Data Processing Agreement (DPA)
CertAddress — Address validation · pursuant to Article 28 GDPR
Version v1.0 · Governed by Italian law
This Data Processing Agreement ("DPA") governs the processing of personal data carried out by the Processor on behalf of the Controller within the CertAddress service, and forms an integral part of the Terms of Service ("Principal Agreement") accepted by the Client. It is based on the standard contractual clauses between controllers and processors adopted by Commission Implementing Decision (EU) 2021/915, and complies with Article 28(3) and (4) of Regulation (EU) 2016/679 ("GDPR"). In the event of conflict with the Principal Agreement, solely as to matters within the scope of Article 28 GDPR, this DPA prevails.
Parties
- Controller: the Client who accepts this DPA through the CertAddress portal, identified by its account data (company name, VAT/tax ID, contact). The Client determines the purposes and means of the processing of the data it submits to the Service.
- Processor: David Trevisan, sole trader (impresa individuale), trading as "CertAddress" — VAT (P.IVA) 03115400305 — Remanzacco (UD), Italy — PEC: trevisandavid@legalmail.it — Privacy contact: info@certaddress.com.
Definitions
"Personal data", "processing", "controller", "processor", "data subject", "personal data breach", "supervisory authority" have the meaning given in Article 4 GDPR. "Service" means the CertAddress address-validation platform. "Sub-processor" means a third party engaged by the Processor to process personal data on behalf of the Controller.
Clause 1 — Subject matter and duration
1.1 The Processor processes personal data on behalf of the Controller solely to provide the Service, as described in Annex II.
1.2 This DPA takes effect upon the Controller's acceptance and lasts for the term of the Principal Agreement, ending with it without prejudice to deletion/return obligations (Clause 9) and obligations that by their nature survive.
Clause 2 — Documented instructions
2.1 The Processor processes personal data only on the Controller's documented instructions, including as regards transfers, unless required by EU/Member State law (in which case it informs the Controller before processing, unless prohibited).
2.2 This DPA, together with use of the Service in accordance with the technical documentation (API input schema), constitutes the primary set of documented instructions. Further instructions require written agreement.
2.3 The Processor immediately informs the Controller if, in its opinion, an instruction infringes the GDPR or other applicable law.
Clause 3 — Confidentiality
3.1 The Processor ensures that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality, and access the data only as necessary to provide the Service.
Clause 4 — Security of processing (Art. 32)
4.1 The Processor implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, described in Annex III.
4.2 In assessing the appropriate level of security, account is taken in particular of the risks of accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to the data.
Clause 5 — Sub-processors
5.1 The Controller grants the Processor general authorisation to engage the sub-processors listed in Annex IV for hosting and e-mail infrastructure. The Processor ensures that each sub-processor is bound by data-protection obligations equivalent to those in this DPA (Art. 28(2),(4)).
5.2 All current sub-processors are established and process data within the EEA; no transfer of personal data outside the EEA takes place (see Clause 11).
5.3 The Processor informs the Controller in advance of any intended addition or replacement of a sub-processor, giving the Controller the opportunity to object on reasonable data-protection grounds.
5.4 The reference datasets used for validation (ANNCSU, ISTAT, OpenStreetMap) are local replicas on the Processor's infrastructure; the Controller's data is not transmitted to them and they are not sub-processors.
Clause 6 — Assistance with data subject rights
6.1 Taking into account the nature of the processing, the Processor assists the Controller by appropriate technical and organisational measures, insofar as possible, in fulfilling requests to exercise data subject rights (Arts. 15–22 GDPR).
6.2 If a data subject contacts the Processor directly, the Processor forwards the request to the Controller without undue delay and does not act on it except on the Controller's instruction.
Clause 7 — Assistance with Arts. 32–36 obligations
7.1 The Processor assists the Controller in ensuring compliance with the obligations on security (Art. 32), breach notification (Arts. 33–34), data protection impact assessment and prior consultation (Arts. 35–36), taking into account the nature of processing and information available.
Clause 8 — Personal data breaches
8.1 The Processor notifies the Controller of any personal data breach without undue delay after becoming aware of it, providing the information reasonably available to help the Controller meet its own notification obligations under Arts. 33–34.
Clause 9 — Deletion or return of data
9.1 On termination of the Service, the Processor, at the Controller's choice, deletes or returns the personal data and deletes existing copies, unless retention is required by EU/Member State law.
9.2 Personal data contained in service logs is retained for a maximum of 45 days, after which: monitoring logs are permanently deleted; usage logs are anonymised in the fields containing personal data (IP address and request/response content), retaining only aggregate technical and billing counters (e.g. number of API calls, latency), which contain no personal data. Retention is automated and equipped with anti-failure observability.
Clause 10 — Audit and demonstration of compliance
10.1 The Processor makes available to the Controller the information necessary to demonstrate compliance with Art. 28 GDPR and this DPA, and contributes to audits/inspections by the Controller or a mandated auditor, on reasonable notice, while protecting the confidentiality and security of other clients.
Clause 11 — International transfers
11.1 The Processor does not transfer the Controller's personal data outside the EEA. All processing and sub-processing take place within the EEA. Any future transfer will be subject to a valid Chapter V GDPR mechanism and to prior notice to the Controller.
Clause 12 — Liability
12.1 Liability of the Parties is governed by the Principal Agreement and applicable law.
Clause 13 — Governing law and forum
13.1 This DPA is governed by Italian law. The courts of Gorizia, Italy have jurisdiction over any dispute, without prejudice to mandatory rules protecting the consumer/data subject.
Clause 14 — Acceptance
14.1 The Controller accepts this DPA through the CertAddress portal. On acceptance, the DPA version, date/time and IP address are recorded. Acceptance is idempotent (a single record per Controller and version).
Annex I — The Parties
- Controller: the Client, as identified by its CertAddress account data.
- Processor: David Trevisan, sole trader, trading as CertAddress — VAT 03115400305 — Remanzacco (UD), Italy — PEC trevisandavid@legalmail.it.
Annex II — Description of the processing
- Subject matter: validation of Italian postal addresses supplied by the Controller via API.
- Nature and purpose: verification/normalisation of the address and, only at the Controller's request (the
extract_fieldsoption), extraction of delivery fields (e.g. care-of/"c/o", company name, box, internal unit, stair, floor, exponent). The sole purpose is providing the Service. - Categories of personal data: postal addresses; where present in the free-text address line supplied by the Controller, recipient names / "c/o" names / company names. The Service input schema requires only the
addressfield (plus optional city/postcode/province): no name field is required (minimisation, Art. 5(1)(c)). - Categories of data subjects: the Controller's recipients/customers (the persons to whom the addresses relate).
- Duration of processing: for the term of the Principal Agreement; retention of personal data in logs ≤ 45 days (Clause 9).
- Special categories: the Service is not intended for special categories of data (Art. 9) or criminal-offence data (Art. 10). The Controller undertakes not to submit such data.
Annex III — Technical and organisational measures (Art. 32)
- Encryption in transit: TLS for communications to the Service (Let's Encrypt certificates).
- Access control: per-client API key authentication; a dedicated internal token for gateway↔engine communication; restricted permissions on configuration files holding secrets.
- Isolation: separation of service environments; the Controller's data is not copied to unmanaged environments.
- Data minimisation: input schema that does not require name data; no unnecessary persistence of content.
- Automated retention with observability: automatic deletion/anonymisation within 45 days, with a watchdog alerting on failed execution.
- Service monitoring: service-health watchdog with e-mail alerting.
Annex IV — Sub-processors
| Sub-processor | Service | Place of processing | Transfer |
|---|---|---|---|
| Hetzner Online GmbH | Hosting / server infrastructure | Germany (EEA) | None (intra-EEA) |
| VHosting Solution S.r.l. (VAT IT06439660827, Milan) | E-mail services (certaddress.com) | Italy / Germany (EEA) | None (intra-EEA) |
Not sub-processors: ANNCSU (Italian Revenue Agency), ISTAT, OpenStreetMap — used as local replicas on the Processor's infrastructure; the Controller's data is not transmitted to them.
Accept this DPA
Please log in to the client portal to accept this DPA.
CertAddress — Data Processing Agreement v1.0 · governed by Italian law · forum: Gorizia.