Data Processing Agreement

Last updated 03/04/2023


  1. The contract forthe license to use the SaaS Utopia application, including in the Free Trial version, entails the operation by Dilaxia S.p.A. (hereinafter, Dilaxia or Responsible) of certain personal data of interested natural persons on behalf of the user, who is the Holder of the operation, as defined by art. 4 par. 7 of EU Reg. 2016/679;
  2. This Data Processing Agreement (hereafter, DPA) is an integral part of the Terms and Conditions of Service;
  3. ThisDPA describes the specific duties, tasks and requirements so that the operation of personal data carried out on behalf of the Data Controller by the operation Officer complies with the requirements imposed by applicable data protection legislation to date, national and/or EU;
  4. The operations performed, the nature and purpose of operation, the type of personal data and the categories of data subjects covered by this DPA are:

Stakeholder categories

  • Employees and Collaborators in various capacities of theTitleholder
  • Suppliers (e.g., sole proprietorships) and freelancers who work with the Holder

Type of Personal Data Subject to operation

  • Common personal data (master and contact information)

Nature and purpose of the operation

  • Management, development and maintenance of Utopia software for service delivery.

The forewords form an integral part of this DPA.

All this being said and considered, the Owner of operation designates Dilaxia S.p.A., pursuant to and in accordance with Article 28Reg. UE 2016/679 (hereinafter, GDPR), as the Responsible Party for operation for the entire duration of use of the Utopia SaaS, as reasonably necessary for the provision of services and in accordance with the obligations imposed by this DPA.

By signing this DPA, the person in charge of operation undertakes to carry out the activities of operation of the data in a lawful, transparent and fair manner as well as in full compliance with all regulatory provisions on operation of personal data, as well as the following and specific instructions:

Art. 1 Purpose

1.1 The operation Manager agrees to comply with any applicable data protection laws or regulations and with respect to the information subject to operation shall not perform any operation operations further and/or other than those necessary for the operation, maintenance and development of Utopia, unless the further activity of operation is required by a law from time to time in force to which the operation Manager is subject.

1.2 The Owner authorizes the Manager to process personal data as reasonably necessary to perform the service as well as in accordance with the terms and conditions of this DPA.

1.3 The object of the activities of operation personal data is the provision of SaaS service in favor of the Owner. The description of operations, including information regarding the duration, nature and purpose of operation, the types of personal data and the categories of persons covered by operation are governed in the recitals to this DPA, as integral and substantive parts thereof.

1.4 TheResponsible person undertakes to maintain a record of the activities of operation, as provided for in Article 30(2) of the GDPR, in which the characteristics of the operations he/she performs on behalf of the Owner are indicated.

Art. 2 Personnel of the Manager

2.1 The Head of operation ensures that personnel involved in operation of personal data have been informed in advance of the confidential nature of the information being processed, have received appropriate instruction regarding their responsibilities, and have signed a specific binding legal obligation designed to protect the confidentiality of personal data processed.

2.2 The Manager of operation shall ensure that access to personal data is limited to personnel authorized in advance to pursue the purposes of the service and this DPA.

Art. 3 Security and Audit

3.1 The Responsible operation shall take appropriate technical and organizational measures for the security (including prevention from unauthorized operation , accidental or unlawful destruction, loss of availability or alteration or damage of data, unauthorized disclosure or unlawful access to personal data), confidentiality and integrity of personal data processed. These measures must include, in accordance with Article 32 GDPR, where appropriate and applicable:

  • pseudonymisation and encryption of personal data;
  • the ability to ensure, on an ongoing basis, the confidentiality, integrity, availability and resilience of the systems and services of operation;
  • The ability to restore availability and access to personal data, in a timely manner, in the event of a physical or technical incident;
  • a procedure for testing, determining and periodically evaluating the effectiveness of technical and organizational measures to ensure the security of operation personal data;

3.2 In assessing the appropriate level of security, the operation Manager must take into account the risks regarding operation of personal data, particularly to prevent any breach of security, in accordance with the rules and regulations on data protection.

3.3 The Responsible of operation agrees that the Owner or its designated representatives, with at least 15 (fifteen) working days' notice, may inspect and verify the installations and information systems for the operation of the data carried out by the Responsible in order to ascertain their compliance with the terms of this DPA and the legislation on the protection of personal data. In the hypotheses provided for in this point, the Data Controller and/or the members of its organization, or the representatives designated by the latter, undertake to maintain loyal, cooperative and transparent behavior throughout the duration of the activities performed with respect to the Responsible.

Art. 4 Sub-Responsibilities

4.1 The Manager of operation may use another Manager only with the specific or general written authorization of the Owner. The Responsible Party shall provide, upon request of the Owner, the list of its Sub-Responsible Parties operation in relation to the operation referred to in the execution of the service.The signing of this DPA shall count as general written authorization.

4.2 The Manager of operation is required to inform the Owner about the selection, addition, or replacement of any additional Manager of operation.

4.3 Prior to allowing access by the additional Responsible Party to personal data, the Responsible Party of operation shall ensure that such other Responsible Party is obligated, through a written contract or other legal act under Union or Member State law, to comply with the same data protection obligations set forth in this DPA.

Article 5 Rights of Data Subjects

5.1 The Head of operation will notify the Data Controller without undue delay of instances received from a data subject relating to the exercise of a right of the data subject as provided for in Articles 15-22 of EU Regulation 2016/679.

5.2 Upon the Holder's request, the Manager of operation will provide reasonable assistance to the Holder in processing the requests referred to in section5.1 above.

Art. 6 Data Breach

6.1 The Person in charge of operation must notify the Owner, without undue delay and, in any case, within forty-eight (48) hours from the time the Person in charge of operation becomes aware of it, of the security incident or breach of security measures that led to unauthorized use, destruction, loss, disclosure, accidental or unlawful, alteration, unlawful access of the personal data subject to operation or any other breach of security that results in a loss of confidentiality, integrity or availability of the processed personal data.

6.2 In its communication, the operation Manager must indicate any useful information to enable the Holder to fulfill its obligations to notify the competent Supervisory Authority or to inform the data subjects involved in the Data Breach.

6.3 In the cases referred to in 6.2 above, the Manager shall assist the Owner by initiating an analysis aimed at collecting the following information:

  • Date and time when the violation became known;
  • Source report;
  • Type of violation and information involved;
  • Abnormal event description;
  • Number of stakeholders involved;
  • Numerosity of personal data of which a breach is alleged;
  • Indication of where the data breach occurred, including whether it occurred as a result of loss of devices or portable media;
  • Description of the data processing or storage systems involved, including their location;
  • Description of the technical and organizational security measures taken to ensure the security of the data, systems and IT infrastructure involved in the event.

Article 7 Impact assessment

7.1 The Data Protection Officer at operation undertakes to provide reasonable assistance to the Data Controller in ensuring compliance with obligations relating to the data protection impact assessment as well as any prior consultation with the Supervisory Authority.

Article 8 Return or deletion of personal data

8.1 Upon request and at the choice of the Owner, from the date of expiration of theService, the Manager undertakes to delete and/or return all personal data processed on behalf of the Owner within 90 (ninety) days. The latter may obtain the deletion of the data subject to operation in the event that there is no legal obligation on the part of theResponsible to retain them, arising from the Community and/or national legislation in force.

Art. 9 Effectiveness and termination

9.1 This DPA shall be effective as of the date of the Holder's subscription, exercisable by specific check mark at the time of first access to Utopia SaaS, and shall be valid, including any renewals, until the termination of all effect of the Service, for whatever cause occurred.

Art. 10 System Administration

10.1 WHEREAS, the General Provision of the Italian Guarantor for the Protection of Personal Data "Measures and expedients prescribed for the owners of operations carried out by electronic means with regard to the attributions of the functions of system administrator - of November 272008" has introduced some specific requirements for system administrators as a result of the functions by means of which some operations of operation involve special and broader privileges for access to personal data, i.e., when the activities are carried out in a context that makes it technically possible to access, even incidentally, personal data, hence the need to provide greater protection for access to personal data.

10.2 WHEREAS, the System Administrator has been chosen because he or she provides sufficient and suitable guarantees of experience, ability, and reliability regarding the application of data protection regulations, including with specific reference to the security of the personal data processed.

10.3 The Owner assigns the function of System Administrator to the Manager, specifying the following instructions:

  • The Manager undertakes to designate each administrator (natural person) of the Owner's systems also ensuring the experience, capacity and reliability of the designated person.
  • Upon written request from the Owner, upon reasonable notice, the Manager undertakes to communicate the identification details of the natural persons who are system administrators, with the functions assigned to them.
  • The Manager undertakes to make log systems operational for the unalterable recording of computer authentications (access logs) of designated system administrators, with at least semi-annual retention;
  • The Manager undertakes to audit, at least annually, the accesses of the system administrators so as to verify their compliance with the organizational, technical and security measures concerning the operations of personal data carried out on behalf of the Owner.
  • System Administrators designated by the Manager shall access information systems using unique credentials or, as a second resort and only if strictly necessary, using technical or generic credentials for systems administration.

10.4 The function of System Administrator assigned to the Manager of operation shall commence from the date of acceptance of this DPA and shall be effective until the termination of the Service.

Article 11 Responsibilities and Indemnities

11.1 The Person in charge of operation undertakes to indemnify and hold harmless the Owner from any loss, cost, penalty, damage and any liability ascribed to the latter arising from the violation by the Person in charge, its own authorized persons or its additional Persons in charge, of the provisions contained in this DPA and/or of the applicable data protection provisions.

11.2 If the Responsible person violates any of the provisions of this agreement, determining the purposes and means of operation personal data, the same will be considered for all purposes as an autonomous owner of the activities of operation for which he/she determined, independently and in violation of this DPA, the purposes and means of operation.

Article 12 Holder's Guarantees

12.1 The Owner warrants to the Manager that the data covered by operation:

  • are relevant and not excessive in relation to the purposes for which they were collected and subsequently processed;
  • personal data subject to the operations of operation entrusted to the Responsible, are collected and transmitted in compliance with applicable legislation. It is understood that it remains the responsibility of the Data Controller to identify the legal basis of operation the personal data of the data subjects.

Article 13 Final provisions and referral

13.1 The signing of this DPA does not provide for any additional compensation to the Manager over and above that already agreed upon in the Service.

13.2 For matters not expressly provided for, please refer to the applicable data protection regulations.

Art.14 DPO / DPO Contacts

12.1 The contact address of the Data Protection Officer of the Manager is:

More than 2500 customers have already chosen UTOPIA


Book a tailor-made demo or speak directly with our sales team.

contact us
Authorised persons
operations managed
Assets secured
Privacy policy generated