| PAGE 1/4 |
AGREEMENT FOR THE APPOINTMENT OF THE DATA PROCESSOR
(pursuant to Art. 28 EU Regulation 2016/679)
Between
hereinafter also the “Controller” or “Client”
and
Openapi S.p.A., with registered office at Viale Filippo Tommaso Marinetti 221, 00143 Rome (RM), VAT No. 12485671007, hereinafter also the “Supplier” or “Processor” (both, hereinafter, jointly the “Parties”)
Whereas
- The Client has engaged the Supplier to provide services via API, entering into a services agreement for this purpose (hereinafter the “Agreement”);
- performance of the Agreement entails that the Supplier carries out, on behalf of the Client, processing operations of personal data, as defined under Art. 4 of EU Regulation 2016/679 (hereinafter “GDPR”), relating to identified or identifiable natural persons (hereinafter “data subject” or “data subjects”);
- pursuant to Art. 28(1) GDPR, where processing is to be carried out on behalf of the controller, the latter may entrust processing activities to a party, known as the processor, provided that it offers sufficient guarantees, in particular in terms of expert knowledge, reliability and resources, to implement technical and organisational measures that meet the requirements of the GDPR and ensure the protection of the rights of the data subject;
- Pursuant to Art. 28(3) GDPR, the processing of personal data by a processor must be governed “by a contract or other legal act under Union or Member State law, that is binding on the processor with regard to the controller and that sets out the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects, and the obligations and rights of the controller”;
- the Client, considering that the Supplier meets the requirements of experience, capability and reliability, intends to appoint the latter, pursuant to Art. 28 GDPR, as processor of the personal data processed for the performance of the Agreement;
Now, therefore, the Parties agree as follows:
- SUBJECT MATTER
- The Client appoints the Supplier, who expressly accepts, as Data Processor pursuant to Art. 28 GDPR, for the processing of personal data described below:
Nature and purposes of the processing: Processing of data aimed at performing the requested services
Categories of data subjects: Natural persons and legal entities
Types of personal data: Name, documents and/or images, identity documents, telephone numbers, financial data
- This Agreement, as well as any subsequent agreements entered into in writing by the Parties, sets out the conditions under which the Processor undertakes to carry out, on behalf of the Client, the processing operations on the personal data to which it has access or which it comes into possession of, as necessary to fulfil the obligations arising from the Agreement and to provide any ancillary services thereto.
- TERM OF THE AGREEMENT
- The term of this Agreement is functionally linked to the duration of the services agreement signed by the parties and mentioned in the recitals; termination of the latter shall automatically entail termination of this Agreement as well, unless further obligations — including statutory ones — require the Processor to continue processing personal data.
- Once the effects of this Agreement cease, for any reason, the Processor shall, at the Client’s discretion:
- return to the Client the personal data processed; or
- proceed to their complete destruction, except solely where retention of the data is required by law and/or for other purposes (accounting, tax, etc.).
- OBLIGATIONS OF THE PROCESSOR TOWARDS THE CLIENT
- GENERAL OBLIGATIONS
- The Processor undertakes to:
- process personal data solely for the purposes related to the performance of the Agreement and described in Art. 1 of this Agreement;
- comply with the provisions of the Code of conduct for the processing of personal data carried out for commercial information purposes signed by the Associazione Nazionale tra le Imprese di Informazioni Commerciali e di Gestione del Credito and approved by the Italian Data Protection Authority, insofar as applicable to the processing activities carried out on behalf of the Client;
- process personal data in accordance with the instructions given by the Client. Should the Processor consider that an instruction given by the Client may constitute a breach of the GDPR or any other provision of Union or Member State law relating to the protection of personal data, it shall promptly inform the Client;
- ensure the confidentiality of the personal data processed under this Agreement;
- identify and appoint the persons authorised to carry out processing operations on the data provided by the Client, defining the scope of the authorisation pursuant to Art. 29 GDPR and providing appropriate training. The Processor warrants that its employees and collaborators are reliable and possess full knowledge of the personal data protection legislation;
- ensure that the above-mentioned persons authorised to process personal data under this instrument undertake to respect confidentiality or are subject to a legal obligation of confidentiality and — also in this case — receive adequate training in personal data protection;
- in the cases required by Art. 37 GDPR, as well as where recommended by the competent supervisory authority, appoint a Data Protection Officer (“DPO”), in compliance with the selection criteria laid down by the GDPR and the guidance of the competent supervisory authority, ensuring compliance with Art. 38 GDPR so as to enable the DPO to effectively perform the tasks set out in Art. 39 GDPR. Where the Supplier has appointed a DPO, the name shall be notified to the Client;
- where applicable, designate in writing any person acting as system administrator(s), according to the definition and guidance of the Italian Data Protection Authority (specifically, the Measures of 27/11/2008 and 26/07/2009), with particular reference to the criteria for identifying and selecting the persons to be appointed, maintaining a list and annually reviewing their work, the logging methods and the retention period of related logical accesses. Where the activity of such System Administrators concerns, even indirectly, services or systems that process, or allow the processing of, personal information of the Client’s employees, communicate to the latter the identity of the appointed System Administrators;
- ensure that its tools, products, applications or services used in processing activities comply with the principles of privacy by design and privacy by default;
- make available to the Client the documentation necessary to demonstrate compliance with all obligations arising from this Agreement or from applicable law;
- allow inspections by the Client or by another person appointed by the Client, during working hours;
- cooperate with the Client if inspections or investigations are carried out by the competent supervisory authorities, either at the Client’s or at the Processor’s premises, in order to demonstrate the compliance of all activities relating to the processing of personal data.
- APPOINTMENT OF SUB-PROCESSORS
- During performance of the Agreement, the Processor is prohibited, pursuant to Art. 28 GDPR, from appointing additional processors (“Sub-processors”) to carry out any processing activity, unless the Client has specifically authorised the Processor to appoint such parties, after prior notice from the Processor to the Client clearly indicating the processing activities to be entrusted, the identity of the Sub-processor and the relevant contact details;
- The legal relationship between the Processor and Sub-processors, although entirely separate from that between the Client and the Processor, must mandatorily comply with the content of this Agreement. Therefore, the Processor undertakes to ensure that the agreement concluded with the Sub-processors does not contain provisions that conflict or could potentially conflict with what is provided herein. In any case, the Processor undertakes to conclude with the Sub-processors an agreement that ensures adequate levels of personal data protection and information security.
- The Processor is nevertheless required to ensure that its obligations regarding data protection arising from this Agreement are valid and binding on the Sub-processors. Should a Sub-processor fail to comply with data protection obligations, the Processor shall be held fully liable to the Client.
- EXERCISE OF DATA SUBJECTS’ RIGHTS
- Where a data subject intends to exercise their rights and submits a request to the Processor, the latter shall immediately forward such request to the Client. In any case, the Processor shall assist the Client, to the extent reasonably possible, in order to enable the controller to comply with requests for the exercise of data subjects’ rights, based on the instructions provided and agreed with the Client. In particular, where the Processor processes data subject to a portability request, it undertakes to assist the controller with appropriate technical and organisational measures to respond to such request.
- NOTIFICATION AND COMMUNICATION OF PERSONAL DATA BREACHES
- The Processor undertakes to notify the Client of any personal data breach without undue delay and in any event no later than 24 hours from the moment it has reasonable suspicion of or becomes aware of a personal data breach. This notification shall be accompanied by all documentation useful to enable the controller, if necessary, to notify the breach to the competent supervisory authority and, where applicable, to the data subjects, in compliance with Arts. 33–34 GDPR.
- SUPPORT TO THE CONTROLLER
- At the Client’s request, the Processor undertakes in particular to:
- assist the Client in carrying out the data protection impact assessment provided for in Art. 35 GDPR;
- assist the Client in any prior consultation with the supervisory authority provided for in Art. 36 GDPR.
- RECORDS OF PROCESSING ACTIVITIES
- The Processor undertakes to draw up the Records of processing activities carried out on behalf of the Client, pursuant to Art. 30 GDPR.
- SECURITY MEASURES
- The Processor undertakes to adopt, for the entire duration of the appointment, appropriate security measures pursuant to Art. 32 GDPR. In particular, such security measures shall be aimed at protecting the data and/or minimising risks in relation to:
- intentional and/or accidental destruction or loss of data;
- unauthorised processing or processing otherwise not compliant with the agreed purposes;
- unauthorised access.
- The Processor is required to update, review, and modify the security measures already adopted whenever specific technical or protection needs so require, after notifying the Client of such need.
- The Processor also expressly undertakes to hold harmless and indemnify the Client against any and all prejudice, including indirect prejudice (including any reputational damage), arising from incorrect compliance with the security measures required by law or contract, or from an incorrect assessment by the Processor of the adequacy of the security measures already in use.
- TRANSFER OF PERSONAL DATA OUTSIDE THE EU
- The Processor undertakes to restrict the circulation and processing of personal data (e.g., storage, archiving and retention of data on its own servers or in the cloud) to EU Member States, with an express prohibition on transferring them to non-EU countries that do not ensure an adequate level of protection, or in the absence of the safeguards provided for by EU Regulation 2016/679 (third country deemed adequate by the European Commission, group BCRs, standard contractual clauses, consent of data subjects, etc.).
- Should the Processor be required to transfer personal data processed on behalf of the Client to a non-EU country and/or to an international organisation, under European Union law or the law of the Member State to which it is subject, it shall inform the Client of such legal obligation before the relevant processing, unless the relevant laws prohibit such information for important reasons of public interest.
- CONFIDENTIALITY
- The Processor undertakes to keep confidential and not disclose the data, documents, information and news of any kind provided by the Client that it becomes aware of for the activities described in this Agreement, even after termination thereof and without any limitation of time or place. In particular, it may not communicate or disseminate any of the information, news, data and documents (unless expressly required by the Client, the supervisory authority or another authority), transfer them to third parties free of charge or for consideration, or use them for any purpose, including for third parties.
- RIGHT TO INFORMATION OF DATA SUBJECTS
- It remains the controller’s obligation, at the time of data collection, to provide data subjects with the information relating to the processing of personal data it carries out, pursuant to Arts. 13–14 GDPR.
- BREACH BY THE PROCESSOR
- In the event of non-minor violations by the Processor of the legislation applicable to personal data processing, the Client shall be entitled to terminate this Agreement, pursuant to Art. 1456 of the Italian Civil Code, with immediate effect for reasons attributable to the Processor, by written notice, without anything further being due, without prejudice to the right to claim damages.
- LIABILITY AND COMPENSATION FOR DAMAGES
- In the event of civil claims for damages, or administrative liability, brought against the Client for damage caused or violations committed by the Processor as a result of non-compliance with laws or contractual obligations, the Processor shall fully indemnify the Client, with all exceptions waived. Likewise, the Processor shall fully indemnify the Client, with all exceptions waived, in the event of sanctions imposed by the supervisory authority for non-compliance with laws or contractual obligations attributable to the Processor.
- In any case, the Processor shall be liable for the damage caused where it has acted in a manner that differs from or is contrary to the legitimate written instructions given by the Client and fails to prove that the non-compliance is not attributable to it.
- GOVERNING LAW AND DISPUTES
- This Agreement is governed by Italian law and, for any dispute between the parties, the court of Rome shall have exclusive jurisdiction.
- MISCELLANEOUS
- Any amendment to this Agreement shall be valid and binding only if made by a written instrument or by written communication, including in electronic form.
- This Agreement cancels and replaces any previous appointment of the Supplier as Data Processor already signed between the Parties in relation to the same processing activities.
- The Parties mutually acknowledge that the entire Agreement and each clause have been specifically negotiated, thereby excluding the applicability of Arts. 1341 and 1342 of the Italian Civil Code.
- Should any provision of this instrument be invalid or unenforceable, the validity and enforceability of the other provisions contained herein shall not be affected.
- For anything not provided for in this Agreement, reference is made to the general provisions in force and applicable in the field of personal data protection.
| PAGE 2/4 |
Signature of the Controller
______________________________________
By signing this document, the Supplier accepts the appointment as Data Processor for the above-mentioned processing activities together with their specific characteristics.
Signature of the Data Processor
Openapi S.p.A.
______________________________________