplicates of the data without the knowledge and consent of the Controller, except for backup copies to the extent necessary to ensure proper data processing, and for data retention required by law.
12.2. Upon completion of each Project for which personal data have been processed, the Processor shall, at the Controller’s choice, either securely delete or return all personal data collected and processed under this agreement, unless applicable law requires further retention.
12.3. In any case, the Processor may retain information necessary to demonstrate the proper and lawful execution of the processing activities, even after the termination of the contract.
12.4. The documentation referred to in point 12.3 must be retained by the Processor in compliance with applicable statutory retention periods or as otherwise required. The Processor may deliver such documentation to the Controller upon termination of the contract to discharge its contractual retention obligations.