Version 2.2 – March 2026
This Data Processing Agreement (hereinafter "DPA" or "Agreement") forms an integral part of the SecBox Shield service agreement and governs the processing of personal data carried out by SecBox on behalf of the Customer pursuant to and for the purposes of Art. 28 of Regulation (EU) 2016/679 (hereinafter "GDPR").
Parties
Data Controller: the Customer, as identified in the SecBox Shield service agreement signed between the parties (hereinafter "Controller").
Data Processor: SecBox, IT consultant, VAT No. 03738170780, Certified E-mail (PEC) [email protected], provider of the SecBox Shield service (hereinafter "Processor").
1. Subject Matter and Duration
The Processor shall process the Controller's personal data exclusively within the scope and limits of the activities necessary for the provision of the SecBox Shield service, in accordance with the documented instructions of the Controller and the provisions of this Agreement.
This DPA enters into force concurrently with the signing of the service agreement and shall remain in force for its entire duration. The provisions of Art. 7 (deletion and return of data) shall continue to apply even after the termination of the agreement.
2. Purpose and Limitations of Processing
The Processor shall process personal data exclusively for the following purposes, which are strictly related to the provision of the service:
| Purpose | Description |
|---|---|
| Security infrastructure management | Configuration, monitoring, and updating of the next-generation firewall, VPN, and DDoS protection systems |
| Collection and retention of security logs | Acquisition of network events, access attempts, VPN connections, and security alerts using WORM technology |
| Technical support and incident management | Intervention in response to tickets and security incidents that require the analysis of the infrastructure's technical data |
| Periodic reporting | Generation of reports on uptime and security events for the contractual plans that include it |
The Processor shall not process the data for its own purposes, for commercial purposes, or for profiling. Any processing that falls outside the purposes indicated above requires documented instruction from the Controller.
3. Nature of the Data and Categories of Data Subjects
3.1 Categories of personal data processed
| Category | Type of data |
|---|---|
| Technical network identifiers | Public and private IP addresses, MAC addresses |
| VPN connection logs | Timestamp, authenticated user, source and destination IP, session duration |
| Network traffic data | Protocols, ports, volumes (without inspection of packet content) |
| Security event logs | Intrusion attempts, triggered firewall rules, DDoS alerts |
| Personal data of technical contacts | First name, last name, email address, telephone number |
Data belonging to the special categories referred to in Art. 9 of the GDPR are excluded from the processing, unless they are contained within the traffic of the Controller's infrastructure. In such a case, the Controller is required to inform the Processor in advance and in writing, in order to agree on the necessary additional measures.
3.2 Categories of data subjects
The scope of this Agreement includes employees, collaborators, and third parties authorised by the Controller who use the network infrastructure protected by SecBox Shield, as well as any end-users whose data transit through said infrastructure within the scope of the Controller's activities.
4. Obligations of the Processor
The Processor undertakes to:
a) Process data according to the Controller's instructions. The Processor shall process personal data only on documented instruction from the Controller, including with regard to transfers of data to third countries. If the Processor is required to carry out processing imposed by an applicable legal provision, it shall inform the Controller in advance, unless the applicable law prohibits it from doing so.
b) Ensure the confidentiality of authorised personnel. The Processor shall ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. Access to data is limited to personnel who need it to perform their duties.
c) Adopt appropriate security measures. The Processor shall adopt and maintain the technical and organisational measures described in Art. 5 of this Agreement, ensuring a level of security appropriate to the risk pursuant to Art. 32 of the GDPR.
d) Comply with the conditions for engaging sub-processors. The Processor shall not engage another processor without prior written authorisation from the Controller. For the sub-processors already listed in Art. 6, authorisation is deemed to be granted upon the signing of this Agreement. For any additional sub-processor, the Processor shall notify the Controller with at least 30 days' prior notice, allowing the Controller to object in writing within said period. In the event of an objection, the parties undertake to find an alternative solution in good faith. The Processor shall remain fully liable to the Controller for the obligations of the sub-processors it appoints.
e) Assist the Controller in fulfilling the rights of data subjects. The Processor, within the scope of its activities and in a manner proportionate to the purposes of the processing, shall assist the Controller in responding to requests for exercising the data subject's rights pursuant to Arts. 15-22 of the GDPR. Should the Processor receive a request directly from a data subject, it shall inform the Controller without undue delay.
f) Assist the Controller in complying with its legal obligations. The Processor, taking into account the nature of the processing and the information available to it, shall assist the Controller in ensuring compliance with the obligations provided for in Arts. 32-36 of the GDPR, particularly concerning security measures, breach notifications, data protection impact assessments (DPIAs), and prior consultation with the Supervisory Authority.
g) Delete or return data upon termination of the contract. Upon termination of the service agreement, the Processor, at the choice of the Controller communicated within 30 days of termination, shall either: (i) carry out the secure and certified deletion of all of the Controller's personal data present in its systems, issuing a written attestation within 60 days of the request; or (ii) deliver a complete export of the data in a structured, machine-readable format within 30 days of the request. Data whose retention is required by applicable legal provisions are excluded from the immediate deletion obligation but, once the retention obligation has expired, they shall be deleted without delay.
h) Cooperate with the Controller and facilitate audits. The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this Agreement and shall allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller. Audits shall be agreed upon between the parties in writing with at least 15 working days' prior notice and shall be conducted in a manner that does not disrupt the Processor's business operations. The costs of audit activities shall be borne by the Controller.
5. Technical and Organisational Security Measures
In accordance with Art. 32 of the GDPR, the Processor shall adopt and maintain the following security measures:
Technical Measures
| Measure | Technical specifications |
|---|---|
| Encryption in transit | TLS 1.3 protocol for all communications between systems |
| Encryption at rest | AES-256 algorithm for stored data and backups |
| VPN connection authentication | Mandatory multi-factor authentication (MFA) |
| Log immutability | WORM (Write Once Read Many) technology: logs cannot be altered or retroactively deleted |
| Access control | RBAC (Role-Based Access Control) with the principle of least privilege |
| Encrypted backup | Daily backups with AES-256 encryption and a documented retention policy |
| Infrastructure monitoring | Continuous automated infrastructure monitoring with active alerting; human technical intervention according to the SLA of the subscribed plan |
Organisational Measures
The Processor adopts documented internal procedures for security incident management, separation of duties, periodic review of access privileges, and training of personnel on IT security and personal data protection.
The security measures are subject to periodic review, at least annually or in the event of significant technological or regulatory changes, in order to ensure a level of protection appropriate to the risk over time.
6. Sub-processors
By signing this Agreement, the Controller grants prior authorisation for the engagement of the following sub-processors:
| Sub-processor | Role | Location | Safeguards |
|---|---|---|---|
| Hosting service provider (cPanel) | Server infrastructure management | European Union / EEA | DPA compliant with Art. 28 GDPR |
| Backup service provider | Encrypted storage of backup data | European Union / EEA | DPA compliant with Art. 28 GDPR |
The updated list of sub-processors is available upon written request sent to [email protected]. The Processor shall update the list within 5 working days of the addition or removal of a sub-processor.
7. Notification of Personal Data Breaches
In the event of a personal data breach within the meaning of Art. 4(12) of the GDPR involving data processed on behalf of the Controller, the Processor shall:
a) Notify the Controller of the breach, via written communication to the email address of the contact person indicated in the contract, within 24 hours of becoming aware of the breach, even if the available information is still incomplete.
b) Provide, as soon as they become available and in any case within 72 hours of becoming aware, the information required by Art. 33(3) of the GDPR, including: the nature of the breach, the categories and approximate number of data subjects and data records concerned, the likely consequences of the breach, the measures taken or proposed to be taken to address it and, where appropriate, to mitigate its possible adverse effects.
c) Cooperate with the Controller in fulfilling the obligations to notify the Supervisory Authority pursuant to Art. 33 of the GDPR and, where required, in communicating to the data subjects pursuant to Art. 34 of the GDPR.
The notification made by the Processor does not constitute an admission of fault or liability in relation to the breach. The obligation to notify the Data Protection Authority within 72 hours of becoming aware is the exclusive responsibility of the Data Controller.
8. Transfer of Data to Third Countries
The Processor shall not transfer personal data processed on behalf of the Controller to third countries outside the European Economic Area, unless with the prior written authorisation of the Controller and in compliance with the safeguards provided for in Arts. 44-49 of the GDPR (adequacy decision, Standard Contractual Clauses, Binding Corporate Rules, or other appropriate safeguards).
Should the Processor be required to transfer data to a third country in fulfilment of a legal obligation, it shall inform the Controller before proceeding with the transfer, unless the applicable law prohibits such information on important grounds of public interest.
9. Liability
The Processor shall be liable to the Controller for damage caused by processing carried out in breach of this Agreement or the GDPR, within the limits and under the conditions of Art. 82 of the GDPR and the limitation of liability clauses provided for in the SecBox Shield service agreement, which shall prevail in the event of a conflict.
10. Amendments to this Agreement
The Processor reserves the right to update this DPA to adapt it to regulatory, jurisprudential, or technological changes. The amendments shall be communicated to the Controller with at least 30 days' prior notice via email. The continuation of the contractual relationship beyond this period shall constitute acceptance of the amendments. Should the amendments have a substantive impact on the Controller's obligations, the latter shall have the right to terminate the contract without penalty within the notice period.
11. Governing Law and Jurisdiction
This Agreement is governed by Italian law and the GDPR. For any dispute relating to the interpretation, execution, or termination of this Agreement, the Court of Milan shall have exclusive jurisdiction, without prejudice to the Controller's right to lodge a complaint with the Data Protection Authority.
For any questions regarding this Agreement, please contact: [email protected]