Data Processing Agreement

Last updated: 12 April 2026

Effective date: 12 April 2026

1. Preamble

This Data Processing Agreement (hereinafter the "DPA") governs the processing of personal data carried out by Gitogi Srl, with registered office at Piazza IV Novembre 4, 20124 Milan, Italy, VAT No. IT14288420962 (hereinafter the "Data Processor" or "Processor"), on behalf of the client subscribing to Gitogi services (hereinafter the "Data Controller" or "Controller").

This DPA forms an integral and substantial part of the Terms of Service and the service agreement for the provision of Gitogi services (hereinafter the "Main Agreement"). The DPA applies insofar as Gitogi processes personal data on behalf of the Controller in the context of delivering AI Adoption & Governance services.

This DPA is drawn up pursuant to and for the purposes of Art. 28 of Regulation (EU) 2016/679 (hereinafter the "GDPR") and Art. 28 of Italian Legislative Decree 196/2003 as amended by Legislative Decree 101/2018 (hereinafter the "Privacy Code").

2. Definitions

• "Personal Data": any information relating to an identified or identifiable natural person, within the meaning of Art. 4(1) GDPR.
• "Processing": any operation or set of operations performed on personal data, whether or not by automated means, within the meaning of Art. 4(2) GDPR.
• "Data Controller": the client who determines the purposes and means of the processing of personal data, within the meaning of Art. 4(7) GDPR.
• "Data Processor": Gitogi Srl, which processes personal data on behalf of the Controller, within the meaning of Art. 4(8) GDPR.
• "Sub-processor": any third party engaged by the Processor to carry out specific processing activities on behalf of the Controller, within the meaning of Art. 28(2) and 28(4) GDPR.
• "Personal Data Breach": a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data, within the meaning of Art. 4(12) GDPR.
• "Supervisory Authority": the Italian Data Protection Authority (Garante per la protezione dei dati personali), within the meaning of Art. 51 GDPR.
• "Data Subject": the natural person to whom the personal data being processed relate, within the meaning of Art. 4(1) GDPR.

3. Subject matter and duration

This DPA governs the processing of personal data that the Processor carries out on behalf of the Controller in the context of delivering the services provided for in the Main Agreement, including but not limited to: the e-learning platform (Academy), AI assistant, AI maturity assessments, AI governance consulting, document templates, and compliance tools.

This DPA enters into force on the date of execution of the Main Agreement and remains effective for its entire duration, as well as for the period necessary for the return or deletion of personal data pursuant to Section 13.

4. Nature and purpose of the processing

The Processor processes personal data exclusively for the following purposes, all strictly necessary for the provision of the services under the Main Agreement:

• User account management: registration, authentication (magic link OTP), profile and preference management.
• Delivery of training services: tracking learning progress, quizzes, certifications, competency passport.
• AI assistance: processing conversations with the AI assistant to provide contextualised responses, extraction of lead signals from messages voluntarily provided by the user.
• Assessment and consulting: processing data entered in AI maturity assessments, generating personalised reports and recommendations.
• Subscription and payment management: processing billing data and transactions through the Stripe payment gateway.
• Service communications: sending transactional emails (confirmations, notifications, reminders) and, with consent, commercial communications.

5. Types of personal data

In the context of service delivery, the Processor may process the following categories of personal data:

• Identification data: first name, last name, email address, PEC email address (where provided).
• Professional data: firm/company name, professional role, business sector, organisational size.
• Billing data: company name, VAT number, fiscal code, billing address, SDI/PEC code.
• Platform usage data: learning progress, quiz results, certifications obtained, study time, AI assistant interactions.
• Technical data: IP address, session data, browser user-agent, access logs.
• User-generated content: messages sent to the AI assistant, assessment responses, notes and annotations.

The Processor does not process special categories of personal data (Art. 9 GDPR) or data relating to criminal convictions (Art. 10 GDPR). The Controller undertakes not to input such data into the platform.

6. Categories of data subjects

The personal data processed relate to the following categories of data subjects:

• Employees and collaborators of the Controller registered on the platform
• Professionals and partners of the Controller's firm
• Administrative and billing contacts of the Controller
• Clients of the Controller whose data are entered into the platform for consulting purposes

7. Obligations of the Data Processor

Pursuant to Art. 28(3) GDPR, the Processor undertakes the following obligations:

7.1 Documented instructions — Art. 28(3)(a)

The Processor shall process personal data only on the basis of documented instructions from the Controller, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by Union or Member State law to which the Processor is subject; in such a case, the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest. The Controller's instructions are set out in the Main Agreement, this DPA, and any subsequent written instructions.

7.2 Confidentiality — Art. 28(3)(b)

The Processor shall ensure that persons authorised to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. All Gitogi personnel with access to the Controller's personal data are bound by confidentiality agreements and receive regular training on personal data protection.

7.3 Security measures — Art. 28(3)(c) and Art. 32

The Processor shall implement all technical and organisational measures necessary to ensure a level of security appropriate to the risk, pursuant to Art. 32 GDPR. Security measures are described in detail on the Security Measures.

• Data encryption: data encrypted in transit (TLS 1.3) and at rest (AES-256). Sensitive data (tokens, API keys) encrypted at application level.
• Access control: multi-factor authentication, principle of least privilege (Row Level Security), role separation.
• System resilience: automated daily backups, disaster recovery, continuous monitoring with alerting.
• Incident management: documented incident response procedure, immutable audit logs.
• Data minimisation: collection limited to what is strictly necessary, pseudonymisation where technically feasible, retention policy with automatic deletion.
• Regular testing: regular assessment and evaluation of the effectiveness of technical and organisational measures, pursuant to Art. 32(1)(d) GDPR.

7.4 Sub-processors — Art. 28(2) and 28(4)

The Controller grants the Processor a general authorisation to engage other processors (sub-processors), pursuant to Art. 28(2) GDPR. The Processor shall inform the Controller of any intended changes concerning the addition or replacement of sub-processors, thereby giving the Controller the opportunity to object to such changes with at least 30 days' notice. The up-to-date list of sub-processors is available on the Sub-processor list.

7.5 Assistance with data subject rights — Art. 28(3)(e)

The Processor shall assist the Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller's obligation to respond to requests for exercising the data subject's rights laid down in Chapter III of the GDPR (access, rectification, erasure, restriction, portability, objection). The Processor shall promptly notify the Controller of any request received directly from a data subject, without responding to the request independently unless otherwise instructed by the Controller.

7.6 Assistance with breach notification — Art. 28(3)(f), Art. 33 and 34

The Processor shall assist the Controller in ensuring compliance with the obligations of notification of personal data breaches to the Supervisory Authority (Art. 33 GDPR) and communication to data subjects (Art. 34 GDPR), taking into account the nature of the processing and the information available to the Processor. The notification procedures are set out in Section 11 of this DPA.

7.7 Deletion or return — Art. 28(3)(g)

At the end of the provision of services relating to processing, the Processor shall, at the choice of the Controller, delete or return all the personal data and delete existing copies, unless Union or Member State law requires storage of the personal data. The procedures are set out in Section 13 of this DPA.

7.8 Audit — Art. 28(3)(h)

The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Art. 28 GDPR and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller. The procedures are set out in Section 14 of this DPA.

8. Obligations of the Data Controller

The Controller undertakes to:

• Lawfulness of processing: ensure that the processing of personal data entrusted to the Processor complies with the GDPR, the Privacy Code, and applicable law, and is based on a valid legal basis.
• Documented instructions: provide documented, lawful, and reasonable processing instructions. The Controller is responsible for ensuring that the instructions given comply with applicable law.
• Data subject information: ensure that data subjects have been adequately informed about the processing of their personal data, including the engagement of processors and sub-processors, pursuant to Art. 13 and 14 GDPR.
• Special categories of data: not input special categories of personal data (Art. 9 GDPR) or data relating to criminal convictions (Art. 10 GDPR) into the platform, unless by prior written agreement with the Processor.
• Cooperation: cooperate with the Processor in fulfilling obligations arising from the GDPR, including responding to data subject requests and requests from the Supervisory Authority.

9. Sub-processors

The Controller grants the Processor a general prior authorisation to engage sub-processors, pursuant to Art. 28(2) GDPR. The Processor shall impose on each sub-processor, by way of a contract or other legal act under Union or Member State law, the same data protection obligations as set out in this DPA, pursuant to Art. 28(4) GDPR.

The Processor shall inform the Controller of any intended changes concerning the addition or replacement of sub-processors with a minimum notice period of 30 days, to allow the Controller to raise any objections. In the absence of objections within the specified period, the change shall be deemed approved. In the event of a reasoned objection, the parties shall negotiate in good faith to find a solution. Should agreement prove impossible, the Controller shall have the right to terminate the Main Agreement with respect to the affected services.

The complete and up-to-date list of sub-processors is available on the Sub-processor list.

10. International data transfers

The Processor stores primary personal data in the European Union (Supabase, eu-central-1 region, Frankfurt). Certain sub-processors may process personal data outside the European Economic Area, strictly to the extent necessary for service delivery.

For all transfers to third countries, the Processor ensures the application of one or more of the following transfer mechanisms provided for in Chapter V of the GDPR:

• Adequacy decision: EU-US Data Privacy Framework (DPF), pursuant to Art. 45 GDPR and Commission Implementing Decision (EU) 2023/1795 of 10 July 2023.
• Standard Contractual Clauses (SCCs): modules approved by the Commission under Implementing Decision (EU) 2021/914, supplemented where necessary by additional measures pursuant to the Schrems II judgment (C-311/18) and EDPB Recommendations 01/2020.
• Transfer Impact Assessment (TIA): the Processor carries out a documented assessment of the level of protection afforded by the third country for each non-EU sub-processor, pursuant to EDPB Recommendations 01/2020.

11. Notification of personal data breaches

In the event of a personal data breach affecting the data processed on behalf of the Controller, the Processor shall notify the Controller without undue delay and in any event within 48 hours of becoming aware thereof, in order to enable the Controller to fulfil its obligation to notify the Supervisory Authority within 72 hours pursuant to Art. 33 GDPR. The notification shall contain at least:

• Description of the breach: the nature of the breach, the categories and approximate number of data subjects and personal data records concerned.
• Point of contact: the name and contact details of the Processor's privacy contact.
• Likely consequences: a description of the likely consequences of the breach.
• Measures taken: a description of the measures taken or proposed to address the breach, including, where appropriate, measures to mitigate its possible adverse effects.
• Timeline: the chronological sequence of events known at the time of notification.
• Data involved: the types of personal data involved in the breach.

The Processor shall cooperate with the Controller and take all reasonable steps to assist in the investigation, mitigation, and resolution of the breach. The Processor shall document every breach in an internal register pursuant to Art. 33(5) GDPR.

12. Assistance with Data Protection Impact Assessment (DPIA)

The Processor shall assist the Controller in carrying out the Data Protection Impact Assessment (DPIA) pursuant to Art. 35 GDPR and, where applicable, in prior consultation with the Supervisory Authority pursuant to Art. 36 GDPR, taking into account the nature of the processing and the information available to the Processor.

Assistance includes providing information on the technical and organisational security measures adopted, the sub-processors involved, the categories of data processed, and any other element useful for the Controller's conduct of the DPIA.

13. Return and deletion of data

Upon termination of the provision of processing services or termination of the Main Agreement, the Processor shall, within 30 days of the Controller's request and at the Controller's choice:

• Return all personal data to the Controller in a structured, commonly used and machine-readable format (CSV, JSON) and delete all existing copies.
• Delete all personal data and existing copies, certifying the deletion in writing.

In the absence of written instructions from the Controller within 30 days of service termination, the Processor shall proceed with the automatic deletion of personal data and all copies within an additional 30 days. Any retention obligation under applicable Union or Member State law shall be preserved, in which case the Processor shall inform the Controller and limit processing to storage only, protecting the data with appropriate security measures.

14. Audit rights

Pursuant to Art. 28(3)(h) GDPR, the Controller or an independent third-party auditor mandated by the Controller shall have the right to conduct audits to verify the Processor's compliance with the obligations set out in this DPA, subject to the following conditions:

• Notice: the Controller shall provide at least 30 working days' written notice of a request for an audit.
• Frequency: one routine audit per year, unless a data breach or a request from the Supervisory Authority necessitates an extraordinary audit.
• Methods: the audit may consist of a documentary review (questionnaires, certifications, third-party audit reports) or, if deemed necessary by the Controller and with reasonable justification, an on-site inspection at the Processor's premises.
• Confidentiality: the auditor shall be bound by confidentiality obligations. The audit must not compromise the security of the systems or the confidentiality of other clients' data.

The Processor shall make available to the Controller relevant certifications and audit reports from its sub-processors (where available), such as SOC 2 Type II, ISO 27001, and third-party penetration tests, in order to reduce the need for on-site inspections.

15. Liability

Each party shall be liable to the other for damages resulting from a breach of this DPA, in accordance with Art. 82 GDPR. The Processor shall be exempted from liability under Art. 82(3) GDPR if it proves that it is not in any way responsible for the event giving rise to the damage.

Any limitations of liability provided for in the Main Agreement shall also apply to this DPA, unless applicable law does not permit the limitation of liability for breaches of data protection legislation.

16. Term and termination

This DPA enters into force simultaneously with the Main Agreement and remains effective for the entire duration of the Main Agreement and for the additional period necessary to complete the data return or deletion operations referred to in Section 13.

Termination of the Main Agreement shall automatically result in the termination of this DPA, without prejudice to the obligations of return, deletion, and confidentiality that survive termination.

17. Governing law and jurisdiction

This DPA is governed by Italian law and Regulation (EU) 2016/679 (GDPR). In all matters not expressly covered, the provisions of the Italian Civil Code and Legislative Decree 196/2003 (Privacy Code) as amended by Legislative Decree 101/2018 shall apply.

For any dispute arising from the interpretation or performance of this DPA, the parties shall first endeavour to reach an amicable settlement. Failing settlement, the Courts of Milan shall have exclusive jurisdiction.

18. Contact

For any questions relating to this DPA or the processing of personal data:

• Company: Gitogi Srl — IT14288420962
• Registered office: Piazza IV Novembre 4, 20124 Milano
• Email: privacy@gitogi.com
• PEC: pec@pec.gitogi.com

Related documents:

• Privacy Policy
• Sub-processor list
• Technical and organisational security measures
• Terms of Service
• AI Transparency