This Data Processing Agreement ("DPA") is drafted under art. 28 of Regulation (EU) 2016/679 ("GDPR") and governs the processing of personal data carried out by SORAIA S.R.L. as Processor on behalf of the Client as Controller, in the context of the supply of the Linkly service.
Public model version: this document fully reproduces the text of the DPA that SORAIA S.R.L. signs with each Linkly client. The bilaterally signed DPA is an integral part of the supply contract and constitutes its annex A. The clauses set out below are identical to the contractual ones, except for the insertion of the specific identifying data of the Controller at the time of signing.
1. Parties
Between:
- [Client], with registered office at [address], VAT no. [IT…], as Controller under art. 4(7) GDPR (hereinafter "Controller")
- and SORAIA S.R.L., with registered office at Via Losana 13, 13900 Biella (BI), Italy, VAT no. IT02820060024, as Processor under art. 28 GDPR (hereinafter "Processor")
jointly the "Parties".
2. Subject
This Agreement governs the processing of personal data carried out by the Processor on behalf of the Controller in the context of the use of the Linkly platform.
3. Duration of the processing
The processing has the same duration as the main supply contract between the Parties. Upon termination, the provisions set out in section 12 of this Agreement apply.
4. Nature and purposes of the processing
The Processor processes personal data exclusively for the following purposes:
- acquisition and digitisation of contacts (e.g. badges, business cards, QR codes) via optical character recognition (OCR)
- storage, organisation and technical management of data
- data enrichment via public sources and third-party providers
- structuring, normalisation and classification of data via artificial intelligence technologies
- generation of commercial follow-up templates (on the Controller's instructions)
- technical integration with the Controller's CRM, ERP and marketing systems
- post-event reporting and analytics
- technical support and maintenance of the Platform
5. Categories of data processed
5.1 Data provided directly by the Controller or its users
- first name and surname
- company
- role
- business email
- professional phone number
- notes and commercial assessments entered by the user
5.2 Data acquired automatically
- data extracted via OCR from business cards and event badges
- data encoded in QR codes
- acquisition source (event, date, channel, user who performed the scan)
5.3 Enriched data
- business emails
- phone numbers
- public LinkedIn profiles
- public company information (sector, size, location)
5.4 Technical data
- IP address
- access logs
- device identifiers
- operation timestamps
5.5 Exclusions
The Controller undertakes not to upload to the Platform special categories of data (art. 9 GDPR: data revealing racial or ethnic origin, political opinions, religious beliefs, biometric data, health data, data on sex life or sexual orientation) or data relating to criminal convictions and offences (art. 10 GDPR). Any breach of this undertaking is the sole responsibility of the Controller.
6. Categories of data subjects
- B2B professional contacts collected at fairs and events (leads)
- employees and collaborators of the Controller authorised to use the Platform
- commercial and administrative contacts of the Controller
7. Controller's instructions
The Processor:
- processes the data exclusively on the documented instructions of the Controller (art. 28(3)(a) GDPR), including this Agreement, the main contract and the Platform's operational configurations
- does not use the data for its own purposes or for services to third parties
- does not make solely automated decisions with legal or significant effects on the data subject under art. 22 GDPR
- immediately informs the Controller if it considers that an instruction breaches the GDPR or other applicable law (art. 28(3) last paragraph GDPR)
8. Processor's obligations
The Processor undertakes to:
- guarantee the confidentiality of personal data
- authorise to process only trained personnel bound by secrecy (art. 28(3)(b) GDPR; art. 29 GDPR)
- implement technical and organisational measures appropriate under art. 32 GDPR (see section 9)
- assist the Controller in complying with GDPR obligations (arts. 32-36 GDPR), including DPIAs and prior consultations
- notify the Controller of any personal-data breaches without undue delay (see section 15)
- make available to the Controller all information necessary to demonstrate compliance with obligations and allow audits (see section 14)
- delete or return the data to the Controller upon termination of the relationship (see section 12)
9. Security of processing
SORAIA adopts technical and organisational measures proportionate to the risk under art. 32 GDPR, including:
- Encryption of data in transit via TLS 1.2 or higher with modern cipher suites
- Encryption of data at rest on databases (AES-256)
- Access controls based on individual credentials, least-privilege principle, separation of roles
- Mandatory multi-factor authentication for administrative and developer accounts
- Password hashing with bcrypt (adequate cost factor)
- Logging and monitoring of administrative access (12-month retention)
- Logical separation of environments (dev/staging/prod) and of client data (multi-tenant with logical isolation)
- Daily automatic backups with periodically tested disaster-recovery procedures
- Formal management of security incidents (incident response plan)
- Periodic review of accesses (quarterly review)
- Patch management for components subject to known vulnerabilities
- Penetration tests periodically on critical components
- Training of authorised personnel (annual)
- Deletion or anonymisation of data upon termination of the service
- Infrastructure primarily located in the European Union (see section 11 for sub-processor details)
10. Sub-processors
The Controller generally authorises the Processor to engage sub-processors under art. 28(2) GDPR.
The Processor uses sub-processors belonging to the following categories:
- backend infrastructure and database
- frontend application
- workflow automation and orchestration
- AI providers for OCR, structuring, text generation
- B2B data enrichment providers
- public-source research services
The specific and updated list of sub-processors, with name, role, processing location and non-EU transfer instrument applied, is provided to the Controller at the time of signing the contract and on every subsequent update.
The Processor warrants that:
- each sub-processor is bound by contractual obligations equivalent to those of this DPA, via a signed Data Processing Agreement
- for sub-processors based outside the EU, safeguards under arts. 44 et seq. GDPR are adopted (Standard Contractual Clauses, adequacy decisions, EU-US Data Privacy Framework where applicable)
- any changes to the list (additions or replacements) are communicated by email to the Controller with 30 days' notice, during which the Controller may raise a reasoned written objection. In the event of objection, the Parties negotiate in good faith a solution; failing agreement, either Party may withdraw from the contract without penalties
11. Non-EU transfers
Where personal data are transferred outside the European Economic Area (EEA), the Processor ensures compliance with arts. 44 et seq. GDPR via the instruments provided by the law:
- Adequacy decisions under art. 45 GDPR (e.g. UK, Switzerland, Japan)
- EU-US Data Privacy Framework (DPF) for adhering US sub-processors
- Standard Contractual Clauses (SCC) approved by the EU Commission with Implementing Decision 2021/914 (module 3 for processor→sub-processor relationships)
- Supplementary technical and organisational measures where necessary in light of Schrems II case law and EDPB Recommendations 01/2020 (encryption, pseudonymisation, contractual controls on government requests)
For each non-EU sub-processor, SORAIA carries out a documented Transfer Impact Assessment (TIA).
12. Return and deletion of data
Upon termination of the contract, the Processor:
- makes available to the Controller the personal data in a structured, commonly used format (CSV, JSON, or agreed format) for a maximum period of 30 days from the termination date
- after such period, it proceeds to secure deletion or, upon written request from the Controller, anonymisation of the data
- also deletes the data from backups according to ordinary rotation procedures (at most within 90 days of termination)
- retains only the data necessary to fulfil legal obligations (e.g. invoicing, litigation, anti-money-laundering), with limited access and for the time strictly necessary
- upon request from the Controller, provides a written certification of the deletion carried out
13. Assistance to the Controller
The Processor assists the Controller, taking into account the nature of the processing and the information available, for:
- handling requests to exercise data-subject rights (arts. 15-22 GDPR), within the deadlines set by the GDPR
- carrying out data protection impact assessments (DPIA) under art. 35 GDPR, providing the relevant technical and organisational information
- prior consultations with the supervisory authority under art. 36 GDPR
- documentation necessary to demonstrate compliance with GDPR obligations (records of processing, security measures, sub-processors)
Assistance is provided free of charge for ordinary activities. For extraordinary requests that require significant technical effort, specific fees may be agreed, always within the limits of the actual costs incurred.
14. Audits
The Controller has the right, under art. 28(3)(h) GDPR, to request information and verify compliance by the Processor with its obligations. The modalities are as follows:
- Annual documentary audit: the Controller may request copies of the relevant technical and organisational documents (security policies, certifications if present, summary penetration-test reports, list of sub-processors). SORAIA replies within 30 days
- On-site or remote audits: upon reasoned request, the Parties agree the date and modalities. The audit is limited to what is strictly necessary and must not compromise the security of other clients or service continuity. Any costs borne by SORAIA for the activation of dedicated personnel are charged to the Controller unless the audit reveals breaches by the Processor
- Audits triggered by the supervisory authority: SORAIA cooperates fully, without additional charges to the Controller
15. Breach notification (art. 33 GDPR)
The Processor, upon becoming aware of a personal-data breach involving data processed on behalf of the Controller, is required to:
- Notify the Controller without undue delay after becoming aware, and in any case within 48 hours (operational margin that allows the Controller to comply with the 72-hour deadline set by art. 33 GDPR to the authority)
- provide the Controller with at least the following information:
- nature of the breach, categories and approximate number of data subjects and records involved
- name and contact details of the SORAIA contact point for incident management
- likely consequences of the breach
- measures taken or proposed to address the breach and mitigate adverse effects
- update the Controller progressively as new elements emerge
- cooperate in notifying the Italian DPA and, where applicable, in communicating to data subjects (arts. 33-34 GDPR)
- keep documentation of the breach and the actions taken (art. 33(5) GDPR)
The SORAIA contact point for breach notifications and for any security matter is: privacy@soraia.io.
16. Liability
The Processor is liable exclusively for GDPR breaches or breaches of this DPA attributable to its own conduct (art. 82(2) GDPR).
Any liability of the Processor is excluded for:
- processing carried out directly by the Controller
- unlawful or non-compliant use of the data by the Controller
- regulatory breaches attributable to the Controller (e.g. lack of notice to data subjects, inadequate legal basis, use beyond the limits of the notice)
- entry of categories of data not allowed (arts. 9, 10 GDPR) or data of minors
- damages arising from malfunctions of third-party systems controlled by the Controller
17. Final provisions
This DPA is an integral part of the main supply contract. In case of conflict between the provisions of this DPA and those of the main contract regarding personal-data protection, the provisions of this DPA prevail.
Any changes to this DPA must be agreed in writing. SORAIA may propose updates to align with regulatory changes, communicating them to the Controller with 30 days' notice; in the absence of written objection, the changes are deemed accepted.
For matters not expressly provided for, reference is made to the provisions of the GDPR, of the national implementing legislation (Italian Legislative Decree 196/2003 as amended) and of the applicable EDPB Guidelines.
Data protection contacts
For any question relating to the processing of personal data, the exercise of GDPR rights, or to receive a copy of the Data Processing Agreement, please contact:
- Privacy email: privacy@soraia.io
- Certified email (PEC): soraia@mypec.eu
- Address: SORAIA S.R.L., Via Losana 13, 13900 Biella (BI), Italia
Data Protection Officer (DPO): not designated. SORAIA S.R.L. is not subject to the obligation to designate a DPO under art. 37 GDPR (the requirements set out in par. 1 letters b and c are not met). Requests from data subjects and from clients' DPOs are managed directly by the company privacy function via the contacts above.
Complaints: without prejudice to the right to contact the Controller/Processor directly, data subjects have the right to lodge a complaint with the Italian Data Protection Authority (garanteprivacy.it) or with another competent supervisory authority based on their place of residence.
Updates to this document
SORAIA S.R.L. reserves the right to update this document for regulatory reasons or service evolution. Material changes will be communicated to active clients via email and published on this page with the last-updated date refreshed.