Subscription terms and conditions

Reviso Cloud Accounting Limited

DEFINITIONS

In these general terms and conditions of agreement (the “Terms”), the following words and phrases, when used with capital initial, shall have the meaning defined in this section.

Words defined in the singular shall have the same meaning in the plural, and vice versa.

Access Credentials: means the authentication system through which the Customer is allowed to access and use the Software in order to enjoy the Cloud Services, including the identification code and access keys provided by Reviso to the Customer and associated with each User, as well as the tokens (if any).

Agreement: means these Terms, the relevant attachments, the Subscription, the technical documentation (if any) delivered to the Customer, the subscription forms (if any) and any online instructions for the use of the Software products.

Cloud Infrastructure: means the cloud system, owned by Reviso or by third parties, which hosts the Software products.

Cloud Services: means the services provided by Reviso to the Customer through the Customer's access to and use of the Software products.

Connectivity: means the connection to the Data Centre that is implemented by the Customer by connecting to a telecommunications network or to the internet.

Controlled Companies: means any companies directly or indirectly controlled by the Customer and possibly listed in the Subscription.

Customer: means the company specified in the Subscription.

Data Centre: means the service centres hosting the interconnected servers, belonging to Reviso or to third parties, on which the Cloud Infrastructure resides.

Data Protection Law: means the GDPR and any other implementing law and/or regulation (if any) which is effective under the GDPR or otherwise in Italy and the UK with respect to the protection of Personal Data, including any decision issued by a supervisory authority having jurisdiction in the subject matter that is, and remains, binding and effective.

Fees: means the amounts specified in the Subscription and payable to Reviso or, if so specified in the Subscription, to the Reviso Distributor, by the Customer as a consideration for the provision of Cloud Services.

GDPR: means Regulation (EU) No. 2016/679 of 27 April 2016 on the protection of personal data (the General Data Protection Regulation).

Intellectual Property Rights: means all intellectual and/or industrial property rights, whether registered or unregistered, in full or in part, anywhere in the world, including, without limitation, trademarks, patents, utility models, designs and models, domain names, know-how, works of authorship covered by copyright, databases and software products (including, without limitation, the relevant derivative works, source code, object code and interfaces).

License: has the meaning specified in paragraph 2.5.

MDPA: means the Master Data Protection Agreement and the applicable DPA – Special Terms document, which are attached to this Agreement.

New Product: has the meaning specified in letter (b) of paragraph 12.1.

Notice of Recall: has the meaning specified in letter (b) of paragraph 12.1.

Obsolete Product: has the meaning specified in paragraph 12.1.

Subscription: means the form or coupon, in electronic or paper form, filled in and accepted (online or otherwise) by the Customer and including certain terms and conditions applicable to the Cloud Services specified in the same Subscription. It is hereby agreed between Reviso and the Customer that, in case of conflict between the terms and conditions specified in the Subscription and the provisions of the Terms, the terms and conditions of the Subscription shall prevail. 

Parties: means Reviso and the Customer together.

Partner: means the person(s)/entity(ies) selected by Reviso (also from among the Reviso Distributors) and collaborating with the latter in order to provide Cloud Services and/or Support.

SaaS: means software-as-a-service.

Software: means the software products owned by Reviso, by any company belonging to the Reviso Group or by any third party, hosted on the Cloud Infrastructure, as updated and/or amended by means of the Updates and Upgrades.

Sub-License: has the meaning specified in paragraph 2.9.

Support: means the technical support aimed at suggesting to the Customer, upon the latter's request and where possible, technical solutions to ensure the correct enjoyment of the Cloud Services.

Reviso Group: means Reviso and all the companies that are directly or indirectly controlling, controlled by, or affiliated with, Reviso, including Reviso Cloud Accounting Limited, 1st Floor, Healthaid House Marlborough Hill Harrow Middlesex HA1 1UD.

Reviso: means Reviso International APS (Denmark business register No. 37098477), with registered seat at No. 3, Ewaldsgade (2200) Copenhagen N, Denmark (which is the owner of any and all Intellectual Property Rights in the Software), or any other company of the Reviso Group indicated in the Subscription.

Reviso Distributor: means the person/entity entitled to carry out the marketing of Cloud Services based on a valid agreement entered into with Reviso.

Updates and Upgrades: means all the updates, supplements, adjustments, upgrades, enhancements and, in general, all amendments made by Reviso, and/or by any third-party owner, to the Software products. Updates and Upgrades shall not include amendments that may become necessary due to any amendment, supplement, repeal or enactment of an EU or any country’s law, decree, regulation, directive, order or decision which, at the discretion of Reviso, will significantly impact the operation and/or the costs of Reviso and/or the structure of the Software, or which implies substantial or structural amendments of the laws in force at the date of the Agreement.

User: means each and every employee and/or collaborator of the Customer, duly authorized by the latter to use the Access Credentials in order to access and use the Software required to enjoy the Cloud Services.

1.           Scope and acceptance of Terms

1.1.        These Terms shall govern the use, by the Customer, of the Software products as well as the provision, by Reviso, of the Cloud Services specified in the Subscription, by means of allowing the Customer to access and use each Software product referred to in the Subscription. These Terms shall govern all Updates and Upgrades as well, unless differently provided.

1.2.        These Terms are accepted by the Customer by ticking off "I have read and accept the subscription terms and conditions" in the Subscription, or by using the Software or the Cloud Services, and apply between Reviso and the Customer. If the Customer is a legal person, these Terms are accepted on behalf of the Customer. This is a business-to-business service only and there is no intention to create a contract with any consumer. If you are a consumer and wish to use the Software, first contact us at help@reviso.com.

1.3.        Accounting firms, management agencies and the like may also accept these Terms on behalf of the Customer, for example in relation to new subscriptions, and in doing so they represent that they have the necessary authority to do so and that the Customer has been duly informed of these Terms prior to acceptance.

2.           Cloud Services

2.1.        By this Agreement, in return for the timely payment of the Fees, Reviso shall provide to the Customer, who accepts, the Cloud Services specified in the Subscription. The Customer shall be entitled to enjoy the Cloud Services exclusively through accessing and using the Software in SaaS mode.

2.2.        The Software allows the Customer to manage various features of business accounting. In particular, the Software allows the Customer to avail of the specific Cloud Services associated with each package and to enable additional features composing the Software (“Modules”), as specifically identified and described in the relevant section of the web page devoted to the Software on the Reviso internet site (“Site”). There are different packages (“Packages”), each having different contents and economic value, whose specific features are also identified and described on the Site. In order to use the Software, activation of at least one Package is required. Upon activation of the selected Package, the Customer will be allowed to request activation of further Modules not included in the originally purchased Package, it being understood that activation of each add-on Module will imply the payment of supplementary Fees as specified on the Site.

2.3.        Through the Software, the Customer may reduce the services subscribed and remove additional Modules, each with effect from the last day of the current calendar quarter (unless otherwise stated in the description or terms and conditions applying to the specific service or module).

2.4.        Depending on the selected Package, the number of accounting lines that may be registered through the Software (“Transactions”) may be limited. Any Transactions exceeding the maximum number of Transactions allowed by each Package will imply the payment of supplementary Fees as specified on the Site.

2.5.        Upon execution of the Agreement, Reviso grants the Customer, who accepts, a non-exclusive, non-transferable, non-perpetual license to use the Software, limited to the activated Modules and for an undefined number of Users (the “License”), without prejudice to the right of the Customer to use the Software in the form of SaaS through the Access Credentials provided by Reviso, or the Reviso Distributor, to the Customer.

2.6.        Regardless of the purchased Package, the Customer might be entitled to use the selected Package during a free trial having the duration specified on the Site (“Free Trial Period”). A Customer intending to keep using the Software following expiration of the Free Trial Period shall request activation of a Package according to the provisions of paragraph 2.2 above.

2.7.        The Software is provided with specific APIs that allow the exchange of data and information between the Software and third-party applications (“Related Software”). Without prejudice to the limitations of Reviso’s liability set forth in article 14, Reviso and the companies of the Reviso Group, to the maximum extent allowed by applicable law, shall not be held liable for direct or indirect damages and/or losses, of any kind or seriousness, that may be suffered by the Customer or by third parties due to Software malfunctioning and/or improper processing arising from (i) errors and/or malfunctioning during processing and/or transmission of data and information that are due to any Related Software and/or (ii) improper use of the APIs by the Customer.

2.8.        The Customer may, through a specially designed Software feature, allow third parties who are in turn also Users of the Software (“Authorized Third Parties”), including, without limitation, persons registered with the register of accountants and accounting experts, to access the Customer’s profile in order to search data and documents stored in it and/or to use the Software on behalf of the Customer. The Customer acknowledges and represents that it is exclusively liable for the authorizations granted to Authorized Third Parties to use the Software on behalf of the Customer. Therefore, without prejudice to the limitations of Reviso’s liability set forth in article 14, Reviso and the companies of the Reviso Group, to the maximum extent allowed by applicable law, shall not be liable for direct or indirect damages and/or losses of any nature or extent that may be suffered by the Customer or by third parties due to the use or lack of use of the Software by any Authorized Third Party that is not compliant with the Agreement, the laws in force and/or the directions of the Customer.

2.9.        Without prejudice to the provisions of paragraph 2.5, in return for the payment of any supplementary Fees individually specified in the Subscription or that may be determined in separate written agreements, Reviso undertakes to provide the Cloud Services specified in the Subscription also in favor of the Controlled Companies, pursuant to the granting by the Customer to the Controlled Companies of a sub-license for the use of the Software (the “Sub-License”). Each Controlled Company shall be entitled to enjoy the Cloud Services exclusively through accessing and using the relevant Software product in SaaS mode.

3.           Obligations of the Customer

3.1.        By virtue of the Agreement, the Customer undertakes to:

(a)          Pay to Reviso or, if so specified in the Subscription, to the Reviso Distributor the Fees payable pursuant to article 7;

(b)          Obtain, from independent sources, hardware and software equipment and adequate Connectivity in order to be able to access the Data Centre and use the Software products required to enjoy the Cloud Services;

(c)          Independently adjust the features of its own computer systems and of the Connectivity in case of amendments, replacements and corrections (if any) that may be introduced to the Software products and to the Cloud Services after the time of execution of the Agreement;

(d)          Use the Software products and/or Cloud Services in compliance with the License and solely for their intended purposes;

(e)          Provide Reviso with all information required in order to allow Reviso to properly and fully perform its obligations under this Agreement, as well as with immediate notice of any relevant modification, including changes concerning the Users and/or Controlled Companies;

(f)           Have every User examine these Terms;

(g)          Have every Controlled Company examine these Terms and agree upon them.

3.2.        The Customer shall ensure that the Software is not used in any manner which reflects adversely upon the name, reputation and/or goodwill of Reviso or in breach of any applicable law or regulation.

3.3.        Only the Customer is entitled to use the Software, and the Software may not be used for or on behalf of any other parties, or for data processing or the provision of services for parties other than the Customer. The Customer agrees to be fully responsible and liable for any third parties (including Users and Controlled Companies) that are given access to the Software by the Customer or who use the Customer’s login details.

4.           Access Credentials

4.1.        The Customer and/or every User and/or every Controlled Company will access the Software and enjoy the Cloud Services upon their activation by means of the Access Credentials provided by Reviso and/or a company of the Reviso Group.

4.2.        The Customer is aware that, should the Access Credentials become known to other persons, those persons would be able to use the Software and enjoy the Cloud Services without authorization, as well as to gain unauthorized access to any information stored therein. The Customer shall be deemed exclusively liable for any (authorized or unauthorized) use of the Software made through its Access Credentials.

4.3.        The Customer must keep, and have each User and/or Controlled Company keep, the Access Credentials strictly confidential and with the highest care, and hereby undertakes not to transfer them and not to allow third parties to use them unless such third parties are expressly authorized to receive or use such Access Credentials.

4.4.        In no event shall Reviso and/or any of its Partners be deemed liable for any direct and/or indirect, incidental or consequential damages that may be suffered by the Customer, any of the Users and/or any third parties as a consequence of the breach by the Customer and/or by any of the Users of any provision established in this article 4.

5.           Support

5.1.        In return for the timely payment of the Fees, Reviso undertakes to make a Support service available to the Customer, in compliance with the times and manners specified on the website of Reviso.

5.2.        The Customer is aware and agrees that the Support service shall be provided remotely only, it being expressly agreed that no direct action shall be carried out on the computer systems of the Customer and/or of the Controlled Companies.

6.           Updates and Upgrades

6.1.        The Customer is aware and agrees that, should Reviso, at its own discretion, deem it necessary, the Updates and Upgrades may: (i) cause the alteration or removal of certain features of the Software products or (ii) consist in the replacement or migration (in full or in part) of the Software products and the relevant Cloud Services.

6.2.        The Customer releases Reviso from any and all liability in connection with any damages arising from any implemented Updates and Upgrades, unless due to gross negligence or willful misconduct of Reviso.

6.3.        Updates and Upgrades shall not include the updates, supplements, adjustments, upgrades, enhancements and, in general, all amendments that may become necessary due to any amendment, supplement, repeal or enactment of an EU or any country’s law, decree, regulation, directive, order or decision which, at the exclusive discretion of Reviso, will significantly impact the operation and/or the costs of Reviso and/or the structure of the Software, or which implies substantial or structural amendments of the laws in force at the date of the Agreement.

7.           Fees

7.1.        In consideration of the provision of Cloud Services, the Customer undertakes to pay the Fees specified in the Subscription, according to the formalities and within the terms specified therein, to Reviso or, if specified in the Subscription, to the Reviso Distributor. If not explicitly established in the Subscription, the Fees must be paid within 8 (eight) days from receipt of a formal invoice issued by Reviso or, if otherwise specified in the Subscription, by the relevant Reviso Distributor.

7.2.        The first invoicing period runs from the Subscription date to the last day of a calendar quarter or year. After that, invoicing takes place quarterly or annually in advance, unless otherwise set out in the Subscription or a separate agreement.

7.3.        All Fees shall be specified net of VAT and of any other charge payable by virtue of the applicable law.

7.4.        The Customer acknowledges and accepts that the Software and the relevant Cloud Services are subject, by their very nature, to constant development, from both the technological and the legal point of view, implying the need for continual and expensive updating and development activities or, in certain cases, replacement, in order to ensure operation. As a consequence, Reviso shall have the right to increase the Fees, according to the rules set forth in article 15 below.

7.5.        Without prejudice to the provisions of paragraph 7.4 above, if unforeseen circumstances arise during the term of the Agreement that place an increased burden on Reviso with respect to the provision of Cloud Services, Reviso shall have the right to receive a one-off remuneration, to be determined on an equitable basis, or to unilaterally adjust the Fees according to the rules set forth in article 15 below.

7.6.        In case of failure to pay or late payment of any amount payable pursuant to this Agreement, the Customer shall automatically forfeit the benefit of the time limit, and interest for late payment at the rate provided by the applicable laws shall accrue on the amounts due by the Customer. In this case, without prejudice to the provisions of paragraphs 19.1 and 19.2 below, Reviso shall have the further right (i) to suspend the performance of other agreements (if any) existing with the Customer (including the right to prevent the use of the software licensed under any such agreements and to suspend the provision of any related services) and/or (ii) to withdraw at any time from any such agreements.

7.7.        If the Fees are not paid when due, reminder 1 will be sent 7 days after the invoice due date without a reminder fee. If the Fee remains unpaid, reminder 2 will be sent 7 days later and a reminder fee of £7.50 will be charged.

7.8.        The Customer hereby waives its right to delay fulfilment of the payment obligations contemplated in this article 7 by first raising pleas and defences.

7.9.        The Customer is aware that the contractual relationship between Reviso and the Reviso Distributor concerning the marketing of the Cloud Services may come to an end during the term of this Agreement and agrees that in such case:

(a)          Reviso shall inform the Customer of the termination of the contractual relationship between Reviso and the Reviso Distributor;

(b)          As from the date of receipt of the notice under letter (a) above, the Customer shall be under the duty to pay the Fees to Reviso directly, in compliance with the terms and formalities specified in the same notice;

(c)          Any and all agreements existing between the Customer and the Reviso Distributor and relating to the Cloud Services shall be assigned by the Reviso Distributor to Reviso, in accordance with applicable laws;

(d)          The Customer hereby gives its consent to the assignment referred to in previous letter (c).

8.           Confidentiality

8.1.        Communication and/or disclosure, as well as the use in any way, directly or through another person and/or entity, of any news, information and documents of which the Parties have become aware or which have come into their possession in any way in connection with the performance of this Agreement and that Reviso has classified as “confidential” or “private” is strictly prohibited, whether or not they represent an industrial secret and regardless of whether they concern the Parties or any of their clients and/or suppliers, unless such communication and/or disclosure:

(a)          Is explicitly required for the performance of this Agreement;

(b)          Has been explicitly authorized in writing by the other Party;

(c)          Is required by virtue of a legal provision and/or of an order of the administrative and/or judicial authorities binding the Parties to do so.

8.2.        Except for the information and/or documents contemplated in paragraph 8.1 that constitute a secret pursuant to applicable laws, the prohibition established under paragraph 8.1 above shall unreservedly remain in force even after termination, for any reason, of this Agreement and for a period, which both Parties hereby declare to be appropriate, of 3 (three) years, unless such information falls into the public domain through no fault of the Parties.

9.           Partners

9.1.        When performing its obligations under the Agreement, Reviso shall have the right, at its exclusive discretion, to avail itself of the technical, organizational and commercial cooperation of its Partners and therefore to entrust them with the performance (in full or in part) of the activities listed in these Terms and/or in the Subscription.

10.         Intellectual Property Rights

10.1.      All Intellectual Property Rights, including relevant economic exploitation rights, on the Cloud Infrastructure, the Software, the Cloud Services, the relevant documentation, the Updates and Upgrades and on the relating preparatory material and derivative works shall remain, in full or in part and everywhere in the world, exclusively with Reviso and/or with any third party owning them and which may be specified in the Subscription, or in the supporting technical documentation.

10.2.      The Customer undertakes, also by guaranteeing the conduct of every User and Controlled Company, to use the Software as well as the Updates and Upgrades strictly to the extent allowed by the License (or the Sub-License where Controlled Companies are concerned). Therefore, without limitation, and in any case without exceeding the limits established by mandatory law provisions, the Customer is not allowed to:

(a)          Circumvent technical restrictions and technological protective measures existing in the Software and/or in the Updates and Upgrades, including the authentication system;

(b)          Reverse engineer, decompile or disassemble the Software and/or the Updates and Upgrades;

(c)          Make copies, or allow others to make copies, of the Software and/or of the Updates and Upgrades;

(d)          Make the Software and/or the Updates and Upgrades public, or allow others to do so;

(e)          Use the Software and/or the Updates and Upgrades outside the Cloud Infrastructure;

(f)           Market the Software and/or the Updates and Upgrades in any manner and under any form whatsoever.

10.3.      Furthermore, all rights in trademarks, logos, names, domain names and other distinctive signs however associated with the Cloud Infrastructure, the Software, the Updates and Upgrades and/or the Cloud Services shall remain with Reviso (and/or, if applicable, with any third parties owning them as referred to in paragraph 10.1 above). As a consequence, the Customer shall not be allowed to use such rights in any manner without the prior written consent of Team System and/or any third party owning them.

11.         Representations of Customer and its Liability

11.1.      Upon acceptance of these Terms, the Customer represents and warrants that it is duly empowered to execute and perform, effectively and in full, this Agreement.

11.2.      The Customer undertakes to have each and every User and Controlled Company, including the relevant employees and/or collaborators, comply with the provisions of this Agreement. The Customer shall be exclusively liable for the acts of such persons/entities and hereby represents and warrants that all the regulations in force, including those in the field of tax and private law, will be complied with.

11.3.      It is strictly forbidden to use the Software, the Cloud Services and/or the Updates and Upgrades for the purpose of depositing, keeping, sending, publishing, transmitting and/or sharing data, applications or electronic documents that:

(a)          Infringe, or are in conflict with, the Intellectual Property Rights of Reviso and/or of third parties;

(b)          Include discriminatory, defamatory, threatening contents or false accusations;

(c)          Include pornography, child pornography, indecent material or material that is otherwise in conflict with public morals;

(d)          Include viruses, worms, trojan horses or any other contaminating or disruptive computer component;

(e)          Represent spamming, phishing and/or similar activities;

(f)           Are otherwise in conflict with the applicable provisions of the law and/or regulations.

11.4.      Reviso reserves the right to suspend the provision of the Cloud Services and the right of any User and/or any Controlled Company to access the Software, or to prevent their access to the data stored therein, in the event that it becomes aware of a breach of any provision contemplated in this article and/or if a judicial or administrative body expressly requires it to do so, based on applicable provisions. In such event, Reviso must inform the Customer of the grounds for the suspension, without prejudice to the right to terminate the Agreement pursuant to article 19 below.

11.5.      The Customer declares that it is aware that the Software, the Updates and Upgrades and/or the Cloud Services may include, and/or require the use of, certain open-source software and hereby undertakes, also on behalf of every User and every Controlled Company, to comply with all the terms and conditions applicable to it. If necessary, such conditions will be disclosed by Reviso to the Customer as appropriate.

12.         Recall and replacement

12.1.      The Customer is aware that the Software, the Cloud Services, as well as the environment in which they operate, undergo, by their very nature, constant technological development. This implies that such Software and environment may become obsolete and, in certain cases, it may be expedient to recall them from the market and possibly replace them with new technological solutions. Therefore, Reviso may decide at any time during the term of this Agreement, at its exclusive discretion, to recall the Cloud Services and/or the relevant Software from the market (by replacing them, in certain cases, with new technological solutions, if any). In such a case:

(a)          Reviso will inform the Customer, by not less than 6 months' notice in writing (including email), of its intention to recall from the market one or more Cloud Services and/or the relevant Software (each of them being referred to as an “Obsolete Product”).

(b)          The notice under letter (a) above (the “Notice of Recall”) will include a description of the new Cloud Service and/or Software (if any, hereinafter referred to as the “New Product”) which will replace the Obsolete Product. It is hereby acknowledged that such New Product may be based on different technologies than those of the Obsolete Product.

(c)          In the event that the Obsolete Product is not replaced by a New Product, the Agreement shall be terminated with respect to the Obsolete Product with effect from the date specified by Reviso in the Notice of Recall (this being not earlier than six months following the date of the Notice of Recall, on the last day of the month); as of this date the Obsolete Product will cease to be provided and the Customer will be entitled to receive reimbursement, on a pro-rata basis, of the Fees paid, if any, for the period during which the Customer will not be able to enjoy the Obsolete Product.

(d)          In the event that the Obsolete Product is instead replaced by a New Product, the Customer shall be entitled, within 15 days from the date of the Notice of Recall, to withdraw from the Agreement with exclusive respect to the Obsolete Product, with effect from the last day of the sixth month following the date of the Notice of Recall (this being the date when the Obsolete Product will cease to be provided). Failing withdrawal, the Agreement shall remain effective (except as expressly specified in the Notice of Recall) with respect to the New Product, and any reference to the Obsolete Product shall be deemed to refer to the New Product.

13.         Indemnification

13.1.      The Customer undertakes to indemnify and hold Reviso harmless from any damages, claims, liabilities and/or charges, direct or indirect, incidental or consequential, including the reasonable legal expenses suffered or incurred by Reviso, due to the breach, by the Customer and/or any User and/or any Controlled Company, of any obligations set forth in this Agreement and, notably, of the provisions set forth in paragraph 1.3 (acceptance of the Terms), article 3 (Obligations of the Customer), article 4 (Access Credentials), article 8 (Confidentiality), article 10 (Intellectual Property Rights), article 11 (Representations of Customer and its Liability), article 12 (Recall and replacement) and article 23 (Assignment of the Agreement).

14.         Liability of Reviso

14.1.      Reviso makes no representations or warranties, expressed or implied, relating to the Cloud Services, the Software and/or the Updates and Upgrades being fit for the specific needs of the Customer or free from errors or to the availability of any features that are not expressly mentioned in the technical specifications or relevant documentation.

14.2.      Reviso shall not be held liable for any direct or indirect, incidental or consequential damages, of any kind or gravity, suffered by the Customer and/or any User and/or any Controlled Company and/or by third parties, due to any use of the Cloud Services, the Software product and/or the Updates and Upgrades that does not comply with the provisions of the Agreement and/or of the laws in force.

14.3.      Reviso shall not be held liable for any malfunction and/or unavailability of the Cloud Services, the Software and/or the Updates and Upgrades that arise from the Connectivity not being adequate to their technical features.

14.4.      Reviso shall not be held liable for any damages or losses, of any kind or seriousness, arising from the processing of data that is carried out through the Cloud Services, the Software products and/or the Updates and Upgrades, by the Customer and/or any User and/or any Controlled Company, which remain under the obligation to check at any time that such processing is correct.

14.5.      Unless it is required by a law provision and/or by an order of the court, Reviso shall not be bound to check or control in any manner the data and contents input in the Cloud Infrastructure through the Cloud Services by the Customer and/or any User and/or any Controlled Company. As a consequence, Reviso shall not be held liable for any direct or indirect, incidental or consequential damages and/or losses of any nature, arising from errors and/or omissions in such data and contents and/or in connection with their nature and/or features.

14.6.      In no event, to the maximum extent permitted by law, shall Reviso be held liable for any direct or indirect, incidental or consequential damages, costs, losses and/or expenses suffered by the Customer and/or any third party as a consequence of cyber-attacks, hacking activities and, more generally, of third parties gaining illegal or unauthorized access to the Data Centre, the Cloud Infrastructure, the Software and, more generally, the computer systems of the Customer and/or of Reviso, giving rise, without limitation, to any of the following situations: (i) inability to use the Cloud Services; (ii) loss of data that are the property of (or otherwise at the disposal of) the Customer, and (iii) damages to the hardware and/or software systems and/or to the Connectivity of the Customer.

14.7.      Except in case of wilful misconduct or serious negligence, in no event shall Reviso’s maximum liability exceed the yearly Fees paid by the Customer under this Agreement during the year in which the event giving rise to liability occurred. Reviso shall not be held liable for any damages arising from lost profits, loss of income or indirect damages, loss or corruption of data, stoppage of production, loss of business opportunities or of any other benefit of any kind, penalties payable, delays or other liabilities of the Customer and/or the Controlled Companies towards third parties.

14.8.      Nothing in this Agreement excludes or limits either party's liability for fraud, fraudulent misrepresentation, or death or personal injury caused by its negligence.

15.         Reviso’s Right to Amend the Agreement

15.1.      In view of the high level of technical and regulatory complexity of Reviso’s operating field as well as of the products and services offered by this latter, taking also into consideration that this field is subject to a constant development, from both the technological and the regulatory point of view, and to continuously changing market needs, and finally considering that, as a consequence of the above, Reviso is periodically required to readjust its own organization and/or the technical and functional structure of its products and services (also in the customers’ interest), the Customer hereby acknowledges and accepts that this Agreement may be amended by Reviso at any time on providing written notice (which may also be sent via email or through software programs) to Customer. Amendments may include: (i) amendments relating to the readjustments of the technical and functional structure of Reviso’s products and services; (ii) amendments relating to the modification of Reviso’s organizational structure; (iii) amendments relating to the fees due by the Customer in consideration of readjustments and modifications under (i) and (ii) above.

15.2.      In such event, the Customer shall be entitled to withdraw from the Agreement on providing written notice to Reviso by registered mail within 15 days from receipt of Reviso’s notice contemplated in the previous paragraph.

15.3.      Failing its exercise of the right of withdrawal according to the formalities and within the terms specified above, the Customer shall be deemed to have become aware of, and have agreed upon, the amendments to the Agreement, which shall then enter into force and become finally binding.

16.         Suspension and cancellation

16.1.      Reviso shall make every reasonable effort to ensure the widest availability of the Cloud Services. However, the Customer acknowledges that Reviso shall be entitled to suspend and/or cancel the provision of Cloud Services, upon written notice to Customer, in case the need arises for ordinary or extraordinary maintenance of the Data Centre, the Cloud Infrastructure and/or the Software products. In such cases, Reviso undertakes to restore availability of the Cloud Services within the shortest possible time.

16.2.      Furthermore, without prejudice to the provisions under paragraphs 11.4 and 19.2, Reviso reserves the right to suspend or cancel provision of the Cloud Services in case of:

(a)          Full or partial failure to pay, or late payment of, the Fees; or

(b)          Safety and/or confidentiality reasons; or

(c)          Failure by the Customer and/or any User and/or any Controlled Company to comply with the obligations of the law concerning the use of computer services and of the internet; or

(d)          Troubles affecting the Data Centre and/or the Cloud Infrastructure and/or the Software which cannot be remedied without suspending access to them or without full or partial replacement and/or migration of them, upon prior written notice to Customer of the reasons for the suspension and of the estimated timing to remedy.

17.         Duration

17.1.      Unless otherwise specified in the Subscription, the Agreement shall have a duration of 365 (three hundred sixty-five) days from the signature of the Subscription, and shall be automatically renewed for further successive periods of the same duration, unless the Customer withdraws from the Agreement upon notice to Reviso, or (whenever applicable) to the Reviso Distributor, to be given through the relevant software feature or, if not otherwise specified, through registered mail prior to expiration of the then current term. Such notice shall prevent the renewal of the Agreement effective as from the first expiration date following the notice, without prejudice to the obligation to pay the Fees for the period from the date of the withdrawal notice to the date of termination of the Agreement.

18.         Withdrawal

18.1.      After placement of Subscription, new Customers are entitled to cancel the Subscription free of charge within a period of 14 days from the signature of the Subscription.

18.2.      Reviso shall be entitled to withdraw from this Agreement at any time upon notice to Customer, to be provided at least 6 (six) months prior to the withdrawal taking effect.

18.3.      Should Reviso exercise its right of withdrawal for a reason other than one of those under paragraph 18.4 below, the Customer shall be entitled to reimbursement, on a pro-rata basis, of the Fees due, and actually paid, for the Cloud Services and relating to the period of non-enjoyment.

18.4.      Reviso further reserves the right to withdraw from this Agreement upon written notice with immediate effect also in the case of a breach by the Customer of any obligations under any other contract that may be in force between the same Customer and Reviso (or any company of the Reviso Group or authorized distributor of Reviso) if such a breach is a reason for terminating any such contract.

19.         Termination for cause and suspension of the provision of Cloud Services

19.1.      Without prejudice to its right to receive compensation for all suffered damages, Reviso shall be entitled to immediately terminate this Agreement, upon merely providing written notice, if the Customer and/or any Controlled Company and/or any Users fail(s) to comply with at least one (or more) of the following provisions: 1.2 (Business to business service); article 2 (Cloud Services); article 3 (Obligations of the Customer), paragraph 4.3 (Access Credentials), 7 (Fees), 8 (Confidentiality), 10 (Intellectual Property Rights), 11 (Representations of Customer and its Liability), 12 (Recall and replacement), 13 (Indemnification), and 23 (Assignment of the Agreement).

19.2.      Without prejudice to the Customer’s obligation to pay the Fees, Reviso reserves the right to suspend, at any time, the provision of Cloud Services in favour of the Customer and/or of any Controlled Company in case (i) of a breach by the Customer and/or any User and/or any Controlled Company of any obligations contemplated in paragraph 19.1 (in case of lack of payment of the Fees when due, the Cloud Services will be suspended after reminder 2 as provided by article 7.7); (ii) of a breach by the Customer of any obligations laid down in any other contract that may be in force between the same Customer and Reviso (or any company of the Reviso Group or official distributor of Reviso) if such a breach is a reason for terminating any such contract. In any such event, Reviso will inform the Customer about its intent to suspend the provision of the Cloud Services and invite the Customer to remedy, if possible, the non-compliance within a specified term. This shall be without prejudice to the Customer’s obligation to pay the amounts payable under the Agreement even in case the provision of the Cloud Services is suspended.

20.         Effects of Termination - Returns

20.1.      In case of termination of the Agreement, for any reason whatsoever, Reviso will immediately and finally cease to provide the Cloud Services to the Customer and to any Controlled Company and/or User.

20.2.      Without prejudice to the provisions of paragraph 20.1, following termination of the Agreement, for any reason whatsoever, the Customer, upon its specific request, may be allowed to download a copy of its own data, documents and/or contents through the Software’s features.

20.3.      Unless otherwise agreed upon between the Parties, upon termination of the Agreement Reviso will be entitled to permanently delete Customer’s data.

20.4.      The following provisions shall in any case survive termination, for any reason whatsoever, of the Agreement: 1 (Scope of the Terms), 7 (Fees), 8 (Confidentiality), 10 (Intellectual Property Rights), 11 (Representations of Customer and its Liability), 12 (Recall and Replacement), 13 (Indemnification), 14 (Liability of Reviso), 21 (Notices), 22 (Applicable law and exclusive venue), 24 (Complete Agreement), 25 (No waiver and relationship), 26 (Severability).

21.         Notices

21.1.      All the notices to be served to the Customer in connection with the Agreement will be transmitted to the email address that the same Customer has specified in the Subscription. It will be the responsibility of the Customer to provide notice of any changes of the email address that the Customer has specified for the reception of all notices. The Customer accepts that invoices and reminders sent by email to the email address provided by the Customer shall be deemed delivered when sent by Reviso.

22.         Applicable law and exclusive venue

22.1.      These terms and conditions shall be construed in accordance with the laws of Italy and each party hereby irrevocably submits to the exclusive jurisdiction of the courts of Milan (Italy), without application of any conflicts of law provisions.

23.         Assignment of the Agreement

23.1.      Without the prior written consent of Reviso, the Customer shall not be allowed to assign, in full or in part, this Agreement.

23.2.      The Customer hereby accepts that in the event that a Reviso Distributor has ceased (for any reason whatsoever) to be an authorized distributor of Reviso, such Reviso Distributor may assign any agreement concerning the provision of Cloud Services existing between the Customer and the same Reviso Distributor to Reviso or any other Reviso Distributor designated by Reviso.

24.         Complete agreement

24.1.      All prior agreements and understandings, if any, between the Parties with reference to the subject matter of this Agreement shall be hereby cancelled and repealed and they shall be deemed as included herein and superseded by the clauses of this Agreement.

25.         No waiver and relationship

25.1.      Failure to enforce, if any, one or more of the rights conferred on either Party under the Agreement shall not be deemed as representing a final waiver concerning such rights and, as a consequence, shall not prevent either Party from requiring, at any other time, timely and strict performance of any such right.

25.2.      Nothing in this Agreement shall be deemed to create a partnership or joint venture or contract of employment of any kind between the parties nor shall it be deemed to grant any authority not expressly set out in the Agreement or create any agency between the parties.

26.         Severability

26.1.      Should any provisions of these Terms be or become invalid or unenforceable, this will not affect the validity and enforceability of other provisions that are (both from the legal and the functional point of view) not dependent on the first.

27.         Processing of personal data

27.1.      The Parties hereby acknowledge and accept that the execution of this Agreement as well as the performance of Cloud Services may imply the collection and processing by Reviso of personal data of the Customer (or of third parties in relation with the Customer, such as agents, legal representatives, etc.) for the purposes that are necessary to perform the Agreement and in compliance with the Data Protection Law and other applicable law provisions (if any). Reviso, in its position as the controller, undertakes to process these data in compliance with the information notice issued by Reviso pursuant to art. 13 of the GDPR, which is available on the company’s website.

27.2.      However, the Parties hereby agree that Reviso shall in any case be entitled to process, on an aggregate basis and upon prior pseudonymization, the data that will be available to Reviso in connection with the Customer’s use of the Cloud Services for the purposes of statistical research, including when its aim is the enhancement of the services offered through the Agreement.

27.3.      The Parties hereby acknowledge that the Customer is the controller in the meaning specified in the GDPR as far as concerns personal data of third parties (“Third Parties’ Personal Data”) held by Reviso in order to provide the Cloud Services. With reference to these data, Reviso shall act as the processor pursuant to art. 28 of the GDPR (“Processor”) and the Parties hereby agree to comply with the provisions of the MDPA that is attached to this Agreement (Attachment A). Should the Customer act, in turn, as the processor on behalf of a third party acting as the controller, the Customer hereby ensures that such controller has authorized Reviso to act as a delegated processor (the “Delegated Processor”) pursuant to sec. 28 and 29 of the GDPR.

27.4.      With reference to Third Parties’ Personal Data, the Customer will remain fully liable for complying with all the obligations towards third parties that are established in the GDPR and in the Data Protection Law as applicable to the Customer as the controller. In no event shall Reviso be liable in any manner for any consequence arising from failure to comply with the obligations incumbent upon the Customer as the controller, unless (and to the limited extent that) such consequences are due to a breach by Reviso of its obligations as the processor or a breach of the MDPA.

28.         Validity

28.1.      These Terms become effective on 30 November 2020 and supersede all previous terms and conditions.


MASTER DATA PROCESSING AGREEMENT (pursuant to Article 28 of Regulation EU 2016/679)

BETWEEN

This agreement for the protection of personal data is entered into between the Provider, as indicated below, and the client, who accepts the agreement. “Provider” indicates the following entity:

Reviso Cloud Accounting Limited, 1st Floor, Healthaid House Marlborough Hill Harrow Middlesex HA1 1UD, United Kingdom

AND

the entity referred to in the Agreement as the client (hereinafter the “Client”)

hereinafter collectively referred to as the “Parties” or individually as the “Party”.

WHEREAS:

a)           The Client has entered into an agreement (or agreements) with the Provider (hereinafter referred to as the “Agreement”).

b)           In this “master data protection agreement” (hereinafter referred to as the “Master Agreement” or “MDPA”) the Parties wish to establish how and upon which conditions the Provider will process personal data in connection with the Agreement and the provision of the Services, as well as its obligations relating to such processing, including the duty of the Provider as a Data Processor under Article 28 of the General Regulation on Data Protection No. 679 of 27 April 2016 (hereinafter “GDPR”).

c)            The specific characteristics of the processing activity in respect to each of the Services are detailed in the “special terms and conditions for the processing of Personal Data” that are available on the website: https://www.reviso.com/gdpr/ (hereinafter “DPA - Special Terms”) and are incorporated herein by this reference.

NOW THEREFORE, the Parties hereto agree as follows:

1.           DEFINITIONS AND INTERPRETATION

1.1.        The above recitals are hereby incorporated into this MDPA by this reference. As used in this MDPA the following words and expressions shall have the meanings set forth below:

“Adequacy Decision” means a decision of the European Commission, based on Article 45(3) of the GDPR, assessing that the laws of a certain country ensure an adequate level of protection, as required by the Applicable Data Protection Law.

“Applicable Data Protection Law” means applicable data protection legislation as amended, which includes i.a. the GDPR and any other implementing law and/or regulation (if any) which is effective under the GDPR or otherwise with respect to the protection of Personal Data, including any decision issued by a supervisory authority having jurisdiction in the subject matter that is and remains binding and effective (including the requirements established in any General Authorizations Issued for the Processing of Sensitive and Judicial Data, to the extent that they are applicable and remain effective and binding after 25 May 2018).

“Data Sub-Processor” means any sub-contractor engaged by the Provider to perform, in full or in part, its contractual obligations and which, during such performance, may be required to collect, access, receive, store, or otherwise process Personal Data.

“E-mail Address” means the e-mail address(es) provided by the Client upon subscription of the Services or communicated via other official means to the Provider, at which the Client wishes to receive communications from the Provider.

“Final User” means the person (if any) benefiting from the Services in the last resort, acting as Data Controller.

“Instructions” means the written instructions given by the Data Controller in this MDPA (including the relevant DPA – Special Terms) and, if any, in the Agreement.

“MDPA Effective Date” means the date when the Client signs or accepts the MDPA or the effective date of the MDPA to which this Agreement is related, whichever is earlier.

“Personal Data Breach” means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data occurring on the systems operated by the Provider or otherwise under its control.

“Personal Data” has the meaning construed according to the Applicable Data Protection Law and includes, without limitation, all personal data provided, stored, transmitted, received or otherwise processed, or created, by the Client, or by the Final User in relation to the provision of the Services, to the extent that they are processed by the Provider under the Agreement. A list of the categories of Personal Data is included in the DPA – Special Terms.

“Personnel of the Provider” means the officers, employees, consultants, and other personnel of the Provider but not the personnel of a Data Sub-Processor.

“Request” means a request lodged by a Data Subject for access, erasure or rectification in relation to his/her Personal Data or for the exercise of another of his/her rights laid down in the GDPR.

“Service(s)” means the service or services contemplated in the Agreements executed from time to time between the Client and the Provider.

“Working Days” means every calendar day other than a Saturday, Sunday and a Bank or Public Holiday in the UK.

1.2.        The words “including” or “included” shall be construed as if they were accompanied by the expression “without limitation” so that any list that follows any of these words will consequently be composed of mere examples and will not be exhaustive.

1.3.        For the purposes of this MDPA, the terms “Data Subject”, “Processing”, “Data Controller”, “Data Processor”, “Transfer” and “Appropriate Technical and Organizational Measures” shall be construed in compliance with the Applicable Data Protection Law.

2.           ROLES OF THE PARTIES

2.1.        The Parties acknowledge and agree that, in relation to the processing of Personal Data, the Provider acts as the Data Processor and, as a general rule, the Client acts as the Data Controller.

2.2.        If the Client is carrying out the processing on behalf of another Data Controller, the same Client may act as a Data Processor. In such event, the Client hereby represents and warrants that all instructions given and activities carried out in relation to the processing of Personal Data, including the appointment of the Provider as a Data Sub-Processor, arising from the execution by the Provider of this MDPA, has been authorized by the relevant Data Controller. The Client shall give evidence to the Provider, upon written request by this latter, of the above.

2.3.        In the processing of Personal Data, either Party undertakes to comply with their obligations under the Applicable Data Protection Law.

3.           PROCESSING OF PERSONAL DATA

3.1.        By entering into this Agreement (and into any incorporated DPA – Special Terms), the Client entrusts the Provider with the processing of Personal Data for the purposes of providing the Services, as better detailed in the Agreement and in the DPA – Special Terms. The DPA – Special Terms are available at a link on the following website: www.reviso.com/gdpr.

3.2.        The Provider may only process Personal Data on behalf of the Client based on its Instructions, unless required to do so by EU law or EU member state law to which the Provider is subject; in such a case, the Provider shall inform the Client of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest. Should the Client make a request for amendments to any initially given Instructions, the Provider will examine the relevant feasibility and will then arrange with the Client how to handle such amendments and the associated costs.

3.3.        The Provider shall immediately inform the Client if, in its opinion, an Instruction infringes Applicable Data Protection Law, and the Provider shall be released from any obligations to perform such unlawful Instructions. In such case, the Client may consider whether amending the Instructions given or addressing the Supervisory Authority to have its requests be declared lawful.

4.           RESTRICTIONS TO THE USE OF PERSONAL DATA

4.1.        While processing Personal Data for the purposes of providing the Services, the Provider undertakes that such processing shall be carried out:

4.1.1.    Only to the extent and in the manner that are necessary to provide the Services, or to properly perform its obligations under the Agreement and this MDPA, or laid down by the law or by a competent supervisory or controlling authority. In this last case, the Provider must inform the Client (unless prevented from doing so by the applicable law based on the public interest) by a notice to the E-mail Address.

4.1.2.    In compliance with the Instructions of the Client.

4.2.        The Personnel of the Provider having access to, or otherwise carrying out the processing of, Personal Data has been entrusted with such processing based on appropriate authorizations and has also received training as necessary with respect to such processing. In addition, this Personnel is bound to comply with confidentiality obligations and with the Provider’s Code of Ethics and must abide by the policies on confidentiality and personal data protection that have been adopted by the Provider.

5.           PROCESSING ACTIVITIES ENTRUSTED TO THIRD PARTIES

5.1.        As far as concerns the processing activities entrusted to Data Sub-Processors, the Parties agree as follows:

5.1.1.    The Client expressly agrees that the Provider may entrust certain processing operations in relation to Personal Data to other companies belonging to the TeamSystem group and/or to those third parties that are specified in the DPA – Special Terms, provided the requirement in para. 5.1.4.3 is complied with.

5.1.2.    The Client further agrees that the Provider may entrust certain processing operations in relation to Personal Data also to other third parties, according to the requirements specified in par. 5.1.4.

5.1.3.    It is noted that the execution of Standard Contractual Clauses (as required by the following Article 7 for the case of transfer of Personal Data abroad) between the Client and a Data Sub-Processor shall be deemed as a consent to engaging that party for the processing activities.

5.1.4.    If the Provider changes or engages Data Sub-Processors for performing specific processing activities in relation to Personal Data under the MDPA, the Provider:

5.1.4.1. Undertakes to engage exclusively Data Sub-Processors that guarantee the implementation of appropriate technical and organizational measures, and ensures that the access to Personal Data, and the relevant processing, shall be limited only to the extent that is necessary for the purposes of providing the sub-delegated services.

5.1.4.2. Shall inform the Client of such changes or engagement, by giving not less than 15 (fifteen) days’ notice prior to the start of the processing activities by the Data Sub-Processor (including details concerning the identity of the concerned third party, its location with (if applicable) specification of the location of the servers for the storage of data, and the entrusted activities) by means of the E-mail Address or such other means as deemed appropriate by the Provider. The Client shall be entitled to terminate the Agreement within 15 (fifteen) days from receipt of the notice, without prejudice to the obligations of the Client to pay any amounts due at the date of termination of the Agreement.

5.1.4.3. Enters into a written agreement with each Data Sub-Processor which imposes the same obligations on the Data Sub-Processor as are imposed on the Provider under this MDPA.

5.1.5.    Additional information concerning the list of Data Sub-Processors, the processing activities entrusted to such parties and the place where they are located are available in the DPA – Special Terms relating to the Services activated by the Client.

5.1.6.    The Provider shall remain fully liable to the Client for the performance of the Data Sub-Processor's delegated data protection obligations related to this MDPA.

6.           SECURITY

6.1.        SUPPLIER’S SECURITY MEASURES – When processing Personal Data for the purposes of performing the Services, the Provider undertakes to implement appropriate technical and organizational measures to prevent unlawful or unauthorized processing, accidental or unlawful destruction, damages, accidental loss, alteration and unauthorized disclosure of, or access to, Personal Data, as described in Exhibit 1 to this MDPA (“Security Measures”).

6.1.1.    Exhibit 1 to the MDPA sets forth appropriate measures for the protection of filing systems that are proportionate to the level of risk in relation to Personal Data, in order to ensure the confidentiality, integrity, availability and resilience of the systems and of the Services of the Provider, appropriate measures aimed at enabling restoration of access to Personal Data in a timely manner in the event of a Personal Data Breach, and measures aimed at regularly testing the effectiveness of such measures in the course of time. The Client acknowledges and accepts that, account taken of the state of the art, the costs of implementation and the nature, scope, context and purposes of Personal Data processing, the security procedures and principles that have been adopted by the Provider ensure a level of protection that is appropriate to the risk in relation to Personal Data.

6.1.2.    The Provider may update and amend the Security Measures specified above from time to time, provided that such updating and amendments do not imply a reduction of the overall level of security of the Services. The Client shall be informed of any such update and amendment by notice transmitted to the E-mail Address.

6.1.3.    If the Client requests additional measures for the security, other than Security Measures, the Provider reserves the right to assess the relevant feasibility and may charge additional costs of implementation to the Client.

6.1.4.    The Client acknowledges and accepts that the Provider, account taken of the nature of Personal Data and information that is available to the Provider itself based on the specific provisions established in the relevant DPA – Special Terms, shall assist the Client in ensuring compliance with the obligations set forth in Articles 32 to 36 of the GDPR, including e.g. by:

6.1.4.1. Implementing and keeping Security Measures updated according to the provisions set forth in previous paragraphs 6.1.1, 6.1.2, 6.1.3.

6.1.4.2. Complying with the obligations specified in paragraph 6.3.

6.1.5.    The Parties hereby agree that, with reference to the Agreements concerning products to be installed on the premises of the Client or of any suppliers of the Client (hereinafter “On-premises Products”), the above Security Measures shall only apply in connection with Services that require the processing of Personal Data by the Provider or by any Data Sub-Processors engaged by this latter (e.g. remote support and assistance, migration services).

6.1.6.    If the product allows integration with applications of third parties, the Provider shall not be liable for the implementation of the Security Measures in relation to the components of such third parties or for the way the product operates as a result of such integration.

6.2.        CLIENT'S SECURITY MEASURES – Without prejudice to the obligations of the Provider under paragraph 6.1 above, the Client acknowledges and accepts that, when using the Services, it remains the exclusive duty of the Client to ensure that its personnel, and anyone it authorizes to access the Services, implement appropriate security measures in connection with the use of the Services.

6.2.1.    To this end, the Client undertakes to use the Services and the features for the processing of Personal Data while always ensuring a level of security appropriate to the actual risk.

6.2.2.    The Client further undertakes to implement all appropriate measures to protect the authentication credentials, systems and devices used by the Client, or by the users of the Final User, to access the Services. The Client also undertakes to save and make backup copies of Personal Data so as to ensure their restoration as required by law.

6.2.3.    The Provider shall have no obligation and shall bear no liability in relation to the protection of Personal Data that the Client or (if applicable) the Final User stores or transfers outside the systems used by the Provider or by the Data Sub-Processors engaged by the Provider (for instance in paper archives, or in data centres belonging to the Client or the Final User, as may occur in the case of Agreements concerning On-premises Products).

6.3.        DATA BREACHES – Save for the Agreements concerning On-premises Products, to which this paragraph 6.3 shall not apply, the Provider, after having become aware of a Personal Data Breach, shall:

6.3.1.    Inform the Client without undue delay via the E-mail Address.

6.3.2.    Adopt reasonable measures to mitigate any damage that may arise from it and to protect the Personal Data.

6.3.3.    Provide the Client with a description of the Personal Data Breach, to the extent possible, including the measures taken to prevent or mitigate its possible adverse effects and the actions the Provider recommends that the Client take to address the Personal Data Breach.

6.3.4.    Keep all information concerning Personal Data Breaches, and the related documents, communications and notices, confidential as provided for in the Agreement, and refrain from disclosing any data or information to third parties without the prior written authorization of the Data Controller, except to the extent that such disclosure is strictly necessary to perform any of the Client's obligations under the Applicable Data Protection Law.

6.3.5.    Provide such other information and assistance as are required in relation to Personal Data Breaches by the Applicable Data Protection Law.

6.3.6.    In the cases contemplated in this paragraph 6.3, the Client shall be exclusively liable for the performance, when required by the Applicable Data Protection Law, of any obligation to inform third parties (or the Final User, if the Client is the Data Processor) of a Personal Data Breach, and of any obligation to inform the Supervisory Authority and the Data Subjects (if the Client is the Data Controller).

6.4.        The Parties acknowledge and accept that a communication about a Personal Data Breach, or the implementation of measures aimed at addressing such a Personal Data Breach, does not imply acknowledgment by the Provider of a default or of liability in relation to the Personal Data Breach.

6.5.        The Client shall promptly inform the Provider of any abuse or misuse of accounts or authentication credentials, and of any Personal Data Breach of which it becomes aware in relation to the Services.

7.           RESTRICTIONS TO THE TRANSFER OF PERSONAL DATA TO COUNTRIES OUTSIDE THE EUROPEAN ECONOMIC AREA (EEA)

7.1.        The Provider shall not transfer Personal Data to countries that are outside the EEA unless the Client gives its consent and Instruction to such a transfer.

7.2.        If the Client gives its consent and Instruction to process Personal Data outside the EEA pursuant to paragraph 7.1, and in the absence of an adequacy decision by the European Commission on that country pursuant to Article 45 of the GDPR, the Provider:

7.2.1.    Shall have the Data Sub-Processor execute the Standard Contractual Clauses contemplated in Commission Decision 2010/87/EU of 5 February 2010 for the transfer of personal data to processors established in third countries ("Standard Contractual Clauses"), or an equivalent text, as subsequently amended or replaced. A copy of the Standard Contractual Clauses executed by the Provider on behalf of the Client pursuant to paragraph 7.3 shall be provided to the Client; and/or

7.2.2.    May propose to the Client alternative mechanisms for the transfer of Personal Data that comply with the requirements of the Applicable Data Protection Law (e.g. intra-group transfer where the Data Sub-Processor belongs to a group of companies whose BCRs have been approved for Processors).

7.3.        In the cases under paragraph 7.2.1, by executing this MDPA the Client expressly grants the Provider the authority to execute, with the Data Sub-Processors mentioned in the relevant DPA – Special Terms, the Standard Contractual Clauses or other instruments approved by the Client pursuant to paragraph 7.1, or similar instruments covering future third-country transfers. If the Final User acts as a Data Controller, the Client undertakes to inform such Final User of the transfer and hereby represents and warrants that the authorization given by such Final User to engage Data Sub-Processors outside the EEA constitutes an authority equivalent to the one above.

8.           AUDITS AND CONTROLS

8.1.        The Provider shall make available to the Client all information necessary to demonstrate compliance with the obligations laid down in this MDPA. In this context, the Provider shall regularly audit the security of the Personal Data processing systems and environments used to perform the Services, as well as the premises where the processing is carried out. The Provider may entrust such audits to independent consultants of its choice; the audits shall be performed according to international standards and/or best practices, and their outcome shall be described in dedicated reports ("Reports"). The Reports, which are confidential information of the Provider, may be made available to the Client so that the Client can verify the Provider's compliance with the security obligations set forth in this MDPA.

8.2.        In the cases contemplated in paragraph 8.1, the Client agrees to exercise its right of verification by reviewing the Reports made available to it by the Provider.

8.3.        Notwithstanding paragraph 8.2, the Provider acknowledges that the Client is entitled, in the manner and to the extent specified below, to carry out independent audits to verify the Provider's compliance with the obligations of this MDPA and of the relevant DPA – Special Terms, and with the provisions of the Applicable Data Protection Law. For such audits, the Client may use specialized employees or, at its choice, external consultants, provided that the latter are first bound by appropriate confidentiality obligations.

8.4.        In the cases contemplated in paragraph 8.3 above, the Client must first submit a request to the Provider's Data Protection Officer (DPO). Upon such a request for an audit or inspection, the Provider and the Client shall agree, before the activities start, on the details of the verification (start date and duration), the types of controls and the scope of verification, the confidentiality obligations binding the Client and those performing the activities, and the costs, determined on the basis of the scope and duration of the verification, which the Provider is entitled to charge for such activities.

8.5.        The Provider is entitled to object, by written notice, where the external auditors appointed by the Client, in the Provider's sole opinion, do not meet adequate qualification or independence requirements, are competitors of the Provider, or are clearly unfit. In any such event, the Client must appoint new auditors or carry out the audits itself.

8.6.        The Client undertakes to bear the costs, if any, determined by the Provider and communicated to the Client in accordance with paragraph 8.4 above, in the manner and within the terms established therein. All costs relating to verification activities that the Client entrusts to third parties shall be borne fully and exclusively by the Client.

8.7.        All the above is without prejudice to the rights of the Data Controller and of the supervisory authorities as established in the Standard Contractual Clauses executed under previous Article 7 (if any), which shall not be affected by any provisions set forth in this MDPA or in the relevant DPA – Special Terms.

8.8.        This Article 8 shall not apply to the Agreements concerning On-premises Products.

8.9.        Verification activities involving any Data Sub-Processors shall be carried out in compliance with the rules on access and with the security policies established by such Data Sub-Processors.

9.           ASSISTANCE IN ENSURING COMPLIANCE

9.1.        The Provider shall assist the Client and cooperate as specified below to enable the Client to comply with its obligations under the Applicable Data Protection Law, including, for example, in responding to Requests pursuant to Chapter III of the GDPR.

9.2.        If the Provider receives a Request or a claim concerning Personal Data from a Data Subject, it shall invite the Data Subject to address the Request or claim to the Client or to the Final User (if the latter is the Data Controller). In any such event, the Provider shall promptly inform the Client of receipt of the Request via the E-mail Address and provide the Client with all available information, together with a copy of the Request or claim. This cooperation is an exception to the general rule that relationships with Data Subjects fall outside the scope of the Services, and that the responsibility to handle claims (if any) and to serve as the contact for Data Subjects exercising their rights lies exclusively and directly with the Client or with the Final User (if the latter is the Data Controller). The Client, or the Final User (if the latter is the Data Controller), shall be exclusively responsible for any response to such Requests or claims.

9.3.        The Provider shall promptly inform the Client, unless prohibited by law, by notice via the E-mail Address, of any inspections or requests for information that it receives from any supervisory or police authority in relation to the processing of Personal Data.

9.4.        If, in order to comply with any such Request, the Client needs information from the Provider about the processing of Personal Data, the Provider shall provide assistance to the extent reasonably possible, provided that such requests are made with adequate notice.

9.5.        The Provider, taking into account the nature of the Personal Data and the information available to it, shall give reasonable assistance to the Client by making available the information needed for the Client to carry out data protection impact assessments where required by law. In such cases the Provider shall make general information available, based on the Service, such as the information contained in the Agreement, in this MDPA and in the DPA – Special Terms relating to the Services concerned. Requests for customized assistance may be subject to a charge. It is the exclusive responsibility of the Client, or of the Final User (if the latter is the Data Controller), to carry out the impact assessment based on the characteristics of the Personal Data processing it performs through the Services.

9.6.        The Provider undertakes to provide the Services in accordance with the principle of data minimization (privacy by design and by default), without prejudice to the responsibility of the Client, or of the Final User (if the latter is the Data Controller), to ensure that the processing is actually carried out in compliance with such principles and to verify that the technical and organizational measures of a Service meet the compliance requirements of the Client, or of the Final User (if the latter is the Data Controller), including the requirements established by the Applicable Data Protection Law.

9.7.        The Client acknowledges and accepts that, in the event of a Request by a Data Subject for the portability of Personal Data, and solely with reference to Services generating Personal Data relevant in this respect, the Provider shall assist the Client by making available the information needed to retrieve the required data in a format compliant with the Applicable Data Protection Law.

9.8.        Paragraphs 9.5 and 9.7 shall not apply to Agreements concerning On-premises Products.

10.         OBLIGATIONS OF THE CLIENT AND RESTRICTIONS

10.1.      The Client undertakes to give Instructions in compliance with the regulations and to use the Services in compliance with the Applicable Data Protection Law and for the exclusive purpose of processing Personal Data that have been collected in compliance with the Applicable Data Protection Law.

10.2.      The processing of Personal Data (if any) under Articles 9 and 10 of the GDPR shall be allowed only if expressly provided for in the DPA – Special Terms. Except in such cases, the processing of Personal Data contemplated in those Articles shall take place exclusively upon prior written agreement between the Parties made in accordance with paragraph 3.2.

10.3.      The Client undertakes to fulfil all the obligations placed upon the Data Controller pursuant to the Applicable Data Protection Law (and, in the event that such obligations are placed upon the Final User, it ensures that an equivalent commitment is taken on by such Final User), including the obligations to provide certain information to the Data Subjects (and it ensures that equivalent obligations are placed upon the Final User if this latter is the Data Controller). The Client further undertakes to ensure that the processing of Personal Data by availing of the Services shall always be made upon a suitable legal basis.

10.4.      Where the information notice must be given and consent must be collected by means of the product contemplated in the Agreement, the Client declares that it has evaluated the product and that it meets the Client's needs. The Client also bears the responsibility to assess whether any forms made available by the Provider to help the Client meet its obligations to inform and to collect consent (e.g. model privacy policies for Apps or information notices accompanying applications) comply with the Applicable Data Protection Law, and to amend such forms where it deems appropriate.

10.5.      The Client shall further bear full and exclusive responsibility for handling Personal Data in accordance with any Requests submitted by Data Subjects and, therefore, for carrying out, for instance, any amendment, integration, rectification or erasure of Personal Data.

10.6.      The Client has the duty to keep the account associated with the E-mail Address active and up to date at all times.

10.7.      The Client acknowledges that, under Article 30 of the GDPR, the Provider has the duty to maintain a record of the processing activities carried out on behalf of Data Controllers (or Processors) and that, for this purpose, it collects the identification and contact details of each Data Controller (and/or Processor) on whose behalf it acts, and that such information must be made available to the competent authority upon request. Therefore, when so requested, the Client undertakes to provide the Provider with the identification and contact details mentioned above, in the manner specified by the Provider from time to time, and to keep such information updated by the same means.

10.8.      The Client represents and declares that the processing of Personal Data, as described in the Agreements, in this MDPA and in the relevant DPA – Special Terms, is lawful.

11.         DURATION

11.1.      This MDPA shall enter into force on the Effective Date of the MDPA and will automatically terminate at the date of return/erasure of all Personal Data by the Provider, as provided for in this MDPA and, if so provided for, in the relevant DPA – Special Terms or the Agreement.

12.         PROVISIONS ON THE RETURN OR ERASURE OF PERSONAL DATA

12.1.      Upon termination of the Service, for whatever reason, the Provider will cease the processing of Personal Data and will:

12.1.1.  Erase the Personal Data (including any copies) from the systems of the Provider or under the Provider's control, within the term established in the Agreement, unless retention of such data is required or permitted in order to comply with any provision of European law.

12.1.2.  Destroy any Personal Data that the Provider may have stored on paper, unless retention of such data is required in order to comply with any provision of European law.

12.1.3.  Keep the Personal Data available to the Client for extraction for the period established in the Agreement. If the Agreement does not specify a time limit, the Provider shall keep the Personal Data available to the Client for 60 (sixty) days after termination of the Agreement.

12.2       Unless otherwise provided for in this MDPA, the Client acknowledges that, after termination of the Service, it is allowed to retrieve Personal Data in the manner specified in the Agreement, and agrees that it is its duty to retrieve the Personal Data, in full or in part, to the extent it deems retention appropriate, and that such retrieval must be completed within the term specified in paragraph 12.1.3.

12.3       The Parties agree that paragraphs 12.1 and 12.2 shall not apply to Agreements concerning On-premises Products. In such cases, the Client has the duty to retrieve the Personal Data it deems appropriate to retain no later than 30 (thirty) days after the end of the Agreement. The Client acknowledges and accepts that, after expiry of this term, the Personal Data may become unavailable. Furthermore, in the cases considered in this paragraph 12.3, it is the duty of the Client to take care of the erasure of Personal Data as required by law.

12.4       The above is without prejudice to any further or different provisions on the erasure of Personal Data set forth in the relevant DPA – Special Terms.

13.         LIABILITY

13.1.      Either Party is liable for the fulfilment of the obligations placed upon that Party under this MDPA and the relevant DPA – Special Terms as well as under the Applicable Data Protection Law.

13.2.      Without prejudice to mandatory law provisions, the Provider shall compensate the Client in case of breach of this MDPA and/or of the relevant DPA – Special Terms within the maximum extent agreed upon in the Agreement.

14.         MISCELLANEOUS

14.1.      This MDPA supersedes and replaces any other agreement, contract, or understanding between the Parties with respect to its subject matter as well as any instructions, in any form, given by the Client to the Provider prior to the date of this MDPA with reference to the processing of Personal Data in the framework of performing the Agreement.

14.2.      The Provider may amend this MDPA by written notice to the Client (via e-mail, by electronic means, or otherwise). In that event, the Client will be entitled to withdraw from the Agreement by written notice to the Provider, sent by registered letter with return receipt within 15 days of receipt of the Provider's notice. If the Client does not exercise this right of withdrawal within the term and in the manner described above, the amendments to this MDPA shall be deemed acknowledged and accepted by the Client and will become effective and binding on the Parties.

14.3.      In the event of any inconsistency between the provisions of this MDPA and those set forth in the Agreement for the provision of the Services or in any documents of the Client that have not been expressly accepted by the Provider by departing from this MDPA and/or from the respective DPA – Special Terms, the provisions of this MDPA and of the relevant DPA – Special Terms shall prevail.

15.         GOVERNING LAW AND VENUE

15.1       This MDPA shall be construed in accordance with the laws of Italy, without application of any conflict-of-law provisions, and each Party hereby irrevocably submits to the non-exclusive jurisdiction of the courts of Milan (Italy).


Exhibit 1

Technical and organisational measures

In addition to the security measures set forth in the Agreement and in the MDPA, the following technical and organizational security measures are applied by the Provider, depending on the type of Service through which the product is delivered or licensed:

A –  Cloud SaaS

B –  IaaS Services

C –  BPO (Business Process Outsourcing)

D –  BPI (Business Process Insourcing)

E –  On premises

A – CLOUD SaaS

Organizational Security Measures

User Policies and Regulations – The Provider has adopted detailed policies and regulations, with which all users having access to information systems must comply, aimed at ensuring that users' behaviour while using information resources upholds the confidentiality, availability and integrity of data.

Logical access authorization – The Provider defines access profiles based on the least privilege necessary to carry out the assigned duties. The authorization profiles are selected and configured prior to the beginning of the processing and in such a manner that access will be restricted only to those data that are strictly necessary for the processing activities.
The profiles undergo regular audits aimed at assessing whether the requirements to maintain the assigned profiles are still met.

Support Interventions – Support interventions are managed so as to ensure that only contractually agreed activities are performed and that any unnecessary processing of Personal Data of the Client or of the Final User is prevented.

Data Protection Impact Assessment (DPIA) – In compliance with Articles 35 and 36 of the GDPR and based on the document "WP248 – Guidelines on Data Protection Impact Assessment", adopted by the Article 29 Working Party, the Provider has prepared its own methodology for the analysis and assessment of those processing activities that, taking into account the nature, scope, context and purposes of the processing, are likely to result in a high risk to the rights and freedoms of natural persons, so that an assessment of the impact on the protection of personal data can be carried out before the processing starts.

Incident Management – The Provider has adopted a specific Incident Management procedure aimed at restoring ordinary service operations as quickly as possible while maintaining the best service levels.

Data Breach – The Provider has implemented a dedicated procedure for the management of events and incidents likely to have an impact on personal data, which defines roles and responsibilities, the process for detecting a (suspected or actual) incident/breach, the implementation of remedial actions, the response to and containment of such incident/breach, and the formalities for informing the Client of personal data breaches.

Training – The Provider periodically offers training courses on the proper handling of personal data to members of its personnel involved in the processing activities.

Technical Security Measures

Firewall, IDPS – Personal data shall be protected against the risk of criminal intrusion by means of firewalls and Intrusion Detection & Prevention Systems (IDPS), kept updated in line with the best available technologies.

Security of communication lines – Within the scope of its responsibilities, the Provider shall implement secure communication protocols in line with the available technology.

Protection from malware – The systems shall be protected against intrusion and against malicious software by appropriate, periodically updated tools.

Antivirus features shall be implemented and kept constantly updated.

Authentication Credentials – The systems shall be configured so that access is granted exclusively to those provided with authentication credentials allowing unique identification of the user. These include: a user code associated with a confidential password known only to the user, or an authentication device held and used only by the user, which may, in certain cases, be combined with an ID code or a password.

Password – The basic features of passwords (mandatory change at first access, minimum length, absence of elements easily traceable to the holder, complexity rules, expiration, history, assessment of strength in context, display and storage) will comply with best practices. Users provided with credentials shall also receive specific instructions on the measures to be adopted to keep such credentials secret.
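As an added illustration, not code from the Provider or from this Exhibit, the following Python checker implements the password features listed above: mandatory change at first access, minimum length, absence of elements traceable to the holder, complexity, expiration, history, and a simple contextual strength check. The thresholds, the denylist, the account fields and the sample account are assumptions; the Exhibit sets no specific values.

```python
import hashlib
import hmac
import re
import secrets
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Policy thresholds: assumptions for this example; the Exhibit prescribes none.
MIN_LENGTH = 12
MIN_CLASSES = 3          # of the four classes: lower, upper, digit, symbol
HISTORY_DEPTH = 5        # number of previous passwords that may not be reused
MAX_AGE_DAYS = 90
# Constructed denylist standing in for "assessment of strength in context".
WEAK_FRAGMENTS = ("password", "qwerty", "123456", "welcome")


@dataclass
class Account:
    username: str
    full_name: str
    email: str
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)  # (salt, digest)
    last_change: Optional[date] = None   # None: never set, i.e. first access
    must_change: bool = True             # Provider-issued initial credential


def _digest(password: str, salt: bytes) -> bytes:
    # Salted, slow hash so the history never stores cleartext passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def identifying_tokens(acct: Account) -> set:
    """Elements 'easily traceable to the holder': username, name parts, e-mail local part."""
    tokens = {acct.username, acct.email.split("@")[0], *acct.full_name.split()}
    return {t.lower() for t in tokens if len(t) >= 3}


def check_password(candidate: str, acct: Account) -> List[str]:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("too short")
    classes = sum(bool(re.search(p, candidate)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w\s]"))
    if classes < MIN_CLASSES:
        problems.append("insufficient complexity")
    low = candidate.lower()
    if any(tok in low for tok in identifying_tokens(acct)):
        problems.append("contains identifying element")
    if any(frag in low for frag in WEAK_FRAGMENTS):
        problems.append("contains weak fragment")
    # History check: compare against stored digests with a constant-time comparison.
    for salt, digest in acct.history[-HISTORY_DEPTH:]:
        if hmac.compare_digest(_digest(candidate, salt), digest):
            problems.append("reused from history")
            break
    return problems


def password_state(acct: Account, today: date) -> str:
    """'change-required' at first access, 'expired' after MAX_AGE_DAYS, otherwise 'valid'."""
    if acct.must_change or acct.last_change is None:
        return "change-required"
    if today - acct.last_change > timedelta(days=MAX_AGE_DAYS):
        return "expired"
    return "valid"


def set_password(candidate: str, acct: Account, today: date) -> List[str]:
    """Apply the policy; on success record the new digest and clear the first-access flag."""
    problems = check_password(candidate, acct)
    if not problems:
        salt = secrets.token_bytes(16)
        acct.history.append((salt, _digest(candidate, salt)))
        acct.last_change = today
        acct.must_change = False
    return problems


if __name__ == "__main__":
    # Constructed sample account; not real data.
    acct = Account("mrossi", "Mario Rossi", "mario.rossi@example.com")
    today = date(2024, 6, 1)
    print(password_state(acct, today))                        # change-required
    print(set_password("Rossi-Summer-2024!", acct, today))    # ['contains identifying element']
    print(set_password("Lanterna-Verde-91", acct, today))     # []
    print(password_state(acct, today + timedelta(days=91)))   # expired
```

The history is kept as salted PBKDF2 digests, so the reuse check never requires retaining old passwords in clear, and `must_change` models the Provider-issued initial credential that has to be replaced at first access. One caveat a practitioner would raise: the Exhibit lists expiration among the basic features, but NIST SP 800-63B recommends forcing a change only on evidence of compromise rather than on a fixed schedule; the `MAX_AGE_DAYS` check is here only because the Exhibit lists it.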

Logging – The systems may be configured in such a manner as to track access requests and, where appropriate, other activities that are carried out, in relation to the different types of users (Administrator, Super User, etc.), and shall be protected by appropriate security measures ensuring their integrity.

Backup & Restore – Appropriate measures shall be implemented to ensure restoration of access to data in case of damage to such data or to electronic tools, within defined terms consistent with the rights of the data subjects.
If so required by an agreement, a business continuity plan shall be implemented and, where necessary, integrated with the disaster recovery plan. These plans ensure the availability of, and access to, the systems even in the event of serious adverse events, including prolonged ones.

Vulnerability Assessment & Penetration Test – The Provider shall regularly carry out vulnerability analyses to assess the level of exposure to known vulnerabilities, in relation to both the infrastructure and the operating framework, covering both systems already in operation and systems under development.
Where deemed appropriate in relation to the potential risks identified, these assessments are complemented from time to time by penetration testing, simulating unauthorized access in various attack scenarios, with the aim of verifying the level of security of applications/systems/networks by exploiting the identified vulnerabilities to circumvent physical/logical security mechanisms and gain access to them.
The outcome of such assessments is thoroughly examined in order to identify and implement the improvements necessary to ensure the required high level of security.

System Administrators – All users operating as System Administrators shall be recorded in a regularly updated list, and their duties shall be defined in dedicated appointment documents. The activity of System Administrators shall be monitored by a log management system that accurately traces all performed activities and stores such data in an immutable manner, so that monitoring is also possible after the fact. The conduct of System Administrators shall be audited to verify compliance with the organizational, technical and security measures on the processing of personal data required by current regulations.

Data Centre – Physical access to the Data Centre is restricted to authorized persons only.
For further details on the security measures adopted for the data centre services provided by the Data Sub-Processor specified in the DPA – Special Terms, please refer to the descriptions of such measures prepared by the Data Sub-Processors themselves and made available on their official sites at the addresses below (or at any address the Data Sub-Processors may make available in the future):

With reference to Data Centre services provided by Amazon Web Services:
https://aws.amazon.com/it/compliance/data-center/controls/

With reference to Data Centre services provided by Microsoft:
https://www.microsoft.com/en-us/trustcenter

B – IaaS Services

Organizational Security Measures

Certifications – The Provider has obtained the following certifications/assessments:
ISO/IEC 27001:2013: “Delivery of services for the design and management of ICT infrastructure, management of applications within the Group and management of Cloud infrastructure (IaaS)”.
ISO/IEC 27018:2014 for the protection of personal data in Public Cloud services.

Logical access authorization – The Provider defines access profiles based on the least privilege necessary to carry out the assigned duties. The authorization profiles are selected and configured prior to the beginning of the processing and in such a manner that access will be restricted only to those data that are strictly necessary for the processing activities.
The profiles undergo regular audits aimed at assessing whether the requirements to maintain the assigned profiles are still met.

Users – Users of the services are divided into administrative users of the virtualization infrastructure and administrative users of the console for the management of the TeamSystem cloud infrastructure.
The VMs shall be configured so that access is granted exclusively to those provided with authentication credentials allowing unique identification of the user.

Security of communication lines – Within the scope of its responsibilities, the Provider shall implement secure communication protocols in line with the available technology for the authentication process.

Change Management – The Provider has implemented a specific procedure governing the Change Management process for the introduction of technological innovations or changes to its infrastructure and organizational structure.

Training – The Provider periodically offers training courses on the proper handling of personal data to members of its personnel involved in the processing activities.

Protection from malware – The VMs shall be protected against intrusion and against malicious software by appropriate, periodically updated tools.
All VMs shall be covered by antivirus features (at both hypervisor and infrastructure level).

Backup & Restore – If so required by any agreement, appropriate measures shall be implemented aimed at ensuring restoration of access to data in case of damages to such data or to electronic tools, within terms that are certain and consistent with the rights of the data subjects.
It remains the responsibility of the Data Controller to decide whether to independently make backup copies during the term of the agreement and for a 60-day period following its termination.

Logging – The systems may be configured in such a manner as to track access requests and, where appropriate, other activities that are carried out, in relation to the different types of users (Administrator, Super User, etc.), and shall be protected by appropriate security measures ensuring their integrity.

Firewall, IDS/IPS – The systems for preventing intrusions, such as Firewall and IDS/IPS shall be placed in the network segment connecting the cloud infrastructure with the internet in order to intercept any malicious activity aimed at debasing, in full or in part, the provision of the service. In the case at issue, the adopted equipment belongs to the type UTM SourceFire (Cisco), which includes both the Firewall and the IDS/IPS component.

Incident Management – The Provider has adopted a specific Incident Management procedure aimed at restoring ordinary service operations as soon as possible while maintaining the best service levels.

High Reliability – The Provider ensures high reliability in the following terms:
• The Server Architecture shall be based on the VMware virtualization solution and be implemented by creating physical and virtual redundancies of each system, in order to ensure fault tolerance and remove single points of failure. In particular, in case of system failure, the software managing the virtual environment shall be able to reallocate current activities to other systems (principles of high availability and load balancing), minimizing service inefficiencies and ensuring persistence of existing connections.
• Each Server is placed on a SAN connected via high-speed iSCSI.
• All infrastructure components, including servers, security and network equipment, storage systems and SAN infrastructure, have been duplicated in full, in order to eliminate every single point of failure.
• The network infrastructure has been designed to protect front-end systems from the Internet and from internal networks using a DMZ shielded by two separate layers of firewalls (Defence-in-Depth strategy): a boundary firewall connected to the Internet and a second firewall, belonging to the organization and including Intrusion Prevention and antimalware features, set up to protect the DMZ and backend systems.

Data centre – The virtualization environment (including the SAN – Storage Area Network) is placed on servers that are hosted in a data centre located in Italy and managed by a certified ISO 27001 provider. In particular, the following security measures shall be implemented to protect the Data Centre:
Exterior perimeter security:
• External fence marking the boundary of the property, not lower than 3 meters in height, equipped with passive anti-climb protection
• Monitoring of external areas by means of infrared barriers and/or video analysis systems and by video surveillance with recording systems
• Restricted/individual pedestrian access
• Restricted vehicle access
• Armed patrols
Interior perimeter security:
• Surveillance room for the control and supervision of internal and external areas
• Use of alarms; management of visitors by issuing badges according to company policies and to specific regulations for data centres
• Reception desk for entry control
• Three-arm turnstiles placed opposite the surveillance room and reception desk
High security inner perimeter:
• Interlocked access to system rooms equipped with passive protection
• Entry control system based on lists of “AUTHORIZED” people
• Magnetic sensors detecting the state of doors
• Emergency exits with sensors detecting the state of doors
All alarms are remotely linked to the surveillance room.


C – BUSINESS PROCESS OUTSOURCING (BPO)

Organizational Security Measures

Certifications – The Provider has obtained the following certifications/assessments:
ISO/IEC 27001:2013: “Delivery of services for the design and management of ICT infrastructure, management of applications within the Group and management of Cloud infrastructure (IaaS)”.
ISO/IEC 27018:2014 for the protection of personal data in Public Cloud services.

User Policies and Regulations – The Provider has adopted detailed policies and regulations, which all users having access to information systems must comply with, aimed at ensuring that users’ behaviour while using information resources is consistent with the principles of confidentiality, availability and integrity of data.

Logical access authorization – The Provider defines access profiles based on the least privilege necessary to carry out the assigned duties. The authorization profiles are selected and configured prior to the beginning of the processing and in such a manner that access will be restricted only to those data that are strictly necessary for the processing activities.
The profiles undergo regular audits aimed at assessing whether the requirements to maintain the assigned profiles are still met.

Assistance interventions – The Provider shall manage assistance interventions with the aim of ensuring that only contractual activities are performed and that any unnecessary processing in relation to Personal Data of the Client or of the Final User is prevented.

Change Management – The Provider has implemented a specific procedure to regulate the Change Management process in view of the introduction (if any) of technological innovations or in case of modifications (if any) of its basic and organizational structure.

Data Protection Impact Assessment (DPIA) – In compliance with Articles 35 and 36 of the GDPR and based on the document “WP248 – Guidelines on Data Protection Impact Assessment”, adopted by the Article 29 Working Party, the Provider has prepared its own methodology for the analysis and assessments of those processing activities that, taking into account the nature, scope, context and purposes of the processing, are likely to result in a high risk for the rights and freedoms of natural persons, in order to be able to carry out an assessment of the impact on the protection of personal data prior to the processing.

Incident Management – The Provider has adopted a specific Incident Management procedure aimed at restoring ordinary service operations as soon as possible while maintaining the best service levels.

Data Breach – The Provider has implemented a special procedure, aimed at the management of events and incidents that are likely to have an impact on personal data, which defines the roles and responsibilities, the process for detection of the (suspected or actual) incident/breach, the implementation of remedial actions, the response to, and containment of, such incident/breach as well as the formalities to inform the Client of personal data breaches.

Training – The Provider will periodically offer training courses on the proper handling of personal data to those members of its personnel who are involved in the processing activities.

Technical Security Measures

High Reliability – The Provider ensures high reliability in the following terms:
• The Server Architecture shall be based on the VMware virtualization solution and be implemented by creating physical and virtual redundancies of each system, in order to ensure fault tolerance and remove single points of failure. In particular, in case of system failure, the software managing the virtual environment shall be able to reallocate current activities to other systems (principles of high availability and load balancing), minimizing service inefficiencies and ensuring persistence of existing connections.
• Each Server is placed on a SAN connected via high-speed iSCSI.
• All infrastructure components, including servers, security and network equipment, storage systems and SAN infrastructure, have been duplicated in full, in order to eliminate every single point of failure.
• The network infrastructure has been designed to protect front-end systems from the Internet and from internal networks using a DMZ shielded by two separate layers of firewalls (Defence-in-Depth strategy): a boundary firewall connected to the Internet and a second firewall, belonging to the organization and including Intrusion Prevention and antimalware features, set up to protect the DMZ and backend systems.

Hardening – Specially designed hardening activities shall be implemented with the aim of preventing security incidents by minimizing the architectural weaknesses of operating systems, applications and network equipment. In particular, these activities take into due account the reduction of the risks relating to system vulnerabilities, the reduction of the risks relating to the applications installed on the systems, and the increase of the protection level covering the services provided.

Firewall, IDS/IPS – Intrusion prevention systems, such as a Firewall and IDS/IPS, shall be placed in the network segment connecting the cloud infrastructure with the internet in order to intercept any malicious activity aimed at degrading, in full or in part, the provision of the service. In the case at issue, the adopted equipment is of the UTM SourceFire (Cisco) type, which includes both the Firewall and the IDS/IPS component.

Security of communication lines – Within the extent of its responsibilities the Provider shall implement secure communication protocols that are in line with the available technology.

Protection from malware – The VMs shall be protected against the risk of an intrusion and of the activity of certain programs by activation of appropriate electronic tools to be periodically updated.
All VMs shall be managed through antivirus features (at both hypervisor and infrastructure level).

Authentication Credentials – The systems shall be configured in such a manner that access is granted exclusively to those provided with authentication credentials allowing unique identification of the user. These include: a code associated with a confidential password that shall be known only to the user, or an authentication device that shall be held and used only by the user, which may, in certain cases, be associated with an ID code or a password.

Password – The basic features of password use will comply with best practices: the obligation to change the password at first access, its minimum length, the absence of elements that can easily be linked to its holder, the rules on its complexity, its expiration and history, the assessment of its strength in context, and its display and storage. Users provided with credentials shall also receive specific instructions on the measures they must adopt to ensure that such credentials remain secret.

Logging – The systems may be configured in such a manner as to track access requests and, where appropriate, other activities that are carried out, in relation to the different types of users (Administrator, Super User, etc.), and shall be protected by appropriate security measures ensuring their integrity.

Backup & Restore – Appropriate measures shall be implemented aimed at ensuring restoration of access to data in case of damages to such data or to electronic tools, within terms that are certain and consistent with the rights of the data subjects.
It remains the responsibility of the Data Controller to decide whether to independently make backup copies during the term of the agreement and for a 60-day period following its termination.
If so required by any agreement, a business continuity plan shall be implemented and, where necessary, integrated with the disaster recovery plan. These plans ensure the availability of, and access to, the systems even in the event of serious adverse events that persist over time.

Vulnerability Assessment & Penetration Test – The Provider shall regularly carry out vulnerability analyses aimed at assessing the level of exposure to known vulnerabilities, in relation to both the infrastructures and the operations framework, taking into account both systems already in operation and systems under development.
When deemed appropriate, in relation to the potential risks that have been identified, the assessments above are complemented, from time to time, by specific Penetration Test techniques that simulate unauthorized access in various attack scenarios, with the aim of verifying the level of security attained by applications/systems/networks by using the identified vulnerabilities to circumvent the physical/logical security mechanisms and gain access to them.
The outcome of such assessments is thoroughly examined in order to identify and implement the improvements necessary to ensure the high level of security that is required.

System Administrators – All users operating as System Administrators shall be recorded in a regularly updated list, and the duties assigned to them shall be duly defined in specific documents of appointment. The activity performed by System Administrators shall be monitored by means of a log management system that accurately traces all performed activities and stores such data in an immutable manner, so that monitoring is also possible after the fact. The behaviour of System Administrators shall be audited to verify compliance with the organizational, technical and security measures required by current regulations in relation to the processing of personal data.

Data centre – The virtualization environment (including the SAN – Storage Area Network) is placed on servers that are hosted in a data centre located in Italy and managed by a certified ISO 27001 provider. In particular, the following security measures shall be implemented to protect the Data Centre:

Exterior perimeter security:
• External fence marking the boundary of the property, not lower than 3 meters in height, equipped with passive anti-climb protection
• Monitoring of external areas by means of infrared barriers and/or video analysis systems and by video surveillance with recording systems
• Restricted/individual pedestrian access
• Restricted vehicle access
• Armed patrols
Interior perimeter security:
• Surveillance room for the control and supervision of internal and external areas
• Use of alarms; management of visitors by issuing badges according to company policies and to specific regulations for data centres
• Reception desk for entry control
• Three-arm turnstiles placed opposite the surveillance room and reception desk
High security inner perimeter:
• Interlocked access to system rooms equipped with passive protection
• Entry control system based on lists of “AUTHORIZED” people
• Magnetic sensors detecting the state of doors
• Emergency exits with sensors detecting the state of doors
All alarms are remotely linked to the surveillance room.


D – BPI (BUSINESS PROCESS INSOURCING)

Organizational Security Measures

User Policies and Regulations – The Provider has adopted detailed policies and regulations, which all users having access to information systems must comply with, aimed at ensuring that users’ behaviour while using information resources is consistent with the principles of confidentiality, availability and integrity of data.

Logical access authorization – The Provider defines access profiles based on the least privilege necessary to carry out the assigned duties. The authorization profiles are selected and configured prior to the beginning of the processing and in such a manner that access will be restricted only to those data that are strictly necessary for the processing activities.
The profiles undergo regular audits aimed at assessing whether the requirements to maintain the assigned profiles are still met.

Data Breach – The Provider has implemented a special procedure, aimed at the management of events and incidents that are likely to have an impact on personal data, which defines the roles and responsibilities, the process for detection of the (suspected or actual) incident/breach, the implementation of remedial actions, the response to, and containment of, such incident/breach as well as the formalities to inform the Client of personal data breaches.

Training – The Provider will periodically offer training courses on the proper handling of personal data to those members of its personnel who are involved in the processing activities.

Technical Security Measures

Security of communication lines – Within the extent of its responsibilities, the Provider shall implement secure communication protocols that are in line with the available technology in relation to the authentication process.

Backup & Restore – If so required by any agreement, appropriate measures shall be implemented aimed at ensuring restoration of access to data in case of damages to such data or to electronic tools, within terms that are certain and consistent with the rights of the data subjects.


E – ON PREMISES

Organizational Security Measures

User Policies and Regulations – The Provider has adopted detailed policies and regulations, which all users having access to information systems must comply with, aimed at ensuring that users’ behaviour while using information resources is consistent with the principles of confidentiality, availability and integrity of data.

Logical access authorization – The Provider defines access profiles based on the least privilege necessary to carry out the assigned duties. The authorization profiles are selected and configured prior to the beginning of the processing and in such a manner that access will be restricted only to those data that are strictly necessary for the processing activities.
The profiles undergo regular audits aimed at assessing whether the requirements to maintain the assigned profiles are still met.

Assistance interventions – The Provider shall manage assistance interventions with the aim of ensuring that only contractual activities are performed and that any unnecessary processing in relation to Personal Data of the Client is prevented.

Incident Management & Data Breach – The Provider has implemented a special procedure, aimed at the management of events and incidents that are likely to have an impact on personal data, which defines the roles and responsibilities, the process for detection of the (suspected or actual) incident/breach, the implementation of remedial actions, the response to, and containment of, such incident/breach as well as the formalities to inform the Client of personal data breaches.

Training – The Provider will periodically offer training courses on the proper handling of personal data to those members of its personnel who are involved in the processing activities.

Technical Security Measures

Security of communication lines – Within the extent of its responsibilities, during the technical assistance phase, the Provider shall implement secure communication protocols that are in line with the available technology.

Protection from malware – Workstations used during the technical assistance phase shall be protected against the risk of an intrusion and of the activity of certain programs by activation of appropriate electronic tools to be periodically updated.

All VMs are managed through antivirus features (at both hypervisor and infrastructure level).

System Administrators – All users operating as System Administrators shall be recorded in a regularly updated list, and the duties assigned to them shall be duly defined in specific documents of appointment. The activity performed by System Administrators shall be monitored by means of a log management system that accurately traces all performed activities and stores such data in an immutable manner, so that monitoring is also possible after the fact. The behaviour of System Administrators shall be audited to verify compliance with the organizational, technical and security measures required by current regulations in relation to the processing of personal data.