DATA PROCESSING AGREEMENT
Last updated: 2026-06-25
between
[CUSTOMER LEGAL NAME] (the "Controller")
[CUSTOMER REGISTERED ADDRESS]
[CUSTOMER VAT / REGISTRATION NUMBER]
represented by [CUSTOMER SIGNATORY NAME], [CUSTOMER SIGNATORY ROLE]
and
Grewing Mirko D.I. (the "Processor" or "ObligoBoard")
Via delle Casine 19, Firenze, Italia
P.IVA: IT07214970480
Codice Fiscale: GRWMRK79T26H501F
PEC: mirko.grewing@pec.net
represented by Mirko Grewing, Owner
each a "Party" and together the "Parties".
RECITALS
(A) The Controller and the Processor have entered into one or more service agreements concerning the use of the ObligoBoard software-as-a-service platform (the "Principal Agreement").
(B) Performance of the Principal Agreement requires the Processor to process personal data on behalf of the Controller within the meaning of Regulation (EU) 2016/679 ("GDPR") and, where applicable, the equivalent UK GDPR retained legislation.
(C) This Data Processing Agreement (the "DPA") sets out the terms on which the Processor processes such personal data and forms an integral part of the Principal Agreement, in compliance with Article 28 GDPR.
1. DEFINITIONS
1.1 Capitalised terms not defined in this DPA shall have the meaning given to them in the GDPR. The following definitions apply:
- "Controller" — the natural or legal person identified as the customer in the Principal Agreement, who determines the purposes and means of the processing of Personal Data.
- "Personal Data" — any personal data within the meaning of Article 4(1) GDPR processed by the Processor on behalf of the Controller in connection with the Principal Agreement.
- "Personal Data Breach" — a breach of security as defined in Article 4(12) GDPR.
- "Processing" — any operation or set of operations as defined in Article 4(2) GDPR.
- "Processor" — Grewing Mirko D.I., trading as ObligoBoard.
- "Standard Contractual Clauses" or "SCCs" — the standard contractual clauses for the transfer of personal data to third countries adopted by Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
- "Sub-processor" — any third party engaged by the Processor to process Personal Data on behalf of the Controller.
2. SUBJECT MATTER, NATURE AND PURPOSE
2.1 Subject matter. Provision of the ObligoBoard SaaS platform (compliance management software) to the Controller, as further described in the Principal Agreement.
2.2 Nature and purpose. Hosting, storage, retrieval, transmission, organisation, and deletion of Personal Data necessary for the operation of the platform features used by the Controller, including but not limited to: user authentication, organisation management, compliance task tracking, evidence storage, document generation (privacy policies, cookie policies), cookie scanning, billing administration, and customer support.
2.3 Documented instructions. The Controller's documented instructions to the Processor are constituted by the Principal Agreement, this DPA, and the Controller's use of the platform features within their intended functionality. Any additional instructions must be issued in writing.
3. DURATION
3.1 This DPA enters into force on the effective date of the Principal Agreement and remains in force for the duration of the Principal Agreement, plus any post-termination period required by the Processor to fulfil its obligations under Section 6.8 (Return or Deletion).
4. CATEGORIES OF DATA SUBJECTS AND PERSONAL DATA
4.1 Categories of data subjects.
- The Controller's employees, contractors, and authorised users of the platform
- The Controller's contact persons, vendors, and other third parties whose data the Controller chooses to upload to the platform
- Data subjects whose data is referenced in compliance documentation, policies, evidence, or records uploaded by the Controller
4.2 Categories of Personal Data.
- Identity data: name, email, role/title
- Authentication data: password hashes, session tokens, two-factor authentication identifiers
- Organisation data: organisation name, address, VAT number, contact details
- Activity data: actions performed on the platform, timestamps, IP addresses, audit logs
- Content data: documents, evidence files, compliance records, policy text, cookie scan results, free-text fields entered by users
- Billing data: invoicing information processed via Stripe (limited; see Annex III)
- Any further Personal Data the Controller chooses to upload via platform features
4.3 Special categories. The Controller shall not upload special categories of Personal Data within the meaning of Article 9 GDPR, or data relating to criminal convictions and offences (Article 10 GDPR), unless expressly agreed in writing in advance with the Processor.
5. CONTROLLER OBLIGATIONS
5.1 The Controller warrants that:
- (a) it has a valid lawful basis under Article 6 GDPR (and where applicable Article 9 GDPR) for the Processing it instructs the Processor to perform;
- (b) it provides the relevant data subjects with the information required by Articles 13 and 14 GDPR;
- (c) it maintains the records of processing required by Article 30(1) GDPR for processing carried out as Controller;
- (d) it issues documented instructions only for processing that is lawful, necessary, and proportionate.
5.2 The Controller is responsible for the accuracy, quality, and lawfulness of the Personal Data it provides to the Processor.
6. PROCESSOR OBLIGATIONS
6.1 Documented instructions. The Processor shall process Personal Data only on the Controller's documented instructions, including with regard to transfers to third countries, unless required to do otherwise by EU or Member State law to which the Processor is subject. In such a case, the Processor shall inform the Controller of that legal requirement before processing, unless the law prohibits such information on important grounds of public interest.
6.2 Confidentiality of personnel. The Processor shall ensure that persons authorised to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
6.3 Security measures. The Processor shall implement and maintain the technical and organisational measures described in Annex II to ensure a level of security appropriate to the risk, in compliance with Article 32 GDPR. The Processor shall regularly test, assess, and evaluate the effectiveness of these measures.
6.4 Sub-processors.
(a) General authorisation. The Controller grants the Processor a general written authorisation to engage Sub-processors for the Processing of Personal Data, subject to this Section 6.4. The current list of Sub-processors is set out in Annex III.
(b) Notification of changes. The Processor shall inform the Controller of any intended additions or replacements of Sub-processors at least thirty (30) days in advance via email to the Controller's billing or admin contact, or via in-platform notification.
(c) Right to object. Within thirty (30) days from such notification, the Controller may object on reasonable, documented data-protection grounds. If the Parties cannot agree on a solution within a further thirty (30) days, the Controller may terminate the Principal Agreement and this DPA by written notice, without penalty in respect of the unexpired portion of the term. Continued use of the platform after the notice period is deemed acceptance of the Sub-processor change.
(d) Sub-processor obligations. The Processor shall impose on each Sub-processor, by written contract, data-protection obligations equivalent to those imposed on the Processor under this DPA. The Processor remains fully liable to the Controller for the Sub-processor's performance of those obligations.
6.5 Assistance with data subject rights. Taking into account the nature of the Processing, the Processor shall assist the Controller, by appropriate technical and organisational measures and insofar as possible, in fulfilling the Controller's obligations to respond to requests for the exercise of data-subject rights under Articles 12-22 GDPR. Where requests are made directly to the Processor, the Processor shall promptly notify the Controller and shall not respond directly except on the Controller's instructions or as required by law.
6.6 Personal Data Breach notification. The Processor shall notify the Controller without undue delay and in any event within seventy-two (72) hours after becoming aware of a Personal Data Breach affecting the Personal Data. The notification shall include, to the extent known at the time:
- (a) the nature of the breach, including the categories and approximate number of data subjects and records concerned;
- (b) the likely consequences;
- (c) the measures taken or proposed to address the breach and mitigate its effects;
- (d) the contact point for further information.
The Processor shall provide additional information as it becomes available and cooperate with the Controller in fulfilling the Controller's notification obligations under Articles 33 and 34 GDPR.
6.7 DPIA assistance. The Processor shall provide reasonable assistance to the Controller, taking into account the nature of the Processing and the information available to the Processor, with any data protection impact assessments and prior consultations with supervisory authorities required under Articles 35 and 36 GDPR.
6.8 Return or deletion. Upon termination or expiration of the Principal Agreement, the Processor shall, at the Controller's choice expressed in writing within thirty (30) days of termination, either:
- (a) return all Personal Data to the Controller in a structured, commonly used, machine-readable format; or
- (b) delete all Personal Data,
unless EU or Member State law requires storage of the Personal Data. If the Controller makes no choice within the thirty (30) day period, deletion applies by default. The Processor shall confirm in writing, within sixty (60) days, that return or deletion from production systems is complete. Backup copies are deleted in accordance with the Processor's regular backup-rotation schedule, with a maximum residual retention of ninety (90) days after termination; until then they remain subject to the security measures in Annex II and are not restored to production except as necessary to recover from a loss of data.
6.9 Audit cooperation.
- (a) The Processor shall make available to the Controller all information necessary to demonstrate compliance with Article 28 GDPR.
- (b) The Controller may audit the Processor's compliance with this DPA at the Controller's expense, no more than once per twelve-month period (unless following a Personal Data Breach affecting the Controller), upon at least thirty (30) days' written notice and during the Processor's normal business hours.
- (c) The Processor may satisfy audit requests by providing relevant third-party certifications, attestations, or audit reports (including ISO 27001 certifications and SOC 2 reports of Sub-processors) where reasonably appropriate.
- (d) The Controller and its auditors shall comply with the Processor's reasonable security and confidentiality requirements during any on-site audit.
- (e) Audit findings shall be promptly addressed by the Processor through a documented remediation plan.
7. INTERNATIONAL TRANSFERS
7.1 The Processor shall not transfer Personal Data outside the European Economic Area ("EEA") or the United Kingdom except:
- (a) to a country covered by an adequacy decision pursuant to Article 45 GDPR; or
- (b) under appropriate safeguards pursuant to Article 46 GDPR, including the Standard Contractual Clauses (Module 2 — Controller to Processor, or Module 3 — Processor to Sub-processor, as applicable); or
- (c) under another lawful transfer mechanism specified in Chapter V GDPR.
7.2 Where Sub-processors are located outside the EEA or the UK, the Processor warrants that an appropriate transfer mechanism is in place, as detailed in Annex III.
7.3 To the extent the Processor relies on the SCCs to transfer Personal Data to a Sub-processor in a third country, the Controller hereby provides the Processor with the authority required to enter into such SCCs on the Controller's behalf, on terms not less protective than those imposed by this DPA.
8. LIABILITY
8.1 Each Party's liability under or in connection with this DPA is subject to the limitations and exclusions of liability set out in the Principal Agreement, except where such limitations would conflict with applicable mandatory law (including Article 1229 of the Italian Civil Code, which prohibits exclusions of liability for colpa grave and dolo, i.e. gross negligence and wilful misconduct).
8.2 Notwithstanding any cap on liability in the Principal Agreement, each Party retains liability towards data subjects under Article 82 GDPR. Where one Party has paid full compensation for damage suffered by a data subject, that Party may claim back from the other Party the part of the compensation corresponding to the other Party's responsibility for the damage.
8.3 The Processor's aggregate liability under this DPA is capped in accordance with the Principal Agreement, with the exception of:
- (a) liability for damages caused by Processing in violation of clearly documented instructions of the Controller;
- (b) liability for breaches of Section 6.6 (Breach Notification);
- (c) liability for breaches of Section 6.8 (Return or Deletion) where such breach causes a Personal Data Breach;
- (d) regulatory fines imposed on the Processor that are attributable to the Processor's wilful misconduct or gross negligence.
9. TERM AND TERMINATION
9.1 This DPA terminates automatically upon termination of the Principal Agreement, subject to Section 6.8 (Return or Deletion) and any other surviving obligations.
9.2 Any provision intended to survive termination shall continue in force after termination, including (without limitation) Sections 6.8 (Return or Deletion), 8 (Liability), and 11 (Governing Law).
10. AMENDMENTS
10.1 The Processor may update this DPA to reflect changes in applicable law, regulatory guidance, or material changes in the Processor's processing operations. Material amendments require thirty (30) days' written notice to the Controller.
10.2 If the Controller objects to a material amendment on documented data-protection grounds and the Parties cannot agree on a solution within thirty (30) days, the Controller may terminate the Principal Agreement without penalty in respect of the unexpired portion of the term.
11. GOVERNING LAW AND JURISDICTION
11.1 This DPA is governed by Italian law.
11.2 The Parties submit to the exclusive jurisdiction of the Tribunale di Firenze (Court of Florence, Italy), without prejudice to mandatory data-subject rights under Article 79(2) GDPR.
12. ORDER OF PRECEDENCE
12.1 In case of conflict between this DPA and the Principal Agreement, this DPA prevails to the extent the conflict relates to the processing of Personal Data.
12.2 In case of conflict between this DPA and the SCCs (where applicable), the SCCs prevail to the extent of the conflict.
13. SEVERABILITY
13.1 If any provision of this DPA is held to be invalid or unenforceable, the remaining provisions remain in full force and effect, and the Parties shall replace the invalid provision with a valid provision that most closely reflects the original intent.
ANNEX I — DESCRIPTION OF PROCESSING
| Item | Specification |
|---|---|
| Subject matter | Provision of the ObligoBoard SaaS compliance-management platform |
| Duration | For the duration of the Principal Agreement, plus the wind-down periods in Sections 6.8 and 9 |
| Nature and purpose | Authentication, hosting, storage, retrieval, transmission, organisation, presentation, and deletion of Personal Data uploaded or generated through the platform |
| Categories of data subjects | Controller's employees, contractors, authorised users; vendors and contacts the Controller chooses to upload; data subjects referenced in compliance documentation |
| Categories of Personal Data | Identity, authentication, organisation, activity, content, billing data — see DPA Section 4.2 |
| Special categories | Not permitted unless expressly agreed in advance |
| Frequency | Continuous during the term of the Principal Agreement |
| Retention | For the duration of the Principal Agreement and as configured by the Controller; deletion or return per Section 6.8 |
ANNEX II — TECHNICAL AND ORGANISATIONAL MEASURES (Article 32 GDPR)
The Processor maintains the following measures, which it reviews and updates regularly.
Encryption
- Encryption in transit (TLS 1.2 or higher) for all platform endpoints
- Encryption at rest (AES-256) for Personal Data stored in the production database
- Encryption at rest for Personal Data stored in object storage (Vercel Blob)
Access control
- Strong password authentication (bcrypt-hashed credentials) with session-token expiry for all administrative and customer access
- Role-based access control within the platform
- Principle of least privilege for all internal access
- Session timeout and inactivity logout
- Audit logs of administrative actions, retained for at least twelve (12) months
Pseudonymisation and anonymisation
- Pseudonymisation applied to identifiers in non-production environments
- Anonymisation of usage telemetry where possible
Resilience
- Automated daily backups with point-in-time recovery
- Multi-region redundancy via the cloud provider's infrastructure
- Disaster-recovery procedures with documented Recovery Time Objective (RTO) and Recovery Point Objective (RPO)
Testing and assessment
- Vulnerability scanning of third-party dependencies via GitHub's automated alerts on every release
- Automated test suite (unit, integration, end-to-end, and a tenant-isolation fuzz suite that exercises multi-tenant data-access boundaries) executed on every pull request before merge to the production branch
- TypeScript type-checking on every pull request
- Migration-checksum verification on every pull request (prevents schema drift between development, staging, and production)
- Mandatory pull-request review for every merge into the production branch (no direct pushes; branch-protection enforced)
Personnel
- The Processor is a Ditta Individuale (Italian sole trader); the natural person Mirko Grewing is the only person with administrative access to Personal Data. The confidentiality commitment required by Section 6.2 is therefore given by him personally, in addition to the professional-secrecy duties that bind him under Italian law.
- The Processor keeps current on data-protection and information-security developments through ongoing study of EDPB guidance, guidance of the Italian Garante, and industry security publications. Formal onboarding and offboarding procedures and a structured awareness-training programme will be introduced when the business grows beyond a sole-trader operation and personnel other than the owner gain access to Personal Data; this DPA will be amended at that point under Section 10.1.
Incident response
- 24/7 security alerting via the cloud providers' platform monitoring (Vercel and Neon)
- Incident handling follows GDPR Articles 33 and 34, with notification to affected Controllers within seventy-two (72) hours of the Processor becoming aware of a Personal Data Breach, as set out in Section 6.6 of this DPA
- A written incident-response runbook will be maintained when the business grows beyond a sole-trader operation; until then, response decisions are taken by the Processor personally against the Article 33-34 framework above, and each incident is documented in accordance with Article 33(5) GDPR
Sub-processor diligence
- Sub-processor selection criteria including data-protection assessment
- Contractual obligations imposed by written agreement (DPAs/MSAs)
- Diligence relies on each Sub-processor's published security attestations (e.g. ISO 27001, SOC 2 Type II) where available; the Processor reviews any material change in those attestations as it becomes aware of it
ANNEX III — SUB-PROCESSORS
The following Sub-processors are engaged by the Processor as of the date of this DPA. The list is updated in accordance with Section 6.4.
| Sub-processor | Role / Service | Region (data location) | Transfer mechanism (where applicable) |
|---|---|---|---|
| Vercel Inc. | Application hosting, CDN, edge runtime, blob storage | EU (Frankfurt) primary; global edge | EU SCCs (Module 3) for any US fallback; Vercel DPA in place |
| Neon Inc. | Managed PostgreSQL database hosting | EU (Frankfurt) | EU SCCs (Module 3); Neon DPA in place |
| Stripe Payments Europe Ltd. | Payment processing, subscription billing | EU (Ireland) primary; some routing to US via Stripe global infrastructure | Stripe DPA + EU SCCs (Module 3); Stripe is also an independent Controller for fraud-prevention purposes |
| Resend Inc. | Transactional email delivery | EU (Frankfurt) and US | EU SCCs (Module 3) for US-region processing; Resend DPA in place |
| Font Awesome (Fonticons, Inc.) | Icon CDN serving | Global edge (US-headquartered) | EU SCCs (Module 3); Font Awesome DPA available; minimal Personal Data — IP address and User-Agent only via CDN logs |
The latest version of this list is published at https://obligoboard.com/sub-processors. Material updates trigger the notification mechanism in Section 6.4(b).
ANNEX IV — STANDARD CONTRACTUAL CLAUSES
Where Personal Data is transferred to a Sub-processor in a third country in the absence of an adequacy decision, the Parties incorporate the Standard Contractual Clauses adopted by Commission Implementing Decision (EU) 2021/914, with:
- Module 3 (Processor to Processor) selected for transfers Processor → Sub-processor;
- Module 2 (Controller to Processor) where the Controller transfers data directly to a Processor outside the EEA;
- Clause 7 (docking clause) selected;
- Clause 9(a) Option 2 (general written authorisation) selected, with the notification period set to thirty (30) days as in Section 6.4(b);
- Clause 11(a) option (independent dispute-resolution body) not selected;
- Clause 17 Option 1 (governing law of an EU Member State allowing third-party-beneficiary rights): governing law of Italy;
- Clause 18 (forum and jurisdiction): Italy;
- Annex I.A and I.B populated with the Parties' details from this DPA;
- Annex I.C: the Italian Garante per la protezione dei dati personali;
- Annex II populated with the technical and organisational measures from Annex II of this DPA;
- Annex III populated with the Sub-processors from Annex III of this DPA.
For transfers subject to the UK GDPR, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner's Office (the "UK Addendum") applies in conjunction with the SCCs selected above.
SIGNATURE BLOCK
| For the Controller | For the Processor |
|---|---|
| Name: [CUSTOMER SIGNATORY NAME] | Name: Mirko Grewing |
| Role: [CUSTOMER SIGNATORY ROLE] | Role: Owner (titolare) |
| Date: [DATE] | Date: [DATE] |
| Signature: ________________________ | Signature: ________________________ |