Data Processing Agreement (DPA)
This Data Processing Agreement (“Agreement”) is made between:
AlgeniaLab Srl, operating as NinjaiBot (the “Processor”), and the Customer (the “Controller”).
Article 1 – Purpose and Scope
This Agreement governs the processing of personal data by AlgeniaLab Srl (NinjaiBot) on behalf of the Controller in accordance with Article 28 of the General Data Protection Regulation (EU) 2016/679 (“GDPR”), the UK GDPR, and the California Consumer Privacy Act (CCPA/CPRA). It applies to all data processed in the provision of the NinjaiBot AI chatbot service.
Article 2 – Duration
This Agreement shall remain in effect for the duration of the service provision and as long as the Processor retains personal data on behalf of the Controller.
Article 3 – Roles and Responsibilities
The Controller determines the purposes and means of the processing. The Processor acts solely on documented instructions from the Controller. The Processor shall not process data for any other purpose, nor disclose it to third parties except as permitted by this Agreement or by law.
Article 4 – Obligations of the Processor
- Process personal data only on written instructions from the Controller;
- Ensure all personnel authorized to process data are bound by confidentiality obligations;
- Implement appropriate technical and organizational measures (Annex II);
- Assist the Controller in ensuring compliance with data subject rights (Articles 15–22 GDPR);
- Assist with breach notifications and Data Protection Impact Assessments (DPIA);
- Delete or return all personal data upon termination of the services;
- Provide documentation to demonstrate compliance and allow audits under reasonable conditions.
Article 5 – Obligations of the Controller
- Ensure that personal data are collected and processed lawfully;
- Provide documented instructions to the Processor;
- Notify the Processor without delay of any errors or irregularities in data processing;
- Obtain all necessary consents from data subjects where required;
- Maintain records of processing activities under its responsibility.
Article 6 – Sub-Processors
The Processor may engage sub-processors to perform specific activities. Each sub-processor shall be bound by written terms equivalent to this Agreement. The Controller authorizes the sub-processors listed in Annex I and will be notified of any intended changes at least 10 days in advance. The Controller may object on legitimate grounds.
Article 7 – International Data Transfers
Where data are transferred outside the European Economic Area (EEA) or the United Kingdom, such transfers shall comply with:
- The EU Standard Contractual Clauses (SCCs) (Decision 2021/914/EU);
- The UK International Data Transfer Addendum; and/or
- The EU-US Data Privacy Framework or equivalent adequacy mechanisms.
Supplementary safeguards, such as encryption and pseudonymization, are applied as necessary.
Article 8 – Security of Processing
The Processor implements a comprehensive information security program to ensure confidentiality, integrity, and availability of data. Details of technical and organizational measures are included in Annex II.
Article 9 – Data Subject Rights
Taking into account the nature of the processing, the Processor shall assist the Controller in fulfilling obligations to respond to data subject requests, including access, rectification, deletion, restriction, portability, and objection, in accordance with Chapter III of the GDPR.
Article 10 – Personal Data Breach
In the event of a personal data breach, the Processor shall notify the Controller without undue delay, and in any case within 48 hours of becoming aware. The notification shall include relevant details and the Processor shall cooperate fully in remediation efforts.
Article 11 – Deletion or Return of Data
Upon termination of the services, the Processor shall delete or return all personal data and confirm deletion in writing within 30 days, unless retention is required by law or agreed otherwise in writing.
Article 12 – Audit Rights
The Controller has the right to conduct audits or request an independent third-party audit report (e.g., ISO 27001 certification evidence) to verify compliance with this Agreement. Such audits must not unreasonably disrupt the Processor’s operations.
Article 13 – Governing Law and Jurisdiction
This Agreement shall be governed by and construed in accordance with the laws of Italy and the GDPR. Any dispute arising from this Agreement shall be subject to the exclusive jurisdiction of the Court of Milan (Italy).
Article 14 – Liability
Each Party’s liability under this DPA is subject to the limitations set forth in the principal Service Agreement. Nothing in this DPA limits the rights or obligations under the GDPR or other applicable privacy laws.
Annex I – Authorized Sub-Processors (Updated)
Technical Sub-Processors
| Provider | Role | Processing Location | Safeguards |
| --- | --- | --- | --- |
| Hosting Solutions (Genesys Informatica S.r.l.) | Primary hosting and virtual infrastructure management for NinjaiBot services. | Italy – Main data center in Florence with national disaster-recovery site. | ISO 27001 & ISO 9001 certified facilities; Data Processing Agreement compliant with Art. 28 GDPR. |
| Hyperstack (NexGen Cloud / hyperstack.cloud) | GPU-cloud provider for AI workloads and inference. | European infrastructure including region NORWAY-1 (Vestland, Norway – EEA). | SCC. Pseudonymized data, advanced security controls, no access to identifiable data. |
| OpenAI, L.L.C. | AI model processing and inference. | USA (via EU Data Privacy Framework and SCCs). | SCC + EU-US Data Privacy Framework compliance; no data used for public model training. |
Annex II – On-Premise Infrastructure and Security
- Local AI Server (ML Node 1) equipped with Nvidia RTX GPU, Xeon/Ryzen CPU, 128 GB RAM, encrypted NVMe storage.
- FAISS and SQL Server databases for logging and telemetry.
- Isolated AI VLAN network, accessible only via VPN.
- Firewall, IDS, centralized logging, AES-256 encryption, TLS 1.3.
- Daily encrypted backups (30-day retention) and semi-annual security audits.
- Role-based access control, MFA, least-privilege policies.
- Continuous monitoring and staff training on security and privacy.
- Privacy-by-design and privacy-by-default principles.