Data Processing Agreement (DPA)

Version: v1.0-draft — Last updated: May 13, 2026

Note — v1.0-draft: This DPA is provided as a baseline GDPR Article 28 template. For enterprise customers or processing of special-category data, we recommend a tailored DPA reviewed by your legal counsel. Contact us via info@certaddress.com to request a customised DPA.

1. Parties

This Data Processing Agreement (the "DPA") is entered into between:

  • The Controller: the business entity that has registered for and uses the CertAddress Service (the "Customer"), as identified in the Customer's CertAddress account.
  • The Processor: 3V Solution, operating the CertAddress Service (the "Service"), with registered office in Udine, Italy.

This DPA forms an integral part of the Terms of Service and is governed by the same Italian law and jurisdiction.

2. Definitions

Capitalized terms used in this DPA have the meanings ascribed to them in the General Data Protection Regulation (EU) 2016/679 ("GDPR"), in particular:

  • Personal Data — any information relating to an identified or identifiable natural person.
  • Processing — any operation performed on Personal Data.
  • Data Subject — the identified or identifiable natural person to whom the Personal Data relates.
  • Sub-Processor — any third party engaged by the Processor to process Personal Data on behalf of the Controller.
  • Personal Data Breach — a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.

3. Subject Matter and Duration

Subject matter: Processing of address data and Customer account data necessary to provide the Service.

Duration: This DPA is effective from the date of acceptance and remains in effect for the entire duration of the underlying Service contract.

4. Nature and Purpose of Processing

The Processor processes Personal Data on behalf of the Controller for the following purposes:

  • Real-time validation and normalization of Italian postal addresses
  • Geographic enrichment (coordinates, postal codes, administrative regions)
  • Confidence scoring and quality assessment of address data
  • Account management, authentication, billing, and usage monitoring of the Customer

5. Categories of Personal Data

  • Address data: street, civic number, postal code, city, province, locality — potentially containing Personal Data of the Controller's end-customers (shipment recipients).
  • Customer account data: company name, VAT number, contact name, email, phone, business address.
  • Usage data: API call timestamps, IP addresses, endpoint paths, response confidence levels.

No special categories of Personal Data (GDPR Art. 9) are processed.

6. Categories of Data Subjects

  • End-customers of the Controller (recipients of shipments / deliveries / mailings)
  • Employees / authorized representatives of the Controller (account access, API key custody)

7. Controller Obligations

The Controller represents and warrants that:

  • It has a valid legal basis under GDPR Art. 6 for processing the Personal Data submitted to the Service.
  • It has provided required information to Data Subjects (transparency obligations).
  • Its instructions to the Processor (whether in this DPA, in Annex C, or in writing) comply with applicable data protection law.
  • It does not submit special-category data (Art. 9 GDPR) without prior written agreement with the Processor.

8. Processor Obligations (GDPR Art. 28.3)

The Processor commits to:

  • (a) Process Personal Data only on documented instructions from the Controller (instructions documented in this DPA, the Service Terms, and Annex C).
  • (b) Ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under appropriate statutory obligation of confidentiality.
  • (c) Take all security measures required by Art. 32 GDPR (see Annex A — Technical and Organizational Measures).
  • (d) Respect the conditions for engaging Sub-Processors set out in Section 9 and Annex B.
  • (e) Assist the Controller by appropriate technical and organizational measures, insofar as possible, in responding to Data Subject requests.
  • (f) Assist the Controller in ensuring compliance with Articles 32-36 GDPR (security, breach notification, DPIA), taking into account the nature of processing.
  • (g) At the choice of the Controller, delete or return all Personal Data after the end of the provision of services, and delete existing copies unless EU or Italian law requires storage.
  • (h) Make available all information necessary to demonstrate compliance with this Article and allow for and contribute to audits (see Section 14).

9. Sub-Processors

The Controller grants general authorization for the Processor to engage Sub-Processors listed in Annex B.

  • The Processor shall notify the Controller of any intended addition or replacement of Sub-Processors at least 30 days in advance, providing the Controller the opportunity to object.
  • If the Controller objects on reasonable grounds related to data protection, the parties will seek a mutually acceptable solution. If no solution is reached, the Controller may terminate the Service contract without penalty.
  • The Processor remains fully liable to the Controller for the performance of Sub-Processor obligations.

10. International Transfers

All primary processing occurs within the European Economic Area (EEA).

Where any Sub-Processor processing involves transfer of Personal Data outside the EEA, the Processor ensures appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission (Implementing Decision (EU) 2021/914), in compliance with GDPR Articles 44-49.

11. Security Measures

The Processor implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as detailed in Annex A. These measures are reviewed periodically and updated to reflect technical evolution and emerging threats.

12. Personal Data Breach

The Processor shall notify the Controller of any Personal Data Breach affecting the Controller's data without undue delay, and in any case within 72 hours of becoming aware of the breach.

The notification shall include, to the extent possible:

  • Description of the nature of the breach
  • Categories and approximate number of Data Subjects affected
  • Categories and approximate number of records affected
  • Likely consequences of the breach
  • Measures taken or proposed to address the breach and mitigate adverse effects

If the breach poses a high risk to Data Subjects' rights and freedoms, the Processor will assist the Controller in fulfilling their notification obligations to Data Subjects under Art. 34 GDPR.

13. Data Subject Requests

If the Processor receives a request from a Data Subject in respect of Personal Data processed on behalf of the Controller, the Processor shall forward the request to the Controller within 5 business days and shall not respond directly to the Data Subject (other than to acknowledge receipt) unless authorized by the Controller.

14. Audits

  • The Processor makes available to the Controller information necessary to demonstrate compliance with Art. 28 GDPR through annual written self-certification.
  • The Controller may request an audit of the Processor's processing activities once per calendar year, with at least 30 days' written notice, conducted during normal business hours and in a manner that does not disrupt the Processor's operations.
  • Audit costs are borne by the Controller, unless the audit reveals material non-compliance, in which case the Processor shall bear reasonable audit costs.
  • Audits shall be conducted under appropriate confidentiality undertakings.

15. Liability

The aggregate liability of each party under this DPA is subject to the limitation of liability set out in the underlying Terms of Service, namely:

Total aggregate liability for any and all claims arising out of or related to this DPA shall not exceed the total fees paid by the Controller in the twelve (12) months preceding the event giving rise to the claim.

Neither party shall be liable for any indirect, incidental, special, consequential, or punitive damages.

16. Termination and Data Return/Deletion

Upon termination of this DPA (concurrent with termination of the underlying Service contract):

  • Within 30 days of termination notice, the Processor shall, at the Controller's choice (specified in writing), either:
    • Return all Personal Data to the Controller in a structured, commonly used, machine-readable format; OR
    • Delete all Personal Data and existing copies.
  • Within 60 days of termination, the Processor shall complete deletion of all Personal Data from active systems and backups, unless continued retention is required by EU or Italian law (e.g., tax records, accounting). In such cases, the Processor shall protect the data and not process it for any other purpose.
  • Upon request, the Processor shall provide written confirmation of completed deletion.

17. Governing Law and Jurisdiction

This DPA is governed by the laws of the Republic of Italy, without giving effect to its conflict of laws principles.

Any dispute arising out of or in connection with this DPA shall be subject to the exclusive jurisdiction of the courts of Udine, Italy.

Annex A — Technical and Organizational Measures (TOM)

Technical measures

  • Encryption in transit: HTTPS/TLS 1.2+ for all API and portal communications.
  • Encryption at rest: server-side disk encryption (provided by Hetzner Online GmbH).
  • API key hashing: bcrypt hashed, never stored in plaintext.
  • Network security: UFW firewall restricting open ports to essential services (HTTPS, SSH, internal APIs).
  • Backup retention: daily encrypted backups + rollback snapshot chain (6+ points).
  • Access logging: API usage logs (45 days retention) + system access logs.
  • Vulnerability management: dependency scanning + regular software updates.

Organizational measures

  • Access control: SSH key-based authentication (no password) + restricted admin team.
  • Personnel confidentiality: staff bound by confidentiality obligations.
  • Vendor due diligence: Sub-Processors selected based on data protection certifications (ISO 27001 or equivalent).
  • Incident response: 72-hour breach notification procedure + post-incident review.
  • Data retention enforcement: automated rotation of usage logs (45 days).
  • Security review: regular code review + security monitoring.

Annex B — Authorized Sub-Processors

Sub-Processor Service Data processed Location Safeguards
Hetzner Online GmbH Infrastructure hosting All processed data (encrypted at rest) Germany (EU) Hetzner DPA GDPR-compliant + ISO 27001
HERE Technologies Geocoding API (street + house number validation) Address strings (no personal identifiers) EU + global SCCs EU Commission for non-EEA transfers
Agenzia delle Entrate (ANNCSU) Italian official street registry (local DB) Address validation queries (no outbound API) Italy (EU) Italian public agency, no cross-border transfer

Annex C — Specific Controller Instructions

In addition to the general instructions documented in this DPA and the Service Terms, the Controller may communicate additional written instructions via info@certaddress.com.

Default standing instructions:

  • Process Personal Data only for the purposes set out in Section 4 (Nature and Purpose).
  • Do not transfer Personal Data to any third party other than the Sub-Processors listed in Annex B.
  • Retain Personal Data only for the periods set out in the Privacy Policy (Section 5) and Service Terms.
  • Apply security measures set out in Annex A.

Accept this DPA

By clicking "I accept" below, you (acting on behalf of the Controller) acknowledge that you have read, understood, and agree to be bound by this DPA. Your acceptance, IP address, and timestamp will be recorded for audit purposes.

Please log in to the client portal to accept this DPA.

We use essential cookies for site functionality and session management. No tracking or advertising cookies. Learn more