Data Processing Agreement

Agreement on the Processing of Personal Data pursuant to Article 28 of Regulation (EU) 2016/679 (GDPR)

Last updated: March 29, 2026

This Data Processing Agreement ("DPA") governs the processing of personal data carried out by SOLIDA Digital Advertising SRL ("Dresium", "Processor") on behalf of the Customer ("Controller") in connection with the use of the Dresium Virtual Try-On service. This agreement supplements and forms part of the Dresium Terms of Service.

1 Definitions

For the purposes of this Agreement, the following definitions apply:

  • "Controller" or "Customer": the natural or legal person who uses the Dresium service on their e-commerce platform and determines the purposes of processing their end customers' data
  • "Processor" or "Dresium": SOLIDA Digital Advertising SRL, which processes personal data on behalf of the Controller
  • "Sub-Processor": a third party engaged by Dresium to carry out specific processing activities
  • "Personal Data": any information relating to an identified or identifiable natural person
  • "Data Subject": the natural person whose personal data is being processed (the end customer of the e-commerce site)
  • "Data Breach": a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data
  • "GDPR": Regulation (EU) 2016/679 of the European Parliament and of the Council

2 Subject Matter and Duration

2.1 Subject Matter

This DPA governs the processing of personal data that Dresium carries out as Processor on behalf of the Customer, in connection with the provision of the Virtual Try-On service via WordPress/WooCommerce plugin and browser extension.

2.2 Duration

This Agreement takes effect from the date of activation of the Dresium service and remains in force for the duration of the contractual relationship between the parties. Obligations relating to confidentiality and data protection survive termination of the relationship.

3 Nature of Processing

3.1 Purpose of processing

Dresium processes personal data exclusively for:

  • Providing the Virtual Try-On service (AI image generation)
  • Managing user authentication and sessions
  • Storing generated images in the user's personal gallery (upon request)
  • Providing technical support and assistance
  • Generating anonymous aggregate statistics on service usage

3.2 Types of personal data processed

Category            | Data type                          | Purpose
Identification data | Name, surname, email address       | Account creation, authentication
Images              | Photographs uploaded by the user   | Virtual Try-On generation
Generated content   | Images and videos produced by AI   | Service delivery
Technical data      | IP address, user agent, timestamp  | Security, logging

3.3 Categories of data subjects

  • End customers: users who use the Virtual Try-On service on merchant e-commerce sites
  • Merchants: e-commerce owners who integrate the Dresium plugin

Important note: Dresium does not process special categories of data (sensitive data) within the meaning of Article 9 GDPR. Photographs are processed exclusively for the Virtual Try-On functionality and not for biometric identification purposes.

4 Processor Obligations

Dresium, as Processor, undertakes to:

  • Process data only on documented instructions from the Controller, unless required to do so by Union or Member State law to which the Processor is subject
  • Ensure confidentiality by ensuring that persons authorized to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality
  • Implement security measures required by Article 32 of the GDPR
  • Comply with conditions for engaging sub-processors under Article 28(2) and (4)
  • Assist the Controller in ensuring compliance with obligations relating to security, breaches, impact assessments, and prior consultation
  • Delete or return all personal data at the end of the provision of services, unless retention is required by law
  • Make available to the Controller all information necessary to demonstrate compliance with obligations and contribute to audits

5 Authorized Sub-Processors

The Controller authorizes Dresium to engage the following sub-processors for service delivery:

Google AI (Gemini)

Provider: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA

Activity: AI image generation for Virtual Try-On

Data processed: User photographs, product images

Applicable documents: Data Processing Addendum | Privacy Policy

xAI (Grok)

Provider: xAI Corp., USA

Activity: AI image and video generation for Virtual Try-On

Data processed: User photographs, product images

Applicable documents: Terms of Service | Privacy Policy

Anthropic (Claude)

Provider: Anthropic PBC, 548 Market St, San Francisco, CA 94104, USA

Activity: AI-powered customer support agent

Data processed: Chat messages and conversation context (no photographs)

Applicable documents: Commercial Terms | Privacy Policy

Stripe

Provider: Stripe, Inc., 354 Oyster Point Blvd, South San Francisco, CA 94080, USA

Activity: Payment processing

Data processed: Payment data (Stripe acts as independent controller)

Applicable documents: Data Processing Agreement | Privacy Policy

5.1 Changes to sub-processors

Dresium will inform the Controller of any changes to the list of sub-processors by email with 30 days' notice. The Controller may object to the appointment of a new sub-processor within 15 days of the notification, providing reasonable and documented grounds. In the absence of an objection, consent is deemed granted.

6 International Transfers

Some sub-processors are located outside the European Economic Area. Transfers of data to third countries are carried out in compliance with Chapter V of the GDPR, through:

  • EU-US Data Privacy Framework (DPF): for certified providers (Google, Stripe)
  • Standard Contractual Clauses (SCCs): adopted by European Commission Decision 2021/914
  • Supplementary measures: end-to-end encryption, pseudonymization where applicable, Transfer Impact Assessment (TIA)

Guarantee: Dresium undertakes not to transfer personal data to third countries without adequate safeguards pursuant to Articles 44-49 of the GDPR.

7 Technical and Organizational Security Measures

Pursuant to Article 32 of the GDPR, Dresium implements the following security measures:

7.1 Technical measures

  • Encryption in transit: TLS 1.3 for all communications
  • Encryption at rest: AES-256 for stored data
  • Authentication: OAuth2/OpenID Connect with MFA support
  • Access control: RBAC (Role-Based Access Control) with least privilege principle
  • Logging and monitoring: recording of access and data operations
  • Backups: daily encrypted backup copies
  • Data isolation: logical separation of data per tenant

7.2 Organizational measures

  • Internal policies: documented procedures for data management
  • Training: periodic staff training on privacy and security
  • Confidentiality agreements: NDAs with all employees and contractors
  • Incident management: procedures for breach detection and response
  • Business continuity: business continuity and disaster recovery plans

8 Personal Data Breach

8.1 Notification to Controller

In the event of a personal data breach, Dresium undertakes to:

  • Notify the Controller without undue delay and in any event within 48 hours of becoming aware of the breach
  • Provide all information necessary for the Controller to comply with the obligation to notify the Supervisory Authority (Art. 33 GDPR)
  • Assist the Controller in communicating to data subjects, if required (Art. 34 GDPR)

8.2 Content of notification

The notification will include, where possible:

  • Description of the nature of the breach
  • Categories and approximate number of data subjects concerned
  • Categories and approximate number of data records concerned
  • Likely consequences of the breach
  • Measures taken or proposed to address the breach and mitigate adverse effects

9 Assistance with Data Subject Rights

Dresium assists the Controller in responding to requests from data subjects exercising their rights under Articles 15-22 of the GDPR:

  • Access: provide a copy of the data processed
  • Rectification: correct inaccurate data
  • Erasure: delete data ("right to be forgotten")
  • Restriction: restrict processing
  • Portability: export data in structured format
  • Objection: cease processing

Requests will be handled within 15 business days of receipt. For complex requests, Dresium will promptly inform the Controller of the time required.

10 Audits and Inspections

Dresium makes available to the Controller the information necessary to demonstrate compliance with the obligations of this DPA and contributes to audits, including inspections:

  • Documentation: upon request, Dresium will provide reports on implemented security measures
  • On-site audits: the Controller may request an audit with at least 30 days' notice, at its own expense
  • Third-party audits: Dresium may make available certifications or independent audit reports (SOC 2, ISO 27001, where available)

Limitations: Audits must not compromise the security or confidentiality of other customers' data. The auditor must sign a confidentiality agreement.

11 Return and Deletion of Data

Upon termination of the contractual relationship, at the Controller's choice:

  • Return: Dresium will return all personal data in a structured, commonly used format (JSON, CSV)
  • Deletion: Dresium will permanently delete all personal data within 30 days of service termination

Exceptions apply to data that Dresium is required to retain by law (e.g., tax documentation: 10 years).

Upon request, Dresium will provide written certification of deletion.

12 Final Provisions

12.1 Governing law and jurisdiction

This Agreement is governed by Italian law. Any dispute arising from the interpretation or performance of this DPA shall be subject to the exclusive jurisdiction of the Court of Palermo.

12.2 Amendments

Dresium may amend this DPA to comply with regulatory changes or to improve the service. Changes will be communicated with at least 30 days' notice. Continued use of the service after this period constitutes acceptance of the changes.

12.3 Contact information

SOLIDA Digital Advertising SRL

Via M. Stabile 160 — 90139 Palermo (PA), Italy

VAT: IT06962150824

DPO Email: dpo@dresium.com

Privacy Email: privacy@dresium.com

Certified Email (PEC): solidadigitaladvertisingsrl@pec.it