MASTER DATA PROCESSING AGREEMENT
(ex art. 28 of EU Regulation 2016/679)

BETWEEN

This agreement for the protection of personal data is concluded between Deasoft s.r.l.s. with registered office in via Vittoria 23G, San Lazzaro di Savena (BO), VAT Number IT03339021200, as defined below, and the costumer who accepts this agreement.

AND

the person indicated in the Contract as customer (hereinafter the “Customer”), jointly, the “Parties” or severally the “Part”

PREMISE THAT

The Customer has signed one ore more contracts with the Provider (hereinafter the “Contract”);
The Parties intend to regulate in this “main agreement for the processing of personal data – Master Data Processing Agreement” (hereinafter referred to as “MDPA” or “Agreement”) the terms and conditions for the processing of personal data carried out by the Provider under the Contract and the performance of the Services and the responsibilities related to the processing itself, including the commitment made by the Provider as Responsible for data processing pursuant to art.28 of the European General Data Protection Regulation (Eu) 2016/679 (hereinafter “GDPR”);
The specific characteristcs of the processing of Personal Data are described, with reference to each Service, in the “Special conditions for the processing of Personal Data” available on the website www.docurity.com/gdpr_eng.htm (hereinafter DPA “DPA - Special Conditions”) which form an integral and essential part of this Agreemen.

All the foregoing Parties agree as follows:

1. DEFINITIONS AND INTERPRETATION

1.1. This premises shall form an integral part of this Agreement. In the Agreement the following terms and expression shall have the meanings associated with them below:

“Date of commencement of the Agreement” indicates the date on which the Customer signs or accepts this Agreement;

“Personal Data” has the meaning of the Data Protection Legislation and will include, but is not limited to, all data provided, stored, sent, received or otherwise processed, or created by the Customer, or by the End-User in connection with the use of the Services, to the extent that they are subject to the treatment by the Provider, on the basis of the Contract. A list of categories of Personal Data is listed in the DPA Special Conditions;

“Adequacy decision” indicates a decision of the European Commission based on the Article 45(3) of GDPR regarding the fact that the laws of a certain country ensure an adequate level of protection, as provided for in the Legislation on the Protection of Personal Data;

“Email Notification” means the email adress provided by the Customer at the Service subscription time or provided through other official channel to the Supplier, to which the Customer intends to receive notifications from the Provider;

“Instructions” indicate the written instruction given by the Owner in this Agreement (including the relevant DPA Special Conditions) and, where applicabile, in the Agreement;

“Legislation on the Protection of Personal DataIndicates the GDPR, and any possible further regulation and/or implementing regulations issued prusuant to the GDPR or in any case in force in Italy regarding the protection of Personal Data, as well ass any binding provision that is issued by the competent supervisory authorities in the filed of protection of Personal Data (e.g Italian Authority "Garante Privacy", guidelines on Online Examination Records, Annex to a Decision by the Italian DPA dated 19 November 2009) and retains binding effect (including the requirements of the General Authorisation for the Processing of Sensitive and Judicial Data, if applicable, and where they retain their binding effect after 25 May 2018).

“Provider's Staff” indicates the Provider's managers, employees, consultants, and other staff excluding the Additional Processors's staff;

“Request” indicates a request for the access by an Interested Party, a request for cancellation of correction of Personal Data, or a request to exercise one of the rights provided by the GDPR;

“Additional Data Processor” means any subcontractor to which the Provider has subcontracted any of the obligations assumed contractually and which, in fulfilling these obligations, may have to collect, access, receive, store or otherwise process Personal Data;

“Service\s” means the service or services covered by the Contracts signed time by time between the Customer and the Provider;

“End User” means the eventual end user of the Service, the Data Controller;

“Breach of Personal Data Security” means the security breach which involves accidental or unlawful destruction, loss, modification, unauthorised disclosure or access to Personal Data on systems operated by the Provider or otherwise over which the Provider has control.

1.2. The terms "including" and "included" shall be interpreted as "purely by way of example", in order to provide a non-exhaustive list of example.

1.3. For the purposes of this Agreement, the terms "Data Subject", "Processing", "Data Controller","Data Processor", "Transfer" and "Appropriate Organizational Technical Measures", will be interpretedin accordance with the applicable Personal Data Protection Legislation.

2. ROLE OF THE PARTIES

2.1. The Parties acknowledge and agree that the Provider acts as Data Processor in realtion to Personal Data and the Customer normally acts as Data Controller;

2.2. If the Customer carries out processing operations on behalf of another Data Controller, the Customer may act as Data Processor. In this case, the Customer guarantees that the instructions given and the activities undertaken in relation to the processing of Personal Data, including the appointement, by the Customer, of the Provider as a further Data Processor resulting from the conclusion of this Agreement has been authorized by the relevant Data Controller and undertakes to present to the Provider, upon its simple written request, the documentation showing what is mentioned above;

2.3. Each part undertakes to comply, in the processing of Personal Data, with the respective obligations arising from the applicable of Personal Data Protection Legislation;

2.4. The Provider has appointed a Data Protection Officer (DPO), domiciled at the registered office Deasoft SRLS, in Via Vittoria 23G , San Lazzaro di Savena (BO), who can be contacted at the following adress: privacy@docurity.com or at +390510402763.

3. PROCESSING OF PERSONAL DATA

3.1. With the conclusion of this Agreement (including each DPA - Special Conditions Applicable), the Customer entrusts the Provider with the task od processing Personal Data with the purpose of providing the Services, as well as better detailed in the Contract and in the DPA - Special Conditions; DPA - Special Conditions are avaiable at this link: www.docurity.com/gdpr_eng.htm.

3.2. The Provider undertakes to comply with the instructions, it being understood that, if the Customer demands for changes from the Initial Instruction, the Suppliers will assess the feasibility aspects and agree with the Customer the aforementioned changes and the related costs;

3.3. In the cases referred to in art 3.2 and in the case of requests from the Customer that involve the processing of Personal Data that are, in the Provider's opinion, in violation of the Legislation on the Protection of Persinal Data, the Provider is authorized to refrain from executiong these Instructions and will promptly inform the Customer. In such cases, the Customer may evaluate ny changes to the Instructions given or contact the Supervisory Authority to verify the lawfulness of the requests made.

4. LIMITATIONS ON THE USE OF PERSONAL DATA

4.1. In carring out the processing of Personal DATAfor the purpose of providing the Services, the Provider undertakes to perform the processing of Personal Data:

4.1.1. only in the extent, and in the manner necessary, to provide the Services or to adequately fulfil its obligations under the Contract and this Agreement or imposed by law or by a competent supervisory body. In such last circumstance the Provider will inform the Customer (unless this is prohibited by law for reasons of public interest) by communication sent to the notification email;
4.1.2. in accordance with the Customer's instruction.

4.2 The Provider's Staff that accesses, or in any case processes Personal Data, is in charge of processing or such data on the basis of appropriate authorisations and has also received the necessary training on the processing of personal data. Such staff is also bound by confidentiality obligations and the Company Code of Ethics, and must comply with the Privacy and the protection of the personal data Policy adopted by the Provider.

5. ASSIGNMENT TO THIRD PARTIES

5.1. In relation to the entrustment to Additional Data Processor of the Processing of Personal Data the Parties agree as follows:

5.1.1. The Customer expressly agrees that certain processing operations of Personal Data are entrusted by the supplier to third parties identified in the DPA Special Conditions;
5.1.2. The Customer also consents to the entrustment of Personal Data Processing operations to other third parties in the manner provided for in article 5.1.4 below;
5.1.3. It is understood that the signing of the Standard Contractual Clauses (provided for in point 7 below in case of transfer of Personal Data abroad) by the Customer with a Additional Data Processor shall be understood as consent to the entrustment to the third party of the processing operations;
5.1.4. In cases where the Provider uses Additional Data Processors for the execution of specific processing activities of Personal Data, the Provider:
- 5.1.4.1. undertakes to make use of Additional Data Processor that guarantee adequate technical and organizational measures and guarantees that access to Person Data, and the related processing, will be carried out only to the extent necessary for the provision of subcontracted services;
- 5.1.4.2. At least 15 (fifteen) days prior to the start date of the processing of Personal Data by the Additional Data Processor informs the Customer of the reliance on the third party (as well as the identification data of the third party its location and where approrpiate, the location of the server on which the data will be stored, if applicable - and of the entrusted activities) by sending an email notification or other means deemed suitable by the Provider. The Customer may withdraw from the Contract within 15 (fifteen) days of receipt of the communication, withiut prejuice to the obligation to pay the Provider any amounts due on the date of termination of the Contract.

5.1.5. Any additional information on the list of Additional Data Processors, the processing entrusted to them and their location are contained in the DPA Special Conditions relating to the Services activated by the Customer.

6. SECURITY PROVISIONS

6.1. SECURITY MEASURES OF THE PROVIDER - In carrying out the processing of Personal Data for the purposes of the provision of the Services, the Provider undertakes to take appropriate technical and organizational measures to avoid unlawful or unauthorized processing, accidental or unlawful destruction, damage, accidental loss, alternation and unauthorised disclosure of, or access to, Personal Data, as described in Annex 1 to this Agreement ("Security Measures").

6.1.1. Annex 1 to the Agreement contains data files protection measures commensurate with the level of the risks present in relation to the Personal Data to allow confidentiality, integrity, availability and resilience of the Provider's system and services, as well as measures to allow timely restoration of access to Personal Data in the event of a Security Breach of Personal Data, and measures to test the effectiveness over time of such measures. The Customer acknowledges and accepts that, taking into account the state of the art, the implementation costs, and the nature, scope, context and purposes of the processing of Personal Data, the procedures and security criteria implemented by the Provider ensure a level of protection appropriate to the risk regarding Customer's Personal Data.
6.1.2. The Provider may update and change over time the Security Measures mentioned above, provided that such updates and changes can not result in a reduction in the overall security level of the Services. Such updates and changes will be notified to the Customer by an email notification.
6.1.3. The Customer ackowledges and acceots that the Provider, taking into the account the nature of the Personal Data and the information available to the Provider as specifically stated in the relevant DPA - Special Conditions, will assist the Customer in ensuring compliance with security obligations under Arts.32-34 of the GDPR in the following ways:
- 6.1.3.1. Implementing and maintaining the Security Measures in accordance with paragraphs 6.1.1, 6.1.2, 6.1.3 above;
- 6.1.3.2. by complying with the obligations set out in point 6.3.
6.1.4. If the product allows integration with third-party applications, the Supplier will not be responsible for the application of the Security Measures relating to the components of the third parties or the methods of operation of the product deriving from the integration carried out by the third parties.

6.2. CUSTOMER SECURITY MEASURES - Without prejudice to the obligations of the Supplier referred to in point 6.1 above, the Customer acknowledges and accepts that, in the use of the Services, the Customer remains solely responsible for the adoption of adequate security measures in relation to the use of the Services.

6.2.1. To this End, the Customer undertakes to use the Services and the Personal Data processing functions in order to guarantee a level of protection adequate to the actual risk.
6.2.2. The Customer also undertakes to take all suitable measures to protect the authentication credentials, systems and devices used by the Customer or by the users at the End User to access the Services, and to save and backup Personal Data in order to guarantee the restoration of Personal Data in compliance with the law.

6.3. SECURITY BREACHES - If the Provider becomes aware of a Breach of Security of Personal Data, the Provider itself:

6.3.1. will inform the Customer without undue delay by communication to the Email notification;
6.3.2. will take reasonable steps to limit possible damages and security of Personal Data;
6.3.3. It will provide to the Customer, as far as possible, a description of the Security Breach of Personal Data including the measures taken to avoid or mitigate the potential risks and activities recommended by the Provider to the Customerfor the management of the Security Breach;
6.3.4. will consider confidential information, within the meaning of the provisions of the Contract, the information relating to any Security Breaches, related documents, notices and will not disclose information to third parties, out of strictly necessary cases for the fulfilment of the obligations of the Customer arising from the Legislation on the Protection of Personal Data without the prior written consent of the Data Controller.

6.4. In the cases referred to in the paragraph 6.3 mentioned above, it is the exclusive responsibility of the Customer, in the cases provided for by the Legislation on the Processing of Personal Data, to comply with the obligations to notify the breach of security to third parties (to the end user if the customer is a Data Processor) and, if the Customer is the Data Controller, to the Supervisory Authority and to the Data Subject.

6.5. It is understootd that the notification of a Security Breach or the adopyion of measures to manage a Security Breach does not constitute Provider's liability or default recognition in relation to that Security Breach.

6.6. The Customer shall promply notify the Provider of any misuse of accounts or authenticaion credentials or any Security Breaches regarding thr Service of which he has had knowledge.

7. RESTRICTIONS ON THE TRANSFER OF PERSONAL DATAOUTSIDE THE EUROPEAN ECONONOMIC AREA (SEE)

7.1. The Supplier will not trasnfer Personal Data outside the EEA execpt in accordance with the Customer.

7.2. If, for the purposes of storage or processing of Personal Data by an Additional Data Processor, it is necessary to transfer Personal Data outside the EEA to a country that does not have an adequacy decision by the European Commission pursuant to art 45 of the GDPR, the Provider:

7.2.1. will ensure that the Data Controller enters into the contractual clauses of the type provided for in European Commission Decision 2018/87/EU of 5 February 2010 for the transfer of personal data to Data Controller established in third countries (the “Standard Contractual Clauses”), or their equivalent, if modified over time. Copy of the Standard Contractual Clauses subscribed by the Provider on behalf of the Customer will be made available to the Customer; and/or
7.2.2. may propose the Customer other methods of transfer of Personal Data in accordance with the provisions of the Legislation on the Protection of Personal Data (e.g Privacy Shield in case of Additional Data Processor located in the United States and for which adherence is verifiable through official channels and records, or intra- group transfers of the Additional Data Processor that is part of a corporate group that has obtained the approval of the BCR for the Data Processors).

7.3. In the cases referred to in paragraph 7.2.1 mentioned above, the Customer gives expressly the Provider a mandate to subsribe the Standard Contractual Clauses with the Additional Data Processor listed in the relevant DPA - Special Conditions.

QIf the Data Controller is the End User, the Customer undertakes to inform the End User of this transfer and declares that the authorization to use the Additional Data Processor located outide the EEA is equivalent to the mandate above.

8. CHECK AND CONTROLS

8.1. The Provider shall prediodically audit the security of the Personal Data processing systems and environments used by the Provider itself for the provision of the Services and the locations where such security treatment takes place. The Provider shall have the right to appoint indipendent professionals selected by the Provider itself for carrying out audits according to international standards and/or best practice, the result of which shall be reported in specific reports ("Report"). These Reports, which constitute a confidential information of the Provider, may be made available to the Customer to enable it to verifiy the Provider's compliance with the security obligations under this Agreement.

9. ASSISTANCE FOR COMPLIANCE

9.1. The Provider will assist the Customer and will cooperate in the following ways in order to enable the Customer to comply with its obligations under Personal Data Protection Law.

9.2. If the Provider receives Requests or Complaints from a Data Subject in relation to Personal Data, the Provider will advise the Data Subject to contact the Customer or the End User, if the latter is the Data Controller. In such cases, the Provider will promptly inform the Customer or the receipt of the Request by sending an email notification and will provide the Customer with the information available to it togheter with a copy of the Request or complaint. It is understood that such cooperation will be carried out exceptionally, as the management of relationship with the Data Sujects remains excluded from the Services and it is the Customer's responsibility to handle any complaints directly and ensure that the point of contant for the excercise of rights by the Data Subjects is the Customer itself, or the End User if is the Data Controller. It will be Customer's responsibility or the End-User's responsibility if it is the Data Controller, to respond to such requests or complaints.

9.3. The Provider shall promptly inform the Custome, unless forbidden by law, with notice to the Email Notification of any inspections or requests for information submitted by control authorities and police forces regarding profiles concerning the processing of Personal Data.

9.4. If for the purpose of fulfilment of the Requests referred to in the prvious points, the Customer needs to receive information from the Provider about the processing of Personal Data, the Provider will provide the necessary assistance as far as reasonably possible, provided that such requests are made at reasonable notice.

9.5. The Provider, taking into account the nature of the Personal Data and the information available to it, provide reasonable assistance to the Custmer in making available useful information to enable the Customer to carry out impact assessments on the protection of Personal Data in the cases provided by law. In this case, the Provider will make general information available on the basis of the Service, such as information contained in the Contract, in this Agreement and in the DPA- Special Conditions relating to the Services concerned. Any requests for personalized assistance may be subject to payment of a fee by the Customer. It is understood that it is the responsibility and exclusive burden of the Customer, or of the End User if it is the Data Controller, proceed with the impact assessment based on the characteristics of the processing of Personal Data from the same place in being in the context of the Services.

9.6. The Provider undertakes to make Services based on the principles of minimization of treatment (privacy by design & by default), it being understood that it is the exclusive responsibility of the Customer, or of the End User if it is the Data Controller, ensure that the processing is carried out in compliance with these principles and verify that the technical and organizational measures of a Service meet the Company's compliance requirements, including those under Personal Data Protection Law.

9.7. The Customer acknowledges that, in the case of Requests for portability of Personal Data made by the respective Data Subjects, and only in relation to the Services that generate Personal Data relevant for this purpose, the Provider will assist the Customer by providing the information necessary to extrat the requested data in format that complies with the provision of the Legislation on the Protection of Personal Data.

10. OBLIGATIONS OF THE CUSTOMER AND LIMITATIONS

10.1. The Customer undertakes to issue Instructions in accordance with the regulations and to use the Services in accordance with the Legislation on the Protection of Personal Data and only to process Personal Data that have been collected in accordance with the Legislation of Protection of Personal Data.

10.2. Any processing of Personal Data referred to in art, 9 and 10 of the GDPR will be allowed only where expressly provided for in the DPA - Special Conditions; out such cases, any processing of such Persoanl Data will be permitted only with the prior written agreement of the Parties pursuant to point 3.2

10.3. The Customer undertakes to fulfil all the obligations on the Data Controller (and in cases where such obligations are on the End User, the Customer guarantees that equivalent obligations are imposed at the expense of the End User) by the Legislation on the Protection of Personal Data, including the information obligations towards the Data Subject. The Customer also undertakes to ensure that the processing of Personal Data carried out through the use of the Services takes place only in the presence of a suitable legal basis.

10.4. If the release of the information and the obtaining of the consent must take place through the product object of the Contract, the Customer declares to have evaluated the product and that it meets the need of the Customer. It is also up to the Customer to assess whether any forms made available by the Provider to facilitate the fulfilment of the obligations of information and consent (e.g privacy policy model for apps or information in applications), when available, is in compliance with Personal Data Protection Legislation and adapt it where deemed appropriate.

10.5. It is also Customer's exclusive responsibility to rpovide for the Personal Data management in accordance with the requests made by the interested parties, and therefore provide for any updates, additions, corrections and cancellations of Personal Data.

10.6. It is Customer's responsibility to keep it account linked to the Email Notification active and updated.

10.7. Pursuant to art. 30 of the GDPR, the Customer acknlowledges that the Provider is required to maintain a register of the processing activities carried out on behalf of the Data Controller (or Data Processor) and to collect for this purpose the identification and contact data of each Data Controller (and/or Data Processor) on behalf of which the Provider acts and that such information must be made available to the competent authority, upon request. Therefore, when requested, the Customer undertakes to give the Provider identification and contact details indicated above in the manner identified by the Provider over time and keep this information updated through the same channels.

10.8. The Customer hereby declares that the processing of Personal Data, as described in the Contracts, in this Agreement and in the relevant DPA-Special Conditions, are lawful.

11. DURATION

11.1. This Agreement shall take effect from the Date of Effect of the Agreement and shall automatically cease, on the date of cancellation of all Personal Data by the Provider, as provided for in this Agreement and, if applicable, in the relevant DPA - Special Conditions.

12. PERSONAL DATA RETURN OR DELETION PROVISIONS

12.1. Upon termination of the Service, the Provider will discontinue any processing of Personal Data, for whatever reason, and 12.1.1 will delete the Personal Data (including any copies) from the Provider's systems or form the systems over which the Provider has control whitin the term provided in the Contract, except where the retention of data by the Provider is necessary in order to comply with a provision of Italian or Europian law;

12.1.2. It will erase any Personal Data sotred in paper format in its possession, unless the retention of data by the Provider is necessary for the purposes of compliance with Italian or European law; and
12.1.3. It will keep available to the Customer the Personal Data for the extraction for the period of 12 (twelve) months following the termination of the Contract. During this period, the processing will be limited to the sole purpose of keeping the Personal Data available to the Customer for the extraction referred to in point 12.2.

12.2. Subject to the provisions of this Agreement,upon the termination of the Service, the Customer acknlowledges that it is its responsibility to provide for the total or partial extraction of the Personal Data that it deems useful to retain and also acknlowledges that such extraction must be carried outbefore the expiry of the period refferred to in point 12.1.3.

12.3. Any further or different provisions regarding the deletion of the data covered by the relevant DPA - Special Conditions shall hold firm.

13. RESPONSIBILITY

13.1. Each party is responsible for complying with their respective obligation under this Agreement and under the relevant DPA-Special Conditions and under the data protection Legislation;

13.2. Subject to the mandatory legal limits, the Provider shall indemnify the Customer in the event of a breach of this Agreement and/or the relevant DPA - Special Conditions within the maximum limits agreed in the Agreement.

14. MISCELLANEOUS PROVISIONS

14.1. The present Agreement supersedes any other Agreement, Contract or Agreement between the Parties with regard to his subject matter any instructions provided in any form by the Customer to the Provider prior to the date of this Agreement regarding the Personal Data processed in the context of the execution of the Contract.

14.2. This Agreement may be amanded by the Provider by giving written notice (also by e-mail or with the help of computer programs) to the Customer. In this case, the Customer shall have the right to withdraw from the Contract by written communication sent to the Provider by registered mail, attested by an acknowledgment of receipt within 15 days of recepit of the Provider's communication. In the absence of exercise of the right of withdrawal by the Customer, in the terms and in the manner mentioned above, the amendments to the present Agreement shall be understood by these definitively known and accepted and shall become definitively effective and binding.

14.3. In the event of a conflict between the provisions of this Agreement and the provisions of the Contract for the provision of the Services, or in documents of the Customer not expressly accepted by the Provider in derogation from this Agreement and/to the respective DPA-Special Conditions, the provisions of the present Agreement and the provisions of the relevant DPA- Special Conditions shall prevail.

Annex 1

Technical and organizational measures

In addition to the security measures provided for in the Contract and in the MDPA, the Data Processor applies the following organizational security measures depending on the type of Service whereby the Product is provided or licensed

CLOUD SaaS

Organizational security measures

User Policy and Disciplinary - The Provider applies detailed policies and disciplinary to which all Users with access to informations systems have the obligation to comply and these ones are aimed to guarantee forms of behavior suitable for ensuring the compliance with the principles of confidentiality, availability and integrity of data in the use of IT resources.

Logical Access Authorisation - The Provider defines the access profiles in compliance with theleast privilege necessary for the executionof the assigned tasks. In order to limit the access to the only data necessary to carry out the processing operations, authorisation profiles shall be identified and configured before the star of the processing.

Management of the interventions Assistance- Interventions of Assistanceare are regulated with the aim of ensuring the execution of the only activities contractually and preventing the excessive processing of personal data whose ownership is in the hands of the Customer or the End User.

Data Protection Impact Assessments(DPIA)- In accordance with the art. 35 and 36 of the GDPR and based on WP248- Guidelines on Data Protection Impact Assessment adopted by the Working Group pursuant to art. 29, the Provider has prepared its own methodology for the analysis and for the evaluation of processing operations which, having regart to the nature, the subject matter, the context and the purposes of the processing, present a high risk to the rights and freedom of natural persons with a view to proceeding with the assessment of the impact on the protection of personal data before starting the processing.

Incident Management - The Provider has implemented a specific Incident Management procedure to ensure the restoration of normal service operations as quickly as possible, guaranteeing the maintenance of the highest level of service.

Data Breach - The Provider has implemented a special procedure aimed at the management of events and incidents with a potential impact on personal data that defines the roles and responsibilities, the detection process (assumed or confirmed), the application of enforcement actions, the response and containment of the incident / breach as well as the methods by which to communicate the breach of personal data to the Customer.

Technical Security Measures

Firewall, IDPS - Personal Data are protected against the risk of intrusion referred to in art 615 - quinquies of the penal code through Intrusion Detection & Prevention systems kept up to date in relation to the best available technologies.

Safety communication lines- The Provider, for its part, adopts secure communication protocols in line whit what the technology makes available.

Protection from malware- Systems are protected against the risk of intrusion and they are also protected of the actions of programs through the activation of appropriate electronic instruments updated on a regular basis.

Authentication Credentials- Systems are configured in a way that allows access on to entities with authenticaion credentials that allow their unique identification. Among these, code associated with a keyword, confidential and known only by the same; authentication device in possession and exclusive use of the user, possibily associated with an identificaiton code or a keyword.

Keyword- With regard to the basic features as the obligationto change at first access, minimum lenght, absence of elements easily treaceable to the subject, rules of complexity, expiryt, history, contextual assessment of robustness, visualization and storage, the keyword is managed in accordance with best practices. The person to whom the credentials are attributed shall be given precise instructions in relation to the procedures to be adopted to ensure their secrecy .

Logging - Systems are configurable with ways that allow access tracking and, where appropriate, the tracking of the activities carried out by different types of users protected by appropriate security measures that guarantee their integrity.

Backup & Restore - Appropriate measures are taken to ensure the restoration of data access in case of damage to the same or in case of damage of the electronic instruments, in times compatible with the rights of the data subject. Where laid down in the contractual agreement, an operational continuity plan is used and, where necessary, it is integrated with the disaster recovery plan; both of them shall ensure availability and the access to the systems also in case of significant adverse events which may persist in time.

Vulnerability Assessment & Penetration Test - The Provider periodically performs vulnerability analysis aimed at detecting the state of exposure to known vulnerabilities, both in relation to infrastructure and application environments, considering systems in operation or under development. In relation to the potential risks identified, where deemed appropriate, such verifications shall be periodically supplemented with appropriate penetration test techniques, through intrusion simulations using different attack scenarios, with the aim of verifying the security level of application/systems/networks through activities aimed to exploiting the vulnerabilities detected to circumvent the mechanism if physical /logical security and have access to them. The results of the verifications are in detail and regularly examined in order to identify and put in place the points of improvement necessary to guarantee the required safety performance.

Data Center - Physical access to the Data Center is limited to authorized subjects only. For the detail of the security measures taken with reference to the data center services provided by the Additional Data Processor, as well as identified in the DPA - Special Conditions, refers to the security measures described by the same Additional Processors and made available in the relevant institutional sites to the following adresses (or to those that will subsequently be made available by Additional Processors).

For Data Center services provided by Google Cloud Platform:
https://cloud.google.com/security/compliance/