Data Processing Agreement

For business customers who use Noemie to process data on behalf of their organisation.

Last updated: [Month Year]

1. Scope

This Data Processing Agreement ("DPA") applies when you use Noemie in a business context and personal data of your employees, clients, or contacts is processed through the service. It supplements the Terms of Service and forms part of the agreement between you and [Company name].

2. Roles

You (the customer) act as the data controller for the personal data you input into Noemie.

[Company name] acts as the data processor, processing data solely on your instructions and for the purpose of delivering the service.

3. Processing instructions

We process personal data only as instructed by you through your use of the service. We will not process data for any other purpose, including model training, unless you explicitly instruct us to and we agree in writing.

4. Sub-processors

We may engage sub-processors to deliver parts of the service. All sub-processors are bound by data processing terms no less protective than this DPA.

Current sub-processors: [list your providers here, e.g. hosting provider, email provider]. We will notify you at least 30 days before adding or replacing a sub-processor.

5. Security measures

We implement appropriate technical and organisational measures to protect personal data, including: TLS 1.3 encryption in transit, AES-256 encryption at rest, per-customer data isolation, access controls with least-privilege principles, and regular security reviews.

We will notify you without undue delay (and in any case within 72 hours) if we become aware of a personal data breach affecting your data.

6. Data subject rights

We will assist you in responding to data subject requests (access, erasure, portability, rectification) within [X business days] of receiving a request from you.

7. Deletion on termination

Upon termination of your account or upon your written request, we will delete or return all personal data within [X days] and confirm in writing that deletion is complete.

8. Audits

You may audit our compliance with this DPA by providing at least 30 days' written notice. Audits must be conducted during business hours and at your expense, unless an audit reveals material non-compliance.